Do you have plaintext passwords in your Azure deployments?

If you are developing deployments for Azure you will run into situations where you need to pass passwords and other data that must stay hidden. Azure has plenty of facilities for this (SecureString parameters and Key Vault, for instance), but sometimes people are tempted to take shortcuts. So, for one of the projects I'm involved in there was a suspicion that not everyone had been diligent. I wrote a quick PowerShell script to walk through all deployments looking for parameters named *secret* or *password* whose type is not "SecureString". The script iterates over every subscription the current credentials have permissions for, and over every resource group in each; it would be easy enough to modify it for more selective filtering.

[powershell]
# Walk every subscription the current credentials can see, every resource group in it
# and every deployment in that group's history; report parameters whose name contains
# "password" or "secret" but whose declared type is not SecureString.
Get-AzureRmSubscription | ForEach-Object {
    $subscriptionname = $_.Name
    $_ | Select-AzureRmSubscription | Out-Null
    Write-Verbose "- processing subscription $subscriptionname"
    Get-AzureRmResourceGroup | ForEach-Object {
        $rgname = $_.ResourceGroupName
        Write-Verbose "-- query deployments for RG $rgname"
        $deployments = Get-AzureRmResourceGroupDeployment -ResourceGroupName $rgname
        $deployments | ForEach-Object {
            $deployment = $_
            # -match against the key collection returns the matching key names (case-insensitive);
            # an empty result is falsy, so deployments without such parameters are skipped.
            if ($keynames = $deployment.Parameters.Keys -match "(password)|(secret)")
            {
                $keynames | ForEach-Object {
                    $type = $deployment.Parameters.$_.Type
                    $value = $deployment.Parameters.$_.Value
                    if ($type -ne "SecureString")
                    {
                        Write-Verbose "--- found non-secure password field $_ (matched keys: $($keynames -join ','))"
                        # One object per offending parameter; pipe the output to Out-GridView or Export-Csv.
                        [pscustomobject] @{
                            Subscription       = $subscriptionname
                            RG                 = $rgname
                            Deploymentname     = $deployment.DeploymentName
                            PasswordFieldName  = $_
                            PasswordFieldType  = $type
                            PasswordFieldValue = $value
                            TimeStamp          = $deployment.Timestamp
                        }
                    }
                }
            }
        }
    }
}
[/powershell]

The script assumes that authentication has already happened; if not, run Add-AzureRmAccount first. The output is a stream of objects that you can pipe to Out-GridView or Export-Csv. If you are on the newer Az module, the same cmdlets exist with the Az prefix (Get-AzSubscription, Set-AzContext, Get-AzResourceGroup, Get-AzResourceGroupDeployment) and the script ports over directly.

Fair warning: the output of this script could contain plaintext passwords, so handle it accordingly. That is also the reason the check matters: the values of non-secure parameters are kept in the deployment history, where anyone who can read the resource group's deployments can retrieve them, whereas SecureString parameter values are not stored there.
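The script above finds the problem after the fact, in deployment history. The same rule can be applied to the template and parameter files before anything is deployed, so the plaintext never reaches Azure at all. The following is an added example, not code from the original post: it checks a template for *password*/*secret* parameters declared as anything other than securestring/secureObject, and a parameter file for such secrets supplied as literal values instead of Key Vault references. The function name Find-InsecureSecretParameter and both JSON documents are constructed for this example; the Key Vault reference shape is the standard ARM parameter-file syntax, with placeholder subscription, resource group and vault names.

```powershell
# Added example (not from the original post). Constructed sample template: two secret
# parameters are declared as plain "string", two as a secure type.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "type": "string" },
    "adminPassword": { "type": "string" },
    "storageSecret": { "type": "securestring" },
    "sqlPassword":   { "type": "secureString" }
  },
  "resources": []
}
'@

# Constructed sample parameter file: one secret is a literal, one is a Key Vault reference.
# Subscription, resource group and vault names are placeholders.
$parameterFile = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "value": "azureuser" },
    "adminPassword": { "value": "Hunter2!" },
    "storageSecret": { "value": "literal-secret-checked-into-git" },
    "sqlPassword": {
      "reference": {
        "keyVault": { "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>" },
        "secretName": "sqlPassword"
      }
    }
  }
}
'@

# Hypothetical helper name; same "(password)|(secret)" name rule as the post's script.
function Find-InsecureSecretParameter {
    param(
        [Parameter(Mandatory)] [string] $TemplateJson,
        [string] $ParameterJson,
        [string] $NamePattern = '(password)|(secret)'
    )
    $tpl = $TemplateJson | ConvertFrom-Json
    $prm = if ($ParameterJson) { ($ParameterJson | ConvertFrom-Json).parameters } else { $null }

    foreach ($p in $tpl.parameters.PSObject.Properties) {
        if ($p.Name -notmatch $NamePattern) { continue }      # -notmatch is case-insensitive
        $declaredType = [string]$p.Value.type
        $secureType   = $declaredType -in @('securestring', 'secureobject')   # -in is case-insensitive

        $supplied = $null
        if ($prm) { $supplied = $prm.PSObject.Properties[$p.Name] }
        $literalValue = ($null -ne $supplied) -and ($null -ne $supplied.Value.value)
        $kvReference  = ($null -ne $supplied) -and ($null -ne $supplied.Value.reference.keyVault)

        # Two findings: a non-secure declared type (the value will land in deployment history),
        # and a secret supplied as a literal in the parameter file (the value lands in source control
        # even when the declared type is secure).
        if (-not $secureType -or $literalValue) {
            [pscustomobject] @{
                Parameter     = $p.Name
                DeclaredType  = $declaredType
                SecureType    = $secureType
                LiteralInFile = $literalValue
                KeyVaultRef   = $kvReference
            }
        }
    }
}

# adminPassword is reported (string type and literal), storageSecret is reported (literal in file),
# sqlPassword is clean (secure type, Key Vault reference), adminUsername is not a secret by name.
Find-InsecureSecretParameter -TemplateJson $template -ParameterJson $parameterFile | Format-Table -AutoSize
```

Run it against real files with `Get-Content -Raw` for both arguments; it needs no Azure connection, so it fits in a pre-commit hook or pipeline step, which is where the shortcut is cheapest to catch.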
