
Secrets

Any sensitive values or variables used in a Pulumi script should be stored as secrets, both in Pulumi and in Azure Key Vault.

Pulumi

While Azure components are being provisioned, sensitive values such as access keys or passwords can easily end up exposed as plain text in outputs and state. Store them safely by declaring them as secrets with the Pulumi secret method.

Creating a secret:

import * as pulumi from "@pulumi/pulumi";

// acrCredentials is the output of listing the registry's admin credentials (for example containerregistry.listRegistryCredentialsOutput in @pulumi/azure-native); pulumi.secret() marks the derived password as a secret.
export const acrAdminPass = pulumi.secret(acrCredentials.apply(
    (credentials) => credentials.passwords[0].value
));

The value of this password is hidden in the output of pulumi up and stored safely (encrypted) in the stack state:

acrAdminPass                  : [secret]

Other variables that derive their value from a secret are masked as well, even if they don't contain the secret itself. To reveal such a value, use the Pulumi unsecret method, and only where the derived value is genuinely non-sensitive, since it then appears in plain text in outputs and state.

Azure Key Vault

As a standard in the Data Engine solution, App Services should have system-assigned managed identities enabled and use them to access Key Vaults through Key Vault access policies.

Once the access policy is created, the App Service can read secrets stored in the Key Vault through a Key Vault reference built from the secret's URI.

Creating a new secret holding the Azure Container Registry password:

import * as keyvault from "@pulumi/azure-native/keyvault";

// The value is the pulumi.secret() output from the previous section, so it stays
// masked in the stack state and in this resource's outputs.
const secret_ACR_ADMIN_PASS = new keyvault.Secret("ACR-ADMIN-PASS", {
    resourceGroupName: resourceGroup.name,
    vaultName: keyVaultCoreName,
    properties: {
        value: acrAdminPass,
    },
});

Accessing a Key Vault secret from the App Service:

// One entry of the App Service's siteConfig.appSettings array; App Service resolves
// the reference with the app's managed identity, so the value never sits in the app settings as plain text.
{
    name: "DOCKER_REGISTRY_SERVER_PASSWORD",
    value: pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secret_ACR_ADMIN_PASS.properties.secretUriWithVersion})`,
},
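The Key Vault reference above only works if its syntax is exact; a malformed reference is passed to the container as the literal string, and a plaintext value slipped into an app setting is never caught by App Service. The following is an added example, not code from the original page or from the Data Engine solution: a dependency-free TypeScript check that parses both App Service reference forms (SecretUri and VaultName/SecretName), builds a reference from a secret URI, and lints an appSettings list for sensitive-looking names whose value is not a valid reference. A reference without a version resolves to the latest secret version, which is what lets rotation propagate without a redeploy. The vault host suffix, the sensitive-name pattern, the vault and registry names, and the sample settings are all constructed assumptions.

```typescript
// Added example (not from the original documentation or the project's Pulumi code).
// Build and validate App Service Key Vault references and lint appSettings for
// plaintext secrets before running pulumi up.

export interface AppSetting {
  name: string;
  value: string;
}

export interface KeyVaultRef {
  vault: string;        // vault host (SecretUri form) or vault name (VaultName form)
  secretName: string;
  version?: string;     // undefined means "latest version" as resolved by App Service
}

// Form 1: @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
const SECRET_URI_FORM =
  /^@Microsoft\.KeyVault\(SecretUri=https:\/\/([^\/\s)]+)\/secrets\/([^\/\s)]+)(?:\/([0-9a-f]{32}))?\/?\)$/i;
// Form 2: @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
const VAULT_NAME_FORM =
  /^@Microsoft\.KeyVault\(VaultName=([^;\s)]+);SecretName=([^;\s)]+)(?:;SecretVersion=([0-9a-f]{32}))?\)$/i;

// Assumption: public-cloud vault suffix; sovereign clouds use different suffixes.
const VAULT_HOST_SUFFIX = ".vault.azure.net";

// Parse a reference into its parts; null when the value is not a well-formed reference.
export function parseKeyVaultReference(value: string): KeyVaultRef | null {
  const trimmed = value.trim();
  const uri = SECRET_URI_FORM.exec(trimmed);
  if (uri) {
    const host = uri[1] ?? "";
    if (!host.toLowerCase().endsWith(VAULT_HOST_SUFFIX)) return null;
    return { vault: host, secretName: uri[2] ?? "", version: uri[3] || undefined };
  }
  const named = VAULT_NAME_FORM.exec(trimmed);
  if (named) {
    return { vault: named[1] ?? "", secretName: named[2] ?? "", version: named[3] || undefined };
  }
  return null;
}

// Build the SecretUri form, rejecting anything that is not an https URL under the vault suffix.
export function buildKeyVaultReference(secretUri: string): string {
  const ref = `@Microsoft.KeyVault(SecretUri=${secretUri})`;
  if (parseKeyVaultReference(ref) === null) {
    throw new Error(`not a valid Key Vault secret URI: ${secretUri}`);
  }
  return ref;
}

// Assumption: setting names matching this pattern should never carry a plaintext value.
const SENSITIVE_NAME = /(PASS(WORD)?|SECRET|KEY|TOKEN|CONNECTION(_?STRING)?)/i;

// Names of sensitive-looking settings whose value is not a valid Key Vault reference.
export function findPlaintextSecrets(settings: AppSetting[]): string[] {
  return settings
    .filter(s => SENSITIVE_NAME.test(s.name) && parseKeyVaultReference(s.value) === null)
    .map(s => s.name);
}

// Constructed sample appSettings with placeholder vault and registry names.
export const sampleSettings: AppSetting[] = [
  { name: "DOCKER_REGISTRY_SERVER_URL", value: "https://example.azurecr.io" },
  { name: "DOCKER_REGISTRY_SERVER_USERNAME", value: "example" },
  {
    name: "DOCKER_REGISTRY_SERVER_PASSWORD",
    value: "@Microsoft.KeyVault(SecretUri=https://kv-core-example.vault.azure.net/secrets/ACR-ADMIN-PASS/0123456789abcdef0123456789abcdef)",
  },
  // Plaintext value where a reference belongs: must be flagged.
  { name: "STORAGE_ACCOUNT_KEY", value: "constructed-plaintext-key-do-not-do-this" },
  // Wrong scheme: App Service would not resolve this, so it is flagged too.
  { name: "API_TOKEN", value: "@Microsoft.KeyVault(SecretUri=http://kv-core-example.vault.azure.net/secrets/API-TOKEN)" },
];

console.log("settings needing a Key Vault reference:", findPlaintextSecrets(sampleSettings));
```

Run this as a pre-deploy check over the same array you pass to siteConfig.appSettings; the two flagged entries in the sample (a raw key and an http reference) are exactly the cases that would otherwise reach the running container as plain strings.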