How to Secure Secrets in Logic app editor and run history using ARM template, key vault and secure input

Logic Apps are great at orchestrating integrations with UI-based workflows and support over 200 connectors, so they have become the first choice for many integration scenarios.

One of the most common scenarios is the need to use secure parameters (username, password, etc.) in a logic app. It then becomes important to protect such secrets properly so that they are not exposed when viewing the logic app's run history.

Here the securestring and secureobject parameter types come to the rescue. In this post, we'll see how to use a secure string parameter in a logic app and supply its value at deployment time from an ARM (Azure Resource Manager) template.

Scenario: Suppose we have an API which accepts a username and password in headers. We want to pass these values securely into the headers without exposing them in the workflow (logic app) definition or run history.

Warning: Credentials should never be passed in headers in plain text. At least basic authentication should be used. This scenario is for demo purposes only.

Step 1: Create a logic app with the 2 steps below.

It's a recurring logic app which calls a URL with the POST method.

We have 2 parameters (username and password) which we need to pass in the headers securely.

Step 2: Add secure string parameters

2.1 Click on Parameters at the top and then click on Add parameter.

Create 2 parameters of type Secure String as shown below and don't assign any default value (the designer keeps asking you to assign a default value, but if you do, it will show the warning below..!!!). There is also no point in assigning a default value to a secure string parameter, since the default value is always visible in the designer and in code view.

2.2 Now assign the values of your secure parameters to the header parameters and save your logic app.

Step 3: Create your ARM template project for this logic app

3.1 Go to Visual Studio, create a new project, select Azure Resource Group as the project type, and select Logic App as the template:

3.2 Your template will look like below and has 3 parameter sections:

  1. Template parameters: template-level parameters whose values are passed in from the ARM parameters file.
  2. Workflow definition parameter values: evaluated at deployment time; each one refers to a template parameter.
  3. Workflow definition parameters: where we define the type of each parameter; these are evaluated at run time and can be referenced inside the logic app.

Step 4: Prepare the ARM JSON

4.1 Add 2 parameters of type securestring at the top of your ARM template, in the template parameters section, as shown below:

4.2 Refer to the parameters declared in the step above in parameter section 2, as shown below.

Also define the type of the parameters as secure string in section 3, as shown below.

4.3 Now copy and paste the trigger and action sections from the code view of the logic app designed in Step 1 into your ARM template. Your template should look like below:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "type": "string",
      "minLength": 1,
      "maxLength": 80,
      "metadata": {
        "description": "Name of the Logic App."
      }
    },
    "apiUserName": {
      "type": "securestring"
    },
    "apiPassWord": {
      "type": "securestring"
    },
    "logicAppLocation": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "allowedValues": [
        "[resourceGroup().location]",
        "australiaeast",
        "australiasoutheast",
        "brazilsouth",
        "centralus",
        "eastasia",
        "eastus",
        "eastus2",
        "japaneast",
        "japanwest",
        "northcentralus",
        "northeurope",
        "southcentralus",
        "southeastasia",
        "westeurope",
        "westus"
      ],
      "metadata": {
        "description": "Location of the Logic App."
      }
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "[parameters('logicAppName')]",
      "type": "Microsoft.Logic/workflows",
      "location": "[parameters('logicAppLocation')]",
      "tags": {
        "displayName": "LogicApp"
      },
      "apiVersion": "2016-06-01",
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "actions": {
            "HTTP": {
              "inputs": {
                "headers": {
                  "password": "@parameters('passWord')",
                  "username": "@parameters('userName')"
                },
                "method": "POST",
                "uri": "https://prod-07.eastus.logic.azure.com:443/workflows/5946b1a32f4a4a53960db2a26c2e0227/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=4O-IYn0wcQDJ9XBi-LyfyFchK9qhKfXiaBkxxxxxxx"
              },
              "runAfter": {},
              "type": "Http"
            }
          },
          "outputs": {},
          "parameters": {
            "passWord": {
              "type": "SecureString"
            },
            "userName": {
              "type": "SecureString"
            }
          },
          "triggers": {
            "Recurrence": {
              "recurrence": {
                "frequency": "Minute",
                "interval": 3
              },
              "type": "recurrence"
            }
          }
        },
        "parameters": {
          "userName": {
            "value": "[parameters('apiUserName')]"
          },
          "passWord": {
            "value": "[parameters('apiPassWord')]"
          }
        }
      }
    }
  ],
  "outputs": {}
}

Step 5: Define your parameters file to get values from Key Vault:

Prerequisite:

a) I already have a Key Vault named kv-demo365 with the 2 secrets needed for this demo.

b) The user with which we are deploying our ARM template is added to the access policies, and the Key Vault is enabled for ARM deployment (which allows us to get secrets from the Key Vault at deployment time).

5.1 Define the logic app name and refer to the Key Vault secret using the following parameter format:

"parameterName": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
    },
    "secretName": "ExamplePassword"
  }
}

To define the logic app name and the ARM template parameters apiUserName and apiPassWord in our parameters file, we need:

  1. Name of the logic app
  2. Name of the Key Vault secret
  3. Azure subscription id
  4. Azure resource group
  5. Key Vault name

Finally, your parameters file will look like below:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "value": "la-secureStringParameterDemo"
    },
    "apiUserName": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/01ca4b10-1907-47be-8308-d10f0c6438ed/resourceGroups/demo1/providers/Microsoft.KeyVault/vaults/kv-demo365"
        },
        "secretName": "username"
      }
    },
    "apiPassWord": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/01ca4b10-1907-47be-8308-d10f0c6438ed/resourceGroups/demo1/providers/Microsoft.KeyVault/vaults/kv-demo365"
        },
        "secretName": "password"
      }
    }
  }
}

Step 6: Deploy the logic app

6.1 Right-click on your project, select Deploy and then New.

6.2 Select your Azure account and resource group, select the logic app template file and the parameters file, and click on Deploy.

6.3 Once deployed, you'll see a success message in the Output window.

6.4 Navigate to the Azure resource group and check for a successful deployment.

Step 7: Check and test the logic app

7.1 Edit the logic app and check whether the actual values are now visible for the userName and passWord parameters:

7.2 Go to code view to check whether the secret values are visible there:

Voila..!! We have secured our secrets from being exposed in the logic app editor.

7.3 Run the logic app and check whether the credentials are visible in the run history.

What..!! We see the credentials are still visible in the run history??

Yes, that is true, and it is the correct behavior: everything we did so far secures the parameters at rest, in the logic app editor.

At run time the credentials will still be visible unless we secure the inputs of the action that uses them:

Step 8: Make the inputs secure for our HTTP action

8.1 Click on the ellipsis and then Settings.

8.2 Turn on Secure Inputs, click on Done and save the logic app.

Step 9: Run the logic app again:

The input of the HTTP action is secured now.

Things to consider while making inputs secure:

  1. When you obscure the inputs or outputs on a trigger or action, Logic Apps doesn't send the secured data to Azure Log Analytics. Also, you can't add tracked properties to that trigger or action for monitoring.
  2. Turning on Secure Inputs hides every input of that action in the run history, so bear in mind that you will no longer be able to see the inputs of that action there.
  3. The Logic Apps API for handling workflow history doesn't return secured outputs.
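As an added example (not part of the original post), a small Python lint that checks an ARM template for the three things this walkthrough sets up: secure workflow parameters without default values (Step 2), secure parameters fed from securestring template parameters (Step 4), and the Secure Inputs setting of Step 8, which in the workflow definition is runtimeConfiguration.secureData.properties containing "inputs". The sample template is constructed here and only mirrors the shape of the one above; the example.invalid URI is a placeholder.

```python
import re
# Matches @parameters('x') and the interpolated form @{parameters('x')}.
PARAM_REF = re.compile(r"@\{?parameters\('([^']+)'\)")

def param_refs(node):
    """Collect workflow parameter names referenced anywhere under node."""
    if isinstance(node, dict):
        return set().union(*(param_refs(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(param_refs(v) for v in node))
    return set(PARAM_REF.findall(node)) if isinstance(node, str) else set()

def lint_logic_app_template(template):
    """Return findings for the three rules; an empty list means the template passes."""
    findings = []
    # ARM template parameter names are case-insensitive, so compare them lower-cased.
    tmpl_params = {k.lower(): v for k, v in template.get("parameters", {}).items()}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Logic/workflows":
            continue
        definition = res["properties"]["definition"]
        wf_params = definition.get("parameters", {})
        secure = {n for n, p in wf_params.items() if p.get("type", "").lower() == "securestring"}
        values = res["properties"].get("parameters", {})
        for name in sorted(secure):
            if "defaultValue" in wf_params[name]:
                findings.append(f"secure parameter '{name}' has a defaultValue (visible in designer and code view)")
            m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", str(values.get(name, {}).get("value", "")))
            src = tmpl_params.get(m.group(1).lower(), {}) if m else {}
            if src.get("type", "").lower() != "securestring":
                findings.append(f"secure parameter '{name}' is not fed from a securestring template parameter")
        for aname, action in definition.get("actions", {}).items():
            used = param_refs(action.get("inputs", {})) & secure
            secured = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
            if used and "inputs" not in secured:
                findings.append(f"action '{aname}' sends {sorted(used)} but does not secure its inputs")
    return findings

def sample_template(secure_inputs):
    """Constructed template with the same shape as the post's; the URI is a placeholder."""
    http = {"type": "Http", "inputs": {"method": "POST", "uri": "https://example.invalid/api",
            "headers": {"username": "@parameters('userName')", "password": "@parameters('passWord')"}}}
    if secure_inputs:  # what the designer's Secure Inputs toggle writes into the action
        http["runtimeConfiguration"] = {"secureData": {"properties": ["inputs"]}}
    return {"parameters": {"apiUserName": {"type": "securestring"}, "apiPassWord": {"type": "securestring"}},
            "resources": [{"type": "Microsoft.Logic/workflows", "properties": {
                "definition": {"actions": {"HTTP": http}, "parameters": {
                    "userName": {"type": "SecureString"}, "passWord": {"type": "SecureString"}}},
                "parameters": {"userName": {"value": "[parameters('apiUserName')]"},
                               "passWord": {"value": "[parameters('apiPassword')]"}}}}]}
```

Because each ARM deployment replaces the deployed workflow definition with the template's, keeping runtimeConfiguration.secureData in the template (rather than only toggling it in the designer after deployment) stops the setting from being lost on the next deploy.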

Read more on https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app#secure-run-history

So this was how you can secure your credentials in the logic app editor as well as in the run history.
