azure-search-openai-demo-csharp

KeyVault secrets are passed to module w/o `secure()` decorator.

Open jongio opened this issue 8 months ago • 6 comments

This app creates secrets in bulk, but passes those secrets from main.bicep w/o using the secure decorator. Those secrets will therefore be in plaintext in the Azure deployment.

Add secure() here.

https://github.com/Azure-Samples/azure-search-openai-demo-csharp/blob/fb1ca3248e693ea7acb04740c97526c5a49c82eb/infra/core/security/keyvault-secrets.bicep#L3

If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

jongio avatar Nov 02 '23 21:11 jongio

image

LittleLittleCloud avatar Nov 08 '23 18:11 LittleLittleCloud

@jongio Can you share an example on adding secure decorator to individual module?

LittleLittleCloud avatar Nov 08 '23 18:11 LittleLittleCloud

I'd go this route:

> If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

jongio avatar Nov 08 '23 20:11 jongio

> I'd go this route:
>
> > If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

@jongio do we have a sample of this?

luisquintanilla avatar Nov 13 '23 01:11 luisquintanilla

@LittleLittleCloud are we okay to close this one?

luisquintanilla avatar Dec 11 '23 19:12 luisquintanilla

I'd remove "secrets" file and set each one individually so they are passed securely.

jongio avatar Jan 02 '24 18:01 jongio
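
The route suggested in the thread (one module reference per secret, with a secure decorator on the value), sketched as an added example that is not code from the repository or from any participant. The file names, parameter names and secret name are hypothetical, and the two files are shown in one block separated by comments.

```bicep
// ---- keyvault-secret.bicep (hypothetical module: writes ONE secret) ----
param keyVaultName string
param name string

// @secure() keeps the value out of the deployment history and logs.
// The decorator is only valid on string and object parameters, so a
// bulk array-of-secrets parameter cannot carry it; hence one module
// call per secret.
@secure()
param secretValue string

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: keyVault
  name: name
  properties: {
    value: secretValue
  }
}

// ---- main.bicep (caller; separate file, all names are placeholders) ----
param vaultName string

// The value must also be secure at the point where it enters main.bicep,
// otherwise it is already recorded in plaintext before reaching the module.
@secure()
param searchServiceKey string

module searchKeySecret 'keyvault-secret.bicep' = {
  name: 'kv-secret-search-key'
  params: {
    keyVaultName: vaultName
    name: 'SearchServiceKey' // placeholder secret name
    secretValue: searchServiceKey
  }
}
```

After deploying, open the deployment's inputs in the portal (or run `az deployment group show`) and check that the secure parameters are not echoed back with their values.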