| 1 | +--- |
| 2 | +title: Restrictions on Hardcoded Credentials |
| 3 | +description: Explains what standards and restrictions are in place for Azure Applications temaplates with regards to credentials. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 08/21/2025 |
| 6 | +--- |
| 7 | + |
| 8 | +# Restrictions on Hardcoded Credentials |
| 9 | + |
| 10 | +Azure Applications enforces strict security policies prohibiting the use of hardcoded credentials (e.g., usernames, passwords, keys, SAS URIs) in managed applications and solution templates. This restriction is mandated under [Marketplace Certification Policy 300.4.4 Parameters](https://learn.microsoft.com/legal/marketplace/certification-policies#30044-parameters). |
| 11 | + |
| 12 | +## Security Risks of Hardcoded Credentials |
| 13 | + |
| 14 | +Hardcoded credentials pose significant risks: |
| 15 | +- They can be exploited by attackers to gain unauthorized access to deployed resources |
| 16 | +- They violate secure coding practices and compromise customer trust |
| 17 | + |
| 18 | +As a result, any secrets present in the template are at risk for exposure and cannot be considered secure. |
| 19 | + |
| 20 | +## Managing Credentials in ARM Templates |
| 21 | + |
| 22 | +- Managed Applications (only if management access is enabled): [Use Azure Key Vault when deploying Managed Applications](https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/key-vault-access). |
| 23 | +- Solution templates: Credentials have to be parameterized and provided by the customer. If for any reason this is not possible, then they should be randomly generated in the template and should not be guessable. |
| 24 | + - Implement [parameters in templates](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/parameters) |
| 25 | + - Variables used for credentials or secrets should not use plaintext strings. |
| 26 | + - The use of the ```uniquestring``` function is deterministic for an input and does not meet the requirement that the password is not guessable. [Template functions](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-string#uniquestring). |
| 27 | + - Any password string must NOT be concatenated with any plaintext string. For example, [concat(parameters('password')), 'plaintext')] is an invalid password. This is to avoid padding the string to bypass password length requirements. |
| 28 | + - If there is a hardcoded SAS URI, then it is as good as a public link. The publisher can either create a public link or package the resource with the zip file and reference it using [referenced linked templates and artifacts](https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/artifacts-location). |
| 29 | + |
| 30 | +## Credential Examples |
| 31 | + |
| 32 | +Hardcoded credential: |
| 33 | +- ```"adminPassword": "fixedValue"``` |
| 34 | + |
| 35 | +Guessable passwords: |
| 36 | +- ```"adminPassword": "[concat(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')), 'fixedvalue')]"``` |
| 37 | + |
| 38 | +SAS URIs: |
| 39 | +- ```https://<storage_account>.blob.core.windows.net/<container>/<blob_name>?sv=2022-11-02&st=2025-08-20T09%3A00%3A00Z&se=2025-08-20T10%3A00%3A00Z&sr=b&sp=r&sig=<signature>``` |
| 40 | + |
| 41 | +API Keys/Storage keys: |
| 42 | +- ```api_key = "12345abcde67890xyz12345abcde67890"``` |
| 43 | + |
| 44 | +## References |
| 45 | + |
| 46 | +To learn more about Marketplace policies, refer to the [Commercial marketplace certification policies](https://learn.microsoft.com/legal/marketplace/certification-policies) documentation. |
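Review bot: the concat example on line 27 of the file, `[concat(parameters('password')), 'plaintext')]`, has unbalanced parentheses (an extra `)` after `parameters('password')`), so a reader pasting it to see what the check rejects gets a template parse error instead of the rejected pattern; it should read `[concat(parameters('password'), 'plaintext')]`. Two smaller points in the same hunk: the front-matter description has a typo (`temaplates` for `templates`), and the function is written as `uniquestring` on line 26 while the linked anchor is `#uniquestring` for the documented `uniqueString`; using the documented casing keeps the name searchable. Finally, the solution-template bullet on line 23 says credentials that cannot be parameterized "should be randomly generated in the template and should not be guessable", but the section then only names the disallowed approach (`uniquestring`); naming an acceptable generation method there would make the requirement actionable for publishers.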