Hard-coding secrets directly inside Azure Logic Apps workflow definitions is a security risk. A secret embedded in the definition is exposed wherever the definition travels: source control, the Azure Portal workflow designer, ARM template exports, and run history logs.
Secrets such as passwords, API keys, tokens, connection strings, and client secrets should therefore never be hard-coded in workflow definitions, because they become visible to anyone with access to any of those locations.
If a hard-coded secret is exposed, an attacker can use it to gain unauthorized access to the target service. Because the secret is part of the workflow definition, it cannot be rotated without modifying and redeploying the workflow, which lengthens the window of exposure.
Store secrets in Azure Key Vault and reference them at runtime via Logic App parameters with the securestring type, or pass them via ARM template parameters.
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "hardcoded-secret",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "Call_API": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "https://api.example.com/data",
            "headers": {
              "Authorization": "Bearer abc123-secret-token"
            }
          }
        }
      },
      "triggers": {}
    }
  }
}
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "parameterized-secret",
  "location": "[resourceGroup().location]",
  "properties": {
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "actions": {
        "Call_API": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "https://api.example.com/data",
            "headers": {
              "Authorization": "@{concat('Bearer ', parameters('ApiToken'))}"
            }
          }
        }
      },
      "triggers": {},
      "parameters": {
        "ApiToken": {
          "type": "securestring"
        }
      }
    },
    "parameters": {
      "ApiToken": {
        "value": "[parameters('apiToken')]"
      }
    }
  }
}
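A small check for the pattern described above, as an added example that is not part of this rule or of any Azure tooling. It walks the ARM JSON form of a Logic App resource, flags credential-carrying HTTP headers whose value is a literal rather than a Logic Apps expression, and also flags the case where the header is parameterized but the workflow parameter is not declared as securestring. The header list and the sample template are constructed assumptions for the demo.

```python
import re

# Headers whose value is a credential (assumed list for this example, not an Azure list).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "ocp-apim-subscription-key"}
EXPRESSION = re.compile(r"^@|@\{")                  # Logic Apps expression or interpolation
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")  # workflow parameter references

def find_secret_issues(resource: dict) -> list[str]:
    """Findings for one Microsoft.Logic/workflows resource in ARM JSON form."""
    findings = []
    definition = resource.get("properties", {}).get("definition", {})
    declared = definition.get("parameters", {})  # workflow-level parameter declarations
    for name, action in definition.get("actions", {}).items():
        if action.get("type") != "Http":
            continue
        headers = action.get("inputs", {}).get("headers", {})
        for header, value in headers.items():
            if header.lower() not in SENSITIVE_HEADERS or not isinstance(value, str):
                continue
            if not EXPRESSION.search(value):
                # Literal credential: it ships with the definition into source control,
                # ARM exports and run history.
                findings.append(f"{name}: header '{header}' is a hard-coded literal")
                continue
            for param in PARAM_REF.findall(value):
                ptype = declared.get(param, {}).get("type")
                if ptype != "securestring":
                    findings.append(f"{name}: parameter '{param}' in '{header}' is "
                                    f"{ptype or 'undeclared'}, expected securestring")
    return findings

def scan_template(template: dict) -> dict[str, list[str]]:
    """Scan a parsed ARM template (e.g. json.load of an export); {workflow name: findings}."""
    return {r["name"]: find_secret_issues(r) for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Logic/workflows"}

def _workflow(name, auth_value, params=None):
    # Build a minimal constructed Microsoft.Logic/workflows resource for the demo.
    definition = {"actions": {"Call_API": {"type": "Http", "inputs": {
        "headers": {"Authorization": auth_value}}}}, "triggers": {}}
    if params is not None:
        definition["parameters"] = params
    return {"type": "Microsoft.Logic/workflows", "name": name,
            "properties": {"definition": definition}}

# Constructed sample: the two examples above plus a workflow that parameterizes
# the token but declares it as a plain 'string'.
SAMPLE_TEMPLATE = {"resources": [
    _workflow("hardcoded-secret", "Bearer abc123-secret-token"),
    _workflow("parameterized-secret", "@{concat('Bearer ', parameters('ApiToken'))}",
              {"ApiToken": {"type": "securestring"}}),
    _workflow("weak-parameter", "@{concat('Bearer ', parameters('ApiToken'))}",
              {"ApiToken": {"type": "string"}})]}
```

Running `scan_template(SAMPLE_TEMPLATE)` reports the hard-coded literal for the first workflow, nothing for the second, and the non-securestring parameter for the third.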
Store secrets in Azure Key Vault and reference them at runtime via secure Bicep parameters and Logic App workflow parameters.
resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'hardcoded-secret'
  location: resourceGroup().location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        Call_API: {
          type: 'Http'
          inputs: {
            method: 'POST'
            uri: 'https://api.example.com/data'
            headers: {
              Authorization: 'Bearer abc123-secret-token' // Noncompliant
            }
          }
        }
      }
      triggers: {}
    }
  }
}
@secure()
param apiToken string

resource workflow 'Microsoft.Logic/workflows@2019-05-01' = {
  name: 'parameterized-secret'
  location: resourceGroup().location
  properties: {
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      actions: {
        Call_API: {
          type: 'Http'
          inputs: {
            method: 'POST'
            uri: 'https://api.example.com/data'
            headers: {
              Authorization: '@{concat(\'Bearer \', parameters(\'ApiToken\'))}'
            }
          }
        }
      }
      triggers: {}
      parameters: {
        ApiToken: {
          type: 'securestring'
        }
      }
    }
    parameters: {
      ApiToken: {
        value: apiToken
      }
    }
  }
}