Hide sensitive data in ACS-Engine templates

Posts are in reverse order: the solution is at the top, the introduction at the bottom 😉


ACS-Engine generates ARM Templates for setting up Docker-enabled clusters. Those ARM Templates contain sensitive information that can be abused if it ends up in the wrong hands.


The Azure KeyVault service can be used to store the sensitive information and reference it from the template. The references can be resolved by the Azure Resource Manager, but they do not give any other user the privileges to read the information.

Storing the data in the KeyVault

Follow the script to:

  1. Create a KeyVault.
  2. Store Password and Certificates in the KeyVault.

Updating ARM Template to reference KeyVault secrets

Follow the instructions in the script.

After updating all fields your azuredeploy.parameters.json should go from:

The differences can best be seen using a diff tool. [How to in VS Code]

Introduction to ARM

ARM Templates provide a simple way to regenerate a whole infrastructure on the Azure Cloud. For a company, this means an automatable, quickly reproducible infrastructure that will work each time. ✌

That said, we need to keep in mind that the ARM Templates require sensitive data such as certificates, Azure Active Directory credentials (clientID, clientSecret) and other information needed for the infrastructure setup. To solve this problem Azure provides the KeyVault service, in which you can store the sensitive data and reference it from the ARM Templates.

Sensitive data in ACS Engine generated Templates

The templates generated by the acs-engine generate command contain the sensitive information listed below:

  • secret
  • caCertificate
  • caPrivateKey
  • apiServerCertificate
  • apiServerPrivateKey
  • clientCertificate
  • clientPrivateKey
  • kubeConfigCertificate
  • kubeConfigPrivateKey

This data is present in the file azuredeploy.parameters.json. The certificates and keys are generated in the same folder.

To store the azuredeploy.parameters.json file securely in a repository, we need to store this information in the KeyVault and reference it from the templates.
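As an added example (not the script from the original post), the following Python sketch rewrites a parameters file so that each of the nine sensitive parameters listed above becomes a KeyVault reference, and reports any that still carry an inline value so the file can be checked before it is committed. The vault resource ID is a placeholder, the sample values are constructed, and naming each secret after its parameter is an assumption.

```python
import copy
import json

# Parameter names the page lists as sensitive in azuredeploy.parameters.json.
SENSITIVE = (
    "secret", "caCertificate", "caPrivateKey",
    "apiServerCertificate", "apiServerPrivateKey",
    "clientCertificate", "clientPrivateKey",
    "kubeConfigCertificate", "kubeConfigPrivateKey",
)
# Placeholder vault resource ID (assumption); substitute your own vault.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "example-rg/providers/Microsoft.KeyVault/vaults/example-vault")
# Constructed sample input; a real file carries all nine parameters.
SAMPLE = {"parameters": {
    "location": {"value": "westeurope"},
    "secret": {"value": "CONSTRUCTED-client-secret"},
    "caCertificate": {"value": "CONSTRUCTED-base64-cert"},
    "caPrivateKey": {"value": "CONSTRUCTED-base64-key"},
}}

def to_keyvault_refs(doc, vault_id, names=SENSITIVE):
    """Return (rewritten_doc, secrets); secrets maps secret name -> value to upload."""
    out = copy.deepcopy(doc)          # never mutate the caller's document
    params = out.get("parameters", out)  # wrapped file or bare parameters object
    secrets = {}
    for name in names:
        entry = params.get(name)
        if not isinstance(entry, dict) or "value" not in entry:
            continue                  # absent, or already a KeyVault reference
        secrets[name] = entry["value"]
        params[name] = {"reference": {"keyVault": {"id": vault_id},
                                      "secretName": name}}
    return out, secrets

def plaintext_leftovers(doc, names=SENSITIVE):
    """Sensitive parameter names that still hold an inline value."""
    params = doc.get("parameters", doc)
    return [n for n in names
            if isinstance(params.get(n), dict) and "value" in params[n]]

if __name__ == "__main__":
    rewritten, to_upload = to_keyvault_refs(SAMPLE, VAULT_ID)
    print(json.dumps(rewritten, indent=2))
    # Print secret names only; the values go to the vault, not to the terminal.
    print("secrets to store:", sorted(to_upload))
    print("still in plaintext:", plaintext_leftovers(rewritten))
```

For Resource Manager to resolve these references at deployment time, the vault must have its enabledForTemplateDeployment property set.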

  • Jeff Bailey

    Do you have any guidance on how you are creating the initial certificates?

    • Rinor Maloku

      The initial certificates are generated by acs-engine; it’s the last part of the blog,
      by executing the command below:
      $ acs-engine generate --api-model 'api-model.json'
      The certificates will be generated to validate with the dnsPrefix in the api-model.json file.

  • Prashant Sakthivel

    Hi Rinor.
    When my certificates are about to expire, I would want to replace the secrets, but I also want a backup of my old secret in case my new secret gives any trouble. How can I create a copy of my secret inside the same namespace but with a different name?