datafactory linked service TypeBasicLinkedServiceTypeAzureBlobStorage passes connection string as secure string and then the portal will not display the storage account

[katbyte]

I'm copying the azurerm issue hashicorp/terraform-provider-azurerm#19862 here as this seems to be an upstream issue, with the portal? Terraform with the AzAPI and AzureRM providers + the AZ CLI pass the connection string as a secure string leading the portal to not be able to display it correctly.

Affected Resource(s)/Data Source(s)

azurerm_data_factory_linked_service_azure_blob_storage

Terraform Configuration Files

provider "azurerm" {
  # Configuration options
  features {}
}

data "azurerm_resource_group" "test" {
  name     = "test-lg"
 # location = "East US"
}

data "azurerm_client_config" "current" {
}

data "azurerm_storage_account" "example" {
  name                = "levgoronshteynstorage"
  resource_group_name = data.azurerm_resource_group.test.name
}

resource "azurerm_data_factory" "test" {
  name                = "example-lev"
  location            = data.azurerm_resource_group.test.location
  resource_group_name = data.azurerm_resource_group.test.name
}

resource "azurerm_key_vault" "test" {
  name                = "example-lev"
  location            = data.azurerm_resource_group.test.location
  resource_group_name = data.azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

resource "azurerm_data_factory_linked_service_key_vault" "test" {
  name            = "linkkv-lev"
  data_factory_id = azurerm_data_factory.test.id
  key_vault_id    = azurerm_key_vault.test.id
}

resource "azurerm_data_factory_linked_service_azure_blob_storage" "test" {
  name            = "example-lev"
  data_factory_id = azurerm_data_factory.test.id
 service_principal_id = "f38c0ec8-c8d0-4df8-b29b-69057f6236984239"
 service_principal_key = "6zc5e2d7-5f12-5669-9ea5-8108093a60ce"
 tenant_id = "0d4q3e88-8caf-41ca-b4da-e3b33b6c52ec"
 connection_string = "DefaultEndpointsProtocol=https;AccountName=levgoronshteynstorage;AccountKey=NJaByjNTH3HZcRyROBeDFPjKoPIUMViI0p7r+79tRLBVSQNmmspGBdwI4ns2qGyp1HtvrZC+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net"

ALL sensitive information has been changed!

Expected Behaviour

When a user uses Azure Portal to add a linked service for blob storage, the portal breaks up the connection string into two properties below:

{
  "connectionString": "<value>",
  "encryptedCredential": "<value>"
}

Actual Behaviour

When using AzureRM provider, the connection string is stored as secure string and the storage account name is hidden with asterisks.

"connectionString": {
      "type": "SecureString",
      "value": "**********"
    },
    "credential": null,
    "description": null,
    "encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIkRBVEFGQUNUT1JZQEREMjREMjZGLTFEQkYtNDVERi04NEM1LTIzRUI4MDIzMUU1QV9hZGU1YTkzYS00MWZlLTRjZGYtOTA1NS1lNzg5YzcwMzM2NDciDQp9",

Steps to Reproduce

Use the Terraform Configuration File provided

change the resource group and storage account

apply the terraform file.

Important Factoids

No response

References

The AZ CLI tool has the same behaviour as terraform:

az datafactory linked-service create --factory-name "example-lev" --properties "{\"type\":\"AzureBlobStorage\",\"typeProperties\":{\"connectionString\":

{\"type\":\"SecureString\",\"value\":\"DefaultEndpointsProtocol=https;AccountName=xxx;AccountKey=xxx+xxx+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net\"}}}" --name "exampleLinkedService" --resource-group "test-lg"
{
  "etag": "4f008de4-0000-0100-0000-63b477df0000",
  "id": "/subscriptions/xxx/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService",
  "name": "exampleLinkedService",
  "properties": {
    "accountKey": null,
    "accountKind": null,
    "additionalProperties": null,
    "annotations": null,
    "azureCloudType": null,
    "connectVia": null,
    "connectionString": {
      "type": "SecureString",
      "value": "**********"
    },
    "credential": null,
    "description": null,
    "encryptedCredential": "xxxxxxxxxxxxxxxxxxxxxxxx",
    "parameters": null,
    "sasToken": null,
    "sasUri": null,
    "serviceEndpoint": null,
    "servicePrincipalId": null,
    "servicePrincipalKey": null,
    "tenant": null,
    "type": "AzureBlobStorage"
  },
  "resourceGroup": "test-lg",
  "type": "Microsoft.DataFactory/factories/linkedservices"

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Jingshu923, @zhangyd2015, @Frey-Wang.

Issue Details

---

I'm copying the azurerm issue hashicorp/terraform-provider-azurerm#19862 here as this seems to be an upstream issue, with the portal? Terraform with the AzAPI and AzureRM providers + the AZ CLI pass the connection string as a secure string leading the portal to not be able to display it correctly.

Affected Resource(s)/Data Source(s)

azurerm_data_factory_linked_service_azure_blob_storage

Terraform Configuration Files

provider "azurerm" {
  # Configuration options
  features {}
}

data "azurerm_resource_group" "test" {
  name     = "test-lg"
 # location = "East US"
}

data "azurerm_client_config" "current" {
}

data "azurerm_storage_account" "example" {
  name                = "levgoronshteynstorage"
  resource_group_name = data.azurerm_resource_group.test.name
}

resource "azurerm_data_factory" "test" {
  name                = "example-lev"
  location            = data.azurerm_resource_group.test.location
  resource_group_name = data.azurerm_resource_group.test.name
}

resource "azurerm_key_vault" "test" {
  name                = "example-lev"
  location            = data.azurerm_resource_group.test.location
  resource_group_name = data.azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

resource "azurerm_data_factory_linked_service_key_vault" "test" {
  name            = "linkkv-lev"
  data_factory_id = azurerm_data_factory.test.id
  key_vault_id    = azurerm_key_vault.test.id
}

resource "azurerm_data_factory_linked_service_azure_blob_storage" "test" {
  name            = "example-lev"
  data_factory_id = azurerm_data_factory.test.id
 service_principal_id = "f38c0ec8-c8d0-4df8-b29b-69057f6236984239"
 service_principal_key = "6zc5e2d7-5f12-5669-9ea5-8108093a60ce"
 tenant_id = "0d4q3e88-8caf-41ca-b4da-e3b33b6c52ec"
 connection_string = "DefaultEndpointsProtocol=https;AccountName=levgoronshteynstorage;AccountKey=NJaByjNTH3HZcRyROBeDFPjKoPIUMViI0p7r+79tRLBVSQNmmspGBdwI4ns2qGyp1HtvrZC+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net"

ALL sensitive information has been changed!

Expected Behaviour

When a user uses Azure Portal to add a linked service for blob storage, the portal breaks up the connection string into two properties below:

{
  "connectionString": "<value>",
  "encryptedCredential": "<value>"
}

Actual Behaviour

When using AzureRM provider, the connection string is stored as secure string and the storage account name is hidden with asterisks.

"connectionString": {
      "type": "SecureString",
      "value": "**********"
    },
    "credential": null,
    "description": null,
    "encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIkRBVEFGQUNUT1JZQEREMjREMjZGLTFEQkYtNDVERi04NEM1LTIzRUI4MDIzMUU1QV9hZGU1YTkzYS00MWZlLTRjZGYtOTA1NS1lNzg5YzcwMzM2NDciDQp9",

Steps to Reproduce

Use the Terraform Configuration File provided

change the resource group and storage account

apply the terraform file.

Important Factoids

No response

References

The AZ CLI tool has the same behaviour as terraform:

az datafactory linked-service create --factory-name "example-lev" --properties "{\"type\":\"AzureBlobStorage\",\"typeProperties\":{\"connectionString\":

{\"type\":\"SecureString\",\"value\":\"DefaultEndpointsProtocol=https;AccountName=xxx;AccountKey=xxx+xxx+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net\"}}}" --name "exampleLinkedService" --resource-group "test-lg"
{
  "etag": "4f008de4-0000-0100-0000-63b477df0000",
  "id": "/subscriptions/xxx/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService",
  "name": "exampleLinkedService",
  "properties": {
    "accountKey": null,
    "accountKind": null,
    "additionalProperties": null,
    "annotations": null,
    "azureCloudType": null,
    "connectVia": null,
    "connectionString": {
      "type": "SecureString",
      "value": "**********"
    },
    "credential": null,
    "description": null,
    "encryptedCredential": "xxxxxxxxxxxxxxxxxxxxxxxx",
    "parameters": null,
    "sasToken": null,
    "sasUri": null,
    "serviceEndpoint": null,
    "servicePrincipalId": null,
    "servicePrincipalKey": null,
    "tenant": null,
    "type": "AzureBlobStorage"
  },
  "resourceGroup": "test-lg",
  "type": "Microsoft.DataFactory/factories/linkedservices"

Author:	katbyte
Assignees:	-
Labels:	question, Data Factory, Service Attention, customer-reported, needs-team-attention
Milestone:	-

[navba-MSFT]

Adding Service team to look into this.

@Jingshu923, @zhangyd2015, @Frey-Wang Could you please look into this issue ?

[Frey-Wang]

@katbyte, could you please provide the information of az command with --debug tag?

[levgoronshteyn]

@Frey-Wang is the below what you are looking for?

az datafactory linked-service create --factory-name "example-lev" --properties "{\"type\":\"AzureBlobStorage\",\"typeProperties\":{\"connectionString\":{\"type\":\"SecureString\",\"value\":\"DefaultEndpointsProtocol=https;AccountName=levgoronshteynstorage;AccountKey=NJaByjNTG3KXxRyROBeDFPjK0PIUMViIop7r+79tRLBVSQNmmspGBdwI4ns2qGyp1HtvrZC+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net\"}}}" --name "exampleLinkedService123" --resource-group "test-lg" --debug cli.knack.cli: Command arguments: ['datafactory', 'linked-service', 'create', '--factory-name', 'example-lev', '--properties', '{"type":"AzureBlobStorage","typeProperties":{"connectionString":{"type":"SecureString","value":"DefaultEndpointsProtocol=https;AccountName=levgoronshteynstorage;AccountKey=NJaByjNTG3KXxRyROBeDFPjK0PIUMViIop7r+79tRLBVSQNmmspGBdwI4ns2qGyp1HtvrZC+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net"}}}', '--name', 'exampleLinkedService123', '--resource-group', 'test-lg', '--debug'] cli.knack.cli: __init__ debug log: Enable color in terminal. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x1054e41f0>, <function OutputProducer.on_global_arguments at 0x105554f70>, <function CLIQuery.on_global_arguments at 0x1055723b0>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'datafactory': ['azext_datafactory'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: Total (0) 0.000 0 0 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: datafactory 0.003 16 79 /Users/levgoronshteyn/.azure/cliextensions/datafactory cli.azure.cli.core: Total (1) 0.003 16 79 cli.azure.cli.core: Loaded 16 groups, 79 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : datafactory linked-service create cli.azure.cli.core: Command table: datafactory linked-service create cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x1060f3400>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/levgoronshteyn/.azure/commands/2023-01-16.17-21-07.datafactory_linked-service_create.87399.log'. az_command_data_logger: command args: datafactory linked-service create --factory-name {} --properties {} --name {} --resource-group {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x10610fe20>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x106162440>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x106162560>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x105555000>, <function CLIQuery.handle_query_parameter at 0x105572440>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x1061624d0>] az_command_data_logger: extension name: datafactory az_command_data_logger: extension version: 0.7.0 cli.azure.cli.core.commands.client_factory: Getting management service client client_type=DataFactoryManagementClient cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/levgoronshteyn/.azure/msal_token_cache.json', encrypt=False cli.azure.cli.core.auth.binary_cache: load: /Users/levgoronshteyn/.azure/msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? False cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={} cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: 9595f627-1f6f-4a9d-9003-26dbaa3937a7 cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService123?api-version=2018-06-01' cli.azure.cli.core.sdk.policies: Request method: 'PUT' cli.azure.cli.core.sdk.policies: Request headers: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json' cli.azure.cli.core.sdk.policies: 'Content-Length': '319' cli.azure.cli.core.sdk.policies: 'Accept': 'application/json' cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '129b0dce-95ec-11ed-be34-8ae36afd6c2a' cli.azure.cli.core.sdk.policies: 'CommandName': 'datafactory linked-service create' cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--factory-name --properties --name --resource-group --debug' cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.44.1 (HOMEBREW) azsdk-python-mgmt-datafactory/2.8.0 Python/3.10.9 (macOS-12.6.1-arm64-arm-64bit)' cli.azure.cli.core.sdk.policies: 'Authorization': '*****' cli.azure.cli.core.sdk.policies: Request body: cli.azure.cli.core.sdk.policies: {"properties": {"type": "AzureBlobStorage", "typeProperties": {"connectionString": {"type": "SecureString", "value": "DefaultEndpointsProtocol=https;AccountName=levgoronshteynstorage;AccountKey=NJaByjNTG3KXxRyROBeDFPjK0PIUMViIop7r+79tRLBVSQNmmspGBdwI4ns2qGyp1HtvrZC+6hYf+AStVaZ8eg==;EndpointSuffix=core.windows.net"}}}} urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443 urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService123?api-version=2018-06-01 HTTP/1.1" 200 None cli.azure.cli.core.sdk.policies: Response status: 200 cli.azure.cli.core.sdk.policies: Response headers: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache' cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache' cli.azure.cli.core.sdk.policies: 'Transfer-Encoding': 'chunked' cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8' cli.azure.cli.core.sdk.policies: 'Content-Encoding': 'gzip' cli.azure.cli.core.sdk.policies: 'Expires': '-1' cli.azure.cli.core.sdk.policies: 'Vary': 'Accept-Encoding' cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '13913a9e-5663-4214-96af-a686b769840d' cli.azure.cli.core.sdk.policies: 'Server': 'Kestrel' cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199' cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '13913a9e-5663-4214-96af-a686b769840d' cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'CANADACENTRAL:20230116T222108Z:13913a9e-5663-4214-96af-a686b769840d' cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff' cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 16 Jan 2023 22:21:07 GMT' cli.azure.cli.core.sdk.policies: Response content: cli.azure.cli.core.sdk.policies: { "id": "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService123", "name": "exampleLinkedService123", "type": "Microsoft.DataFactory/factories/linkedservices", "properties": { "type": "AzureBlobStorage", "typeProperties": { "connectionString": { "type": "SecureString", "value": "**********" }, "encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIkRBVEFGQUNUT1JZQDZFNUJDMDcwLTM0NzktNDJFMC1BQTQ1LUQyNzlGNjc4MEJGQ18xMzk5MzM3Yy1mNTE5LTQ0ODQtODcwYi03Njg3YmE1Y2Y0ZWYiDQp9" } }, "etag": "a10008d2-0000-0100-0000-63c5cdd40000" } cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x1061370a0>, <function _x509_from_base64_to_hex_transform at 0x106137130>] cli.knack.cli: Event: CommandInvoker.OnFilterResult [] { "etag": "a10008d2-0000-0100-0000-63c5cdd40000", "id": "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/test-lg/providers/Microsoft.DataFactory/factories/example-lev/linkedservices/exampleLinkedService123", "name": "exampleLinkedService123", "properties": { "accountKey": null, "accountKind": null, "additionalProperties": null, "annotations": null, "azureCloudType": null, "connectVia": null, "connectionString": { "type": "SecureString", "value": "**********" }, "credential": null, "description": null, "encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIkRBVEFGQUNUT1JZQDZFNUJDMDcwLTM0NzktNDJFMC1BQTQ1LUQyNzlGNjc4MEJGQ18xMzk5MzM3Yy1mNTE5LTQ0ODQtODcwYi03Njg3YmE1Y2Y0ZWYiDQp9", "parameters": null, "sasToken": null, "sasUri": null, "serviceEndpoint": null, "servicePrincipalId": null, "servicePrincipalKey": null, "tenant": null, "type": "AzureBlobStorage" }, "resourceGroup": "test-lg", "type": "Microsoft.DataFactory/factories/linkedservices" } cli.knack.cli: Event: Cli.SuccessfulExecute [] cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x1060f3640>] az_command_data_logger: exit code: 0 cli.__main__: Command ran in 0.926 seconds (init: 0.062, invoke: 0.864) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 3433 in cache telemetry.check: Negative: The /Users/levgoronshteyn/.azure/telemetry.txt was modified at 2023-01-16 17:15:21.879038, which in less than 600.000000 s

Also below is the JSON output from Data Factory Studio:

{
"name": "exampleLinkedService123",
"type": "Microsoft.DataFactory/factories/linkedservices",
"properties": {
"type": "AzureBlobStorage",
"typeProperties": {
"connectionString": {
"type": "SecureString",
"value": "**********"
},
"encryptedCredential": "ew0KICAiVmVyc2lvbiI6ICIyMDE3LTExLTMwIiwNCiAgIlByb3RlY3Rpb25Nb2RlIjogIktleSIsDQogICJTZWNyZXRDb250ZW50VHlwZSI6ICJQbGFpbnRleHQiLA0KICAiQ3JlZGVudGlhbElkIjogIkRBVEFGQUNUT1JZQDZFNUJDMDcwLTM0NzktNDJFMC1BQTQ1LUQyNzlGNjc4MEJGQ18xMzk5MzM3Yy1mNTE5LTQ0ODQtODcwYi03Njg3YmE1Y2Y0ZWYiDQp9"
},
"annotations": []
}
}

[Frey-Wang]

@levgoronshteyn, the connection string supports secure string type and it's expected behavior to convert secure string to "*". Is there any failure regarding this feature?

[levgoronshteyn]

Hi @Frey-Wang,

There is no technical failure, all works but when the client goes to the Azure Portal and visits the Data Factory Studio and then tries to see what the storage account name is, it is all in **********. If you do this through the Azure Portal UI interface manually. the storage account name is not in ******** but in plain text.

See attachment for visual reference.

[Frey-Wang]

Yes, this is expected behavior if you set the secure string type. If you use string type, then you'll see the account name.

[levgoronshteyn]

@Frey-Wang I believe Microsoft documentation states to treat this as secure string and not just a string. If we set the type to string, what ensures that the sensitive data such as AccountKey is encrypted?

@katbyte can you please confirm this?

[Frey-Wang]

If you set to string, the response payload won't contains sensitive information, and those sensitive data will be encrypted into property encryptedCredential.

[levgoronshteyn]

Understood and I will need to wait for @katbyte to respond with next steps.

[levgoronshteyn]

Hi @Frey-Wang after speaking with the team internally, we feel that we should be using the SecureString to deliver the data to the API and then the portal should be able to work with that encrypted data to parse out what needs to stay encrypted and hidden as ***** and what doesn't such as the storage account name.

Is there a good reason why the portal cannot do that or shouldn't be doing that? Also what is the point of the SecureString if the information about what is created is hidden 100% and becomes unusable after the the fact, how do other users of SecureString then deal with how to manage the linked service if they cannot see what was done?

[Frey-Wang]

Hi @levgoronshteyn, the using of SecureString means you don't want specific property being viewed when get to list related information. By design we'll automatically extract sensitive information and leave the other information visible, but since you set the whole property to be SecureString, it becomes asterisks.

Even though it becomes asterisks, all functionality of activities are still available, the point here is that the user can use it to mask the whole property in case, for example if the data factory is shared, then other user can see it as well.

[levgoronshteyn]

@Frey-Wang could you please also let me know why Azure CLI documentation by default provides the example as SecureString and doesnt have any references that i can find to change that to a string. If you take TFE out of the picture and just use AZ CLI, it will also use SecureString.

[Frey-Wang]

@levgoronshteyn, which doc do you refer to? In this example doc there is no secure string at all: https://learn.microsoft.com/en-us/azure/data-factory/quickstart-create-data-factory-azure-cli

[levgoronshteyn]

@Frey-Wang please see link below:

https://learn.microsoft.com/en-us/cli/azure/datafactory/linked-service?view=azure-cli-latest#az-datafactory-linked-service-create

I do not see any reference to changing the example provided, or an indication of using string.

[Frey-Wang]

Hi @levgoronshteyn, thanks for bring this out. The one you sent is a bit outdated. Please follow this one: https://learn.microsoft.com/en-us/azure/data-factory/quickstart-create-data-factory-azure-cli

[levgoronshteyn]

Thank you @Frey-Wang and will try it.