cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
ericonline
Community Champion
Community Champion

BEST PRACTICES: How to Protect Secrets in Power Automate?

‎12-19-2019 02:21 PM

What are some best practices for protecting secrets in Power Automate? 

  • "Secrets" such as usernames, passwords, clientIDs, clientSecrets, api keys, etc. are often required when using HTTP actions in Power Automate
  • These secrets are often embedded in plaintext in headers, urls or Request bodies
  • When you share a Flow, you share these plaintext values
  • Not everyone understands how to sanitize things before sharing or exporting
  • This is insecure

Further reading:

https://engineering.udacity.com/three-simple-rules-for-putting-secrets-into-git-d47b207852b9

https://blog.cryptomove.com/secrets-management-guide-approaches-open-source-tools-commercial-product...

Please consider voting for this idea:

https://powerusers.microsoft.com/t5/Power-Automate-Ideas/Protect-Secrets-in-Power-Automate/idi-p/430...

Labels:
Message 1 of 12
6,878 Views
0 Kudos
2 ACCEPTED SOLUTIONS

Accepted Solutions
v-litu-msft
Community Support
Community Support

‎12-19-2019 07:17 PM

Hi @ericonline,

 

Actually, there is no connector or action that is about to protect the secret.

As a workaround, I usually store these pieces of information into a SharePoint list within the private Group of SharePoint, it could be accessed only for me. When I using it I just need to add the Get item action, then username, password, APIKey, would appear as dynamic content.

Annotation 2019-12-20 111637.png

 

I hope something helps.

Best Regards,
Community Support Team _ Lin Tu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Message 2 of 12
6,859 Views
ChristopherMank
Advocate I
Advocate I
In response to ericonline

‎12-28-2020 09:34 AM

@ericonline - If you review the post, it at first does indicate how the secret is left in plain text in the history, however by setting the Secure Outputs section, you can see it is now hidden from the run history.

 

asdf.png

View solution in original post

Message 10 of 12
5,993 Views
11 REPLIES 11
v-litu-msft
Community Support
Community Support

‎12-19-2019 07:17 PM

Hi @ericonline,

 

Actually, there is no connector or action that is about to protect the secret.

As a workaround, I usually store these pieces of information into a SharePoint list within the private Group of SharePoint, it could be accessed only for me. When I using it I just need to add the Get item action, then username, password, APIKey, would appear as dynamic content.

Annotation 2019-12-20 111637.png

 

I hope something helps.

Best Regards,
Community Support Team _ Lin Tu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 12
6,860 Views
ericonline
Community Champion
Community Champion
In response to v-litu-msft

‎12-20-2019 07:31 AM

Hi @v-litu-msft , this is a good idea, thank you for sharing. I will suggest your idea in the short term.

I'd still like to see a true "secrets" action in Power Automate that stores everything in an encrypted state rather than plaintext.

Message 3 of 12
6,853 Views
0 Kudos
seadude
Memorable Member
Memorable Member
In response to ericonline

‎01-11-2020 07:05 PM

Did some more research and found John Lui's post on using Tracked Properties to "hide" secrets from view. Unfortunately, when you export the Flow, Tracked Properties are visible in plain text within definition.json.

Message 4 of 12
6,840 Views
0 Kudos
Esli
Frequent Visitor

‎01-30-2020 03:18 AM

@ericonline

Can't you use Azure Key Vault for this?
It even has a connector in flow.

 

https://docs.microsoft.com/nl-be/connectors/keyvault

Message 5 of 12
6,807 Views
seadude
Memorable Member
Memorable Member
In response to Esli

‎01-30-2020 08:23 PM

Great dea! I looked closer at the Get Secret action, which is what I think I'd use the Key Vault service for (holding API keys for example). It states the key would be visible in the Run History of the Flow...

https://docs.microsoft.com/nl-be/connectors/keyvault/#get-secret

Hm... I don't want my keys in plain text ANYWHERE, especially not in an artifact such as each Flow run!

Message 6 of 12
6,779 Views
0 Kudos
ericonline
Community Champion
Community Champion
In response to seadude

‎07-14-2020 03:30 PM

The question remains: How do you protect secrets in Flow? 

 

Just validated that Key Vault is NOT an option...

Storing secrets in Key Vault and using the Key Vault Actions in Flow DOES NOT actually protect secrets. The secrets are visible in plain text in the run history BOTH in the Key Vault Actions themselves AND any references to the secrets:

 

image.png

 

This is unfortunate. Is there not a way to treat the output of these values with some opaqueness? Maybe "*******"?

Message 7 of 12
6,559 Views
0 Kudos
ChristopherMank
Advocate I
Advocate I
In response to ericonline

‎12-24-2020 08:15 PM

This looks like a great solution for this:

https://flowaltdelete.ca/2020/06/08/grab-azure-key-vault-secrets-securely/

Message 8 of 12
6,013 Views
0 Kudos
ericonline
Community Champion
Community Champion
In response to ChristopherMank

‎12-28-2020 09:21 AM

@ChristopherMank At first I thought so as well, but the secrets are left in plain text in the Flow run history. My previous post shows an example.

Message 9 of 12
5,997 Views
0 Kudos
ChristopherMank
Advocate I
Advocate I
In response to ericonline

‎12-28-2020 09:34 AM

@ericonline - If you review the post, it at first does indicate how the secret is left in plain text in the history, however by setting the Secure Outputs section, you can see it is now hidden from the run history.

 

asdf.png

Message 10 of 12
5,994 Views
ericonline
Community Champion
Community Champion
In response to ChristopherMank

‎12-28-2020 09:53 AM

Dang! I totally missed that new functionality. Thank you for bringing it up!

Message 11 of 12
5,992 Views
0 Kudos
mdevaney
Super User
Super User

‎09-26-2021 11:42 AM

@ericonline 

There's 2 steps needed to secure a password in a flow action:

  • Secure Inputs + Outputs in the flow action settings
  • Retrieve keys from a (free) Azure Key Vault so you don't have to store the password in the flow

 

Check out this article if you require full instructions:

 

Link to Article - Hide Passwords In Power Automate Flows (and API Keys, Secrets)

https://matthewdevaney.com/hide-passwords-in-power-automate-flows-and-api-keys-secrets/

 

powerautomate-hidepassword-21-792x1024.jpg

Message 12 of 12
3,307 Views
0 Kudos

Helpful resources

Announcements
Power Platform Conf 2022 768x460.jpg

Join us for Microsoft Power Platform Conference

The first Microsoft-sponsored Power Platform Conference is coming in September. 100+ speakers, 150+ sessions, and what's new and next for Power Platform.

May UG Leader Call Carousel 768x460.png

June User Group Leader Call

Join us on June 28 for our monthly User Group leader call!

MPA Virtual Workshop Carousel 768x460.png

Register for a Free Workshop

Learn to digitize and optimize business processes and connect all your applications to share data in real time.

Power Automate Designer Feedback_carousel.jpg

Help make Flow Design easier

Are you new to designing flows? What is your biggest struggle with Power Automate Designer? Help us make it more user friendly!

View All
Top Solution Authors
View All
Top Kudoed Authors
View All
Users online (1,296)