cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Super User
Super User

BEST PRACTICES: How to Protect Secrets in Power Automate?

What are some best practices for protecting secrets in Power Automate? 

  • "Secrets" such as usernames, passwords, clientIDs, clientSecrets, api keys, etc. are often required when using HTTP actions in Power Automate
  • These secrets are often embedded in plaintext in headers, urls or Request bodies
  • When you share a Flow, you share these plaintext values
  • Not everyone understands how to sanitize things before sharing or exporting
  • This is insecure

Further reading:

https://engineering.udacity.com/three-simple-rules-for-putting-secrets-into-git-d47b207852b9

https://blog.cryptomove.com/secrets-management-guide-approaches-open-source-tools-commercial-product...

Please consider voting for this idea:

https://powerusers.microsoft.com/t5/Power-Automate-Ideas/Protect-Secrets-in-Power-Automate/idi-p/430...

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Community Support
Community Support

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

Hi @ericonline,

 

Actually, there is no connector or action that is about to protect the secret.

As a workaround, I usually store these pieces of information into a SharePoint list within the private Group of SharePoint, it could be accessed only for me. When I using it I just need to add the Get item action, then username, password, APIKey, would appear as dynamic content.

Annotation 2019-12-20 111637.png

 

I hope something helps.

Best Regards,
Community Support Team _ Lin Tu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

6 REPLIES 6
Highlighted
Community Support
Community Support

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

Hi @ericonline,

 

Actually, there is no connector or action that is about to protect the secret.

As a workaround, I usually store these pieces of information into a SharePoint list within the private Group of SharePoint, it could be accessed only for me. When I using it I just need to add the Get item action, then username, password, APIKey, would appear as dynamic content.

Annotation 2019-12-20 111637.png

 

I hope something helps.

Best Regards,
Community Support Team _ Lin Tu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

Highlighted
Super User
Super User

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

Hi @v-litu-msft , this is a good idea, thank you for sharing. I will suggest your idea in the short term.

I'd still like to see a true "secrets" action in Power Automate that stores everything in an encrypted state rather than plaintext.

Highlighted
Super User
Super User

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

Did some more research and found John Lui's post on using Tracked Properties to "hide" secrets from view. Unfortunately, when you export the Flow, Tracked Properties are visible in plain text within definition.json.

Highlighted
Frequent Visitor

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

@ericonline

Can't you use Azure Key Vault for this?
It even has a connector in flow.

 

https://docs.microsoft.com/nl-be/connectors/keyvault

Highlighted
Super User
Super User

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

Great dea! I looked closer at the Get Secret action, which is what I think I'd use the Key Vault service for (holding API keys for example). It states the key would be visible in the Run History of the Flow...

https://docs.microsoft.com/nl-be/connectors/keyvault/#get-secret

Hm... I don't want my keys in plain text ANYWHERE, especially not in an artifact such as each Flow run!

Highlighted
Super User
Super User

Re: BEST PRACTICES: How to Protect Secrets in Power Automate?

The question remains: How do you protect secrets in Flow? 

 

Just validated that Key Vault is NOT an option...

Storing secrets in Key Vault and using the Key Vault Actions in Flow DOES NOT actually protect secrets. The secrets are visible in plain text in the run history BOTH in the Key Vault Actions themselves AND any references to the secrets:

 

image.png

 

This is unfortunate. Is there not a way to treat the output of these values with some opaqueness? Maybe "*******"?

Helpful resources

Announcements
firstImage

Super User Program Update

Three Super User rank tiers have been launched!

firstImage

Power Platform 2020 release wave 2 plan

Features releasing from October 2020 through March 2021

firstImage

New & Improved Power Automate Community Cookbook

We've updated and improved the layout and uploading format of the Power Automate Cookbook!

thirdimage

Power Automate Community User Group Member Badge

Fill out a quick form to claim your user group badge now!

Top Solution Authors
Top Kudoed Authors
Users online (7,628)