ericonline
Community Champion

BEST PRACTICES: How to Protect Secrets in Power Automate?

What are some best practices for protecting secrets in Power Automate? 

  • "Secrets" such as usernames, passwords, clientIDs, clientSecrets, api keys, etc. are often required when using HTTP actions in Power Automate
  • These secrets are often embedded in plaintext in headers, urls or Request bodies
  • When you share a Flow, you share these plaintext values
  • Not everyone understands how to sanitize things before sharing or exporting
  • This is insecure

Further reading:

https://engineering.udacity.com/three-simple-rules-for-putting-secrets-into-git-d47b207852b9

https://blog.cryptomove.com/secrets-management-guide-approaches-open-source-tools-commercial-product...

Please consider voting for this idea:

https://powerusers.microsoft.com/t5/Power-Automate-Ideas/Protect-Secrets-in-Power-Automate/idi-p/430...


Accepted Solutions
v-litu-msft
Community Support

Hi @ericonline,

Actually, there is no connector or action that is intended to protect the secret.

As a workaround, I usually store these pieces of information in a SharePoint list within a private SharePoint Group, so it can be accessed only by me. When I am using it I just need to add the Get item action, and then the username, password and APIKey appear as dynamic content.



I hope something helps.

Best Regards,
Community Support Team _ Lin Tu
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.


@ericonline - If you review the post, it does at first indicate how the secret is left in plain text in the history; however, by setting the Secure Outputs option, you can see it is now hidden from the run history.


Hi @v-litu-msft , this is a good idea, thank you for sharing. I will suggest your idea in the short term.

I'd still like to see a true "secrets" action in Power Automate that stores everything in an encrypted state rather than plaintext.

Did some more research and found John Lui's post on using Tracked Properties to "hide" secrets from view. Unfortunately, when you export the Flow, Tracked Properties are visible in plain text within definition.json.

Esli
Frequent Visitor

@ericonline

Can't you use Azure Key Vault for this?
It even has a connector in flow.


https://docs.microsoft.com/nl-be/connectors/keyvault

seadude
Memorable Member

Great idea! I looked closer at the Get Secret action, which is what I think I'd use the Key Vault service for (holding API keys for example). It states the key would be visible in the Run History of the Flow...

https://docs.microsoft.com/nl-be/connectors/keyvault/#get-secret

Hm... I don't want my keys in plain text ANYWHERE, especially not in an artifact such as each Flow run!

ericonline
Community Champion

The question remains: How do you protect secrets in Flow? 


Just validated that Key Vault is NOT an option...

Storing secrets in Key Vault and using the Key Vault Actions in Flow DOES NOT actually protect secrets. The secrets are visible in plain text in the run history BOTH in the Key Vault Actions themselves AND any references to the secrets:


This is unfortunate. Is there not a way to treat the output of these values with some opaqueness? Maybe "*******"?

@ChristopherMank At first I thought so as well, but the secrets are left in plain text in the Flow run history. My previous post shows an example.


Dang! I totally missed that new functionality. Thank you for bringing it up!

mdevaney
Super User

@ericonline 

There are 2 steps needed to secure a password in a flow action:

  • Secure Inputs + Outputs in the flow action settings
  • Retrieve keys from a (free) Azure Key Vault so you don't have to store the password in the flow


Check out this article if you require full instructions:


Link to Article - Hide Passwords In Power Automate Flows (and API Keys, Secrets)

https://matthewdevaney.com/hide-passwords-in-power-automate-flows-and-api-keys-secrets/

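Both steps above (and the earlier point that an exported definition.json carries plaintext values) can be checked before a flow is shared or exported. The script below is an added example, not code from the thread or from Power Automate: it walks the actions in an exported definition, flags literal values under secret-looking keys or query parameters (a value starting with "@" is treated as a dynamic expression such as a Key Vault reference, not a literal), and reports actions whose Secure Inputs/Outputs are not enabled. The `properties.definition.actions` layout and the `runtimeConfiguration.secureData.properties` setting are assumed from the Logic Apps workflow definition format; the sample definition is constructed.

```python
import json
import re

# Constructed stand-in for an exported Power Automate definition.json, trimmed to the
# fields this audit reads (layout assumed from the Logic Apps workflow format). The HTTP
# action embeds secrets in its URL and headers with no Secure Inputs/Outputs; the Key Vault
# action is secured, and the body's "@outputs(...)" reference to it is an expression.
SAMPLE_DEFINITION = json.loads("""{"properties": {"definition": {"actions": {
  "HTTP_call_api": {"type": "Http", "inputs": {
    "method": "POST",
    "uri": "https://api.example.invalid/v1/items?api_key=CONSTRUCTED_KEY_123456",
    "headers": {"Authorization": "Bearer CONSTRUCTED_TOKEN_abcdef"},
    "body": {"password": "@outputs('Get_secret')?['body/value']"}}},
  "Get_secret": {"type": "OpenApiConnection",
    "runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}},
    "inputs": {"parameters": {"name": "api-key"}}}}}}}""")

# Keys and query parameters whose values are treated as secrets.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|api[_-]?key|token|authorization", re.I)

def _leaves(node, path):
    """Yield (path, value) for every string leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_flow(definition):
    """Return finding strings for plaintext secrets and unsecured actions in a flow."""
    findings = []
    actions = definition["properties"]["definition"].get("actions", {})
    for name, action in actions.items():
        for path, value in _leaves(action.get("inputs", {}), f"{name}.inputs"):
            key = path.rsplit(".", 1)[-1]
            # A literal under a secret-looking key ships in plain text with the export;
            # a value starting with "@" is an expression such as a Key Vault reference.
            if SECRET_KEY_RE.search(key) and not value.startswith("@"):
                findings.append(f"{path}: literal secret value")
            for param in re.findall(r"[?&]([^=&]+)=", value):
                if SECRET_KEY_RE.search(param):
                    findings.append(f"{path}: secret in query parameter {param}")
        # Secure Inputs/Outputs keeps the values out of the run history.
        secured = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        for prop in ("inputs", "outputs"):
            if prop not in secured:
                findings.append(f"{name}: Secure {prop} not enabled")
    return findings
```

Run it against a real export with `audit_flow(json.load(open("definition.json")))`; an empty list means no literal secrets were found and every action has both Secure Inputs and Secure Outputs set.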
