1
votes

I don't understand the purpose of the greyed out Actual Value field in the Logic Apps Designer. I guess it might be relevant when dealing with a Secure String, especially since this message comes up when entering a value in Default Value for this type of Parameter:

It is not recommended to set a default value for type 'SecureString' because it will be stored as plain text.

Secure String Parameter in Designer mode

I imagine there might be a way to pass the actual ApiKey value via a different mechanism at runtime, which would supersede my default string "secret", but I have no idea how to do this. For instance, if my Logic App is on an HTTP Trigger, would passing a header? or query param? called "ApiKey" with the actual key work?

Where is this process documented for all Trigger types?

And still, what is the purpose of the Actual Value field in Designer?

Edit following @hury-shen's comment dated 2020-10-29 below:

This is what I've tried:

Logic App Code view

however this (still) returns:

Operation failed: The request content is not valid and could not be deserialized: 'Could not find member 'reference' on object of type 'FlowTemplateParameter'. Path 'properties.parameters.ApiKey.reference', line 1, position 3710.'.

when I try to switch back to Designer mode.


1 Answer

1
votes

When we define parameters in a logic app, the value will be visible in the code view of the logic app even though we choose the "Secure String" type. If you want to use a username, password, and secret as parameters, you can store them in Azure Key Vault and then define the parameters at the workflow definition level like this:

{
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   // Template parameter values
   "parameters": {
      "<parameter-name-1>": {
         "value": "<parameter-value>"
      },
      "<parameter-name-2>": {
         "value": "<parameter-value>"
      },
      "<secured-parameter-name>": {
         "reference": {
            "keyVault": {
               "id": "/subscriptions/<Azure-subscription-ID>/resourceGroups/<Azure-resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
            },
            "secretName": "<secret-name>"
         }
      },
      <other-parameter-values>
   }
}
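
The JSON above uses the deploymentParameters.json schema, whereas the error quoted in the question points at the workflow's own `properties.parameters`. The following check is an added example, not part of the original answer: it scans a logic app ARM template for both problems raised on this page. The sample template is constructed, the function names are hypothetical, and it assumes the workflow is a `Microsoft.Logic/workflows` resource in the template.

```python
import json

# Constructed sample: a logic app ARM template containing both mistakes.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"ApiKey": {"type": "securestring", "defaultValue": "secret"}},
  "resources": [{
    "type": "Microsoft.Logic/workflows",
    "properties": {
      "definition": {"parameters": {"ApiKey": {"type": "SecureString"}}},
      "parameters": {
        "ApiKey": {"reference": {"keyVault": {"id": "<key-vault-resource-id>"},
                                 "secretName": "<secret-name>"}}
      }
    }
  }]
}
""")

SECURE_TYPES = ("securestring", "secureobject")


def plaintext_defaults(params, where):
    """Flag secure parameters whose default value would be stored as plain text."""
    return [f"{where}.{name}: secure parameter has a defaultValue"
            for name, spec in params.items()
            if spec.get("type", "").lower() in SECURE_TYPES and "defaultValue" in spec]


def lint_template(template):
    """Return a list of findings for a logic app ARM template (hypothetical helper)."""
    findings = plaintext_defaults(template.get("parameters", {}), "parameters")
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.logic/workflows":
            continue
        props = res.get("properties", {})
        wf_params = props.get("definition", {}).get("parameters", {})
        findings += plaintext_defaults(wf_params, "properties.definition.parameters")
        # The workflow's parameter values take "value"; the error quoted in the
        # question is raised when "reference" appears here instead.
        for name, val in props.get("parameters", {}).items():
            if isinstance(val, dict) and "reference" in val:
                findings.append(f"properties.parameters.{name}: 'reference' found, "
                                "expected 'value'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_template(SAMPLE_TEMPLATE)))
```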