Security Guidelines

azd exec is a powerful tool that requires careful handling. Understand the security implications before use.

⚠️ Critical Security Warning

azd exec grants scripts full access to your Azure credentials and environment. Always review scripts before execution. Never run untrusted code.

What Scripts Can Access

When you run a script with azd exec, it has access to:

🔐 Azure Credentials

  • Azure CLI authentication tokens
  • Active Azure subscription
  • Service principal credentials (if configured)
  • Managed identity (in Azure-hosted environments)

🌍 Environment Variables

  • AZURE_SUBSCRIPTION_ID
  • AZURE_ENV_NAME
  • AZURE_LOCATION
  • Custom variables from .env
  • All system environment variables

💾 File System

  • Read/write access to your file system
  • Project files and source code
  • Configuration files
  • Local secrets and credentials

🌐 Network

  • Full network access
  • Can make external API calls
  • Can download/upload data
  • Can communicate with Azure services

Safe Practices

✅ DO These Things

  • Review scripts before running
    Terminal window
    # Read the script first
    cat run-migration.sh
    

    # Then execute
    azd exec ./run-migration.sh
  • Use version control for scripts

    Track changes to scripts in Git. Review diffs before pulling updates.

  • Verify script sources

    Only run scripts from trusted sources: official documentation, your team's repositories, or verified open-source projects.

  • Use HTTPS for downloads
    Terminal window
    # Download and review before executing
    curl -O https://trusted-source.com/migration.sh
    cat migration.sh
    azd exec ./migration.sh
  • Store secrets in Azure Key Vault
    Terminal window
    # Retrieve secrets at runtime using azd exec
    API_KEY=$(azd exec -- az keyvault secret show \
      --name "api-key" \
      --vault-name "kv-$AZURE_ENV_NAME" \
      --query "value" -o tsv)
  • Use least privilege Azure RBAC roles

    Grant scripts only the permissions they need. Avoid Owner or Contributor roles when Reader or specific roles suffice.

  • Enable audit logging
    Terminal window
    # Log script execution
    echo "[$(date)] Running migration script" >> ~/.azd-exec-audit.log
    azd exec ./run-migration.sh

❌ DON'T Do These Things

  • Never pipe untrusted scripts directly
    Terminal window
    # ❌ DANGEROUS - Don't do this!
    curl http://unknown-site.com/migration.sh | azd exec -
    

    # ❌ Also dangerous
    wget -O - https://site.com/setup.sh | azd exec -
  • Don't store secrets in environment variables
    Terminal window
    # ❌ Bad practice
    export DATABASE_PASSWORD='my-secret-password'
    azd exec ./run-migration.sh
  • Don't ignore script warnings or errors
    Terminal window
    # ❌ Don't suppress errors
    azd exec ./migration.sh 2>/dev/null
  • Don't use production credentials in development

    Use separate Azure subscriptions or environments for development and production.

  • Don't commit secrets to version control
    Terminal window
    # ✅ Use .env and .gitignore
    echo "*.env" >> .gitignore
    echo "API_KEY=secret123" >> .env.local
  • Don't disable security features
    Terminal window
    # ❌ Don't do this
    set +e  # Disables error handling
    # ... run risky commands

Common Attack Vectors

🎯 Malicious Script Injection

Risk: Attacker tricks you into running malicious code disguised as helpful scripts.

Prevention:

  • Always inspect scripts before execution
  • Verify the source of scripts from documentation
  • Use checksums to verify script integrity
Terminal window
# Verify script integrity
sha256sum script.sh
# Compare with published checksum

🎯 Credential Theft

Risk: Scripts exfiltrate Azure credentials or secrets to external servers.

Prevention:

  • Review network calls in scripts
  • Monitor Azure activity logs
  • Use network policies to restrict outbound connections
  • Rotate credentials regularly

🎯 Resource Abuse

Risk: Scripts create expensive Azure resources or cryptocurrency miners.

Prevention:

  • Set Azure spending limits and budgets
  • Review resource creation in scripts
  • Enable Azure Cost Management alerts
  • Use Azure Policy to restrict resource types

🎯 Data Exfiltration

Risk: Scripts upload sensitive data to unauthorized locations.

Prevention:

  • Audit file operations in scripts
  • Use Azure Private Link for sensitive workloads
  • Enable data loss prevention policies
  • Monitor unusual data transfer patterns

Incident Response

If you suspect a security incident:

  1. Immediately revoke Azure credentials
    Terminal window
    # Logout from Azure CLI
    azd auth logout
    

    # Revoke all sessions (Azure Portal)
    # Azure Portal > Azure Active Directory > Users > [Your User] > Revoke Sessions
  2. Rotate all secrets and keys

    Update secrets in Azure Key Vault, regenerate storage account keys, rotate service principal credentials.

  3. Review Azure Activity Logs
    Terminal window
    # Check recent Azure activities
    azd exec -- az monitor activity-log list \
      --start-time $(date -u -d "1 hour ago" "+%Y-%m-%dT%H:%M:%SZ") \
      --query "[?contains(authorization.action, 'write')]" \
      -o table
  4. Delete unauthorized resources

    Identify and remove any resources created by malicious scripts.

  5. Report the incident

    If the script was from a public source, report it. Contact your security team if in an organization.

Additional Resources

📄 Complete Threat Model 🔍 Security Review 🛡️ Azure Security Best Practices 📚 Getting Started Guide