Azure Blueprint supports the secureString and secureObject types when you create an artifact and a blueprint definition. So far there is not much information about using secureString with Azure Blueprint.
This article will hopefully clarify how secureString works there.
First of all, Microsoft has something here to check out
Portal UI Discrepancy
If you define a parameter of type secureString as shown below:
    "g_vmLocalAdminPassword": {
        "type": "securestring",
        "minLength": 8,
        "metadata": {
            "displayName": "VM Local Admin Password",
            "description": "Local Admin password for virtual machine"
        }
    }
...and then assign your blueprint and artifact directly from the Azure Portal, you may be surprised by how Azure Blueprint handles it.
This would be considered the default design when you use Azure Blueprint with the Azure Portal UI.
secureString parameter As Code
As with an Azure ARM template, you can supply a Key Vault reference. Take a look at the entry for a secureString parameter in the assignment parameter file, which is the file that stores the actual values.
    "g_vmLocalAdminPassword": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/aa2201b1-a52a-1199-11ec-930c4deb35e8/resourceGroups/azsec-rg/providers/Microsoft.KeyVault/vaults/shared-kv"
            },
            "secretName": "vmLocalAdminPassword"
        }
    }
You can choose to do this as code to avoid the inconvenience of the Azure Portal experience.
Here is an example of using an assignment parameter file to deploy Azure Blueprint as code: https://github.com/azsec/azure-blueprints/tree/master/AzureSecurityCenter
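As an added example (not from the original article or the linked repository), here is a small Python check that could run before an assignment is submitted: it flags any securestring or secureobject parameter whose assignment entry carries an inline value instead of a Key Vault reference like the one shown above. The sample parameter names other than g_vmLocalAdminPassword, the placeholder subscription ID and vault name, and the flat name-to-entry layout of both inputs are assumptions.

```python
import re

SECURE_TYPES = {"securestring", "secureobject"}
# Shape of the Key Vault resource ID used in the reference shown in the article.
VAULT_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.IGNORECASE)

def check_secure_params(definition, assignment):
    """Return (parameter, problem) pairs for secure parameters that are not
    supplied through a well-formed Key Vault reference."""
    findings = []
    for name, spec in definition.items():
        if str(spec.get("type", "")).lower() not in SECURE_TYPES:
            continue  # only secure types are checked
        supplied = assignment.get(name)
        if supplied is None:
            findings.append((name, "no value assigned"))
            continue
        if "value" in supplied:
            # The secret itself would sit in the parameter file.
            findings.append((name, "inline value in parameter file"))
            continue
        ref = supplied.get("reference", {})
        if not VAULT_ID.match(ref.get("keyVault", {}).get("id", "")):
            findings.append((name, "missing or malformed Key Vault id"))
        elif not ref.get("secretName"):
            findings.append((name, "missing secretName"))
    return findings

# Constructed sample data (placeholder IDs and names, not real resources).
KV = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
      "example-rg/providers/Microsoft.KeyVault/vaults/example-kv")
DEFINITION = {
    "g_vmLocalAdminPassword": {"type": "securestring", "minLength": 8},
    "g_sqlAdminPassword": {"type": "secureString"},
    "g_location": {"type": "string"},
}
ASSIGNMENT = {
    "g_vmLocalAdminPassword": {
        "reference": {"keyVault": {"id": KV},
                      "secretName": "vmLocalAdminPassword"}},
    "g_sqlAdminPassword": {"value": "constructed-placeholder"},
    "g_location": {"value": "westeurope"},
}

if __name__ == "__main__":
    for name, problem in check_secure_params(DEFINITION, ASSIGNMENT):
        print(f"{name}: {problem}")
```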