This content originally appeared on DEV Community and was authored by Ihechi Okere
🔐 Securing Bicep Outputs: A Game-Changer for Logic App Deployments
While developing a module to deploy a Logic App using Azure Bicep, I hit a frustrating snag: I couldn’t securely hide one of the outputs.. specifically, the storage account keys. The issue arose when I needed to call the storage account module from within the Logic App module. If a certain parameter was set to true, it would create a new storage account. Simple enough, right?
Well, not quite.
The Problem: Exposed Secrets
Every time I tried this setup, I ran into a Bicep linting error. More importantly, I was uneasy about the fact that the storage account key would always be exposed in the deployment output. Anyone with access to the deployment history could easily view it under:
Resource Group → Settings → Deployments
Here’s what that looks like:
This meant that even sensitive values like storage keys were visible in plain text—an obvious security risk, especially in shared environments or production scenarios.
My Temporary Solution: Separation of Concerns
At the time, the only workaround was to separate the storage account module from the Logic App deployment entirely. It wasn’t elegant, but it avoided exposing secrets. I shelved the problem, hoping for a better solution down the line.
The Comeback: Enter @secure() for Outputs
And then—plot twist! Microsoft dropped a powerful new feature in Bicep v0.35.1: the @secure() decorator for outputs. 🎉
Previously, @secure() was only available for input parameters. Outputs, no matter how sensitive, were always exposed in plain text. But now, you can mark outputs as secure, and they’ll be hidden from the deployment logs.
This is a huge win for anyone managing secrets or sensitive infrastructure details in Bicep.
Example Usage
@secure()
output storageKey string = storageAccount.listKeys().keys[0].value
With this, the output will no longer appear in plain text in the deployment history. Instead, it’s masked—just like secure parameters.
Still Seeing Linting Errors?
If you’re still getting linting errors when using @secure() on outputs, chances are you’re running an older version of Bicep.
🔍 Check your version:
az bicep version
📦 Install a specific version:
az bicep install --version v0.35.1
⬆️ Or upgrade to the latest:
az bicep upgrade
Learn More:
For full details, check out the official Microsoft documentation:
Secure Outputs in Bicep
This small but mighty feature makes Bicep even more production-ready. If you’ve ever hesitated to use outputs for sensitive data, now’s the time to revisit your templates.
Have you tried the new @secure() decorator yet? I’d love to hear how it’s changed your workflow or if you’ve found other clever ways to manage secrets in Bicep.
This content originally appeared on DEV Community and was authored by Ihechi Okere
Ihechi Okere | Sciencx (2025-07-05T00:24:26+00:00) Secure Outputs in Bicep. Retrieved from https://www.scien.cx/2025/07/05/secure-outputs-in-bicep/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.