https://community.dynatrace.com/t5/Cloud-platforms/Secure-Dynatrace-API-Token-in-Exported-Azure-ARM-Templates/m-p/291570#M2216 <P>Hey&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/90573">@Jet</a>&nbsp;,<BR /><SPAN>I just wanted to check in and see if you still need help with this. If so, I’d be happy to look into it for you!&nbsp;</SPAN><SPAN class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:"><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></SPAN><BR /><SPAN>Please let me know what works best for you.</SPAN></P> Tue, 16 Dec 2025 13:22:16 GMT IzabelaRokita 2025-12-16T13:22:16Z https://community.dynatrace.com/t5/Cloud-platforms/Secure-Dynatrace-API-Token-in-Exported-Azure-ARM-Templates/m-p/282768#M2109 <P class="">We are installing the<SPAN>&nbsp;</SPAN>Dynatrace OneAgent<SPAN>&nbsp;</SPAN>on an<SPAN>&nbsp;</SPAN><STRONG>Azure Managed Service Fabric cluster</STRONG><SPAN>&nbsp;</SPAN>using an<SPAN>&nbsp;</SPAN>Azure ARM template. The<SPAN>&nbsp;</SPAN><STRONG>Dynatrace API token</STRONG><SPAN>&nbsp;</SPAN>is passed as a<SPAN>&nbsp;</SPAN>secret value<SPAN>&nbsp;</SPAN>with a reference to an<SPAN>&nbsp;</SPAN>Azure Key Vault secret.</P> <P class="">Basically, the<SPAN>&nbsp;</SPAN><STRONG>Azure Virtual Machine Scale Set (VMSS) extension&nbsp;</STRONG>is installed on the<SPAN>&nbsp;</SPAN>Azure Managed Service Fabric cluster node type. We cannot install the extension directly on the VMSS because it will be deleted during the next<SPAN>&nbsp;</SPAN>Azure Managed Service Fabric cluster update. Instead, it must be installed as an extension on the Service Fabric cluster , as documented in<SPAN>&nbsp;</SPAN>Microsoft's official documentation.</P> <LI-CODE lang="javascript">{ "name": "dynatrace", "properties": { "publisher": "dynatrace.ruxit", "type": "&lt;Extension-Type&gt;", "typeHandlerVersion": "&lt;Extension-Version&gt;", "autoUpgradeMinorVersion": true, "settings": { "tenantId": "&lt;Environment-ID&gt;", "token": "&lt;API-Token&gt;", "server": "&lt;Server-Url&gt;", "enableLogAnalytics": "yes", "hostGroup": "&lt;Host-Group&gt;" }, } }</LI-CODE> <P class="">&nbsp;</P> <P class="">The issue is that<SPAN>&nbsp;</SPAN>anyone with permissions&nbsp;to export the&nbsp;ARM template&nbsp;of the&nbsp;Azure Managed Service Fabric cluster&nbsp;from the&nbsp;Azure Portal&nbsp;can see the&nbsp;Dynatrace API token&nbsp;in the exported template, which poses a<SPAN>&nbsp;</SPAN><STRONG>security risk</STRONG>.</P> <P class="">However, if we install the<SPAN>&nbsp;</SPAN><STRONG>OneAgent</STRONG><SPAN>&nbsp;</SPAN>using<SPAN>&nbsp;</SPAN><STRONG>Azure CLI</STRONG><SPAN>&nbsp;</SPAN>directly on the<SPAN>&nbsp;</SPAN><STRONG>Azure Virtual Machine</STRONG>, this issue does not occur. The exported ARM template does not include plain text Dynatrace API token.</P> <P class="">Is it possible to mitigate the Dynatrace access token exposure in this case when One agent is installed via ARM template not with az cli or Powershell ?&nbsp;</P> <P class="">&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV> <DIV>&nbsp;</DIV> </DIV> Tue, 16 Dec 2025 13:21:36 GMT https://community.dynatrace.com/t5/Cloud-platforms/Secure-Dynatrace-API-Token-in-Exported-Azure-ARM-Templates/m-p/282768#M2109 Jet 2025-12-16T13:21:36Z https://community.dynatrace.com/t5/Cloud-platforms/Secure-Dynatrace-API-Token-in-Exported-Azure-ARM-Templates/m-p/291570#M2216 <P>Hey&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/90573">@Jet</a>&nbsp;,<BR /><SPAN>I just wanted to check in and see if you still need help with this. If so, I’d be happy to look into it for you!&nbsp;</SPAN><SPAN class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:"><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></SPAN><BR /><SPAN>Please let me know what works best for you.</SPAN></P> Tue, 16 Dec 2025 13:22:16 GMT https://community.dynatrace.com/t5/Cloud-platforms/Secure-Dynatrace-API-Token-in-Exported-Azure-ARM-Templates/m-p/291570#M2216 IzabelaRokita 2025-12-16T13:22:16Z