01 Aug 2025 07:04 AM
We are installing the Dynatrace OneAgent on an Azure Managed Service Fabric cluster using an Azure ARM template. The Dynatrace API token is passed as a secret value with a reference to an Azure Key Vault secret.
Basically, the Azure Virtual Machine Scale Set (VMSS) extension is installed on the Azure Managed Service Fabric cluster node type. We cannot install the extension directly on the VMSS because it will be deleted during the next Azure Managed Service Fabric cluster update. Instead, it must be installed as an extension on the Service Fabric cluster, as documented in Microsoft's official documentation.
{
  "name": "dynatrace",
  "properties": {
    "publisher": "dynatrace.ruxit",
    "type": "<Extension-Type>",
    "typeHandlerVersion": "<Extension-Version>",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "tenantId": "<Environment-ID>",
      "token": "<API-Token>",
      "server": "<Server-Url>",
      "enableLogAnalytics": "yes",
      "hostGroup": "<Host-Group>"
    }
  }
}
The issue is that anyone with permissions to export the ARM template of the Azure Managed Service Fabric cluster from the Azure Portal can see the Dynatrace API token in the exported template, which poses a security risk.
However, if we install the OneAgent using Azure CLI directly on the Azure Virtual Machine, this issue does not occur. The exported ARM template does not include the plain-text Dynatrace API token.
Is it possible to mitigate the Dynatrace access token exposure in this case, when OneAgent is installed via ARM template and not with az cli or PowerShell?
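As an added example (not part of the original post, nor Dynatrace or Microsoft code), the following Python script scans an exported ARM template for secret-like keys left in an extension's readable "settings" block and produces the hardened form with those keys moved to "protectedSettings", which ARM encrypts and omits from GET responses and portal exports. The sample template, the secret-key list and the token value are constructed for the example, and the angle-bracket placeholders are left as in the post; whether the Dynatrace extension reads the token from protectedSettings is an assumption to confirm in Dynatrace's documentation before relying on it.

```python
"""Check an exported ARM template for extension secrets sitting in plain-text
"settings" and produce the hardened "protectedSettings" form.

Added example; all data below is constructed for illustration.
"""
import copy
import json

# Normalised key names treated as secrets. Hypothetical list for this example;
# extend it with your own extensions' key names.
SECRET_KEYS = {"token", "apitoken", "apikey", "password", "secret",
               "clientsecret", "accesskey"}

# Constructed sample of an exported template (trimmed; not a real export).
# The token value is fake; angle-bracket placeholders vary per deployment.
EXPORTED_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.ServiceFabric/managedClusters/nodeTypes",
      "name": "sfcluster/primary",
      "properties": {
        "vmExtensions": [
          {
            "name": "dynatrace",
            "properties": {
              "publisher": "dynatrace.ruxit",
              "type": "<Extension-Type>",
              "typeHandlerVersion": "<Extension-Version>",
              "autoUpgradeMinorVersion": true,
              "settings": {
                "tenantId": "abc12345",
                "token": "dt0c01.EXAMPLEEXAMPLE.EXAMPLEEXAMPLEEXAMPLE",
                "server": "https://abc12345.live.dynatrace.com/api",
                "enableLogAnalytics": "yes",
                "hostGroup": "sf-prod"
              }
            }
          }
        ]
      }
    }
  ]
}
""")


def normalise(key):
    """Fold case and separators so "api_token", "Api-Token" and "apitoken" match."""
    return key.lower().replace("-", "").replace("_", "")


def iter_extensions(template):
    """Yield (resource name, vmExtension dict) for every extension in the template."""
    for resource in template.get("resources", []):
        for ext in resource.get("properties", {}).get("vmExtensions", []):
            yield resource.get("name", "?"), ext


def find_exposed_secrets(template):
    """Return (resource, extension, key) triples for secret-like keys in 'settings'.

    'settings' is returned verbatim by ARM reads, so anything listed here is
    visible to anyone allowed to export the template.
    """
    findings = []
    for resource_name, ext in iter_extensions(template):
        settings = ext.get("properties", {}).get("settings", {})
        for key in settings:
            if normalise(key) in SECRET_KEYS:
                findings.append((resource_name, ext.get("name", "?"), key))
    return findings


def move_secrets_to_protected(template):
    """Return a deep copy with secret-like keys moved to 'protectedSettings'.

    ARM encrypts protectedSettings for the extension handler and omits them from
    GET responses and portal exports. Assumption: the handler also reads the key
    from protectedSettings; confirm that against the vendor's documentation.
    """
    hardened = copy.deepcopy(template)
    for _, ext in iter_extensions(hardened):
        props = ext.setdefault("properties", {})
        settings = props.get("settings", {})
        protected = props.setdefault("protectedSettings", {})
        for key in [k for k in settings if normalise(k) in SECRET_KEYS]:
            protected[key] = settings.pop(key)
        if not protected:
            del props["protectedSettings"]
    return hardened


if __name__ == "__main__":
    for resource, ext_name, key in find_exposed_secrets(EXPORTED_TEMPLATE):
        print(f"EXPOSED: {resource} / {ext_name} / settings.{key}")
    hardened = move_secrets_to_protected(EXPORTED_TEMPLATE)
    print(json.dumps(hardened["resources"][0]["properties"]["vmExtensions"][0],
                     indent=2))
```

Run it against a real export (az resource show or the portal's "Export template" output) to confirm which keys are readable; the scan is the check, and the protectedSettings move is only a mitigation if the extension handler actually reads the token from there.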