01 Aug 2025 07:04 AM - last edited on 16 Dec 2025 01:21 PM by IzabelaRokita
We are installing the Dynatrace OneAgent on an Azure Managed Service Fabric cluster using an Azure ARM template. The Dynatrace API token is passed as a secret value with a reference to an Azure Key Vault secret.
Basically, the Azure Virtual Machine Scale Set (VMSS) extension is installed on the Azure Managed Service Fabric cluster node type. We cannot install the extension directly on the VMSS because it will be deleted during the next Azure Managed Service Fabric cluster update. Instead, it must be installed as an extension on the Service Fabric cluster, as documented in Microsoft's official documentation.
{
  "name": "dynatrace",
  "properties": {
    "publisher": "dynatrace.ruxit",
    "type": "<Extension-Type>",
    "typeHandlerVersion": "<Extension-Version>",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "tenantId": "<Environment-ID>",
      "token": "<API-Token>",
      "server": "<Server-Url>",
      "enableLogAnalytics": "yes",
      "hostGroup": "<Host-Group>"
    }
  }
}
The issue is that anyone with permissions to export the ARM template of the Azure Managed Service Fabric cluster from the Azure Portal can see the Dynatrace API token in the exported template, which poses a security risk.
However, if we install the OneAgent using Azure CLI directly on the Azure Virtual Machine, this issue does not occur. The exported ARM template does not include the plain-text Dynatrace API token.
Is it possible to mitigate the Dynatrace access token exposure in this case, when OneAgent is installed via an ARM template, not with az cli or PowerShell?
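A check that can be run over a source or exported template to catch the exposure described in the post, as an added example (not part of the original post, and not Dynatrace or Microsoft code): it flags literal secret-like values stored in an extension's readable `settings`. The sample template, its `vmExtensions` layout, the token value and the key-name list are constructed assumptions.

```python
import json

# Key-name fragments treated as secret-bearing (constructed heuristic list).
SECRET_KEYS = ("token", "password", "secret", "key")

def is_arm_expression(value):
    """ARM expressions are strings wrapped in [ ]; "[[" escapes a literal bracket."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def find_exposed_settings(node, path="$"):
    """Yield (json_path, publisher, key) for each literal secret-like value
    stored in the readable `settings` of an extension-shaped object."""
    if isinstance(node, dict):
        props = node.get("properties")
        if (isinstance(props, dict) and "publisher" in props
                and isinstance(props.get("settings"), dict)):
            for key, value in props["settings"].items():
                named_secret = any(s in key.lower() for s in SECRET_KEYS)
                if named_secret and value and not is_arm_expression(value):
                    yield (f"{path}.properties.settings.{key}", props["publisher"], key)
        for child_key, child in node.items():
            yield from find_exposed_settings(child, f"{path}.{child_key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_exposed_settings(item, f"{path}[{index}]")

# Constructed sample: a node type with two extensions, shaped like the post's snippet.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.ServiceFabric/managedClusters/nodeTypes",
  "name": "sample-cluster/nt1",
  "properties": {"vmExtensions": [
    {"name": "dynatrace", "properties": {
      "publisher": "dynatrace.ruxit", "type": "<Extension-Type>",
      "settings": {"tenantId": "<Environment-ID>", "token": "CONSTRUCTED-TOKEN-VALUE",
                   "server": "<Server-Url>", "hostGroup": "<Host-Group>"}}},
    {"name": "dynatrace-parameterised", "properties": {
      "publisher": "dynatrace.ruxit", "type": "<Extension-Type>",
      "settings": {"tenantId": "<Environment-ID>", "token": "[parameters('dynatraceToken')]"}}}
  ]}
}]}
""")

if __name__ == "__main__":
    for finding in find_exposed_settings(SAMPLE_TEMPLATE):
        print("literal secret in settings: %s (publisher=%s, key=%s)" % finding)
```

The second extension is not flagged because its token is an ARM expression rather than a literal; the check inspects the template text only and says nothing about what the deployed resource returns on export.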
16 Dec 2025 01:22 PM
Hey @Jet ,
I just wanted to check in and see if you still need help with this. If so, I’d be happy to look into it for you! 😊
Please let me know what works best for you.