HDInsight on-demand linked service sshPassword shows up in clear text

Category: sql server hdinsight


Janus Christensen on Thu, 05 Oct 2017 09:31:39


We have deployed an HDInsight on-demand linked service to Data Factory, and when I go to the Data Factory and select "Author and deploy" -> Linked services and select the HDInsight on-demand linked service, the sshPassword is displayed in clear text. Is there a way to hide the password, so that it would show up as "**********"? I can see that is what happens with sensitive information in other types of linked services (for example: the servicePrincipalKey in Data Lake Store linked services).

I have tried to change the type to "securestring" for sshPassword in the ARM template used to deploy HDI on-demand linked services, but this does not seem to have any effect.

Here is what the linked service looks like:

    {
        "name": "ls-hdiod-test",
        "properties": {
            "hubName": "my-datafactory-dev_hub",
            "type": "HDInsightOnDemand",
            "typeProperties": {
                "version": "3.5",
                "clusterSize": 2,
                "timeToLive": "00:20:00",
                "osType": "linux",
                "sshPassword": "PasswordRedacted",
                "sshUserName": "admin",
                "coreConfiguration": {},
                "hBaseConfiguration": {},
                "hdfsConfiguration": {},
                "hiveConfiguration": {},
                "mapReduceConfiguration": {},
                "oozieConfiguration": {},
                "sparkConfiguration": {},
                "stormConfiguration": {},
                "yarnConfiguration": {},
                "additionalLinkedServiceNames": [],
                "linkedServiceName": "ls-asa-test",
                "hcatalogLinkedServiceName": "ls-sqldb-hive-metastore"
            }
        }
    }


Kapil.Kumawat on Thu, 05 Oct 2017 09:52:26

Hello Janus,

You can use Azure Key Vault to hide the password from showing up as plain text.

To enable it please check this link -


EricCS07 on Tue, 10 Oct 2017 09:53:52

Hi Janus, 

You are able to use SecureString in ADF V2 for the password, which will be marked as *** in the following format:

        "sshPassword": {
            "value": "passwordvalue",
            "type": "SecureString"
        }
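
A check for the situation in this thread, as an added example that is not from any of the posters or from Microsoft: it walks a linked service definition and reports credential properties stored as bare strings instead of a SecureString or Azure Key Vault reference. The key-name pattern, the Key Vault reference sample and all sample values are assumptions constructed for illustration.

```python
import json
import re

# Assumption: property-name suffixes that usually hold credentials (a heuristic).
SENSITIVE = re.compile(r"(password|secret|key|connectionString)$", re.I)
# Typed wrappers: SecureString is masked in the UI, AzureKeyVaultSecret is a reference.
PROTECTED_TYPES = {"SecureString", "AzureKeyVaultSecret"}


def find_plaintext_secrets(node, path=""):
    """Return JSON paths of sensitive properties not wrapped in a protected type."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE.search(key):
                wrapped = isinstance(value, dict) and value.get("type") in PROTECTED_TYPES
                if not wrapped and isinstance(value, (str, dict)):
                    findings.append(here)
                continue  # never descend into a credential value
            findings.extend(find_plaintext_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


# Constructed sample: bare-string password fed from an ARM parameter. The property
# itself is still a plain string, which is the case the question describes.
LEGACY = json.loads("""{"name": "ls-hdiod-test", "properties": {
  "type": "HDInsightOnDemand", "typeProperties": {
    "sshUserName": "admin", "sshPassword": "[parameters('sshPassword')]"}}}""")

# Constructed sample: the SecureString form from the last answer.
SECURE = json.loads("""{"name": "ls-hdiod-test", "properties": {
  "type": "HDInsightOnDemand", "typeProperties": {
    "sshUserName": "admin",
    "sshPassword": {"type": "SecureString", "value": "constructed-value"}}}}""")

# Constructed sample: Key Vault reference; store and secret names are hypothetical.
VAULT = json.loads("""{"name": "ls-hdiod-test", "properties": {
  "type": "HDInsightOnDemand", "typeProperties": {
    "sshUserName": "admin",
    "sshPassword": {"type": "AzureKeyVaultSecret", "secretName": "hdi-ssh-password",
      "store": {"referenceName": "ls-keyvault-example", "type": "LinkedServiceReference"}}}}}""")

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("secure", SECURE), ("vault", VAULT)):
        print(label, find_plaintext_secrets(doc))
```

Run over exported linked service JSON before deployment, an empty list means every matched credential property uses one of the two typed forms.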