AZ-400 Designing and Implementing Microsoft DevOps Solutions Exam

Implement and manage secrets, keys, and certificates by using Azure Key Vault

Azure Key Vault is a cloud service that helps you securely store secrets, keys, and certificates. You can use it to keep connection strings, API keys, and TLS certificates safe. With Key Vault, you get a centralized place for managing sensitive data without hard‐coding values in your code or scripts.

To add items to Key Vault, you create a vault and then add secrets, keys, or certificates through the Azure portal, CLI, or PowerShell. For secrets, you store text values such as passwords. For keys, you handle cryptographic operations like encryption and decryption. For certificates, you can import existing certificates or generate new ones directly in the vault.

Access control in Key Vault relies on Azure role‐based access control (RBAC) and access policies. RBAC assigns broader permissions at the vault level, while access policies offer fine‐grained operations such as get, list, or delete on specific items. By using managed identities or service principals, you can grant your applications just the right permissions they need.

In automation workflows, use a managed identity or service principal to authenticate to Key Vault without storing credentials in your code. Your pipeline or script can request secrets at runtime, ensuring that no sensitive information sits in source control. This strategy helps keep your automation processes both secure and maintainable.

Implement and manage secrets in GitHub Actions and Azure Pipelines

GitHub Actions and Azure Pipelines let you store and use secrets directly in your CI/CD workflows. In GitHub Actions, you store values under your repository’s Settings > Secrets, or at the environment level for shared secrets across multiple repos. In Azure Pipelines, use pipeline variables or variable groups to hold sensitive data.

In GitHub Actions, you reference secrets in your YAML file using the syntax ${{ secrets.NAME }}. The values are automatically masked in logs and cannot be printed in plain text. You can also limit a secret’s availability to certain environments, adding an extra layer of control.

Azure Pipelines supports variable groups that can be linked to Azure Key Vault for automatic secret synchronization. You declare the variable group in your pipeline YAML or classic editor, and the pipeline fetches the secrets at runtime. These secrets are masked by default to prevent accidental exposure in logs.

Regardless of the platform, always follow these best practices:

• Limit the scope of secrets to only the pipelines that need them
• Rotate secrets regularly to reduce the impact of any compromise
• Use approval gates or environment policies for sensitive deployments

Design and implement a strategy for managing sensitive files during deployment, including Azure Pipelines secure files

Sensitive files like certificates, SSH keys, or configuration JSON files often need to be used during deployment. Azure Pipelines offers the Secure Files feature, which lets you upload files in a safe vault within the project. These files are encrypted at rest and can only be downloaded by authorized pipelines.

To use secure files, upload them under Pipelines > Library > Secure files. In your YAML pipeline or classic release, add a Download Secure File task that references the file by name. The task makes the file available on the agent for subsequent steps without exposing it publicly.

Access to secure files is controlled by pipeline permissions and approval checks. You can require manual approval before a pipeline can run steps that use secure files. This setup helps you enforce controls like two‐person reviews for highly sensitive assets.

Keep these points in mind:

• Remove or revoke secure files that are no longer needed
• Rotate certificates and keys stored as secure files on a regular schedule
• Audit downloads and uses of secure files to detect any unusual activity

Design pipelines to prevent leakage of sensitive information

Preventing secret leaks starts with designing pipelines that avoid printing or storing sensitive values in logs or artifacts. Always use built‐in mechanisms—like secret masking in logs—rather than custom scripts that echo environment variables. This reduces the risk that credentials show up in plain text.

Implement the principle of least privilege by granting only the minimal access each pipeline needs. Use dedicated service principals or managed identities with scoped permissions. Avoid using high‐privilege accounts that could lead to wider exposure if compromised.

Keep secrets out of source code by referencing them from secure stores like Key Vault or pipeline variables. For any temporary files or environment variables that hold secrets, ensure your scripts clean up these values immediately after use. This limits the window during which a secret could be accessed improperly.

Finally, add auditing and monitoring for any secret operations. Configure alerts for unusual access patterns and review logs regularly. Having these controls in place helps you quickly detect and respond to any attempts at unauthorized access.

Conclusion

In this section, you learned how to use Azure Key Vault to store and control access to secrets, keys, and certificates. You saw how GitHub Actions and Azure Pipelines provide secure places for storing and using secrets in your workflows. You also explored the management of sensitive files through Azure Pipelines Secure Files and the best practices for permissions and approvals.

Designing pipelines with masking, least privilege, and cleanup steps helps prevent the leakage of sensitive data. By combining these tools and practices, you can create a robust strategy that keeps your secrets safe throughout the automation and deployment process.