Beta

AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement a Strategy for Managing Sensitive Information in Automation

Implement and manage secrets in GitHub Actions and Azure Pipelines

Secrets such as API keys, passwords, and tokens are critical for accessing protected resources. In this guide, we explain how to securely implement and manage secrets in popular CI/CD tools—GitHub Actions and Azure Pipelines—to safeguard your software development workflows and avoid security vulnerabilities.

The image illustrates the risks of improperly managed secrets, highlighting potential security vulnerabilities with icons like a broken shield, bug, and error message. It advises using secure methods to store and handle secrets to maintain system integrity.

Both GitHub Actions and Azure Pipelines offer built-in mechanisms for managing secrets, ensuring that sensitive information remains secure during pipeline execution. These tools help prevent accidental exposure of credentials in source code repositories, reducing the risk of data breaches.

The image is an overview diagram comparing GitHub Actions and Azure Pipelines, highlighting their role in enabling automation of software development workflows.

Note

When handling secrets, always follow best practices and limit access to only those repositories, pipelines, and team members who require them.

GitHub Actions Secrets

In GitHub Actions, secrets are securely stored within the repository settings. Follow these steps to add a secret:

  1. Navigate to your repository.
  2. Go to Settings > Secrets > Actions.
  3. Click on New Repository Secret.
  4. Enter the secret's name and value. The secret will be securely stored and used during workflow execution.

The image provides instructions for setting up secrets in GitHub Actions, showing a navigation path in the GitHub settings menu.

The image is a guide on setting up secrets in GitHub Actions, showing a prompt to click on "New repository secret" in a repository with no secrets.

To reference secrets in your workflow without exposing their values, use the following syntax:

${{ secrets.SECRET_NAME }}

For example, to reference an API key in a workflow:

${{ secrets.API_KEY }}

Always choose meaningful names for your secrets and rotate them regularly to minimize the risk of exposure.

The image provides best practices for GitHub Actions, suggesting the use of meaningful names for secrets and regularly rotating them to minimize exposure risk. It includes visual elements like a graph and a title icon.

Additionally, restrict the scope of your secrets to only the necessary repositories or workflows, and avoid embedding secrets directly into your code. Leverage GitHub’s secure storage options for optimal protection.

The image provides best practices for GitHub Actions, advising to limit the scope of secrets and avoid hard-coding them, using GitHub's secure storage instead.

Azure Pipelines Secrets

In Azure Pipelines, secrets are managed as pipeline variables that are flagged as secret. To add a secret in Azure Pipelines, use the following steps:

  1. Navigate to your pipeline.
  2. Go to Variables (Pipeline Variables).
  3. Click on Add.
  4. Enter the variable name, check the option Keep this value secret, and provide the secret value.

The image is a guide on setting up secrets in Azure Pipelines, showing steps to navigate to pipeline variables and add a new variable.

Reference secrets in your scripts using the following syntax:

$(variableName)

For example, to reference an API key secret:

$(API_KEY)

It is highly recommended to integrate Azure Key Vault for managing highly sensitive secrets. This ensures centralized and secure storage with features like access control, logging, and automated rotation.

Azure Key Vault Integration

Integrating Azure Key Vault with your pipelines adds an extra layer of security. It supports secret versioning and audit logging, making it easier to manage sensitive data across environments.

Integration with Azure Key Vault

Both GitHub Actions and Azure Pipelines can integrate with Azure Key Vault, enabling secure retrieval of secrets during workflow execution. This integration eliminates the need to hard-code secrets in configurations.

The image illustrates the integration of GitHub Actions and Azure Pipelines, highlighting the retrieval of secrets during workflow or pipeline execution.

To integrate with Azure Key Vault, ensure that:

  • You have an active Azure subscription and an Azure Key Vault.
  • Required secrets are added to the Key Vault.
  • A Service Principal with the necessary Key Vault permissions is configured.
  • Store Service Principal credentials as GitHub secrets or set them up in Azure DevOps pipeline service connections.

The following pipeline configuration demonstrates how to retrieve a secret from Azure Key Vault:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

variables:
- group: KeyVaultSecrets

steps:
- task: UseKeyVault@1
  inputs:
    azureSubscription: 'your-service-connection'
    KeyVaultName: 'your-keyvault-name'
    SecretsFilter: 'YOUR_SECRET_NAME'
    RunAsPreJob: true
- script: echo "Secret Value: $(YOUR_SECRET_NAME)"
  displayName: 'Display Secret'

The image outlines four prerequisites for retrieving secrets from Azure Key Vault in Azure Pipelines: creating a Key Vault, adding secrets, configuring a service principal, and adding credentials to service connections.

Best Practices for Managing Secrets

Implementing effective secret management practices is essential for CI/CD security. Consider these recommendations:

  • Principle of Least Privilege: Ensure that secrets are only accessible to users and services that require them.
  • Regular Rotation: Rotate secrets periodically to minimize risks related to compromised credentials.
  • Monitoring and Auditing: Continuously monitor secret usage and audit access logs for any suspicious behaviour.
  • Avoid Hard-Coding: Do not embed secrets directly in your source code; use secure storage options like GitHub Secrets or Azure Key Vault.
  • Document Procedures: Keep detailed documentation of secret management processes to ensure consistency and reduce errors.

The image outlines best practices for managing secrets, including the principle of least privilege, regular secret rotation, and monitoring and auditing.

Common Pitfalls to Avoid

  • Hard-Coding Secrets: Embedding secrets in source code can lead to accidental exposure through version control.
  • Insecure Sharing: Avoid transmitting secrets via email, chat, or other unencrypted channels. Use secure methods such as encrypted vaults.
  • Lack of Documentation: Inadequate documentation of secret management practices can cause inconsistencies and errors. Ensure that your team is familiar with the established procedures.

The image outlines common pitfalls in secrets management, including hard-coding secrets in code, sharing secrets through insecure channels, and lack of documentation, with suggestions to avoid each issue.

By following these guidelines, you can enhance the security of your CI/CD pipelines with GitHub Actions and Azure Pipelines, ensuring that secrets are managed effectively and securely.

Watch Video

Watch video content

Previous
Implement and manage secrets keys and certificates by using Azure Key Vault
Next
Using Service Connections in Pipeline