Skip to main content
In this module, you’ll learn how to secure sensitive data—secrets, keys, and certificates—in your DevOps automation pipelines. We’ll focus on best practices for Azure Key Vault, GitHub Actions, and Azure Pipelines so you can confidently manage credentials and cryptographic materials in production environments.
Never store secrets or certificates in plaintext within your code repositories. Always leverage a secure vault or secrets store.

Azure Key Vault

Azure Key Vault is a cloud-hosted service that centralizes the storage and management of secrets, keys, and certificates. You can apply fine-grained access policies, enable detailed logging, and integrate with other Azure services.

Key Vault Components

ComponentDescriptionExample
SecretPasswords, API keys, connection stringsaz keyvault secret set …
KeyCryptographic keys for encryption and signingaz keyvault key create …
CertificateManaged X.509 certificatesaz keyvault certificate create

Quickstart with Azure CLI

# Create a new Key Vault
az keyvault create \
  --name MyVault \
  --resource-group MyResourceGroup \
  --location eastus

# Store a secret
az keyvault secret set \
  --vault-name MyVault \
  --name AppSecret \
  --value s3cr3tValue

# Retrieve the secret
az keyvault secret show \
  --vault-name MyVault \
  --name AppSecret
Ensure your user or service principal has the Key Vault Contributor role or an equivalent access policy.
The image is a slide titled "Implementing and Managing Secrets, Keys, and Certificates by Using Azure Key Vault," listing three topics: Exploring Azure Key Vault, Understanding Secrets, and Working With Keys.

Access Control, Monitoring, and Best Practices

Secure your vault by defining access policies, enabling logging with Azure Monitor, and rotating keys regularly.
FeatureDescription
Access PoliciesGrant or deny permissions at object level
Diagnostic LoggingCapture read/write operations for audit and alerts
Key RotationAutomate renewal of keys and certificates
The image is a slide titled "Implementing and Managing Secrets, Keys, and Certificates by Using Azure Key Vault," listing topics such as Access Policies, Monitoring and Logging, and Best Practices.

Secrets in CI/CD Pipelines

Managing secrets in your build and release workflows is critical. Below is a quick comparison of GitHub Actions and Azure Pipelines secret stores:
CI/CD PlatformSecret StoreReference in Pipeline
GitHub ActionsGitHub Encrypted Secretssecrets.MY_SECRET
Azure PipelinesVariable Groups & Key Vault Task$(MY_SECRET)

GitHub Actions Example

# .github/workflows/deploy.yml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Use GitHub Secret
        run: echo "API key is ${{ secrets.API_KEY }}"

Azure Pipelines Example

# azure-pipelines.yml
variables:
  - group: KeyVaultVariables

steps:
  - task: AzureKeyVault@1
    inputs:
      azureSubscription: 'MyServiceConnection'
      KeyVaultName: 'MyVault'
      SecretsFilter: '*'
      RunAsPreJob: true
  - script: echo "Fetched secret: $(AppSecret)"
Use the Azure Key Vault task in Azure Pipelines to pull secrets at runtime rather than storing them statically.
The image is a slide titled "Implementing and Managing Secrets in GitHub Actions and Azure Pipelines," listing four topics: understanding secrets in DevOps, managing secrets in GitHub Actions, secrets in Azure Pipelines, and best practices in GitHub Actions.

Service Connections in Azure Pipelines

Service connections let your pipelines authenticate to external systems such as Azure, GitHub, or container registries.

Types of Service Connections

Connection TypeUse Case
Azure Resource ManagerDeploy to Azure subscriptions
GitHubCheckout or trigger workflows on GitHub
Docker RegistryPush/pull container images
The image is a slide titled "Using Service Connections in Pipeline," listing two topics: "Introduction to Service Connections in Azure Pipelines" and "Types of Service Connections."

Configuring and Using Service Connections

# azure-pipelines.yml
resources:
  connections:
    - connection: MyAzureSubscription
      type: azureResourceManager
    - connection: MyGitHubConnection
      type: github

steps:
  - checkout: self
  - script: |
      az account show
      echo "Cloning via $(MyGitHubConnection)"
The image is a slide titled "Using Service Connections in Pipeline," listing three topics: configuring GitHub service connections, using service connections in pipelines, and best practices for managing service connections.

Conclusion

By centralizing your secrets in Azure Key Vault, integrating vault access into your CI/CD pipelines, and configuring secure service connections, you’ll build robust, compliant DevOps workflows. Implement these patterns to reduce risk and maintain operational excellence.

Watch Video