AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement a Strategy for Managing Sensitive Information in Automation

Summary

This article reviews the core concepts and best practices for managing secrets, keys, and certificates in Azure DevOps—covering Azure Key Vault essentials, DevSecOps secret integration, and Azure Pipelines service connections. These techniques align with AZ-400 exam objectives and real-world security requirements.

Azure Key Vault Essentials

Azure Key Vault provides a secure, centralized store for secrets, keys, and certificates.

  • Purpose
    Securely store API keys, passwords, certificates, and cryptographic keys.

  • Access Policies
    Configure who can read, write, or manage vault objects.

  • Monitoring & Logging
    Integrate with Azure Monitor and Azure Activity Logs to audit access and changes.

  • Best Practices

    • Enable soft-delete and purge protection
    • Enforce role-based access control (RBAC)
    • Regularly rotate and audit secrets

# Create a new Key Vault with soft-delete enabled
# (newer Azure CLI versions enable soft-delete by default and may reject this
#  flag; add --enable-purge-protection true to also block permanent deletion)
az keyvault create \
  --name MyKeyVault \
  --resource-group MyResourceGroup \
  --location eastus \
  --enable-soft-delete true

# Add a secret to Key Vault
# (a value passed on the command line can land in shell history and process
#  listings; in automation read it from a file or a masked variable instead)
az keyvault secret set \
  --vault-name MyKeyVault \
  --name MySecret \
  --value "MySecretValue"

Note

Enable purge protection to prevent accidental or malicious deletion of vault contents.


Integrating Secret Management in DevSecOps Pipelines

Implement automated, secure retrieval of secrets in CI/CD workflows.

1. GitHub Actions

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Fetch secret from Key Vault
        run: |
          # Read only the value (not the full JSON) and mask it so it never
          # appears in the job log, then hand it to later steps via GITHUB_ENV
          SECRET=$(az keyvault secret show \
            --vault-name MyKeyVault \
            --name MySecret \
            --query value -o tsv)
          echo "::add-mask::$SECRET"
          echo "MY_SECRET=$SECRET" >> "$GITHUB_ENV"

2. Azure Pipelines

  • Link Key Vault as a Variable Group.
  • Reference secrets in YAML or classic pipelines without exposing them in code.
  • Turn on diagnostic logging for Key Vault access.

variables:
- group: KV-Secrets-Group

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'MyServiceConnection'
    KeyVaultName: 'MyKeyVault'
    # '*' pulls every secret in the vault into the job; for least privilege
    # list only the secrets this pipeline needs, e.g. 'MySecret,DbPassword'
    SecretsFilter: '*'

3. General Best Practices

  • Enforce least-privilege for all identities and service principals.
  • Rotate secrets, keys, and certificates at least every 90 days.
  • Monitor access logs and trigger alerts on anomalous patterns.

Warning

Always restrict service principal permissions to only the required Azure scopes. Overprivileged identities increase security risk.
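Added example (not code from the original article): a small Python checker run over constructed Key Vault diagnostic log entries (AuditEvent category, the shape Azure Monitor exports) that flags the patterns the list above calls out: secret reads by an identity other than the pipeline service principal, Forbidden responses, and delete/purge operations. The vault name, application ids and IP addresses are made up.

```python
import json

# Constructed sample Key Vault AuditEvent log lines (vault, app ids, IPs are made up).
SAMPLE_LOG_LINES = [
    '{"time":"2024-05-01T02:10:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","resultSignature":"OK","callerIpAddress":"20.0.0.10","identity":{"claim":{"appid":"pipeline-sp-app-id"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/MySecret"}}',
    '{"time":"2024-05-01T02:11:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","resultSignature":"OK","callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"unknown-app-id"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/MySecret"}}',
    '{"time":"2024-05-01T02:12:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Failed","resultSignature":"Forbidden","callerIpAddress":"198.51.100.7","identity":{"claim":{"appid":"unknown-app-id"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/DbPassword"}}',
    '{"time":"2024-05-01T02:13:00Z","category":"AuditEvent","operationName":"SecretDelete","resultType":"Success","resultSignature":"OK","callerIpAddress":"20.0.0.10","identity":{"claim":{"appid":"pipeline-sp-app-id"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/MySecret"}}',
]

# Identities expected to read secrets: the pipeline's service principal (assumed app id).
ALLOWED_READER_APPIDS = {"pipeline-sp-app-id"}
# Operations that change or destroy vault contents; a pipeline identity should never do these.
DESTRUCTIVE_OPS = {"SecretDelete", "SecretPurge", "KeyDelete", "KeyPurge",
                   "VaultDelete", "VaultPurge"}


def analyse_audit_log(lines, allowed_appids=ALLOWED_READER_APPIDS):
    """Return (rule, appid, operation, object) tuples for every anomalous entry."""
    alerts = []
    for raw in lines:
        entry = json.loads(raw)
        if entry.get("category") != "AuditEvent":
            continue
        op = entry.get("operationName", "")
        appid = entry.get("identity", {}).get("claim", {}).get("appid", "<none>")
        # properties.id looks like https://<vault>/secrets/<name>[/<version>];
        # element 4 of the split is the object name in both forms
        parts = entry.get("properties", {}).get("id", "").split("/")
        target = parts[4] if len(parts) > 4 else ""
        if entry.get("resultSignature") == "Forbidden":
            alerts.append(("forbidden-access", appid, op, target))
        elif op in DESTRUCTIVE_OPS:
            alerts.append(("destructive-operation", appid, op, target))
        elif op.endswith("Get") and appid not in allowed_appids:
            alerts.append(("unexpected-reader", appid, op, target))
    return alerts


if __name__ == "__main__":
    for alert in analyse_audit_log(SAMPLE_LOG_LINES):
        print(alert)
```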


Azure Pipelines Service Connections

Service connections allow pipelines to authenticate with external systems without embedding credentials in code.

Overview

Securely connect to Azure, GitHub, container registries, and third-party services.

Types of Service Connections

Service Connection Type            Use Case                            Example CLI Command
Azure Resource Manager             Deploy and manage Azure resources   az devops service-endpoint azurerm create ...
GitHub                             Access GitHub repositories          az devops service-endpoint github create ...
Docker Registry / ACR              Push/pull container images
Third-Party (SonarQube, Jenkins)   Integrate analysis and CI tools

Configuration Steps

  1. In Azure DevOps, go to Project Settings > Service connections.
  2. Click New service connection and select the type.
  3. Provide authentication details (service principal, token, or PAT).
  4. Assign the minimal required scope and permissions.
  5. Validate and save the connection.

# Example: Create a service connection via Azure CLI (ARM)
az devops service-endpoint create \
  --service-endpoint-configuration azurerm.json

ARM Service Connection

  • Use an existing or new service principal with a Contributor or custom role.
  • Specify subscription ID, resource group, and scope.
  • Test the connection before saving.

GitHub Service Connection

  • Authorize Azure DevOps via OAuth or provide a Personal Access Token (PAT).
  • Limit repository permissions to only those needed for your pipelines.

[Slide: "Using Service Connections in Pipeline", listing topics related to Azure Pipelines and service connections.]

Usage in Pipelines

Reference service connections in YAML tasks or classic releases:

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'MyServiceConnection'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: az group list

Best Practices

  • Audit service connection permissions regularly.
  • Adopt custom roles with just-enough permissions.
  • Rotate service principal credentials and tokens on a scheduled basis.
