AZ-400 Designing and Implementing Microsoft DevOps Solutions

Implement and manage secrets, keys, and certificates by using Azure Key Vault, GitHub secrets, and Azure Pipelines secrets

#AZ-400 Designing and Implementing Microsoft DevOps Solutions

Azure Key Vault is a cloud service that offers a secure way to store and access secrets such as keys, tokens, or passwords. Its primary benefit is to centralize the management of application secrets and remove the need to store them in code.

Creating an Azure Key Vault involves the following steps:

  • Navigate to the Azure portal, and create a Key Vault.
  • Set an access policy for key, secret, and certificate operations.
  • Add secrets or keys to the Key Vault.

To access these secrets programmatically, you can use the Azure SDK. Below is a Python example:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
client = SecretClient(vault_url="", credential=credential)

secret = client.get_secret("")

print(f"Retrieved secret with name '{secret.name}' and value '{secret.value}'")

Important: In order to access your Key Vault, your application needs to be authenticated, which can be achieved through managed identities in Azure.

Table of Contents

GitHub Secrets

GitHub secrets provide a secure way to store sensitive data like access tokens and secrets, which in turn help in organizing, storing, and managing the various secrets needed by your applications and environments.

GitHub secrets can be set at the repository, organization, or environment level. Adding secrets on the repository level involves:

  • Going to your GitHub repository settings.
  • Selecting the ‘Secrets’ menu.
  • Choosing ‘New repository secret’ and providing name/value.

To use secrets in your workflows, you can reference them with the `secrets` context:

steps:
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

Azure Pipelines Secrets

Azure Pipelines secrets offer a way to secure and manage sensitive information such as keys, tokens, passwords in your CI/CD pipeline. Secrets are encrypted and can only be decrypted in the context of the pipeline they are defined in.

Creating secrets in Azure Pipelines is done using the ‘Pipeline > Library’ in Azure DevOps.

Once a secret is created, it can be referenced in the pipeline yaml file using the `$(secretName)` syntax:

steps:
- script: echo My secret is $(mySecret)
env:
mySecret: $(mySecret)

Note: As with GitHub secrets, Azure Pipelines secrets must be explicitly mapped to environment variables to be used in scripts.

To sum up, Azure Key Vault, GitHub secrets, and Azure Pipelines secrets are three different tools that provide secure control and management over sensitive application or workflow data. By securely managing this sensitive data, you help protect your applications, your data, and your business. You also meet the requirements of the AZ-400 Designing and Implementing Microsoft DevOps Solutions examination, indicating expertise in modern DevOps methodologies.

Practice Test

True/False: Azure Key Vault can be used to manage secrets, keys, and certificates.

  • True
  • False

Answer: True.

Explanation: Azure Key Vault is a tool offered by Microsoft Azure for managing cryptographic keys, secrets, and certificates.

In GitHub, where should you never hardcode secrets?

  • A. Comments
  • B. Config files
  • C. Environment variables
  • D. None of the above

Answer: D. None of the above

Explanation: Secrets should never be hardcoded in any place of your codebase or configuration, be it comments, config files, or environment variables for security purposes.

Azure Pipelines secrets can be used in what types of scripts?

  • A. PowerShell scripts
  • B. Bash scripts
  • C. Python scripts
  • D. All of the above

Answer: D. All of the above.

Explanation: Azure Pipelines secrets can be used in all types of scripts including PowerShell, Bash, and Python.

True/False: GitHub secrets are encrypted environment variables that you create in a repository.

  • True
  • False

Answer: True.

Explanation: GitHub secrets are encrypted environment variables and are used for storage and management of sensitive data like API keys, passwords, or tokens.

Which Azure service provides a secure store for application secrets?

  • A. Azure Active Directory
  • B. Azure Key Vault
  • C. Azure Resource Manager
  • D. Azure Monitor

Answer: B. Azure Key Vault

Explanation: Azure Key Vault is designed to securely save and manage secrets, cryptographic keys, and certificates.

What should be used to store secret variables in Azure Pipelines?

  • A. Build variables
  • B. Pipeline variables
  • C. Environment variables
  • D. All of the above

Answer: D. All of the above.

Explanation: Build variables, Pipeline variables, and Environment variables can all be used to store secret variables in Azure Pipelines.

Secrets in GitHub can be accessed by which type of actions?

  • A. Public actions
  • B. Private actions
  • C. Forked actions
  • D. None of the above

Answer: C. Forked actions.

Explanation: The secrets are not passed to the runner when a workflow is triggered from a forked repository.

True/False: Azure Key Vault can only be accessed through the Azure portal.

  • True
  • False

Answer: False.

Explanation: Azure Key Vault can be accessed through Azure PowerShell, Azure CLI, REST APIs, as well as the Azure portal.

Which of the following is a best practice when handling keys and secrets in Azure DevOps?

  • A. Store secrets in source code
  • B. Hardcode secrets in configuration files
  • C. Use Azure Key Vault to manage keys and secrets
  • D. Share secrets via email

Answer: C. Use Azure Key Vault to manage keys and secrets.

Explanation: Azure Key Vault provides secure storage and management of keys and secrets, an essential best practice for secure DevOps.

True/False: Azure Pipelines secrets are encrypted and can be used in YAML files without revealing the secret to the public.

  • True
  • False

Answer: True.

Explanation: Azure Pipelines secrets are encrypted and set during pipeline creation so they can be safely used in YAML files.

Interview Questions

What is Azure Key Vault?

Azure Key Vault is a cloud service that securely stores and tightly controls access to secrets, keys, and certificates.

What do GitHub secrets do?

GitHub secrets allow sensitive data to be stored securely in GitHub repositories. This can include access tokens, passwords, or keys used in GitHub Actions.

In Azure Pipelines, where are secrets defined?

In Azure Pipelines, secrets are defined in the pipeline YAML file and are encrypted at rest. They can be used in tasks as input arguments or in scripts.

How can secrets be exported from Azure Key Vault to be used in Azure Pipelines?

Secrets can be exported from Azure Key Vault using the Azure Resource Manager service connection. They can also be exported directly in the pipeline tasks.

Can you store certificates in Azure Key Vault?

Yes, Azure Key Vault is capable of securely storing certificates.

Why replace traditional secrets management with Azure Key Vault?

Azure Key Vault offers tight access control and a single source of truth for secrets. It also logs all access and use of secrets, aids in meeting compliance requirements, and centralizes secrets application-wide.

What is the purpose of Azure Resource Manager service connection in Azure Pipelines?

The Azure Resource Manager service connection is used to access resources in your Azure subscription. In the context of secrets management, it enables Azure Pipelines to pull secrets from Azure Key Vault.

Is it possible to view the value of a GitHub secret once it has been created?

No, once a GitHub secret is created, its value is hidden and cannot be viewed. However, it can be updated or deleted as required.

How can I reference secrets in my azure pipeline YAML?

In the YAML file, secrets can be mapped to environment variables, which can then be used in scripts or tasks.

Are secrets in Azure Pipelines encrypted?

Yes, secrets in Azure Pipelines are encrypted at rest.

Can multiple Azure Pipelines use secrets from the same Azure Key Vault?

Yes, multiple pipelines can reference and use secrets from the same Azure Key Vault.

Can I access Azure Key Vault secrets from a GitHub action?

Yes, you can access Azure Key Vault secrets from a GitHub action using the Azure login action, which authenticates a GitHub workflow with Azure Key Vault.

What is key rotation and why is it important?

Key rotation is the act of switching to a new key after a period of time. This can minimize the potential damage if a key is compromised as the validity of the key is limited.

How can GitHub secrets be used in a GitHub Actions workflow?

In a GitHub Actions workflow, secrets can be accessed via the ‘secrets’ context as environment variables.

What kind of keys does Azure Key Vault support?

Azure Key Vault supports two types of keys: cryptographic keys and secrets. As for cryptographic keys, it supports both symmetric (AES) and asymmetric keys (RSA & EC).

Related Post

AZ-400 Designing and Implementing Microsoft DevOps Solutions

Integrate Azure Pipelines and GitHub Actions with work item tracking tools

extutorials.com
AZ-400 Designing and Implementing Microsoft DevOps Solutions

Design a hotfix path plan for responding to high-priority code fixes

extutorials.com
AZ-400 Designing and Implementing Microsoft DevOps Solutions

Integrate GitHub repositories with Azure Pipelines

extutorials.com

Leave a Reply

Your email address will not be published. Required fields are marked *