Great question — and a very relevant one from a security, compliance, and DevOps maturity standpoint.
DevOps pipeline (recommended with caution):
- Pros:
  - Automates secret creation and rotation.
  - Supports Infrastructure-as-Code (IaC) and consistent environments.
  - Can be audited and version-controlled (e.g., Bicep, Terraform, or ARM templates).
- Cons:
  - If not handled correctly, secret values might leak via:
    - Pipeline logs.
    - Code repositories.
    - Misconfigured variable groups.
One common problem is the presence of secrets in code repos - so it's important to ensure that raw secrets are never stored in code or YAML files — even if the repo is private.
The recommended way to address it is via Azure DevOps Secure Pipelines, which store secrets in Azure DevOps Library Variable Groups marked as "secret" and reference those secrets securely from your pipeline using:
```yaml
variables:
  - group: MySecretGroup          # Library variable group holding secret-type variables

steps:
  - task: AzureKeyVault@2         # pulls Key Vault secrets in as masked pipeline variables
    inputs:
      connectedServiceName: 'MyConnection'
      keyVaultName: 'my-keyvault'
      secretsFilter: 'my-secret-name'
```
You can use the AzureKeyVault@2 task in the pipeline to inject or update secrets into Key Vault without exposing their values in YAML.
Some of the secure alternatives for secret ingestion include:
| Method | Secure? | Audit/Compliance-Friendly? | Recommended For |
|---|---|---|---|
| Azure Portal (ClickOps) | Not ideal | Manual, error-prone | One-off or emergency operations |
| Azure CLI with secure environment variable input | Yes | Yes | Scripting from secure environments |
| Azure DevOps Pipelines with secret vars + KeyVault@2 | Strongly secure | Fully supported | Enterprise-grade automation |
| Terraform with secrets from secure state/backend | Strongly secure | Fully supported | IaC provisioning at scale |
| GitHub Actions with OIDC + secret injection | Strongly secure | Fully supported | GitHub-native workflows |
Compliance Considerations
| Concern | DevOps + Key Vault | ClickOps |
|---|---|---|
| Audit trail | Supported (via pipeline run history and Key Vault diagnostics) | Not supported (unless Azure Activity Logs are retained) |
| Least privilege | Supported (uses managed identity to access Key Vault) | Not supported (often uses broad role assignments) |
| Reproducibility | Supported (infrastructure-as-code and pipeline-based) | Not supported |
| Change control | Supported | Not supported |
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
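As an added, end-to-end example (not code from the answer above, and not Microsoft's own sample), the pipeline below shows both halves of the pattern the answer describes: ingesting a secret into Key Vault from a pipeline without the value ever appearing in YAML or logs, and then reading it back through AzureKeyVault@2. Assumed names: a service connection `MyConnection` whose identity has `Key Vault Secrets Officer` (write) and `Key Vault Secrets User` (read) on `my-keyvault`, a variable group `MySecretGroup` containing a secret-type variable `NEW_SECRET_VALUE` entered once in the Library UI, and the target secret `my-secret-name`.

```yaml
# Added example, not code from the original answer. Assumed names: service
# connection 'MyConnection', vault 'my-keyvault', variable group 'MySecretGroup'
# with secret-type variable 'NEW_SECRET_VALUE', target secret 'my-secret-name'.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  - group: MySecretGroup   # secret-type variables are masked in logs and never appear in YAML

steps:
  # 1. Ingest: write the secret into Key Vault. The value reaches the script only
  #    through the env mapping; it is never interpolated into the script text, so
  #    the task runner cannot echo it into the log.
  - task: AzureCLI@2
    displayName: Store secret in Key Vault
    inputs:
      azureSubscription: 'MyConnection'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail          # no 'set -x': tracing would print the value
        test -n "${NEW_SECRET_VALUE:-}" || { echo "NEW_SECRET_VALUE is not set" >&2; exit 1; }
        umask 077                  # temp file readable by this user only
        tmp="$(mktemp)"
        trap 'rm -f "$tmp"' EXIT   # remove the file even if az fails
        printf '%s' "$NEW_SECRET_VALUE" > "$tmp"
        # --file keeps the value off the command line (not visible in 'ps' or shell history)
        az keyvault secret set --vault-name my-keyvault --name my-secret-name \
          --file "$tmp" --encoding utf-8 --output none
    env:
      NEW_SECRET_VALUE: $(NEW_SECRET_VALUE)   # explicit mapping: secret vars are not exported automatically

  # 2. Consume: read the secret back as a masked pipeline variable named after it.
  - task: AzureKeyVault@2
    displayName: Fetch secret from Key Vault
    inputs:
      azureSubscription: 'MyConnection'   # 'connectedServiceName' is the older alias for this input
      KeyVaultName: 'my-keyvault'
      SecretsFilter: 'my-secret-name'     # comma-separated names, or '*' for every secret
      RunAsPreJob: false                  # false: run in order, after the ingestion step above

  - bash: |
      set -euo pipefail
      # Use $APP_SECRET only as an input to the tool that needs it; never echo it.
      # Log masking redacts exact matches only, so a transformed value (base64,
      # URL-encoded, split across lines) would still leak if printed.
      test -n "${APP_SECRET:-}" || { echo "secret not fetched" >&2; exit 1; }
      echo "secret fetched"
    displayName: Use secret without logging it
    env:
      APP_SECRET: $(my-secret-name)
```

Two design points: the raw value is entered exactly once, in the Library UI as a secret-type variable, so it is absent from the repo and from pipeline YAML; and every script receives it via an `env:` mapping rather than `$(...)` macro expansion inside the script body, which is what keeps it out of the command text that the agent logs. Pipeline run history plus Key Vault diagnostic logs then give the audit trail the compliance table above refers to.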