Security is a top priority for our team. We are currently using "Variable Groups" to store our database connection strings, but I feel like having them inside Azure DevOps isn't secure enough for our compliance audits. Is there a way to pull secrets directly from Azure Key Vault during the pipeline execution so that the values never actually reside in the DevOps environment?
3 answers
The most secure approach is definitely the Azure Key Vault integration. You can link an entire Key Vault to a Variable Group in the "Library" section of Azure DevOps. This way, the secrets stay in Key Vault, and the pipeline only fetches them at runtime using the Service Principal's identity. This satisfies most SOC2 and ISO compliance requirements because Azure DevOps only stores a reference, not the actual encrypted value. Make sure your Service Connection has "Get" and "List" permissions on the Key Vault's Access Policies, or it will fail with a "Forbidden" error during the build.
Instead of linking the whole vault to a variable group, have you considered using the 'AzureKeyVault@2' task directly in your YAML steps? This allows you to pull specific secrets only when needed in a particular job. Doesn't this offer a more granular "least privilege" approach compared to importing the entire library at the start of the pipeline?
Azure DevOps automatically masks any variable marked as a "Secret" or pulled from Key Vault. Even if you try to echo it, it will show as *** in the logs.
Margaret is correct. It's a built-in feature. Just be careful with base64 encoding; sometimes if you encode a secret, the log won't recognize the encoded string and might accidentally display it.
That’s a valid point, Christopher. Using the task directly gives much tighter control. However, I’ve noticed that when I use the task, the secrets are sometimes printed in the logs if a script fails. Does the 'AzureKeyVault' task automatically mask the values with asterisks like the Variable Groups do, or do I need to manually set up output variables to ensure they stay hidden?