Cyber Security

What is the best way to manage secrets in Azure Pipelines without exposing them in YAML?

TH Asked by Thomas Moore · 10-06-2025
0 upvotes 11,092 views 0 comments
The question

Security is a top priority for our team. We are currently using "Variable Groups" to store our database connection strings, but I feel like having them inside Azure DevOps isn't secure enough for our compliance audits. Is there a way to pull secrets directly from Azure Key Vault during the pipeline execution so that the values never actually reside in the DevOps environment?

3 answers

0
SU
Answered on 15-08-2025

The most secure approach is definitely the Azure Key Vault integration. You can link an entire Key Vault to a Variable Group in the "Library" section of Azure DevOps. This way, the secrets stay in Key Vault, and the pipeline only fetches them at runtime using the Service Principal's identity. This satisfies most SOC2 and ISO compliance requirements because Azure DevOps only stores a reference, not the actual encrypted value. Make sure your Service Connection has "Get" and "List" permissions on the Key Vault's Access Policies, or it will fail with a "Forbidden" error during the build.

0
CH
Answered on 05-09-2025

Instead of linking the whole vault to a variable group, have you considered using the 'AzureKeyVault@2' task directly in your YAML steps? This allows you to pull specific secrets only when needed in a particular job. Doesn't this offer a more granular "least privilege" approach compared to importing the entire library at the start of the pipeline?

TH 10-09-2025

That’s a valid point, Christopher. Using the task directly gives much tighter control. However, I’ve noticed that when I use the task, the secrets are sometimes printed in the logs if a script fails. Does the 'AzureKeyVault' task automatically mask the values with asterisks like the Variable Groups do, or do I need to manually set up output variables to ensure they stay hidden?

0
MA
Answered on 25-10-2025

Azure DevOps automatically masks any variable marked as a "Secret" or pulled from Key Vault. Even if you try to echo it, it will show as *** in the logs.

SU 25-10-2025

Margaret is correct. It's a built-in feature. Just be careful with base64 encoding; sometimes if you encode a secret, the log won't recognize the encoded string and might accidentally display it.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session