Keyvault vs Azure devops variable group

Question

Hi ,

I am currently using azure devops pipeline variables {secret variables} in my azure devops yaml pipeline. I am concerned about security of sensitive data.

Can someone please help me to decide whether to use key vault task to fetch secrets or use a variable group instead. Also, if I link key vault secrets in azure variable groups, is there a possibility that my credentials will be exposed in any case?? Please suggest some best practices to ensure the security of sensitive information and use these credentials safely in the azure pipelines/scripts.

Answer 1

1. Key Vault Task vs. Variable Group:

• Key Vault Task:
  • Security: Fetching secrets directly from Azure Key Vault at runtime using the AzureKeyVault task is considered more secure. The secrets are never stored in the pipeline or in Azure DevOps, and they're only accessed when needed.
    • Dynamic Access: It allows for real-time retrieval of secrets, ensuring that the most up-to-date secrets are used. This is particularly beneficial if secrets change frequently.
    • Variable Group Linked to Key Vault:
      • Convenience: Linking a Key Vault to a variable group is convenient as it allows you to manage secrets centrally within Azure DevOps.
        • Exposure Risk: There is a slight risk that credentials might be exposed in logs or outputs if not handled correctly in the pipeline. Although secret variables are masked in logs, mistakes in pipeline configuration could lead to unintended exposure.

2. Potential Exposure of Credentials:

• If secrets are retrieved using a variable group linked to Key Vault, and they are improperly handled (e.g., accidentally outputted to logs or passed to tasks that log their inputs), there is a risk of exposure.
• The main risk occurs when secrets are not securely referenced, or when environment variables that contain these secrets are inadvertently printed.

3. Best Practices for Securing Sensitive Information:

• Use Key Vault Task: Prefer using the Azure Key Vault task to fetch secrets at runtime rather than storing them in variable groups. This reduces the risk of exposure since the secrets are not stored in Azure DevOps and are retrieved securely at the point of use.
• Avoid Logging Secrets: Ensure that secrets are never printed in logs. Azure DevOps masks secret variables, but ensure you don't accidentally expose them by improper use in scripts or tasks.
• Restrict Access: Limit access to the Key Vault and variable groups to only those who need it. Implement Role-Based Access Control (RBAC) to restrict who can access and manage secrets.
• Use Managed Identities: When possible, use Managed Identities for Azure resources to access the Key Vault. This removes the need for storing credentials within the pipeline altogether.
• Regularly Rotate Secrets: Ensure that secrets stored in Key Vault are regularly rotated and that the updated secrets are fetched automatically by your pipelines.
• Audit and Monitor: Use Azure Monitor and Azure Security Center to audit access to Key Vault and monitor for any unauthorized access attempts.

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

The recommendation is that you set secret variables with Azure Key Vault. See:

https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secrets?view=azure-devops&source=recommendations#use-secret-variables

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola