Crucial Exams

Microsoft DevOps Engineer Expert AZ-400 Practice Question

An organization stores client secrets in Azure Key Vault and uses a YAML pipeline in Azure DevOps to deploy resources. Compliance mandates that:

  • Secrets must never appear in logs or artifacts.
  • Only tasks that require a secret may read it at runtime.
  • Build administrators must be unable to view or export the secret values from the Azure DevOps portal. Which design meets all requirements while keeping the pipeline definition entirely in Git?

  • Commit an encrypted JSON file containing the secrets to the repository and decrypt it during the build by using a GPG private key stored as a secure file.

  • Declare the secrets directly in the YAML file by using variables with the isSecret: true attribute and reference them in the tasks.

  • Call the AzureKeyVault@2 task in the job to download only the required secrets at runtime; reference the resulting secret variables in subsequent tasks.

  • Create a variable group in Azure DevOps, manually add each secret as a secret variable, and reference the group in the pipeline.

Microsoft DevOps Engineer Expert AZ-400
Develop a security and compliance plan
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot