Microsoft DevOps Engineer Expert AZ-400 Practice Question
You store all production secrets in a single Azure Key Vault. A GitHub repository contains several workflow files, and an Azure DevOps project contains multiple YAML pipelines. You must allow both GitHub Actions and Azure Pipelines to fetch the same up-to-date secrets at runtime without copying secret values into repository files, pipeline YAML, or library variables. Secret rotation in Key Vault should require no changes to the CI/CD definitions. Which solution meets these requirements?
Export the Key Vault secrets to a .env file during deployment and commit the file to the repository for both systems to consume.
Define the secrets as environment variables in each GitHub workflow and use secure files in the Azure Pipelines Library.
Store each secret as an encrypted repository secret in GitHub and as an encrypted pipeline variable in Azure Pipelines.
In GitHub Actions, authenticate to Azure with OIDC and use an action to pull secrets directly from Key Vault; in Azure Pipelines, link a variable group to the same Key Vault and reference the variables.
Using federated OpenID Connect (OIDC) authentication in GitHub Actions lets the workflow obtain an access token for the Azure AD-backed Key Vault without storing any long-lived credentials. After the workflow has logged in with the azure/login action, the azure/keyvault-secrets (or equivalent Azure CLI) action can retrieve any required secret directly from the vault at job runtime, so new versions are picked up automatically.
In Azure Pipelines, linking a Library variable group to the same Key Vault exposes each vault secret as a pipeline variable (referenced as $(variableName)). Because the variable group is a live link, secret values are resolved on each run; rotating the secret in Key Vault does not require editing the pipeline YAML.
Storing encrypted repository or pipeline secrets (option A) or embedding environment variables or secure files (option C) duplicates secret data and must be updated after rotation. Committing a generated .env file to the repository (option D) violates the requirement to avoid storing secrets in source control.
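The two configurations described in the explanation, as an added example that is not part of the original question. The vault name `kv-prod-example`, secret name `db-password`, variable group name `kv-prod-secrets`, the `./deploy.sh` script and the `vars.AZURE_*` repository variables are assumptions. It also assumes a federated credential already exists for the repository, and that the identity on each side has permission to read secrets from the vault.

```yaml
# --- .github/workflows/deploy.yml (GitHub Actions) ---
name: deploy
on:
  push:
    branches: [main]
permissions:
  id-token: write   # lets the job request an OIDC token for federation
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          # Identifiers only, no client secret: trust comes from the federated credential
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Read secret at runtime and use it
        run: |
          # No version is given, so the current version of the secret is returned
          DB_PASSWORD="$(az keyvault secret show --vault-name kv-prod-example --name db-password --query value -o tsv)"
          echo "::add-mask::$DB_PASSWORD"   # keep the value out of later log output
          DB_PASSWORD="$DB_PASSWORD" ./deploy.sh
---
# --- azure-pipelines.yml (Azure Pipelines) ---
trigger:
  - main
variables:
  - group: kv-prod-secrets   # Library variable group linked to the same vault
pool:
  vmImage: ubuntu-latest
steps:
  - script: ./deploy.sh
    displayName: Deploy
    env:
      # Secret variables are not exported to scripts automatically; map them explicitly
      DB_PASSWORD: $(db-password)
```

Neither file contains a secret value, so rotating `db-password` in Key Vault changes what the next run receives without touching either definition.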
Microsoft DevOps Engineer Expert AZ-400
Develop a security and compliance plan