Microsoft DevOps Engineer Expert AZ-400 Practice Question
Your company stores all code in GitHub Enterprise Cloud and deploys workloads to both Azure and AWS. The security team enforces FedRAMP High rules that prohibit long-lived cloud credentials in CI/CD systems. Instead, pipelines must obtain short-lived tokens issued through OpenID Connect (OIDC) at run time. Pipeline definitions must live in the same repository as the code. You need to recommend a deployment automation solution that meets these requirements with the least additional components or custom tasks. Which solution should you choose?
Azure Pipelines classic release pipelines with environment-specific service connections that store the required cloud access keys
GitHub Actions on self-hosted runners that use repository secrets to store AWS and Azure access keys
Azure Pipelines YAML pipelines with an AWS service connection configured from long-lived access keys and an Azure service-principal secret
GitHub Actions with GitHub-hosted runners and federated OIDC credentials to Azure and AWS
GitHub Actions natively supports OIDC federation to both Azure and AWS, allowing workflows to exchange a GitHub-issued token for short-lived cloud credentials at runtime without storing any secrets. This directly satisfies the FedRAMP requirement. Furthermore, the YAML workflow file resides in the same repository as the code, meeting another key requirement.
The distractors that rely on long-lived access keys, whether stored in repository secrets or in traditional service connections, explicitly violate the security policy. While modern Azure Pipelines also supports OIDC via Workload Identity Federation for both Azure and AWS, choosing this option for a repository already in GitHub would require setting up a separate Azure DevOps project and service connections, introducing more components than the native GitHub Actions solution. Therefore, GitHub Actions is the solution that meets all requirements with the least additional components.
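As an added illustration (not part of the original question), here is a workflow file that federates to both clouds from a GitHub-hosted runner without any stored access keys. The file path, role ARN, account ID, region and variable names are placeholders chosen for this example.

```yaml
# .github/workflows/deploy.yml  (hypothetical path; added example)
name: deploy
on:
  push:
    branches: [main]

# Without id-token: write the job cannot request an OIDC token from GitHub.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest   # GitHub-hosted runner
    steps:
      - uses: actions/checkout@v4

      # AWS: the GitHub OIDC token is exchanged for temporary STS credentials.
      # The IAM role's trust policy should pin the issuer
      # token.actions.githubusercontent.com, aud = sts.amazonaws.com, and a
      # sub claim such as repo:<org>/<repo>:ref:refs/heads/main.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/example-deploy-role  # placeholder
          aws-region: us-east-1                                               # placeholder

      # Azure: a federated credential on the app registration or managed
      # identity trusts the same issuer; no client secret is supplied.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}              # assumed variable names
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # Confirm which short-lived identity each CLI is now using.
      - run: |
          aws sts get-caller-identity
          az account show
```

The client, tenant and subscription IDs are identifiers rather than credentials, so they can live in configuration variables; what limits which workflows may assume the identity is the subject condition on each cloud's trust configuration.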
Design and implement build and release pipelines