user527614

Reputation: 533

Need recommendation on updating secrets to KeyVault

I am deploying an Azure function app that calls a backend API which is secured by API keys. The app will be deployed using an Azure DevOps pipeline; the API key will be stored as a secret in KeyVault. I am using Bicep files for the infra definition and a YAML pipeline for deploying the infra and application. Below are the questions I have w.r.t. KeyVault updates:

  1. Should the pipeline be responsible for updating secrets in KeyVault? If so, is it recommended to maintain secrets in a DevOps variable group (padlocked), or is there a better/more secure approach?
  2. Should the secrets in KeyVault be updated/maintained manually? Going with this approach, our pipelines will be less mature as there would still be manual intervention/not-immutable - consider there is recreation of an environment.

I would like to know the best practices on the above, thanks.

Upvotes: 0

Views: 713

Answers (1)

rickvdbosch

Reputation: 15601

Probably the answer is it depends. Which makes this question one that might get some opinion-based answers. If you look at the Microsoft documentation, it states:

Don't set secret variables in your YAML file. Operating systems often log commands for the processes that they run, and you wouldn't want the log to include a secret that you passed in as an input. Use the script's environment or map the variable within the variables block to pass secrets to your pipeline.

You need to set secret variables in the pipeline settings UI for your pipeline. These variables are scoped to the pipeline in which you set them. You can also set secret variables in variable groups.

Source: Define variables - Set secret variables

Despite this, you should ask yourself the question where the ownership of those secrets lies. And the owner should be the one in charge.

  • Maintaining these secrets in KeyVault means you don't even need secrets in your pipeline. This means a clear separation of responsibilities.
  • Maintaining these secrets in your pipeline enables you to update them together with the code that uses them. This ties the secret to the consuming code.

Both are good scenarios depending on where the responsibility lies.

Upvotes: 1
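The first bullet of the answer, with the Function App reading the API key from Key Vault at runtime so the pipeline never handles the secret value, as an added Bicep example that is not from the question or the answer. The resource names, the secret name `backend-api-key`, the app setting name `BackendApiKey`, and the worker runtime are assumptions; the secret value itself is deliberately not deployed here, so whoever owns the secret (manual process or a separate pipeline) writes it into the vault.

```bicep
// Added example, not from the question or answer. Assumed names throughout.
param location string = resourceGroup().location
param functionAppName string
param keyVaultName string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true   // RBAC instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true     // a deleted secret cannot be purged immediately
  }
}

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: '${functionAppName}-plan'
  location: location
  kind: 'functionapp'
  sku: { name: 'Y1', tier: 'Dynamic' }
}

resource func 'Microsoft.Web/sites@2023-01-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: { type: 'SystemAssigned' }   // identity used to resolve the reference
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' }   // assumed runtime
        // AzureWebJobsStorage is omitted here; add the storage settings your app needs.
        // Key Vault reference: the platform resolves the value, no secret in Bicep or pipeline.
        { name: 'BackendApiKey', value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=backend-api-key)' }
      ]
    }
  }
}

// Built-in "Key Vault Secrets User" role, scoped to this vault only (read secrets, nothing else).
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, func.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: func.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

With this layout the deploying pipeline's service connection needs no rights to read secret values, and rotating the key is a write to the vault followed by the app picking up the new value, with no pipeline change.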
