AZ-400 · Question #451
AZ-400 Question #451: Real Exam Question with Answer & Explanation
This question tests your knowledge of storing secrets in Azure Key Vault and making them accessible to Azure Pipelines securely. You need to configure both Key Vault storage and pipeline integration correctly.
Question
Hotspot Question
You have an Azure subscription that contains an Azure key vault named Vault1, an Azure pipeline named Pipeline1, and an Azure SQL database named DB1. Pipeline1 is used to deploy an app that will authenticate to DB1 by using a password.
You need to store the password in Vault1. The solution must ensure that the password can be accessed by Pipeline1.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation
Approach. First, you should store the password as a Secret in Azure Key Vault (Vault1) - not a Key or Certificate - because passwords are sensitive string values best represented as secrets. Second, you need to link the Key Vault to the Azure Pipeline by adding an Azure Key Vault task or creating a Variable Group in Azure DevOps that is linked to Vault1, which allows Pipeline1 to retrieve the secret at runtime. The pipeline must also have an authorized service connection (Service Principal) with 'Get' and 'List' permissions on Vault1's secrets via an Access Policy or RBAC role (Key Vault Secrets User). This ensures the password is never stored in plain text in the pipeline and is retrieved securely from Key Vault during execution.
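The approach above as a pipeline definition for Pipeline1, using the Azure Key Vault task to read the password from Vault1 at runtime. This is an added example, not part of the original question or of Microsoft's documentation; the service connection name, the secret name and the deploy script are hypothetical.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the question.
# Prerequisite: the service principal behind the service connection has
# Get and List permissions on Vault1's secrets (access policy), or the
# Key Vault Secrets User role (RBAC).

trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # Retrieve the secret from Vault1 when the job runs. The value becomes
  # a secret pipeline variable named after the Key Vault secret and is
  # masked in the pipeline logs.
  - task: AzureKeyVault@2
    displayName: Fetch DB1 password from Vault1
    inputs:
      azureSubscription: vault1-service-connection  # hypothetical service connection name
      KeyVaultName: Vault1
      SecretsFilter: DB1-Password                   # hypothetical secret name; '*' would fetch every secret
      RunAsPreJob: false

  # Secret variables are not exposed to scripts as environment variables
  # automatically; map the one the step needs explicitly, and only on the
  # step that needs it.
  - script: ./deploy.sh                             # hypothetical deployment script
    displayName: Deploy app
    env:
      DB_PASSWORD: $(DB1-Password)
```

Limiting `SecretsFilter` to the single secret the deployment uses keeps the rest of Vault1's secrets out of the job's variable set.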
Concept tested. Azure Key Vault secret storage and Azure Pipelines integration - specifically how to store a password as a Key Vault Secret and grant a pipeline access to it using Variable Groups or the Key Vault task with appropriate service principal permissions.
Reference. https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops