Minimizing Infrastructure Credential Leaks in Azure DevOps

Best Solution to Minimize Infrastructure Credential Leaks

Question

Your company has a project in Azure DevOps for a new web application.

The company identifies security as one of the highest priorities.

You need to recommend a solution to minimize the likelihood that infrastructure credentials will be leaked.

What should you recommend?

Answers

Explanations

A. B. C. D.

B

Azure Key Vault provides a way to securely store credentials and other keys and secrets.

The Set-AzureKeyVaultSecret cmdlet creates or updates a secret in a key vault in Azure Key Vault.

https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultsecret

To minimize the likelihood of infrastructure credentials being leaked in an Azure DevOps pipeline, the recommended solution is to use Azure Key Vault to securely store and manage the secrets and keys required by the pipeline.

Option A, adding a Run Inline Azure PowerShell task to the pipeline, is not a recommended solution for securing credentials. It is a task that enables running a PowerShell script in the pipeline, but it does not provide any additional security.

Option B, adding a PowerShell task to the pipeline and running Set-AzureKeyVaultSecret, is a step in the right direction but it is not enough. Set-AzureKeyVaultSecret is a cmdlet used to set a secret in Azure Key Vault, but it requires authentication credentials to be provided to access the key vault, and these credentials can still be leaked if not handled properly.

Option C, adding an Azure Key Vault task to the pipeline, is the recommended solution for securely retrieving secrets and keys from Azure Key Vault during the pipeline run. The Azure Key Vault task enables the pipeline to authenticate to Azure Key Vault using a service principal, and then retrieve the required secrets and keys securely without exposing the credentials.
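The Azure Key Vault task described above, as an added example pipeline that is not part of the original page. The service connection, vault, secret and script names are hypothetical placeholders.

```yaml
# Added example: azure-pipelines.yml that pulls a secret from Key Vault at run time
# instead of storing it in the repository or in a plaintext pipeline variable.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # The task authenticates with the service principal behind the service
  # connection and downloads the listed secrets as masked pipeline variables.
  - task: AzureKeyVault@2
    displayName: Fetch deployment secrets from Key Vault
    inputs:
      azureSubscription: webapp-prod-connection   # hypothetical service connection
      KeyVaultName: kv-webapp-prod                # hypothetical vault name
      SecretsFilter: 'SqlAdminPassword'           # hypothetical secret; list names rather than '*'
      RunAsPreJob: false

  # Secret variables are not exported to scripts automatically.
  # Map each one explicitly, and only on the step that needs it.
  - bash: |
      set -euo pipefail
      # Fail early if the secret is missing, without printing its value.
      : "${SQL_ADMIN_PASSWORD:?secret not available}"
      ./deploy.sh   # hypothetical script that reads SQL_ADMIN_PASSWORD
    displayName: Deploy with the secret passed via environment
    env:
      SQL_ADMIN_PASSWORD: $(SqlAdminPassword)
```

The service principal behind the service connection needs only Get and List permissions on secrets in the vault.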

Option D, adding Azure Key Vault references to Azure Resource Manager templates, is another way to securely retrieve secrets and keys from Azure Key Vault, but it is not directly related to securing infrastructure credentials in an Azure DevOps pipeline.

Therefore, the recommended solution for minimizing the likelihood that infrastructure credentials will be leaked in an Azure DevOps pipeline is to add an Azure Key Vault task to the pipeline (Option C).