
AZ-400 Exam - Question 161


You use release pipelines in Azure Pipelines to deploy an app. Secrets required by the pipeline are stored as pipeline variables. Logging of commands is enabled for the Azure Pipelines agent.

You need to prevent the values of the secrets from being logged.

What should you do?

Correct Answer: A

To prevent secrets from being logged in Azure Pipelines when logging of commands is enabled, you should store the secrets in environment variables instead of pipeline variables. This approach reduces the risk of the secrets appearing in the logs, as environment variables are typically not logged by default. Passing secrets on the command line or echoing them to the command line would not be secure, and simply adding a prefix to their names does not ensure their protection.

Discussion

9 comments
markp Option: A
Sep 15, 2022

A is correct. But the provided link and explanation are not totally correct. The question is about Classic Release (not YAML), so the correct explanation is from here: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=classic%2Cbatch We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.

zellck Option: A
Jun 3, 2023

A is the answer. https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash#secret-variable-in-the-ui We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables. You'll need to map secret variable as environment variables to reference them in YAML pipelines.
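
The mapping described in the documentation quoted above, as an added example that is not part of any comment in this thread or of Microsoft's documentation: a YAML pipeline fragment with the command-line form beside the environment-variable form. `DeployToken`, `DEPLOY_TOKEN`, `deploy.sh` and the URL are hypothetical names.

```yaml
# Added illustration. DeployToken is a hypothetical secret variable set in the
# pipeline UI; deploy.sh and the URL are placeholders.
steps:
# Weak: macro syntax expands the secret into the script text, so deploy.sh is
# started with the token in its argument list, where OS-level command-line
# logging and process listings can record it.
- script: ./deploy.sh --token "$(DeployToken)"
  displayName: Deploy (secret on the command line)

# Preferred: map the secret into this step's environment explicitly.
# Secret variables are not exposed to scripts as environment variables
# unless they are mapped like this.
- script: ./deploy.sh
  displayName: Deploy (secret mapped to environment)
  env:
    DEPLOY_TOKEN: $(DeployToken)

# Inside a script, keep the value out of child-process arguments as well:
# printf is a shell builtin, and curl reads the header from stdin.
- bash: |
    set -euo pipefail
    : "${DEPLOY_TOKEN:?DEPLOY_TOKEN was not mapped for this step}"
    printf 'header = "Authorization: Bearer %s"\n' "$DEPLOY_TOKEN" |
      curl --fail --silent --show-error --config - https://deploy.example.invalid/release
  displayName: Call deployment API
  env:
    DEPLOY_TOKEN: $(DeployToken)
```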

xRiot007
Jul 17, 2023

An even better approach would be to get them from a key vault. Your machine could be compromised and then those environment variables are secrets no more.

Fal991l Option: C
Mar 31, 2023

Option A, storing secrets in environment variables instead of pipeline variables, is a valid approach to prevent secrets from being logged during pipeline execution. However, it is not the most optimal solution for this scenario.

Fal991l
Mar 31, 2023

While environment variables are not logged by default, they can be accidentally exposed through logs or other sources, and their values can be visible in the running process of the task. Additionally, environment variables are typically accessible to all tasks running in the pipeline, which could potentially increase the attack surface if an attacker gains access to the pipeline. By applying a prefix of "secret" to the name of the pipeline variables, as suggested in option C, the variables are automatically marked as secret variables in Azure Pipelines, and their values are not logged by default during pipeline execution. This provides a more secure approach to handling secrets in pipelines and reduces the risk of accidental exposure. Therefore, while option A is not necessarily incorrect, option C is a better solution for securing secrets in Azure Pipelines.

Aravindking
May 31, 2023

Bard AI response to the question -- Applying a prefix of secret to the name of the variables is not a secure way to protect secrets. This is because the Azure Pipelines agent logs all variables, regardless of their name. This means that the values of the secrets would be exposed in the logs, even if they are prefixed with the word "secret". Hence option A is correct.

garbas
Sep 18, 2023

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables#variable-naming-restrictions "Don't use variable prefixes reserved by the system. These are: endpoint, input, secret, path, and securefile. Any variable that begins with one of these strings (regardless of capitalization) won't be available to your tasks and scripts."

syu31svc Option: A
Sep 1, 2022

Answer is supported by provided link

Aravindking Option: A
May 31, 2023

The correct answer is A. Bard AI explanation -- Storing secrets in the environment variables instead of the pipeline variables will prevent the values of the secrets from being logged. This is because environment variables are not logged by the Azure Pipelines agent. Option C is not correct - The statement that by applying a prefix of "secret" to the name of the pipeline variables, the variables are automatically marked as secret variables in Azure Pipelines, and their values are not logged by default during pipeline execution is not true.

renzoku Option: A
Jul 19, 2023

A. Store the secrets in the environment variables instead of the pipeline variables. Environment variables are not shown in the build logs unless you explicitly log them as part of your pipeline script. If you store secrets in pipeline variables, they can be easily accessed and potentially exposed in the logs; by default, pipeline variables are logged in plaintext in the build logs.

ozbonny Option: A
Feb 22, 2024

A. Store the secrets in the environment variables instead of the pipeline variables.

4bd3116 Option: C
Jun 3, 2024

By applying a prefix such as "secret" to the name of the variables, Azure Pipelines automatically redacts the values of these variables from being logged in the pipeline logs. This approach ensures that even if logging of commands is enabled for the Azure Pipelines agent, sensitive information such as secret values will not be exposed in the logs.

sieunhantanbao
Jul 16, 2024

This is incorrect. https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#variable-naming-restrictions User-defined and environment variables can consist of letters, numbers, ., and _ characters. Don't use variable prefixes reserved by the system. These are: endpoint, input, secret, path, and securefile. Any variable that begins with one of these strings (regardless of capitalization) won't be available to your tasks and scripts.

Miten94
Jun 23, 2024

Came in Exam June 23, 2024