Exam AZ-400 topic 4 question 56 discussion

Actual exam question from Microsoft's AZ-400
Question #: 56
Topic #: 4

You use release pipelines in Azure Pipelines to deploy an app. Secrets required by the pipeline are stored as pipeline variables. Logging of commands is enabled for the Azure Pipelines agent.
You need to prevent the values of the secrets from being logged.
What should you do?

  • A. Store the secrets in the environment variables instead of the pipeline variables.
  • B. Pass the secrets on the command line instead of in the pipeline variables.
  • C. Apply a prefix of secret to the name of the variables.
  • D. Echo the values of the secrets to the command line.
Suggested Answer: A

Comments

Miten94
10 months, 3 weeks ago
Came in Exam June 23, 2024
upvoted 1 times
4bd3116
11 months, 1 week ago
Selected Answer: C
By applying a prefix such as "secret" to the name of the variables, Azure Pipelines automatically redacts the values of these variables from being logged in the pipeline logs. This approach ensures that even if logging of commands is enabled for the Azure Pipelines agent, sensitive information such as secret values will not be exposed in the logs.
upvoted 1 times
sieunhantanbao
9 months, 4 weeks ago
This is incorrect. https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#variable-naming-restrictions User-defined and environment variables can consist of letters, numbers, ., and _ characters. Don't use variable prefixes reserved by the system. These are: endpoint, input, secret, path, and securefile. Any variable that begins with one of these strings (regardless of capitalization) won't be available to your tasks and scripts.
upvoted 1 times
ozbonny
1 year, 2 months ago
Selected Answer: A
A. Store the secrets in the environment variables instead of the pipeline variables.
upvoted 1 times
renzoku
1 year, 9 months ago
Selected Answer: A
A. Store the secrets in the environment variables instead of the pipeline variables. Environment variables are not shown in the build logs unless you explicitly log them as part of your pipeline script. Store secrets in pipeline variables, they can be easily accessed and potentially exposed in the logs, by default, pipeline variables are logged in plaintext in the build logs.
upvoted 1 times
zellck
1 year, 11 months ago
Selected Answer: A
A is the answer. https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash#secret-variable-in-the-ui We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables. You'll need to map secret variable as environment variables to reference them in YAML pipelines.
upvoted 3 times
xRiot007
1 year, 9 months ago
An even better approach would be to get them from a key vault. Your machine could be compromised and then those environment variables are secrets no more.
upvoted 2 times
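The documentation passage quoted in the answer above ("Some operating systems log command line arguments. Never pass secrets on the command line.") can be reproduced locally. The following is an added example, not part of the original thread and not Azure Pipelines code: it uses the shell's `-x` trace as a stand-in for command logging, and `SAMPLE_SECRET`, `DEPLOY_TOKEN` and the deploy tool are constructed, hypothetical names.

```shell
#!/bin/sh
# Added example: local simulation only, not Azure Pipelines itself.
# SAMPLE_SECRET is a constructed value standing in for a secret variable.
SAMPLE_SECRET='constructed-token-12345'

# Hypothetical deploy tool: takes the token from "--token VALUE" on its
# command line, or from the DEPLOY_TOKEN environment variable otherwise.
make_tool() {
  tool_path=$(mktemp) || return 1
  cat >"$tool_path" <<'EOF'
[ -n "${2:-$DEPLOY_TOKEN}" ] && echo "deployed"
EOF
  printf '%s\n' "$tool_path"
}

# Run one step in a child shell with command logging (-x) enabled.
# The secret reaches the step only as the environment variable DEPLOY_TOKEN.
# Prints the command log (trace on stderr); the step's stdout is dropped.
command_log() {
  DEPLOY_TOKEN="$SAMPLE_SECRET" TOOL="$1" sh -x -c "$2" 2>&1 >/dev/null
}

# Prints "yes" if the secret value appears in the command log, else "no".
secret_in_log() {
  if command_log "$1" "$2" | grep -qF "$SAMPLE_SECRET"; then
    echo yes
  else
    echo no
  fi
}

TOOL_FILE=$(make_tool)
# Option B: the secret is expanded onto the tool's command line.
ARG_STEP='sh "$TOOL" --token "$DEPLOY_TOKEN"'
# Option A: the tool reads the secret from its environment instead.
ENV_STEP='sh "$TOOL"'

echo "secret on command line -> in log: $(secret_in_log "$TOOL_FILE" "$ARG_STEP")"
echo "secret in environment  -> in log: $(secret_in_log "$TOOL_FILE" "$ENV_STEP")"
rm -f "$TOOL_FILE"
```

The environment-variable step keeps the value out of the logged command line only; a script that echoes the variable still writes it to its output.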
Aravindking
1 year, 11 months ago
Selected Answer: A
The correct answer is A. Bard AI explanation -- Storing secrets in the environment variables instead of the pipeline variables will prevent the values of the secrets from being logged. This is because environment variables are not logged by the Azure Pipelines agent. option C is not correct - The statement that by applying a prefix of "secret" to the name of the pipeline variables, the variables are automatically marked as secret variables in Azure Pipelines, and their values are not logged by default during pipeline execution is not true.
upvoted 1 times
Fal991l
2 years, 1 month ago
Selected Answer: C
Option A, storing secrets in environment variables instead of pipeline variables, is a valid approach to prevent secrets from being logged during pipeline execution. However, it is not the most optimal solution for this scenario.
upvoted 2 times
Fal991l
2 years, 1 month ago
While environment variables are not logged by default, they can be accidentally exposed through logs or other sources, and their values can be visible in the running process of the task. Additionally, environment variables are typically accessible to all tasks running in the pipeline, which could potentially increase the attack surface if an attacker gains access to the pipeline. By applying a prefix of "secret" to the name of the pipeline variables, as suggested in option C, the variables are automatically marked as secret variables in Azure Pipelines, and their values are not logged by default during pipeline execution. This provides a more secure approach to handling secrets in pipelines and reduces the risk of accidental exposure. Therefore, while option A is not necessarily incorrect, option C is a better solution for securing secrets in Azure Pipelines.
upvoted 2 times
Aravindking
1 year, 11 months ago
Bard AI response to the question -- Applying a prefix of secret to the name of the variables is not a secure way to protect secrets. This is because the Azure Pipelines agent logs all variables, regardless of their name. This means that the values of the secrets would be exposed in the logs, even if they are prefixed with the word "secret". hence option A is correct
upvoted 2 times
garbas
1 year, 7 months ago
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables#variable-naming-restrictions "Don't use variable prefixes reserved by the system. These are: endpoint, input, secret, path, and securefile. Any variable that begins with one of these strings (regardless of capitalization) won't be available to your tasks and scripts."
upvoted 2 times
markp
2 years, 7 months ago
Selected Answer: A
A is correct. But provided link and explanation are not totally correct. The question is about Classic Release (not YAML), so the correct explanation is from here: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=classic%2Cbatch We make an effort to mask secrets from appearing in Azure Pipelines output, but you still need to take precautions. Never echo secrets as output. Some operating systems log command line arguments. Never pass secrets on the command line. Instead, we suggest that you map your secrets into environment variables.
upvoted 3 times
syu31svc
2 years, 8 months ago
Selected Answer: A
Answer is supported by provided link
upvoted 1 times