Secrets (API keys, passwords, certificates) must never appear in IaC files, CI logs, or state files. Azure Key Vault + Key Vault references in ARM/Bicep, SOPS-encrypted .tfvars, and Vault dynamic credentials are the production patterns.
Secrets lifecycle pipeline from creation to rotation and expiry alerting.
Use system-assigned or user-assigned Managed Identity to access Key Vault from compute. No client secret to store, rotate, or leak. Grant Key Vault Secrets User role on the vault.
App Service and Azure Functions support Key Vault references in app settings: @Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/mykey/). The secret is fetched at runtime — not stored in the app config.
Use Mozilla SOPS to encrypt sensitive .tfvars files with Azure Key Vault keys before committing to git. Decrypt at apply time in CI using the service principal Managed Identity. No secrets in git history.
Key Vault + Event Grid + Azure Functions enables zero-touch rotation: when a secret nears expiry, Event Grid fires an event, the function generates a new secret, updates KV, and notifies consumers.
WARNING: Terraform state may contain secret values in plaintext if they appear in resource attribute blocks. Use Key Vault data sources and avoid writing secrets to resource attributes where possible.
HashiCorp Vault dynamic credentials for Azure: instead of storing SP credentials, Vault generates short-lived Azure SP credentials on demand. Automatically revoked after TTL. Best-in-class for CI pipelines.
Sign in to share your feedback and join the discussion.