Exam AZ-400 topic 4 question 17 discussion

https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/ Task 3 Step 6 - The answer for part 1 should definitely be ARM

Here is what the link (link: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops] provided states under 'Prerequisites': "An Azure subscription linked to Azure Pipelines or Team Foundation Server using the Azure Resource Manager service connection." Answer #1 is CORRECT (Team Foundation Server / Azure Pipelines service connection). It appears that the answer is worded wrongly or even poorly, but is CORRECT. As for Answer #2, specified in the second link provided [link: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]: "Managed identities eliminate the need for developers to manage credentials." So, as specified in the question -- "Avoid persisting credentials and tokens in Azure DevOps." Answer #2 is CORRECT (Managed Service Identity Authentication), as it states in the link, "Managed identities eliminate the need for developers to manage credentials."

Copilot : Service connection type: Azure Resource Manager Authentication/authorization method for the connection: Managed Service Identity Authentication

Service connection type: Azure Resource Manager Authentication/authorization method for the connection: Managed Service Identity (MSI) Azure Resource Manager service type: This service connection type specifically targets Azure resources, including Key Vault. It allows your pipeline to interact with Key Vault using the Managed Service Identity assigned to the Azure DevOps project. Managed Service Identity (MSI) authentication: This eliminates the need to store sensitive information like credentials or tokens within your pipeline. Instead, the pipeline leverages its assigned MSI to access resources securely. Azure automatically manages and rotates the MSI credentials, enhancing security and reducing the risk of exposure.

ARM and Manage Identity

copilot says : GitHub Copilot To configure a service endpoint for accessing Azure Key Vault secrets without persisting credentials and tokens in Azure DevOps, you should use Managed Service Identity (MSI). Here are the steps: Enable Managed Service Identity (MSI) on your Azure DevOps. This will create an identity for your Azure DevOps in Azure Active Directory. Assign the necessary permissions to the MSI in Azure Key Vault. You can do this by adding an access policy in Key Vault that gives the MSI the necessary permissions (like Get, List) to retrieve secrets. In Azure DevOps, when creating the service connection for Azure Key Vault, choose "Managed identity" as the Authentication method. This way, Azure DevOps will use the managed identity to authenticate to Azure Key Vault and retrieve secrets, and you won't need to store any credentials or tokens in Azure DevOps.

ARM and Managed Service

Final Answer After all comments analysis: 1. Azure Resource Manager 2. Managed Service Identity Authentication

Can we discourage people posting answers from ChatGPT? I can use that myself and it's often wrong on the simplest things!

Following the URLs provided by Lyonel, it seems that provided answer is correct

According to ChatGPT, and the usual way of doing things: " To configure a service endpoint for accessing Azure Key Vault secrets while meeting the given requirements, you should use the Azure Resource Manager service endpoint type. Here are the steps to configure the service endpoint: In Azure DevOps, navigate to the project where you want to create the service endpoint. Go to Project Settings and select Service connections under Pipelines. Click on New service connection and select Azure Resource Manager."

AzureResourceManager, Managed Service Identity Authentication Step1: Enabled KV for ARM deployment Ste[2: To the devops project, add a ARM service connection and select ARM Service Identity for authentication, provide your cloud subscription, tenant id, provide a name for service connection, grant permission to all pipelines, save.

Azure Pipelines supports the following service connection types by default. Any service connection other than ARM doesnt look relevant. Azure Classic | Azure Repos/TFS | Azure Resource Manager | Azure Service Bus | Bitbucket | Chef | Docker hub or others | Other Git | Generic | GitHub | GitHub Enterprise Server | Jenkins | Kubernetes | Maven | npm | NuGet | Python package download | Python package upload | Service Fabric | SSH | Subversion | Visual Studio App Center |

azureresourcemanager & managed identity

https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops "An Azure subscription linked to Azure Pipelines or Team Foundation Server using the Azure Resource Manager service connection." Service connection is ARM "Avoid persisting credentials and tokens" so this would be managed identity for authentication

ARM and MI are correct.

Arm + Managed identity (to not store, access token etc..)