An important security element is the handling of secrets. When deploying an application, there are always secrets involved. Especially when deploying to the cloud, that is, over the internet, handling these access keys in a secure way is very important. Besides the secrets that are necessary for deployment, there are also secrets that need to be inserted into the runtime configuration of an application. A common example is for accessing the database.

In Chapter 6, Infrastructure and Configuration as Code, multiple mechanisms for delivering application configurations were discussed, including Azure Resource Manager (ARM) templates. However, templates require the input of external secrets, since they cannot be stored in parameter files in source control.

If secrets cannot be stored in source control, then where should they be stored instead? Common options include storing secrets in service connections or in variable groups.