# Credential Management
All credential handling in the Azure Local Load Testing Framework follows the principle of least privilege. Credentials are never hardcoded in scripts or configuration files.
## Credential Sources
The CredentialManager module supports three credential retrieval modes:
| Source | How It Works | Best For |
|---|---|---|
| Key Vault | Retrieves secrets from Azure Key Vault via managed identity or service principal | CI/CD pipelines, production environments |
| Interactive | Prompts the user with `Get-Credential` | Development, manual testing |
| Parameter | Accepts a `[PSCredential]` object passed directly | Scripted orchestration, testing |
## Using Credentials in Scripts

```powershell
# Key Vault mode
$cred = Get-ManagedCredential -Name "cluster_admin" -Source KeyVault

# Interactive mode
$cred = Get-ManagedCredential -Name "cluster_admin" -Source Interactive

# Parameter mode
$cred = Get-ManagedCredential -Name "cluster_admin" -Source Parameter -Credential $myCred
```

All scripts accept a `-CredentialSource` parameter:

```powershell
.\Invoke-VMFleetPipeline.ps1 `
    -ClusterConfig "config/clusters/my-cluster.yml" `
    -CredentialSource KeyVault
```
## Key Vault Configuration

The `config/credentials/keyvault-config.yml` file maps logical credential names to Key Vault secrets:

```yaml
keyvault:
  name: "my-keyvault-name"
  resource_group: "my-rg"
  secrets:
    cluster_admin_password: "hci-cluster-admin-pwd"
    cluster_admin_username: "hci-cluster-admin-user"
    azure_client_secret: "sp-client-secret"
```
## Deploying Key Vault Infrastructure

Use the provided Bicep template:

```powershell
az deployment group create `
    -g "my-resource-group" `
    -f "common/bicep/keyvault.bicep" `
    -p vaultName="my-keyvault-name"
```
## CI/CD Credential Patterns
| Platform | Credential Mechanism |
|---|---|
| GitHub Actions | GitHub Secrets → environment variables → -CredentialSource Parameter |
| Azure DevOps | Service Connections or Variable Groups → pipeline variables |
| GitLab CI | CI/CD Variables (masked) → environment variables |
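As an added example (not the framework's own `CredentialManager` code), the following PowerShell shows how the three modes above and the CI pattern in the table fit together: a resolver that maps a logical name through `keyvault-config.yml` to Key Vault secrets, and a CI entry point that builds the Parameter-mode credential from environment variables. The function name, the `CLUSTER_ADMIN_USER` / `CLUSTER_ADMIN_PASSWORD` variable names, and the use of the Az.KeyVault and powershell-yaml modules are assumptions.

```powershell
# Added example, not the framework's code. Assumes Az.KeyVault (Get-AzKeyVaultSecret)
# and powershell-yaml (ConvertFrom-Yaml), and the keyvault-config.yml layout on this page.
function Resolve-ExampleCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,           # logical name, e.g. "cluster_admin"
        [ValidateSet('KeyVault', 'Interactive', 'Parameter')]
        [string] $Source = 'KeyVault',
        [pscredential] $Credential,                      # only used in Parameter mode
        [string] $ConfigPath = 'config/credentials/keyvault-config.yml'
    )
    switch ($Source) {
        'Parameter' {
            if (-not $Credential) { throw "Parameter mode requires -Credential" }
            $result = $Credential
        }
        'Interactive' {
            $result = Get-Credential -Message "Enter credential '$Name'"
        }
        'KeyVault' {
            $cfg = ConvertFrom-Yaml (Get-Content -Path $ConfigPath -Raw)
            # Logical name -> secret names, following the <name>_username / <name>_password keys
            $userSecret = $cfg.keyvault.secrets["${Name}_username"]
            $pwdSecret  = $cfg.keyvault.secrets["${Name}_password"]
            if (-not $userSecret -or -not $pwdSecret) {
                throw "No Key Vault mapping for '$Name' in $ConfigPath"
            }
            $vault = $cfg.keyvault.name
            # Only the username is read as plain text; the password stays a SecureString
            $user   = Get-AzKeyVaultSecret -VaultName $vault -Name $userSecret -AsPlainText
            $secret = (Get-AzKeyVaultSecret -VaultName $vault -Name $pwdSecret).SecretValue
            $result = [pscredential]::new($user, $secret)
        }
    }
    # Audit trail: log the access and the identity, never the secret value
    Write-Verbose ("Credential '{0}' resolved via {1} for user '{2}' (password masked)" -f `
        $Name, $Source, $result.UserName)
    return $result
}

# CI usage: GitHub Secrets -> environment variables -> Parameter mode (names assumed)
if ($env:CLUSTER_ADMIN_USER -and $env:CLUSTER_ADMIN_PASSWORD) {
    $secure = ConvertTo-SecureString -String $env:CLUSTER_ADMIN_PASSWORD -AsPlainText -Force
    $ciCred = [pscredential]::new($env:CLUSTER_ADMIN_USER, $secure)
    $cred   = Resolve-ExampleCredential -Name 'cluster_admin' -Source Parameter -Credential $ciCred -Verbose
}
```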
## Security Practices

- All credential access is logged — values are masked in logs for the audit trail
- Key Vault access should use managed identity where possible
- Rotate secrets on a regular schedule
- Use `sensitive: true` in `master-environment.yml` to flag variables that must come from Key Vault
- Never commit credentials to the repository — use `.gitignore` and pre-commit hooks