diff --git a/.gitignore b/.gitignore
index cde198e80f..998287d771 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,4 +24,5 @@ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/tla/yarnregistry.t
 yarnregistry.pdf
 hadoop-tools/hadoop-aws/src/test/resources/auth-keys.xml
 hadoop-tools/hadoop-aws/src/test/resources/contract-test-options.xml
+hadoop-tools/hadoop-azure/src/test/resources/azure-auth-keys.xml
 patchprocess/
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index e1addb2c38..016fec86e1 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -916,6 +916,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-12472. Make GenericTestUtils.assertExceptionContains robust.
     (Steve Loughran via jing9)
 
+    HADOOP-12520. Use XInclude in hadoop-azure test configuration to isolate
+    Azure Storage account keys for service integration tests. (cnauroth)
+
   OPTIMIZATIONS
 
     HADOOP-11785. Reduce the number of listStatus operation in distcp
diff --git a/hadoop-tools/hadoop-azure/src/site/markdown/index.md b/hadoop-tools/hadoop-azure/src/site/markdown/index.md
index 0d69ccf737..9d0115afe0 100644
--- a/hadoop-tools/hadoop-azure/src/site/markdown/index.md
+++ b/hadoop-tools/hadoop-azure/src/site/markdown/index.md
@@ -226,18 +226,25 @@ following failure message:
 
 To resolve this, restart the Azure Emulator.  Ensure it v3.2 or later.
 
-It's also possible to run tests against a live Azure Storage account by adding
-credentials to `src/test/resources/azure-test.xml` and setting
+It's also possible to run tests against a live Azure Storage account by saving a
+file to `src/test/resources/azure-auth-keys.xml` and setting
 `fs.azure.test.account.name` to the name of the storage account.
 
 For example:
 
-    <property>
-      <name>fs.azure.account.key.youraccount.blob.core.windows.net</name>
-      <value>YOUR ACCESS KEY</value>
-    </property>
+    <?xml version="1.0"?>
+    <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+    <configuration>
+      <property>
+        <name>fs.azure.account.key.youraccount.blob.core.windows.net</name>
+        <value>YOUR ACCESS KEY</value>
+      </property>
 
-    <property>
-      <name>fs.azure.test.account.name</name>
-      <value>youraccount</value>
-    </property>
+      <property>
+        <name>fs.azure.test.account.name</name>
+        <value>youraccount</value>
+      </property>
+    </configuration>
+
+DO NOT ADD azure-auth-keys.xml TO REVISION CONTROL.  The keys to your Azure
+Storage account are a secret and must not be shared.
diff --git a/hadoop-tools/hadoop-azure/src/test/resources/azure-test.xml b/hadoop-tools/hadoop-azure/src/test/resources/azure-test.xml
index 75b466d5c8..00611fc1a5 100644
--- a/hadoop-tools/hadoop-azure/src/test/resources/azure-test.xml
+++ b/hadoop-tools/hadoop-azure/src/test/resources/azure-test.xml
@@ -15,7 +15,7 @@
 
 <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
 <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- 
+
   <!-- For tests against live azure, provide the following account information -->
   <!--
   <property>
@@ -26,8 +26,16 @@
     <name>fs.azure.account.key.{ACCOUNTNAME}.blob.core.windows.net</name>
     <value>{ACCOUNTKEY}</value>
   </property>
-  -->  
-  
+  -->
+
+  <!-- Save the above configuration properties in a separate file named -->
+  <!-- azure-auth-keys.xml in the same directory as this file. -->
+  <!-- DO NOT ADD azure-auth-keys.xml TO REVISION CONTROL.  The keys to your -->
+  <!-- Azure Storage account are a secret and must not be shared. -->
+  <include xmlns="http://www.w3.org/2001/XInclude" href="azure-auth-keys.xml">
+    <fallback />
+  </include>
+
   <!-- For tests against azure-emulator -->
   <!--
   <property>