Using Azure Key Vault secrets in Azure DevOps Pipelines

Lee Dale
5 min read · Mar 23, 2022

Our applications use all sorts of sensitive information and it’s easy to store this sensitive information in an unsecured way. For instance, by putting database connection strings inside your appsettings.json file you can expose your database user names and passwords to others who shouldn’t have access to that information.

One way of storing secrets in a more secure way is to put those secrets inside your Azure Build Pipeline as variables.

This is a better solution as now the sensitive information is outside of the code base and stored securely inside your DevOps Pipeline. Now only users with access to the Pipeline are able to see any sensitive information. This may be OK for you but you might want to further restrict who can see this sensitive information and put it in a more secure place.

Another drawback to this solution is that you may have lots of variables that are shared across multiple pipelines. You will need to update each pipeline when you want to change a variable.

This is where the concept of Variable Groups comes in.

Variable Groups

You can create Variable Groups in your project which essentially group together a number of variables and allow those variables to be used across multiple pipelines within your project. Below is a guide on how to create a new Variable Group:

1. Click on the Library link under Pipelines

2. Click the Add Variable Group button

3. Name the Variable Group and click the Add button to start adding variables to it.

You can see I have added a new variable called SomeSecret with a value.

4. You can now click the Save button and this will create the new Variable Group.
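As an added example (not part of the original article), this is how a YAML pipeline can consume the group created above. The group name my-variable-group, the buildConfiguration variable and the SOME_SECRET environment variable name are placeholders, and it assumes SomeSecret was marked as secret in the Library and that the pipeline has been permitted to use the group.

```yaml
# azure-pipelines.yml (added example; names marked "placeholder" are not from the article)
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
# Link the Variable Group from the Library.
# "my-variable-group" is a placeholder for the name entered in step 3.
- group: my-variable-group
# Once a group is listed, inline variables must use the name/value form.
- name: buildConfiguration   # placeholder variable
  value: Release

steps:
- script: |
    # Read the value from the environment instead of interpolating
    # $(SomeSecret) into the command line, and never echo it.
    test -n "$SOME_SECRET" && echo "SOME_SECRET is available to this step"
  displayName: Use SomeSecret from the Variable Group
  env:
    # Secret variables are not exposed to scripts automatically;
    # each step that needs one has to map it explicitly.
    SOME_SECRET: $(SomeSecret)
```

Changing SomeSecret in the Library then takes effect in every pipeline that links the group, with no edit to the pipeline files.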

You now have a Variable Group you can use within your pipelines. Next is a quick detour to explain another option…

Lee Dale

I am a Lead Software Developer with a keen interest in application security. Currently studying for an MSc in Cyber Security.