What is Variable Group

• Grouping of common variables and secrets
• Variable groups store values and secrets that you might want to be passed into a YAML pipeline or make available across multiple pipelines
• Can be shared to multiple pipelines in the same project
• Variables groups are protected resources (approvals and checks can be added and pipeline permissions can be set)
• https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml

Creating Variable Group

• Azure DevOps portal > select target project
• Under pipeline > Libray
• Variable group > “+ Variable groups”

Using Variable Group in Pipeline

variables:
- group: demo-vg # contains foo & var variables


# use variables: foo & bar
# if foo and bar are not secret type variable then -> foo & bar will be available to pipeline tasks ar environment variables

# ... ... ...

Linking KeyVault Secrets to Variable Group

Prerequisites

• Create Azure KeyVault if does not exists
• Create Secrets in Azure KeyVault (these secrets will be linked to variable group)
• Enable RBAC for vault access policy (KeyVault > Access Policy > Permission model: “Azure role-based access control”)
• Create service connection
• Make sure that Service Connection “Service Principal” has “Key Vault Administrator” role assigned

Creating Variable Group

• Pipelines > Libray
• ”+ Variable Group” > Fill: Name and description
• Add variables > Save

Linking KeyVault Secrets

• Libray > Variable group > select target variable group
• Enable “Link secrets from an Azure key vault as variables”
• Select subscription and KeyVault
• ”+ Add” > select secrets
• Save

Using KeyVault Secrets to Pipeline Task

• Create a variable group and link KeyVault secrets as described in this article (previous section)
• Define variables at root (pipeline) scope mentioning varibale group (variable group linking)
• Use task env to pass required environment variables by interpolating (extracting) values from variables in “Variable Group” (which, in turn, are coming from KeyVault)
  • KeyVault secret naming restriction: does not allow “_”
  • Secret type pipeline variables are not injected as environment variables automatically

variables:
- group: kv-secret-vg # variable group linked to KeyVault secrets


jobs:
- job: DemoJob
  displayName: Demo Job
  continueOnError: false
  steps:
  - task: DemoTask@1
    inputs:
	  # ... ... ...
  env:
	DEMO_ID: $(x-id)
	DEMO_PASS: $(x-password)


# ... ... ...