Link a variable group to secrets in Azure Key Vault

Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022 | Azure DevOps Server 2020

You can create a variable group that links to existing Azure key vaults and maps selected key vault secrets to the variable group. Only the secret names are mapped to the variable group, not the secret values. When pipelines run, they link to the variable group to fetch the latest secret values from the vault at runtime.

Any changes made to the values of existing secrets in the key vault are automatically available to all the pipelines that use the variable group. However, if secrets are added to or deleted from the vault, the associated variable groups don't automatically update. You must explicitly edit the variable group to change which secrets it includes.

Although Key Vault supports storing and managing cryptographic keys and certificates in Azure, Azure Pipelines variable group integration only supports mapping key vault secrets. Cryptographic keys and certificates aren't supported.

Prerequisites

Azure DevOps:
- An Azure DevOps project.
- An Azure Resource Manager service connection for your project.
- Permissions:
    - To use service connections: Have at least the User role for the service connection.
    - To create a variable group: Have at least Creator library permission.

Azure:
- An Azure account with an active subscription. Create an account for free.
- Permissions:
    - To create a key vault: Have at least the Owner role for the subscription.

Create a key vault

If you don't have a key vault already, you can create one as follows:

  1. In the Azure portal, select Create a resource.
  2. Search for and select Key Vault, then select Create.
  3. Select your subscription.
  4. Select an existing resource group or create a new one.
  5. Enter a name for the key vault.
  6. Select a region.
  7. Select the Access and configuration tab.
  8. Select Vault access policy.
  9. Select your account as the principal.
  10. Select Review + create and then Create.

Create the variable group linked to the key vault

  1. In your Azure DevOps project, select Pipelines > Library > + Variable group.

  2. On the Variable groups page, enter a name and optional description for the variable group.

  3. Enable the Link secrets from an Azure key vault as variables toggle.

  4. Select your service connection and select Authorize.

  5. Select your key vault name and enable Azure DevOps to access the key vault by selecting Authorize next to the vault name.

  6. Select + Add and on the Choose secrets screen, select the secrets from your vault for mapping to this variable group, then select OK.

  7. Select Save to save the secret variable group.

    Screenshot of variable group with Azure key vault integration.

Key vaults with role-based access control (RBAC) permissions are not supported. Your key vault permission model must be set to Vault access policy. If you're using a key vault with RBAC permissions, you can use the following workaround to link your key vault to your variable group:

  1. Create an Azure Resource Manager (ARM) service connection.

  2. In the Azure portal, open your key vault > Access control (IAM), then grant the service connection the RBAC role your scenario needs (Key Vault Secrets User for read-only access to secrets, or Key Vault Secrets Officer if the pipeline must also manage them).

    Note

    Make sure you have the Key Vault Administrator role to create secrets.

  3. Navigate back to your Azure DevOps project, select Pipelines > Library.

  4. Select + Variable group, then enter a name for your variable group.

  5. Select the Link secrets from an Azure key vault as variables toggle to enable it.

  6. Select your service connection and select Authorize.

  7. Select your key vault name from the dropdown menu.

  8. Select + Add, choose your secret, then select OK.

  9. Select Save when you're done.

    A screenshot displaying how to link an RBAC key vault secret to a variable group.

Note

Your service connection must have at least Get and List permissions on the key vault, which you can authorize in the preceding steps. You can also provide these permissions from the Azure portal by following these steps:

  1. Open Settings for the key vault, and then choose Access configuration > Go to access policies.
  2. On the Access policies page, if your Azure Pipelines project isn't listed under Applications with at least Get and List permissions, select Create.
  3. Under Secret permissions, select Get and List, and then select Next.
  4. Select your principal, and then select Next.
  5. Select Next again, review the settings, and then select Create.
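The RBAC workaround above and this note describe the same grant made through the portal for the two permission models. The following script is an added example, not part of the Microsoft Learn page, that performs the same least-privilege grant with the Azure CLI: the Get and List secret permissions for a vault in the Vault access policy model, or the read-only Key Vault Secrets User role for a vault in the RBAC model. It assumes the `az` CLI is installed and signed in, and that you know the object ID of the service principal behind your ARM service connection; the vault name, scope and object ID used in the usage comment are constructed placeholders. Commands are printed rather than executed until you set `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): grant an Azure Pipelines
# service connection the minimum Key Vault permission it needs to read secrets,
# for either permission model the page describes.
#
# Assumptions: the Azure CLI (`az`) is installed and logged in, and the second
# argument is the object ID of the service principal behind the Azure Resource
# Manager service connection. DRY_RUN=1 (the default) prints each command
# instead of running it, so the script can be reviewed before it changes
# anything in the subscription.

DRY_RUN="${DRY_RUN:-1}"

# run_or_print: execute the command, or print it on one line when DRY_RUN=1.
run_or_print() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# grant_access_policy VAULT_NAME SP_OBJECT_ID
# Vault access policy model (the model the variable-group UI expects): grant
# only the Get and List secret permissions the page says the connection needs.
grant_access_policy() {
  vault="$1"; sp="$2"
  run_or_print az keyvault set-policy --name "$vault" --object-id "$sp" \
    --secret-permissions get list
}

# grant_rbac_role VAULT_RESOURCE_ID SP_OBJECT_ID
# RBAC model (the page's workaround): assign Key Vault Secrets User, which is
# read-only. Key Vault Secrets Officer is only needed when the pipeline must
# also create or update secrets.
grant_rbac_role() {
  scope="$1"; sp="$2"
  run_or_print az role assignment create --assignee-object-id "$sp" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$scope"
}

# grant_secret_read MODEL VAULT_OR_SCOPE SP_OBJECT_ID
# Dispatch on the vault's permission model: "policy" or "rbac".
grant_secret_read() {
  case "$1" in
    policy) grant_access_policy "$2" "$3" ;;
    rbac)   grant_rbac_role "$2" "$3" ;;
    *) echo "unknown permission model: $1 (use policy or rbac)" >&2; return 2 ;;
  esac
}

# Usage (constructed placeholder values):
#   DRY_RUN=0 sh grant.sh policy contoso-kv 00000000-0000-0000-0000-000000000000
#   DRY_RUN=0 sh grant.sh rbac /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/contoso-kv 00000000-0000-0000-0000-000000000000
if [ $# -ge 3 ]; then
  grant_secret_read "$@"
fi
```

Scope the RBAC assignment to the vault resource ID rather than the resource group or subscription, so the pipeline identity can read secrets only from the vault the variable group is linked to; the access-policy path is already per-vault by construction.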