Manage secure variables with Azure DevOps Library and Azure Pipelines

Quite often, I use secure variables in Azure Pipelines. Although I want to use them, I do not want to expose their values in the code or logs, for security reasons. Hence, I required a variable store that was secure and, at the same time, easily accessible by Azure Pipelines.

I found the solution in Azure DevOps Library. In this note, I’ll demonstrate how to create a variable group, store secure values, and reference the variables in the Azure Pipelines YAML file. I’ll also show you that the Azure Pipelines log won’t expose the variable’s value.

The variable group option is available under Azure DevOps project -> Pipelines -> Library -> Variable groups.
A variable group has a name, a set of variables and associated values, and pipeline permissions. Pipeline permissions is a list of pipelines in the project that have access to the variables and corresponding values in the variable group.
The below image is of a variable group with the name demo-one.

This variable group has two variables: SecureVariable and UnsecureVariable. The value of SecureVariable is masked due to the lock I placed on the value.
The last step is to associate the variable group with a pipeline. Please note that the pipeline should exist before adding permissions to the variable group.
I clicked on the pipeline permissions and provided the pipeline name that required access to this variable group.

In the azure-pipelines.yaml file, I accessed the variable group via the variables keyword. You may read more about that at use-a-variable-group.
You may access the azure-pipelines.yaml file from my GitHub repository: TestProjects. This pipeline only displays the values of variables accessed from the library variable group.
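
A minimal pipeline of the kind described above, as an added example (it is not the file from the author's repository). The agent image, the display names, and the environment variable name `MY_SECRET` are assumptions; the group and variable names are the ones used in this post.

```yaml
# Added example: reference the Library variable group "demo-one" and
# print both of its variables so the log masking can be observed.

pool:
  vmImage: ubuntu-latest   # assumed Microsoft-hosted agent image

variables:
  # Pulls in every variable of the group. The pipeline must be listed
  # under the group's pipeline permissions, or the run is not allowed
  # to read the group.
  - group: demo-one

steps:
  # Non-secret variables can be used with macro syntax $(name) and are
  # also exported to the script environment automatically.
  - script: echo "UnsecureVariable = $(UnsecureVariable)"
    displayName: Show unsecured variable

  # Secret (locked) variables are NOT exported to the script
  # environment automatically. Map the secret explicitly through env
  # so that only this step receives it.
  - script: |
      # The log shows "SecureVariable = ***" because the agent masks
      # the exact secret value wherever it appears in output.
      echo "SecureVariable = $MY_SECRET"

      # Prefer checking that a secret is present over printing it.
      if [ -n "$MY_SECRET" ]; then
        echo "SecureVariable is set"
      fi
    displayName: Show secured variable (masked)
    env:
      MY_SECRET: $(SecureVariable)   # MY_SECRET is a hypothetical name
```

Masking matches the exact secret string, so a script that prints a transformed copy of the value (encoded, split, or reversed) would not be masked; keep secrets out of output entirely where possible.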

I triggered a pipeline run with the pipeline and library variables in place. You may access the same here – kunduso.TestProjects.add-library-variables.

And if you access the jobs, you will see that the value of SecureVariable was masked, even in the logs, while the value of UnsecureVariable was not.
There are several ways to pass variables (secured and unsecured) to Azure DevOps pipelines. I found the option of using the Library variable group simple to use and sufficiently secure for my needs. I hope this note helped you understand the underlying concept of associating and accessing variables in Library and Azure Pipelines. Please do not hesitate to reach out if you have any questions or suggestions.
