How to Use Secrets in Azure Pipelines
Azure Pipelines keeps secrets in secret variables and variable groups (optionally backed by Key Vault), masked in logs.
Define secrets as secret pipeline variables or in a Library variable group (which can sync from Azure Key Vault). Map them into the environment explicitly to use them.
Map a secret into a script
Secret variables are not auto-injected as env vars - map them under env: so the script can read them.
azure-pipelines.yml
variables:
- group: production-secrets # variable group (may be Key Vault backed)
steps:
- script: |
curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/deploy
displayName: Deploy
env:
API_TOKEN: $(API_TOKEN)Gotchas
- Secret variables are deliberately not mapped into the process env automatically - you must pass them via
env:. - Reference a secret only as
$(NAME)inenv:; do not echo it. Azure masks known secret values but cannot mask derived strings. - Use a Key Vault-backed variable group to avoid storing secret values in Azure DevOps at all.
Related guides
How to Use Secrets in GitHub Actions SafelyUse GitHub Actions secrets correctly - repo vs environment vs org secrets, why forks can not read them, and h…
How to Set a Variable in Azure PipelinesSet variables in Azure Pipelines with the variables: block and dynamically at runtime via the logging command…