Skip to content
Latchkey

How to Use Secrets in Azure Pipelines

Azure Pipelines keeps secrets in secret variables and variable groups (optionally backed by Key Vault), masked in logs.

Define secrets as secret pipeline variables or in a Library variable group (which can sync from Azure Key Vault). Map them into the environment explicitly to use them.

Map a secret into a script

Secret variables are not auto-injected as env vars - map them under env: so the script can read them.

azure-pipelines.yml
variables:
  - group: production-secrets   # variable group (may be Key Vault backed)

steps:
  - script: |
      curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/deploy
    displayName: Deploy
    env:
      API_TOKEN: $(API_TOKEN)

Gotchas

  • Secret variables are deliberately not mapped into the process env automatically - you must pass them via env:.
  • Reference a secret only as $(NAME) in env:; do not echo it. Azure masks known secret values but cannot mask derived strings.
  • Use a Key Vault-backed variable group to avoid storing secret values in Azure DevOps at all.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →