How to Use Variable Groups and Secrets in Azure Pipelines
A variable group in the Library stores reusable values and secrets that many pipelines can link to at once.
Create a variable group in Pipelines > Library, mark sensitive entries as secret, then link it with variables: - group:. Secrets must be mapped into env: to be readable.
Link a group and map a secret
Secret variables are not auto-injected as env vars; map them explicitly under env:.
azure-pipelines.yml
variables:
- group: prod-credentials
steps:
- script: ./deploy.sh
env:
API_TOKEN: $(apiToken) # secret from the linked groupGotchas
- Secret variables are masked in logs and are NOT exposed to scripts automatically - map them into
env:. - Back a variable group with Azure Key Vault to pull secrets at runtime instead of storing them in the group.
- Reference group variables with macro syntax
$(name), not runtime expressions.
Related guides
How to Create and Use Service Connections in Azure PipelinesAuthenticate to Azure, Docker registries, and other services in Azure Pipelines with service connections - cr…
How to Reuse Pipeline Templates in Azure PipelinesAvoid copy-paste in Azure Pipelines with step, job, and stage templates - pass parameters, set defaults, and…