Skip to content
Latchkey

How to Use Variable Groups and Secrets in Azure Pipelines

A variable group in the Library stores reusable values and secrets that many pipelines can link to at once.

Create a variable group in Pipelines > Library, mark sensitive entries as secret, then link it with variables: - group:. Secrets must be mapped into env: to be readable.

Link a group and map a secret

Secret variables are not auto-injected as env vars; map them explicitly under env:.

azure-pipelines.yml
variables:
  - group: prod-credentials
steps:
  - script: ./deploy.sh
    env:
      API_TOKEN: $(apiToken)   # secret from the linked group

Gotchas

  • Secret variables are masked in logs and are NOT exposed to scripts automatically - map them into env:.
  • Back a variable group with Azure Key Vault to pull secrets at runtime instead of storing them in the group.
  • Reference group variables with macro syntax $(name), not runtime expressions.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →