Manage variable groups

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

This article explains how to create and use variable groups in Azure Pipelines. Variable groups store values and secrets that you can pass into a YAML pipeline or make available across multiple pipelines in a project.

Secret variables in variable groups are protected resources. You can add combinations of approvals, checks, and pipeline permissions to limit access to secret variables in a variable group. Access to nonsecret variables isn't limited by approvals, checks, or pipeline permissions.

Variable groups follow the library security model for roles and permissions.

Create a variable group

You can create variable groups for the pipeline runs in your project.

Note

To create a secret variable group to link secrets from an Azure key vault as variables, follow the instructions at Link secrets from an Azure key vault.

You can create a variable group in the Azure Pipelines user interface.

Prerequisites

An Azure DevOps organization and project where you have permissions to create pipelines and variables.

Create the variable group

  1. In your Azure DevOps project, select Pipelines > Library from the left menu.

  2. On the Library page, select + Variable group.

    Screenshot of the Library screen and Add variable group button.

  3. On the new variable group page, under Properties, enter a name and optional description for the variable group.

  4. Under Variables, select + Add, and then enter a variable name and value to include in the group. If you want to encrypt and securely store the value, select the lock icon next to the variable.

  5. Select + Add to add each new variable. When you finish adding variables, select Save.

    Screenshot of configuring and saving a variable group.

You can now use this variable group in project pipelines.

You can create a variable group that links to an existing Azure key vault and map selected Key Vault secrets to the variable group. Only the secret names are mapped to the variable group, not the secret values. Pipeline runs that link to the variable group fetch the latest secret values from the vault.

Any changes made to existing secrets in the key vault are automatically available to all the pipelines that use the variable group. However, if secrets are added to or deleted from the vault, the associated variable groups don't automatically update. You must explicitly edit the variable group to add or remove the secrets it includes.

Although Key Vault supports storing and managing cryptographic keys and certificates in Azure, Azure Pipelines variable group integration only supports mapping key vault secrets. Cryptographic keys and certificates aren't supported.

Note

Key vaults that use Azure role-based access control (Azure RBAC) aren't supported.

Prerequisites

Create the variable group

  1. In your Azure DevOps project, select Pipelines > Library > + Variable group.
  2. On the Variable groups page, enter a name and optional description for the variable group.
  3. Enable the Link secrets from an Azure key vault as variables toggle.
  4. Select your Azure subscription endpoint and key vault name.
  5. Enable Azure DevOps to access the key vault by selecting Authorize next to the vault name.
  6. On the Choose secrets screen, select specific secrets from your vault for mapping to this variable group, and then select OK.
  7. Select Save to save the secret variable group.

Screenshot of variable group with Azure key vault integration.

Note

Your Azure service connection must have at least Get and List permissions on the key vault, which you can authorize in the preceding steps. You can also provide these permissions from the Azure portal by following these steps:

  1. Open Settings for the key vault, and then choose Access configuration > Go to access policies.
  2. On the Access policies page, if your Azure Pipelines project isn't listed under Applications with at least Get and List permissions, select Create.
  3. Under Secret permissions, select Get and List, and then select Next.
  4. Select your service principal, and then select Next.
  5. Select Next again, review the settings, and then select Create.

For more information, see Use Azure Key Vault secrets.

Update variable groups

You can update variable groups by using the Azure Pipelines user interface.

  1. In your Azure DevOps project, select Pipelines > Library from the left menu.
  2. On the Library page, select the variable group you want to update. You can also hover over the variable group listing, select the More options icon, and select Edit from the menu.
  3. On the variable group page, change any of the properties, and then select Save.

Delete a variable group

You can delete variable groups in the Azure Pipelines user interface.

  1. In your Azure DevOps project, select Pipelines > Library from the left menu.
  2. On the Library page, hover over the variable group you want to delete and select the More options icon.
  3. Select Delete from the menu, and then select Delete on the confirmation screen.

Manage variables in variable groups

You can change, add, or delete variables in variable groups by using the Azure Pipelines user interface.

  1. In your Azure DevOps project, select Pipelines > Library from the left menu.
  2. On the Library page, select the variable group you want to update. You can also hover over the variable group listing, select the More options icon, and select Edit from the menu.
  3. On the variable group page, you can:
    • Change any of the variable names or values.
    • Delete any of the variables by selecting the garbage can icon next to the variable name.
    • Change variables to secret or nonsecret by selecting the lock icon next to the variable value.
    • Add new variables by selecting + Add.
  4. After making changes, select Save.

Use variable groups in pipelines

You can use variable groups in YAML or Classic pipelines. Changes that you make to a variable group are automatically available to all the definitions or stages the variable group is linked to.

Use variable groups in YAML pipelines

Once you authorize a YAML pipeline to use a variable group, you can use the variable group or variables within it in the pipeline.

Authorize the YAML pipeline to use the variable group

If you only name the variable group in YAML pipelines, anyone who can push code to your repository could extract the contents of secrets in the variable group. Therefore, to use a variable group with YAML pipelines, you must authorize the pipeline to use the group. Classic pipelines can use variable groups without separate authorization.

You can authorize pipelines to use your variable groups by using the Azure Pipelines user interface.

  1. In your Azure DevOps project, select Pipelines > Library from the left menu.
  2. On the Library page, select the variable group you want to authorize.
  3. On the variable group page, select the Pipeline permissions tab.
  4. On the Pipeline permissions screen, select + and then select a pipeline to authorize. Or, select the More actions icon, select Open access, and select Open access again to confirm.

Selecting a pipeline authorizes that pipeline to use the variable group. To authorize another pipeline, select the + icon again. Selecting Open access authorizes all project pipelines to use the variable group. Open access might be a good option if you don't have any secrets in the group.

Another way to authorize a variable group is to select the pipeline, select Edit, and then queue a build manually. You see a resource authorization error and can then explicitly add the pipeline as an authorized user of the variable group.

Use the variable group in the YAML pipeline

To use a variable from a variable group, add a reference to the group name in your YAML pipeline file. You can then use variables from the variable group in your file.

variables:
- group: my-variable-group

You can reference multiple variable groups in the same pipeline. If multiple variable groups include the same variable, the last variable group that uses the variable in the file sets the variable's value. For more information about precedence of variables, see Expansion of variables.
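The following pipeline, an added example rather than one from the original article, shows the precedence rule above with two groups that both define a variable named region; the group names and values are assumptions for illustration.

```yaml
# Added example (not from the original article). Assumes two variable groups
# exist in the project's Library and both define a variable named 'region':
#   shared-settings  -> region = westeurope   (assumed value)
#   team-overrides   -> region = northeurope  (assumed value)
variables:
- group: shared-settings
- group: team-overrides      # listed last, so its 'region' value wins

steps:
- script: |
    # Expands to northeurope: the last group in the file that defines
    # 'region' sets the value seen by the pipeline.
    echo "region=$(region)"
  displayName: Show effective value of region
```

Reversing the order of the two group entries makes the value from shared-settings win instead.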

You can also reference a variable group in a template. The following variables.yml template file references the variable group my-variable-group. The variable group includes a variable named myhello.

variables:
- group: my-variable-group

The YAML pipeline references the variables.yml template, and uses the variable $(myhello) from the variable group my-variable-group.

stages:
- stage: MyStage
  variables:
  - template: variables.yml
  jobs:
  - job: Test
    steps:
    - script: echo $(myhello)

Use variable group variables in YAML pipelines

You access the variable values in a linked variable group the same way as you access variables you define within the pipeline. For example, to access the value of a variable named customer in a variable group linked to the pipeline, you can use $(customer) in a task parameter or a script.

If you use both standalone variables and variable groups in your pipeline file, use the name-value syntax for the standalone variables.

variables:
- group: my-variable-group
- name: my-standalone-variable
  value: 'my-standalone-variable-value'

To reference a variable in a variable group, you can use macro syntax or a runtime expression. In the following examples, the group my-variable-group has a variable named myhello.

To use a runtime expression:

variables:
- group: my-variable-group
- name: my-passed-variable
  value: $[variables.myhello]

steps:
- script: echo $(my-passed-variable)

To use macro syntax:

variables:
- group: my-variable-group

steps:
- script: echo $(myhello)

You can't access secret variables, including encrypted variables and key vault variables, directly in scripts. You must pass these variables as arguments to a task. For more information, see Secret variables.
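The pipeline below, an added example and not code from the original article, contrasts a script that reads a secret from the environment without any mapping with one that receives it through the task's env input; the secret variable name dbPassword is a constructed name assumed to exist in my-variable-group.

```yaml
# Added example (not from the original article). Assumes the variable group
# 'my-variable-group' contains a secret variable named 'dbPassword'
# (a constructed name used only for illustration).
variables:
- group: my-variable-group

steps:
# Secret values are not exported to scripts as environment variables by
# default, so this step finds DBPASSWORD empty.
- script: |
    if [ -z "$DBPASSWORD" ]; then
      echo "DBPASSWORD is not set: secrets are not mapped automatically"
    fi
  displayName: Secret without explicit mapping

# Passing the secret through the task's env input makes it available to the
# script for this step only. The script checks that the value arrived but
# never prints it, so the secret does not land in the pipeline log.
- script: |
    if [ -n "$DBPASSWORD" ]; then
      echo "DBPASSWORD received"
    else
      echo "DBPASSWORD missing"
      exit 1
    fi
  env:
    DBPASSWORD: $(dbPassword)
  displayName: Secret passed to the task via env
```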

Use variable groups in Classic pipelines

Classic pipelines can use variable groups without separate authorization. To use a variable group:

  1. Open your Classic pipeline.

  2. Select Variables > Variable groups, and then select Link variable group.

  3. In a build pipeline, you see a list of available groups. Link a variable group to the pipeline. All the variables in the group are available for use within the pipeline.

    In a release pipeline, you also see a dropdown list of stages in the pipeline. Link the variable group to the pipeline itself, or to one or more specific stages of the release pipeline. If you link to one or more stages, the variables from the variable group are scoped to these stages and aren't accessible in the other stages of the release.

    Screenshot that shows linking a variable group.

When you set a variable with the same name in multiple scopes, the following precedence is used, highest first:

  1. Variable set at queue time
  2. Variable set in the pipeline
  3. Variable set in the variable group

For more information about precedence of variables, see Expansion of variables.

Note

Variables in different groups that are linked to a pipeline in the same scope (for example, job or stage) will collide and the result may be unpredictable. Ensure that you use different names for variables across all your variable groups.