Log in to your Azure DevOps account. To take a look at my public repo, just navigate here, or create your own one. Read my blog Create Azure DevOps account for instructions on how to do it.


Click on Library.


Click on Variable group

Give it a name and description, then activate Link secrets from an Azure key vault as variables.

From the drop-downs, choose the Service Connection and the Key vault name we created previously. If you don't have any Service Connections, read my blog Create new Azure Service Connection.

If you get an error about missing secret management permissions, we have to add some permissions to the service connection.

Add Get and List secret management permissions on the selected key vault

Open the Azure portal and go to the my-super-secrets key vault resource we created previously.

Click on Access policies

Click on Add new

Click on Select principal and choose the principal we created before in this blog Create Service Principle.

Click on Secret permissions and ensure that Get and List are checked (ticked)


Choose OK

Don't forget to click on Save.

Add Get and List secret management permissions on the selected key vault using PowerShell

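# Add an access policy that grants the service principal Get and List on secrets only.
# This uses the AzureRM module; in the newer Az module the cmdlet is Set-AzKeyVaultAccessPolicy with the same parameters.
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ThisIsNameForKeyVault' -ServicePrincipalName '131164c0-9b17-4813-b12c-96b086cc7a1c' -PermissionsToSecrets Get,List

Provide the vault name and the service principal name. Read my blog Create Service Principle to find out how to create a service principal.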

Go back to Azure DevOps -> Pipelines -> Library. Choose your variable group name.

Now we add variables to the library from the connected Key Vault.

Click on Add


Select all. We created these secrets to use in our first Terraform configuration here. Choose the secrets you need to use as variables in your pipelines. Also define an Expiration date if necessary.

Click OK


Click on Save.

Our Library looks like this


To include this variable group in a build pipeline, go to your build


Click on Variables

Then on Variable groups and Link variable group

Choose group and click on Link

Now you can use this syntax in your YAML files to get the value of these secrets

- script: dotnet build --configuration $(buildConfiguration)
  displayName: 'dotnet build with following configuration $(buildConfiguration)'
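The following pipeline is an added example, not part of the original post. It shows how a step consumes Key Vault-backed secrets from the linked variable group. The group name `my-keyvault-secrets` and the secret names `ARM-CLIENT-ID`, `ARM-CLIENT-SECRET`, `ARM-SUBSCRIPTION-ID` and `ARM-TENANT-ID` are hypothetical placeholders; use the names from your own Library and vault.

```yaml
# Added example: names of the group and secrets below are hypothetical.
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

variables:
# Variable group from Library that is linked to the Key Vault.
- group: my-keyvault-secrets
# Ordinary (non-secret) pipeline variable.
- name: buildConfiguration
  value: 'Release'

steps:
# Non-secret variables can be used directly with the $(name) macro syntax.
- script: dotnet build --configuration $(buildConfiguration)
  displayName: 'dotnet build with following configuration $(buildConfiguration)'

# Secret variables are NOT exported to scripts as environment variables
# automatically. Map each one explicitly with env: so only this step sees it.
# Passing them through env keeps the values off the command line.
- script: |
    terraform init
    terraform plan
  displayName: 'terraform plan'
  env:
    ARM_CLIENT_ID: $(ARM-CLIENT-ID)
    ARM_CLIENT_SECRET: $(ARM-CLIENT-SECRET)
    ARM_SUBSCRIPTION_ID: $(ARM-SUBSCRIPTION-ID)
    ARM_TENANT_ID: $(ARM-TENANT-ID)
```

Azure Pipelines masks secret values in the job log, but a script that transforms a secret (for example by encoding it) and prints the result will bypass that masking, so avoid echoing secrets at all.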
