Secret Pipeline Parameter in Azure Devops
B

3

7

I have a use case where I want to use pipeline parameters in a yaml pipeline with user name and password. For the username it's easy because I simply add the following in my parameters section.

parameters:
- name: Username
  type: string
  displayName: Username(Email)

I also want to use password as a pipeline parameter but I haven't found a way to declare it as a secret. Is there a way to use a pipeline parameter as secret like a variable? I found a workaround so far as I declared a variable as a secret and update this variable before each run. But that's not the best experience. Maybe I have missed something in the docs?

It would be awesome if it works as in the following code:

parameters:
- name: Username
  type: string
  displayName: Username(Email)
- name: Password
  type: secret
  displayName: Password
Benefactress answered 12/1, 2021 at 14:48 Comment(1)
I wish this feature was available (I was looking for it too), however, the most secure approach would be having your password stored in Azure Key Vault, and then it should be consumed by your pipeline. - Minim
C
11

This is not possible. Some time ago I even created a feature request on the Developer Community, "Secret type for runtime parameters" (feel free to upvote). So if you have a workaround working, you must stick with that for some time, until the Azure DevOps team implements this.

Cyprinodont answered 12/1, 2021 at 14:51 Comment(0)
F
7

There is an alternative to this. I would suggest creating a variable group inside Azure DevOps with a secret value, or defining the variable as a secret at the individual pipeline (if it will always be the same regardless of step/environments). Here's how to do it via a Variable Group:


Then the variable group would be loaded into the pipeline via a variable template:

  variables:
  - group: 'Secrets_${{ parameters.environmentName}}'

This would then be referenced by the individual task by password: ${{ variables.Secret1}}

The important thing with this code snippet is understanding variable scope. Best practice would be a different group for each environment while using the same variable name. As such the variable groups should be scoped and loaded at the correct level.

Fanatical answered 12/1, 2021 at 16:47 Comment(1)
This is different from a secret parameter -- the value is stored in DevOps and may be used by others. A parameter would need to be entered separately for each run. When this is not an issue, it works well. - Ignoble
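
The variable-group approach from the answer above, written out as one complete pipeline. This is an added example, not code from any of the posters. The group names `Secrets_dev` and `Secrets_prod`, the allowed `environmentName` values, the `DEPLOY_USER` variable and the `deploy.ps1` script are assumptions; `Username` and `Secret1` are taken from the posts.

```yaml
# Added example. Names marked "assumed" do not come from the original posts.
trigger: none

parameters:
- name: Username                 # from the question; entered per run, not secret
  type: string
  displayName: Username(Email)
- name: environmentName          # selects the variable group, as in the answer
  type: string
  default: dev                   # assumed value
  values:                        # assumed allow-list: limits which group a run can load
  - dev
  - prod

variables:
# One group per environment (Secrets_dev, Secrets_prod; assumed names), each
# holding a variable called Secret1 that is marked secret in the Library.
- group: 'Secrets_${{ parameters.environmentName }}'

stages:
- stage: Deploy
  jobs:
  - job: RunDeploy
    steps:
    - task: PowerShell@2
      displayName: "Deploy script"
      inputs:
        targetType: "inline"
        script: |
          # Fail early if the secret was not mapped; never echo the value.
          if ([string]::IsNullOrEmpty($env:PASSWORD)) { throw "PASSWORD is empty" }
          Write-Host "Deploying as $env:DEPLOY_USER"
          # deploy.ps1 is a hypothetical script that reads $env:PASSWORD itself.
          ./deploy.ps1
      env:
        DEPLOY_USER: ${{ parameters.Username }}
        # Secret variables are not exposed to scripts automatically, so the
        # mapping is explicit. $(Secret1) is resolved at run time from the group.
        PASSWORD: $(Secret1)
```

The secret is referenced with the runtime macro syntax `$(Secret1)` and mapped only into the step that needs it, so it is not available to other steps in the job.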
R
0

I have used a secret variable in my yaml template in Azure DevOps:

# Pipeline 

trigger: none

stages:
  - template: deploy.yml
    parameters:
      passwordVariable: $(secret_password_variable)

# Template deploy.yml

parameters:
  - name: passwordVariable

stages:
  - stage: Deploy
    jobs:
      - job:
        steps:
          - task: PowerShell@2
            displayName: "Deploy script"
            inputs:
              targetType: "inline"
              script: |
                echo $env:PASSWORD
            env:
              PASSWORD: ${{ parameters.passwordVariable }}

Rational answered 8/8 at 11:36 Comment(0)
