| title | Set secret variables |
|---|---|
| description | Learn how to set secret variables. |
| ms.topic | concept-article |
| ms.date | 01/12/2026 |
| monikerRange | <=azure-devops |
[!INCLUDE version-lt-eq-azure-devops]
Secret variables are encrypted variables that you can use in pipelines without exposing their value. Use secret variables for private information like passwords, IDs, and other identifying data that you don't want exposed in a pipeline. Secret variables are encrypted at rest with a 2048-bit RSA key and are available on the agent for tasks and scripts to use.
Why secret variables matter: Protecting sensitive credentials in your CI/CD pipelines is critical. By storing secrets securely, you prevent unauthorized access to sensitive resources, reduce the risk of credential exposure in build logs, and maintain compliance with security best practices. Secret variables ensure that only authorized pipelines and tasks can access sensitive data, protecting your organization's security posture.
The recommended ways to set secret variables are in the UI, in a variable group, and in a variable group from Azure Key Vault. You can also set secret variables in a script with a logging command but this method isn't recommended since anyone who can access your pipeline can also see the secret.
Secret variables that you set in the pipeline settings UI for a pipeline are scoped to the pipeline where you set them. Use variable groups to share secret variables across pipelines.
Set secret variables in the pipeline editor when you edit an individual pipeline. Encrypt and make a pipeline variable secret by selecting the lock icon.
Set secret variables the same way for YAML and Classic.
[!INCLUDE set secret variable in UI]
To reference secret variables in YAML pipelines, map them as environment variables. In this example, the UI defines two secret variables, SecretOne and SecretTwo. The value of SecretOne is foo, and the value of SecretTwo is bar.
steps:
- powershell: |
Write-Host "My first secret variable is $env:FOO_ONE"
$env:FOO_ONE -eq "foo"
env:
FOO_ONE: $(SecretOne)
- bash: |
echo "My second secret variable: $FOO_TWO"
if [ "$FOO_TWO" = "bar" ]; then
echo "Strings are equal."
else
echo "Strings are not equal."
fi
env:
FOO_TWO: $(SecretTwo) The pipeline outputs:
My first secret variable is ***
True
My second secret variable: ***
Strings are equal.
[!INCLUDE secrets masked]
For a more detailed example, see Define variables.
Unlike a normal variable, the system doesn't automatically decrypt secret variables into environment variables for scripts. You need to explicitly map secret variables.
In this example, set the variable mySecret on the Variables tab. The value of mySecret is foo.
:::image type="content" source="media/variables/set-secret-var-classic.png" alt-text="Screenshot of the Variables tab in Classic pipeline editor with a secret variable named mySecret being configured with the lock icon.":::
Each task that uses the secret as an environment variable needs to remap the variable. If you want to use the secret variable mySecret in a script, use the Environment Variables section of the task. Set the environment variable name to FOO_ONE, and set the value to $(mySecret).
:::image type="content" source="media/variables/secret-passed-variable-classic.png" alt-text="Screenshot of the Environment Variables section in a Classic task showing FOO_ONE mapped to the mySecret variable.":::
The script outputs True.
You can add secrets to a variable group or link secrets from an existing Azure Key Vault.
-
Select Pipelines > Library > + Variable group.
:::image type="content" source="../library/media/add-variable-group.png" alt-text="Screenshot of the Library page with the Add Variable Group button highlighted.":::
-
Enter a name and description for the group.
-
Optional: Move the toggle to link secrets from an Azure Key Vault as variables. For more information, see Use Azure Key Vault secrets.
-
Enter the name and value for each variable to include in the group, choosing + Add for each one.
-
To make your variable secure, choose the lock icon at the end of the row.
-
When you're finished adding variables, select Save.
:::image type="content" source="../library/media/save-variable-group.png" alt-text="Screenshot of the Save button on the variable group creation page showing the completed variable group ready to be saved.":::
Variable groups follow the library security model.
You can create variable groups and link them to an existing Key Vault, so you can map to secrets stored in the key vault. Only the secret names are mapped to the variable group, not the secret values. The pipeline runs that link to the variable group and fetches the latest secret values from the vault. For more information, see Link a variable group to secrets in Azure Key Vault.
Use the Azure Key Vault task to include secrets in your pipeline. By using this task, your pipeline can connect to your Key Vault and retrieve secrets to use as pipeline variables.
-
In the pipeline editor, select Show assistant to expand the assistant panel.
-
Search for
vaultand select the Key Vault task.:::image type="content" source="../release/media/azure-key-vault/configure-azure-key-vault-task.png" alt-text="Screenshot of the task assistant panel with vault search results showing the Azure Key Vault task option.":::
For more information about the Key Vault task, see Use Azure Key Vault secrets in Azure Pipelines.
Use the task.setvariable logging command to set variables in PowerShell and Bash scripts. This method is the least secure way to work with secret variables but can be useful for debugging. The recommended ways to set secret variables are in the UI, in a variable group, and in a variable group from Key Vault.
Warning
Security Risk: Setting secret variables in scripts by using logging commands is inherently less secure. Anyone with access to your pipeline definition, build logs, or source code can see the logging command and potentially expose the secret. Use this method only for debugging purposes in secure, trusted environments. Always prefer UI-based configuration, variable groups, or Azure Key Vault integration for production scenarios.
To set a variable as a script by using a logging command, pass the issecret flag.
[!INCLUDE set secret variable in UI]
For more information, see setting and using variables in scripts.