ADO variable groups
Registry of all Azure DevOps Variable Groups across all HCS ADO projects. Every group is linked to kv-hcs-vault-01: ADO holds only the mapping from Key Vault secret names to pipeline variable names and never stores the secret values themselves.
The model
Variable Groups in ADO serve as the bridge between Key Vault and pipelines:

```
kv-hcs-vault-01      →   ADO Variable Group (KV-linked)      →   Pipeline task
(source of truth)        (maps KV secret names to                (reads the value
                          pipeline variable names)                at runtime)
```

When a pipeline needs a secret:
1. The pipeline references a Variable Group.
2. ADO fetches the current secret value from Key Vault at pipeline runtime, using the identity of the service connection the group was linked with.
3. The value is exposed to tasks as a secret pipeline variable, `$(<secret-name>)`. It is not exported into the environment of script steps automatically; a step that needs it must map it explicitly under `env:`.
4. The value is never stored by ADO and is masked in pipeline logs. Masking matches the exact value only and is best-effort, so tasks must not echo, encode, split or otherwise write the secret into their output.
How to create a new KV-linked variable group
- In ADO, go to Pipelines → Library → + Variable group
- Enable Link secrets from an Azure key vault as variables
- Select:
  - Subscription: be069ae1-fc96-4a07-9f8e-5994d83a817d
  - Key vault name: kv-hcs-vault-01
- Add the specific secrets the pipeline needs (authorize access when prompted). Authorizing grants the service connection's identity Get and List permissions on the vault's secrets; without both, the group cannot enumerate or read secrets and the pipeline run fails at variable resolution.
- Name the group following the convention: `<project>-<env>-secrets`, e.g. `platform-prd-secrets`
- Save, then add it to the registry table below
- In the pipeline YAML, reference the group by name
- Commit the registry update:
  docs(identity): register variable group <group-name>
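The pipeline definition below is an added example; it is not from the original page or from any HCS pipeline. It references the registry's platform-prd-secrets group and maps one of its secrets, hcs-github-org-pat, into a script step. The trigger, the pool image, the GITHUB_TOKEN environment variable name and the curl call are assumptions for illustration. It also assumes the pipeline has already been granted access to the group under Pipeline permissions (see Variable group access).

```yaml
# Added example (not from the original page or any HCS pipeline).
# Assumed for illustration: trigger branch, pool image, the GITHUB_TOKEN
# env var name and the curl call against the GitHub API.
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

variables:
  # Pull in the KV-linked group from the registry. Every secret added to the
  # group becomes a secret pipeline variable with the same name as the Key
  # Vault secret, e.g. $(hcs-github-org-pat).
  - group: platform-prd-secrets

steps:
  - script: |
      # Secret variables are NOT exported to the environment automatically;
      # only the explicit env: mapping below makes the value reachable here.
      if [ -z "$GITHUB_TOKEN" ]; then
        echo "##vso[task.logissue type=error]GITHUB_TOKEN was not mapped from the variable group"
        exit 1
      fi
      # Use the token without writing it to output. ADO masks exact matches of
      # the secret value in logs, but masking is best-effort: an encoded,
      # split or transformed copy is not masked, so never echo or base64 it.
      curl -sSf \
        -H "Authorization: Bearer $GITHUB_TOKEN" \
        -o /dev/null \
        https://api.github.com/user
    displayName: Call GitHub with the org PAT
    env:
      # Maps the Key Vault secret hcs-github-org-pat (via the group) into the
      # script's environment. Without this line $GITHUB_TOKEN is empty.
      GITHUB_TOKEN: $(hcs-github-org-pat)
```

The `env:` mapping is deliberate rather than a convenience: keeping secrets out of the process environment by default means a step that shells out to third-party tooling cannot pick up every secret in the group, only the ones the author chose to hand it. The empty-variable check at the top turns a silently missing mapping (or an unauthorized group) into a failed step instead of an unauthenticated request that is harder to diagnose.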
Registry
| Group name | ADO project | Linked vault | Secrets included | Used by pipelines | Notes |
|---|---|---|---|---|---|
| platform-prd-secrets | Platform Engineering | kv-hcs-vault-01 | hcs-github-org-pat, anthropic-api-key | (none yet — group exists for future pipeline use) | Primary variable group for the Platform Engineering ADO project |
Variable group access
Before a pipeline can use a Variable Group, it must be authorized:
- In ADO, go to Pipelines → Library → `<group name>`
- Click Pipeline permissions
- Add the specific pipeline(s) that need access
- Or use the open access toggle for trusted internal projects (use with care: open access lets every pipeline in the project read the group's secrets, including YAML pushed on any branch of any repository in that project, so anyone who can push pipeline YAML there can exfiltrate them)
Adding a secret to an existing variable group
- Add the secret to kv-hcs-vault-01 first (see secret-inventory.md)
- In ADO: Pipelines → Library → `<group name>` → + Add
- Select the secret from the KV dropdown
- Update the Secrets included column in the registry table above
- Commit:
  docs(identity): add <secret-name> to variable group <group-name>
Naming convention
Variable Groups follow the pattern: <project>-<env>-secrets
| Component | Values |
|---|---|
| project | Short identifier for the ADO project or workload (e.g., platform, ranger, scout) |
| env | dev, stg, prd |
| suffix | Always -secrets |
Examples: platform-prd-secrets, ranger-dev-secrets, scout-prd-secrets