ADO variable groups

Registry of all Azure DevOps Variable Groups across all HCS ADO projects. Variable Groups are linked to kv-hcs-vault-01 — ADO never stores secret values directly.


The model

Variable Groups in ADO serve as the bridge between Key Vault and pipelines:

kv-hcs-vault-01  →  ADO Variable Group (KV-linked)  →  Pipeline task
(source of truth)     (maps KV secret names              (reads the value
                       to pipeline variable names)         at runtime)

When a pipeline needs a secret:

  1. The pipeline references a Variable Group
  2. ADO fetches the current secret value from Key Vault at pipeline runtime
  3. The value is injected as an environment variable or pipeline variable
  4. The value is never logged, never stored, never visible in pipeline output


How to create a new KV-linked variable group

  1. In ADO, go to Pipelines → Library → + Variable group
  2. Enable Link secrets from an Azure key vault as variables
  3. Select:
     - Subscription: be069ae1-fc96-4a07-9f8e-5994d83a817d
     - Key vault name: kv-hcs-vault-01
  4. Add the specific secrets the pipeline needs (authorize access when prompted)
  5. Name the group following the convention: <project>-<env>-secrets — e.g., platform-prd-secrets
  6. Save, then add it to the registry table below
  7. In the pipeline YAML, reference it:

     variables:
       - group: platform-prd-secrets

  8. Commit the registry update: docs(identity): register variable group <group-name>
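A fuller pipeline that consumes the group created by the steps above, added here as an illustration rather than taken from any HCS repository. It assumes an ubuntu-latest hosted agent and a step that needs the GitHub org PAT; the point it shows is that KV-linked secrets are not exposed to script steps as environment variables unless mapped explicitly under env:.

```yaml
# Added example, not an HCS pipeline. Agent pool, trigger and step names
# are assumptions; the group and secret names come from the registry.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # KV-linked group: ADO resolves each secret from kv-hcs-vault-01 at run
  # time. The pipeline must be granted access to the group first (see
  # "Variable group access").
  - group: platform-prd-secrets

steps:
  - script: |
      # Secret variables are masked in logs, but only in their original
      # form; never echo, encode or write them to files that get published.
      if [ -z "$GH_TOKEN" ]; then
        echo "hcs-github-org-pat was not injected; check group permissions"
        exit 1
      fi
      gh auth login --with-token <<< "$GH_TOKEN"
      gh auth status
    displayName: Authenticate gh with the HCS org PAT
    env:
      # Explicit mapping is required: $(secret) is not available to the
      # shell otherwise. The variable name matches the Key Vault secret name.
      GH_TOKEN: $(hcs-github-org-pat)
```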

Registry

| Group name | ADO project | Linked vault | Secrets included | Used by pipelines | Notes |
|---|---|---|---|---|---|
| platform-prd-secrets | Platform Engineering | kv-hcs-vault-01 | hcs-github-org-pat, anthropic-api-key | (none yet — group exists for future pipeline use) | Primary variable group for the Platform Engineering ADO project |

Variable group access

Before a pipeline can use a Variable Group, it must be authorized:

  1. In ADO, go to Pipelines → Library → <group name>
  2. Click Pipeline permissions
  3. Add the specific pipeline(s) that need access
  4. Or use the open access toggle for trusted internal projects (use with care)

Adding a secret to an existing variable group

  1. Add the secret to kv-hcs-vault-01 first (see secret-inventory.md)
  2. In ADO: Pipelines → Library → <group name> → + Add
  3. Select the secret from the KV dropdown
  4. Update the Secrets included column in the registry table above
  5. Commit: docs(identity): add <secret-name> to variable group <group-name>

Naming convention

Variable Groups follow the pattern: <project>-<env>-secrets

| Component | Values |
|---|---|
| project | Short identifier for the ADO project or workload (e.g., platform, ranger, scout) |
| env | dev, stg, prd |
| suffix | Always -secrets |

Examples: platform-prd-secrets, ranger-dev-secrets, scout-prd-secrets