
Using Azure Key Vault to Secure Secrets in TFS/VSTS Build and Release Pipelines

This guide explains how to store sensitive information such as passwords, tokens, and connection strings in Azure Key Vault and integrate it with TFS/VSTS build and release pipelines to improve security, simplify management, and avoid secret leakage across multiple projects.


Background: When building and deploying applications with TFS/VSTS, sensitive data (passwords, tokens, connection strings) is often stored in encrypted pipeline variables. This causes several problems: key owners are reluctant to hand their secrets over to be stored in build/release definitions, the same secret has to be configured again in every project that needs it, each copy is a potential point of leakage, and every copy breaks when the secret is changed.

What are TFS/VSTS encrypted variables? Encrypted variables hide the plaintext value behind a lock icon in the build/release definition, preventing users from seeing the secret.

What is Azure Key Vault? Azure Key Vault is a cloud service for securely storing and managing keys, secrets, and certificates. It enables centralized secret storage, controlled distribution, and reduces the risk of leakage. TFS/VSTS integrates with Key Vault to retrieve secrets during builds and releases.

Example scenario: A Docker-based CI/CD workflow pulls images from and pushes images to an Azure Container Registry, which requires the registry access keys. These keys are stored in Azure Key Vault and consumed by multiple release definitions.

Configuration steps:

1. Create an Azure Key Vault: In the Azure portal, create a new Key Vault resource, provide a name, and add a secret (e.g., the container registry password).

2. Link the Azure subscription: Create a Service Principal in Azure and grant TFS/VSTS access to the subscription (refer to Microsoft documentation).

3. Configure a variable group: In Azure DevOps, create a variable group, enable Azure Key Vault integration, select the subscription and the newly created vault, and import the desired secrets.

4. Associate the variable group with a release definition: Edit the release pipeline, link the variable group, and specify its scope (release-wide or environment-specific).

5. Use the secret in the release: Reference the imported secret like any other variable, e.g., $(ACR-PASSWORD), and the pipeline will retrieve the value from Key Vault automatically at runtime.
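The steps above describe the classic release-definition UI. The same wiring expressed as an Azure Pipelines YAML definition is shown below as an added example; it is not part of the original article. The variable group name (acr-secrets), registry host, service connection and image name are assumptions chosen for illustration, and the secret name ACR-PASSWORD (plus a companion ACR-USERNAME) follows the article's own example. The example also shows the two details that matter most for not undoing the benefit of Key Vault: Key Vault-backed secrets are not mapped into the environment automatically, so they have to be mapped explicitly, and the password is fed to docker login on stdin so it never appears on a command line.

```yaml
# Added example (not the article's own code): a YAML pipeline that consumes
# a Key Vault-backed variable group. Names marked "assumed" are placeholders.
trigger:
  - main

variables:
  # Variable group created in Pipelines > Library with "Link secrets from an
  # Azure key vault as variables" enabled and ACR-PASSWORD / ACR-USERNAME
  # imported from the vault (group name is assumed).
  - group: acr-secrets
  - name: registryHost
    value: myregistry.azurecr.io      # assumed registry host
  - name: imageName
    value: myapp                      # assumed image name

pool:
  vmImage: ubuntu-latest

steps:
  # Secret variables are deliberately NOT exposed as environment variables to
  # scripts; map only the ones this step needs via `env:`. Passing the value
  # on stdin keeps it out of `ps` output and shell history on the agent, and
  # Azure DevOps masks the value if it ever shows up in the log.
  - bash: |
      set -euo pipefail
      echo "$ACR_PASSWORD" | docker login "$(registryHost)" \
        --username "$ACR_USERNAME" --password-stdin
    displayName: Log in to ACR using the Key Vault secret
    env:
      ACR_USERNAME: $(ACR-USERNAME)
      ACR_PASSWORD: $(ACR-PASSWORD)

  # Subsequent steps reuse the docker credential store written by the login
  # above; the secret itself is never written to a file or a variable.
  - bash: |
      set -euo pipefail
      docker pull "$(registryHost)/$(imageName):latest"
      docker tag  "$(registryHost)/$(imageName):latest" \
                  "$(registryHost)/$(imageName):$(Build.BuildId)"
      docker push "$(registryHost)/$(imageName):$(Build.BuildId)"
    displayName: Pull, retag and push the image

  # Remove the stored credential at the end of the job so it does not linger
  # on a reusable agent.
  - bash: docker logout "$(registryHost)"
    displayName: Clear registry credentials
    condition: always()
```

If the secret is needed only in one job rather than across the whole pipeline, the AzureKeyVault@2 task (inputs azureSubscription, KeyVaultName and SecretsFilter) fetches named secrets at runtime and exposes them as the same $(SECRET-NAME) variables, which avoids creating a variable group at all. Either way the Service Principal behind the service connection needs only the Get and List secret permissions on the vault; granting it more is unnecessary for this scenario.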

Summary: By centralizing secret management in Azure Key Vault, key owners no longer need to place secrets in build/release definitions, which reduces the risk of leakage and removes the failures caused by outdated passwords, since every pipeline reads the current value at runtime. Combined with variable groups, the same secret can be reused across multiple pipelines, simplifying maintenance.

Tags: CI/CD, Azure, Secret Management, TFS, Key Vault, VSTS

Written by DevOps

Share premium content and events on trends, applications, and practices in development efficiency, AI and related technologies. The IDCF International DevOps Coach Federation trains end‑to‑end development‑efficiency talent, linking high‑performance organizations and individuals to achieve excellence.
