Storing secrets in variable groups

There are more secrets involved in application development than those that are required to connect to other systems. Examples include license keys, which are required during application compilation, or database usernames and passwords, which need to be passed on to the application after deployment or as part of an ARM template deployment.

These secrets can be stored in pipeline variables or variable groups, which we covered in Chapter 3, in the Creating a build definition in Azure DevOps section. Microsoft will store all variables that are marked as secrets securely and make them non-retrievable through the user interface.

However, there might be reasons for not wanting to store secrets in Azure DevOps but in a specialized key store such as Azure Key Vault instead. Doing so will provide the extra guarantees that come with Key Vault and the ability to further control access policies using Azure role-based access control (Azure RBAC) and Key Vault access policies.

Secrets stored in an Azure key vault can still be used as a variable group, by connecting an empty variable group to the key vault through a service connection, as shown in the following screenshot:

To use a key vault as the storage for a variable group, perform the following actions:

  1. Enable the second slider to load the secrets from the key vault.
  2. Select an already existing ARM service connection from the drop-down menu, or create a service connection with a new managed identity for Azure on the fly by selecting an Azure subscription from the list.
  3. Type in the name of the key vault that the secrets should be loaded from. You can also select one from the drop-down menu; in that case, only key vaults that are accessible by the selected service connection are shown.
  4. It is recommended that you disable the slider that allows access to all pipelines. In general, open authorizations are considered a risk, and variable groups that hold secrets in particular should only be available to explicitly authorized users.
  5. Access for specific users can be configured using the Security tab.

The proper authorizations for the service connection to Azure and the key vault can also be automatically created. Please note that both operations will make changes to the Azure security setup, so ensure that these are (still) correct.
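Once the variable group is linked, a YAML pipeline consumes the vault-backed secrets like any other secret variables. The following is an added example, not from the book: it assumes a variable group named app-keyvault-secrets that selects the vault secrets LicenseKey and DbPassword, a service connection named azure-prod, a non-secret pipeline variable SubscriptionId, and an ARM template at infra/app.json.

```yaml
# Added example (not from the book). Assumed names: variable group
# "app-keyvault-secrets", vault secrets "LicenseKey" and "DbPassword",
# service connection "azure-prod", template infra/app.json.
trigger:
- main

variables:
# Each Key Vault secret selected in the linked group is exposed to the
# pipeline as a secret variable named after the secret.
- group: app-keyvault-secrets

pool:
  vmImage: ubuntu-latest

steps:
# Secret variables are not injected into the environment automatically.
# Mapping them explicitly limits exposure to this one step; the agent
# masks the mapped value in the log output.
- script: ./build.sh
  displayName: Compile with license key
  env:
    LICENSE_KEY: $(LicenseKey)

# Hand a secret to an ARM template deployment as a parameter override.
# Declare the matching template parameter as securestring so the value
# is not recorded in the deployment history.
- task: AzureResourceManagerTemplateDeployment@3
  displayName: Deploy application resources
  inputs:
    deploymentScope: Resource Group
    azureResourceManagerConnection: azure-prod
    subscriptionId: $(SubscriptionId)
    action: Create Or Update Resource Group
    resourceGroupName: rg-app-prod
    location: westeurope
    templateLocation: Linked artifact
    csmFile: infra/app.json
    overrideParameters: -dbPassword "$(DbPassword)"
    deploymentMode: Incremental
```

Because the group is not authorized for all pipelines, the first run of this pipeline will prompt for an explicit authorization of the variable group, which is the expected behaviour of the recommended setting.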
