Azure DevOps: Substitute variables with variables

Question

I have Azure key vault, where in I have set of keys written

dev-key
stg-key
prd-key

Now I have downloaded the key dev-key in azure DevOps pipeline. I want to map the downloaded variable to the 'constant' variable called 'key', as this variable is being used in deployment yaml files(I am replacing this variable in token replace step)

Currently I am mapping this variable in pipeline variables like,

tenant: dev
key: $($(tenant)-key)

However the value is set in deployment yaml file to the key is $(dev-key). Can we substitute variables with variables in Azure DevOps ?

Answer 1

I have managed this with assigning the scope to the variables.

variable     value              scope
key         $(dev-key)           dev
key         $(stg-key)           stg
key         $(prd-key)           prd

Answer 2

Resolving of nested variables is currently not supported.

See: https://developercommunity.visualstudio.com/content/problem/479258/nested-release-variables-fail-to-be-recognized.html

An alternate solution is the following setup:

• Have a Key Vaultper environment
• Have a Stage per environment
• Key names are always the same in each Key Vault
• Link each vault into a variable group
• Link each variable group into your pipeline and assign a Scope
• In each task(s) of a Stage access the variable as declared in the Variable group

With this configuration, you can re-use the same secret key in tasks and the actual values are resolved by the scope of the variable group per Stage as you define.