Secret Pipeline Parameter in Azure DevOps

I have a use case where I want to use pipeline parameters in a yaml pipeline with user name and password. For the username it's easy because I simply add the following in my parameters section.

parameters:
- name: Username
  type: string
  displayName: Username(Email)

I also want to use the password as a pipeline parameter, but I haven't found a way to declare it as a secret. Is there a way to use a pipeline parameter as a secret, like a variable? The workaround I have found so far is to declare a variable as a secret and update this variable before each run. But that's not the best experience. Maybe I have missed something in the docs?

It would be awesome if it works as in the following code:

parameters:
- name: Username
  type: string
  displayName: Username(Email)
- name: Password
  type: secret
  displayName: Password


Solution 1:[1]

This is not possible. Some time ago I even created a feature request on Developer Community, "Secret type for runtime paramaters" (feel free to upvote). So if you have a workaround working, you must stick with that for some time, until the Azure DevOps team implements this.

Solution 2:[2]

There is an alternative to this. I would suggest creating a variable group inside Azure DevOps with a secret value (or define the variable as a secret at the individual pipeline if it will always be the same regardless of step/environments). Here's how to do it via a variable group.


Then the variable group would be loaded into the pipeline via a variable template:

  variables:
  - group: 'Secrets_${{ parameters.environmentName}}'

This would then be referenced by the individual task by password: ${{ variables.Secret1}}

The important thing with this code snippet is understanding variable scope. Best practice would be a different group for each environment while using the same variable name. As such the variable groups should be scoped and loaded at the correct level.
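
The following pipeline is an added example, not code from either answer. It combines the question's Username parameter with one variable group per environment, and hands the secret to a script through an explicit `env:` mapping using the runtime macro syntax `$(Secret1)`. The groups `Secrets_dev` and `Secrets_prod` and the environment variable names `APP_USERNAME` and `APP_PASSWORD` are assumptions.

```yaml
# Added example. Assumes variable groups Secrets_dev and Secrets_prod exist
# under Pipelines > Library, each with a secret variable named Secret1.
trigger: none

parameters:
- name: Username
  type: string
  displayName: Username(Email)
- name: environmentName
  type: string
  displayName: Environment
  default: dev
  values:          # restrict input so only known variable groups can be loaded
  - dev
  - prod

variables:
- group: 'Secrets_${{ parameters.environmentName }}'

steps:
- bash: |
    # Secret variables are not exported to scripts automatically; the value
    # is visible here only because of the env mapping on this step.
    # An undefined macro is left as the literal text, so check for that too.
    if [ -z "$APP_PASSWORD" ] || [ "$APP_PASSWORD" = '$(Secret1)' ]; then
      echo "Secret1 is not defined in the selected variable group" >&2
      exit 1
    fi
    echo "Credentials supplied for $APP_USERNAME"
  displayName: Use credentials
  env:
    # Passing the parameter through env keeps user input out of the script text.
    APP_USERNAME: ${{ parameters.Username }}
    # Runtime macro; the secret value is masked in the pipeline logs.
    APP_PASSWORD: $(Secret1)
```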

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Krzysztof Madej
Solution 2