Tags: azure, azure-pipelines, release, azure-keyvault, azure-secrets

Azure Release pipeline - Azure key vault task VS variable groups


I see that in Azure release pipelines, we can read secrets either by creating a Key Vault based variable group in the Library or by using the "Azure Key Vault" task in the pipeline. Both of them do the same thing, i.e. read the secret value from the key vault, with the difference that a variable group can be linked to multiple pipelines, whereas the "Azure Key Vault" task remains confined to one pipeline.

I want to understand what the best practice is for reading secrets from Azure Key Vault in release pipelines. Which of the two approaches is recommended here, and why?


Solution

  • Which of the two approaches is recommended here and why?

    Reusability is the biggest difference between them, and it is also the basis for deciding which one to choose.

    If you confirm that your job is a one-time job, then you can choose the Azure Key Vault task. In this case you do not need to configure a variable group in the Library and link it to the release pipeline.

    But if you need to reuse it, or plan to reuse it in the future, then choose a variable group in the Library, so that you do not need to add the Azure Key Vault task to each pipeline.

  • But would you recommend going with pipeline variables when we already have these secrets in Azure Key Vault? Would that not duplicate these secrets in Azure Key Vault and in pipeline variables in that case?

    I do not recommend that you use variables that have already been set in Azure Key Vault as pipeline variables, because the variable in the pipeline will overwrite the value of the variable you set in Azure Key Vault.
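The two approaches discussed in the answer, side by side in a YAML pipeline. This is an added example, not code from the original question or answer; the answer talks about classic release pipelines, but the same two mechanisms exist in YAML pipelines and are easier to show there. The service connection name (my-kv-connection), the vault name (my-keyvault), the Library variable group name (my-kv-group) and the secret name (DbPassword) are all assumptions.

```yaml
# Added example (not from the original post): the same secret fetched
# two ways. Assumed names: 'my-kv-connection' is an Azure Resource Manager
# service connection, 'my-keyvault' is the vault, 'my-kv-group' is a
# Library variable group linked to that vault, and 'DbPassword' is a secret
# stored in the vault.
trigger: none

stages:
- stage: Release
  jobs:

  # Approach 1: the Azure Key Vault task. Confined to the job it runs in.
  # For every secret matched by SecretsFilter the task creates a pipeline
  # variable of the same name, marked secret, for the remaining steps.
  - job: WithKeyVaultTask
    pool:
      vmImage: ubuntu-latest
    steps:
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'my-kv-connection'
        KeyVaultName: 'my-keyvault'
        SecretsFilter: 'DbPassword'   # comma-separated names, or '*' for all
        RunAsPreJob: false            # true would fetch before every other step
    - script: |
        # Secret variables are not exported to the environment automatically;
        # map the one you need explicitly and fail fast if it is missing.
        [ -n "$DB_PASSWORD" ] || { echo "DbPassword was not fetched"; exit 1; }
        echo "DbPassword fetched (length ${#DB_PASSWORD})"
      env:
        DB_PASSWORD: $(DbPassword)

  # Approach 2: a Library variable group linked to the vault. The same group
  # can be referenced from any pipeline in the project; no task is needed,
  # the secrets are resolved when the job starts.
  - job: WithVariableGroup
    pool:
      vmImage: ubuntu-latest
    variables:
    - group: my-kv-group
    steps:
    - script: |
        [ -n "$DB_PASSWORD" ] || { echo "DbPassword was not fetched"; exit 1; }
        echo "DbPassword fetched (length ${#DB_PASSWORD})"
      env:
        DB_PASSWORD: $(DbPassword)
```

In both jobs the identity behind the service connection needs permission to read secrets from the vault (Get and List under an access policy, or the Key Vault Secrets User role under RBAC), and the variable group must be created in the Library with "Link secrets from an Azure key vault as variables" pointing at the same service connection and vault. Consistent with the answer above, do not also declare a plain pipeline variable named DbPassword: the value would then be duplicated outside the vault and the vault-backed value is no longer the one the job sees.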