Azure DevOps Library Manager

A powerful Azure DevOps extension for managing variable groups and library variables in your Azure DevOps projects.

Build Service Permissions

Ensure the Build Service has the required permissions to update or use variable groups.

Identify the correct Build Service identity

Each project in Azure DevOps has its own Build Service identity, usually in the format:

<Project Name> Build Service (<Organisation Name>)

Example:

MyApp Build Service (Contoso)

Grant permissions on the variable group

Navigate to your project in Azure DevOps.
Go to Pipelines → Library → Variable groups.
Select the variable group you want to grant access to.
Click Security (top-right corner).
Click Add.
In User or group, search for your Build Service identity
(e.g. MyApp Build Service (Contoso)).
Assign the Administrator role (or at minimum, enable View and Use permissions).
Click Save.

💡 Tip: Avoid using Project Collection Build Service unless you intentionally want all projects in the organisation to have access to the variable group.

Introduction

This Azure DevOps extension provides a streamlined way to manage variable groups and their variables directly from your Azure DevOps pipelines. It allows you to create, update, and manage library variables programmatically, making it perfect for automated deployments, configuration management, and environment-specific variable management.

Features

Variable Group Management: Create, read, and update variable groups
Update Library Variables: Modify existing variables in variable groups
Secret Management: Support for both regular and secret variables
Flexible Identification: Find variable groups by name or ID
Azure DevOps Integration: Native support for Azure DevOps authentication
Comprehensive Logging: Detailed execution logs for troubleshooting
Error Handling: Robust error handling with meaningful error messages

Installation

Install the extension from the Azure DevOps Marketplace.

Quick Start

Basic Usage

- task: AdoLibraryManager@1
  displayName: "Update Library Variable"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "MyVariableGroup"
    key: "DatabaseConnectionString"
    value: "$(DatabaseConnectionString)"
    isSecret: true

Update Multiple Variables

- task: AdoLibraryManager@1
  displayName: "Update API Configuration"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "API-Config"
    key: "ApiUrl"
    value: "https://api.example.com"
    isSecret: false

- task: AdoLibraryManager@1
  displayName: "Update API Key"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "API-Config"
    key: "ApiKey"
    value: "$(ApiKey)"
    isSecret: true

Using Variable Group ID

- task: AdoLibraryManager@1
  displayName: "Update by ID"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "123"  # Variable group ID
    key: "Environment"
    value: "Production"
    isSecret: false

Task Inputs

Input	Type	Required	Description
`projectId`	string	Yes	The Azure DevOps project ID (use `$(System.TeamProjectId)`)
`libraryGroup`	string	Yes	Variable group name or ID to update
`key`	string	Yes	Variable key/name to set
`value`	string	Yes	Variable value to set
`isSecret`	boolean	No	Whether the variable should be marked as secret (default: false)

Task Outputs

Output	Description
`updatedVariableValue`	The value that was set for the variable

Authentication

The task uses Azure DevOps built-in authentication. Ensure your pipeline has the necessary permissions:

Variable Groups: Read and manage variable groups

Required Permissions

Your service account or the pipeline service connection needs:

Variable Groups: Read and manage permissions
Library: Read and manage permissions
Project: Read permissions

Common Use Cases

Environment-Specific Configuration

# Update environment-specific variables
- task: AdoLibraryManager@1
  displayName: "Update Environment Variables"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "Environment-$(Environment)"
    key: "DatabaseConnectionString"
    value: "$(DatabaseConnectionString)"
    isSecret: true

- task: AdoLibraryManager@1
  displayName: "Update API Endpoint"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "Environment-$(Environment)"
    key: "ApiEndpoint"
    value: "$(ApiEndpoint)"
    isSecret: false

Feature Flag Management

# Update feature flags
- task: AdoLibraryManager@1
  displayName: "Enable New Feature"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "FeatureFlags"
    key: "NewFeatureEnabled"
    value: "true"
    isSecret: false

Secret Rotation

# Rotate secrets
- task: AdoLibraryManager@1
  displayName: "Rotate API Key"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "Secrets"
    key: "ApiKey"
    value: "$(NewApiKey)"
    isSecret: true

Multi-Environment Deployment

# Deploy to multiple environments
- stage: DeployToStaging
  displayName: "Deploy to Staging"
  jobs:
  - job: UpdateConfig
    steps:
    - task: AdoLibraryManager@1
      displayName: "Update Staging Config"
      inputs:
        projectId: "$(System.TeamProjectId)"
        libraryGroup: "Staging-Config"
        key: "Environment"
        value: "Staging"
        isSecret: false

- stage: DeployToProduction
  displayName: "Deploy to Production"
  jobs:
  - job: UpdateConfig
    steps:
    - task: AdoLibraryManager@1
      displayName: "Update Production Config"
      inputs:
        projectId: "$(System.TeamProjectId)"
        libraryGroup: "Production-Config"
        key: "Environment"
        value: "Production"
        isSecret: false

Advanced Usage

Conditional Variable Updates

- task: AdoLibraryManager@1
  displayName: "Update Feature Flag"
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "FeatureFlags"
    key: "NewFeatureEnabled"
    value: "true"
    isSecret: false

Using Pipeline Variables

variables:
  - name: VariableGroupName
    value: "MyApp-Config"
  - name: DatabaseUrl
    value: "https://database.example.com"

- task: AdoLibraryManager@1
  displayName: "Update Database URL"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "$(VariableGroupName)"
    key: "DatabaseUrl"
    value: "$(DatabaseUrl)"
    isSecret: false

Troubleshooting

Common Issues

Authentication Errors
- Check that the service account has proper permissions
- Verify the project ID is correct
Variable Group Not Found
- Check that the variable group name is correct
- Ensure the variable group exists in the specified project
- Verify you have access to the variable group
Permission Denied
- Ensure your service account has "Variable Groups" permissions
- Check that the service account has "Library" access
- Verify the project permissions

Debugging

Enable debug logging by setting the System.Debug variable:

variables:
  System.Debug: true

- task: AdoLibraryManager@1
  displayName: "Update Variable with Debug"
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "MyGroup"
    key: "MyKey"
    value: "MyValue"
    isSecret: false

Security Best Practices

⚠️ IMPORTANT: Always use secret variables for sensitive data!

For Secret Variables

# ✅ CORRECT - Mark sensitive data as secret
- task: AdoLibraryManager@1
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "Secrets"
    key: "DatabasePassword"
    value: "$(DatabasePassword)"
    isSecret: true

For Non-Secret Variables

# ✅ CORRECT - Regular variables for non-sensitive data
- task: AdoLibraryManager@1
  inputs:
    projectId: "$(System.TeamProjectId)"
    libraryGroup: "Config"
    key: "Environment"
    value: "Production"
    isSecret: false

ADO Library Manager

AzureDotnet.Dev