Azure Pipelines can pull secrets from dotEnv Cloud the same way any CI system does: install the CLI, authenticate with an organization API key from a secret variable, and pull the variables your stage needs. This guide shows a YAML pipeline end to end.
Store the API key as a secret variable
In your pipeline or a variable group, add a secret variable named DOTENV_API_KEY. Secret variables are masked in logs and are not passed to scripts automatically. You map them into the step's environment explicitly, which is exactly what we want.
Install the CLI
On a Microsoft-hosted ubuntu-latest agent the install script runs as-is:
Pull secrets
Map the secret variable into the step's environment with the env block, then pull a .env file:
Here is a complete single-stage pipeline:
Export into the step environment instead
If your build reads from the process environment, source shell exports inside the same step so they stay in scope:
Client-managed encryption
For client-managed projects, add a second secret variable for the encryption key and map it in as DOTENV_CLIENT_KEY, or pass --client-key with a path to a file you write earlier in the job. The CLI decrypts on the agent; the key is never uploaded.
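A preflight check for the explicit mapping described under "Store the API key as a secret variable" and "Client-managed encryption", added here as an example and not taken from the dotEnv Cloud documentation or CLI. The function names `secret_state` and `preflight` are hypothetical, and the step is assumed to map each secret as `NAME: $(NAME)` in its env block; errors are reported through the Azure Pipelines `##vso[task.logissue]` logging command.

```shell
#!/bin/sh
# Added example: preflight for an Azure Pipelines script step that is about to
# call the dotEnv Cloud CLI. Function names are hypothetical.
# Assumed step mapping:  env: { DOTENV_API_KEY: $(DOTENV_API_KEY) }

# secret_state NAME
#   0 = variable holds a value
#   1 = unset or empty: the secret was not mapped in the step's env block
#   2 = literal "$(...)": Azure left the macro unexpanded because the variable
#       is not defined (for example, its variable group is not linked)
#   3 = NAME is not a valid shell identifier
secret_state() {
  name=$1
  case $name in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 3 ;;
  esac
  eval "value=\${$name-}"   # safe: name was validated above
  state=0
  case $value in
    '') state=1 ;;
    '$('*')') state=2 ;;
  esac
  unset value               # do not keep a copy of the secret around
  return $state
}

# preflight [client]
#   Checks DOTENV_API_KEY, plus DOTENV_CLIENT_KEY when "client" is passed
#   (client-managed encryption). Reports by variable name only, never by value.
preflight() {
  required=DOTENV_API_KEY
  [ "${1-}" = client ] && required="$required DOTENV_CLIENT_KEY"
  failed=0
  for var in $required; do
    rc=0
    secret_state "$var" || rc=$?
    case $rc in
      1) echo "##vso[task.logissue type=error]$var is empty; map it under env: on this step"
         failed=1 ;;
      2) echo "##vso[task.logissue type=error]$var is an unexpanded macro; define the secret variable or link its variable group"
         failed=1 ;;
    esac
  done
  return $failed
}
```

Call `preflight` (or `preflight client`) at the top of the script step, before the CLI runs, so a missing mapping fails the job with the variable named in the error.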
For the GitLab equivalent, see GitLab CI, and review Securing CI/CD Pipelines for hardening.