EricFr@nkenberger.com


[02-27-2025] | Secret Metadata? In this economy?


Azure DevOps allows linking an Azure Key Vault to a library (known to the API as a variable group). This in turn effectively allows an AKV to be brought into a pipeline as a variable group in YAML.

It's also frustratingly confusing.

The documentation states "By linking the variable group to the key vault, you can ensure that your secrets are stored securely and your pipelines always have access to the latest secret values at runtime."

This is true. Maybe? Partially?

The library UI lists most of the AKV secret metadata (expiration date, activation date, content type, and so on), none of which is ever updated, refreshed, or accessible from a pipeline. It can be retrieved via the _apis/distributedtask/variablegroups/$groupNumber endpoint, but that never updates either. So what if I want to get the expiration date of a secret in a pipeline?

WELL. There are 2 refresh buttons in the library UI, one for the Azure subscription, one for the Key vault. Neither of them updates the "Last refreshed" time. Neither of them appears to even do anything. Neither of them even makes a network call when inspecting the webpage?

why are they here why are they here why are they here why is the metadata even shown in the ui if it never updates

Whatever. Maybe the docs are right in the most strict and specific sense possible, because it does get the right vars at runtime. Maybe it's totally fine that the only way to get the updated information out of the UI or API endpoint is to remove and re-add the variable.

Well how the HECK am I supposed to get metadata of variables

The workaround I came up with is to add an `AzureCLI@2` task in pipeline YAML to obtain the expiration date (or other metadata) directly from the AKV. Note the `$(name)` macro syntax: Azure Pipelines substitutes these before the YAML or the inline script is evaluated, whereas a bare `$name` would be passed through as a literal string in the `azureSubscription` input and as an (empty) bash variable in the script:

        - task: AzureCLI@2
          displayName: 'az keyvault secret show EXPIRATION'
          inputs:
            # the same service connection the variable group uses for its AKV link
            azureSubscription: $(subscription)
            scriptType: bash
            scriptLocation: inlineScript
            inlineScript: |
              # pipeline variables substituted by macro syntax before the script runs
              KEYVAULT_NAME="$(keyvault)"
              SECRET_NAME="$(secret)"

              # --query keeps only the expiry, so the secret value never reaches the log
              az keyvault secret show \
                --vault-name "$KEYVAULT_NAME" \
                --name "$SECRET_NAME" \
                --query "attributes.expires" \
                --output tsv


This operation piggybacks off of the same service connection used by the AKV link, so the service principal behind it already has the Get and List secret permissions that linking a Key Vault requires, and the pipeline should have access to it (depending on how the service connection is scoped). Two caveats: `az keyvault secret show` fetches the secret value along with its attributes, and the `--query` only filters it out of the output, so don't drop the query or print the full JSON in a pipeline log. If all you need is metadata, `az keyvault secret list --vault-name $KEYVAULT_NAME --query "[?name=='$SECRET_NAME'].attributes.expires"` returns the attributes without any values and needs only the List permission. Also, `attributes.expires` is null for a secret that was never given an expiration, in which case the tsv output is empty.
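Getting the timestamp out is only half the job; the step still has to decide what to do with it. The script below is an added example, not code from the original post, showing how the inline script of the `AzureCLI@2` task could turn the expiry into a pass/warn/fail decision and surface it with Azure Pipelines logging commands (`##vso[...]`). It parses the ISO 8601 timestamp with shell arithmetic rather than GNU `date -d`, so the pure functions run on any agent; it assumes the `+00:00`/`Z` offset that az returns, and the vault and secret names, the 30-day warning window and the `secretExpires` output variable are assumptions for illustration. Only `check_kv_secret_expiry` needs a real vault and the az CLI.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): decide what to do with the expiry
# that `az keyvault secret show/list` prints for attributes.expires.
set -eu

# Seconds since the Unix epoch for a UTC ISO 8601 timestamp such as
# "2025-12-31T00:00:00+00:00" (days-from-civil algorithm, no GNU date needed).
# Assumes the offset is +00:00 or Z, which is what az returns.
iso_to_epoch() {
    local t="${1%%+*}"; t="${t%Z}"; t="${t%%.*}"
    local ymd="${t%%T*}" hms="${t#*T}"
    local y="${ymd%%-*}" md="${ymd#*-}"
    local m="${md%%-*}" d="${md#*-}"
    local H="${hms%%:*}" MS="${hms#*:}"
    local M="${MS%%:*}" S="${MS#*:}"
    # strip one leading zero so "08"/"09" are not read as octal
    m="${m#0}"; d="${d#0}"; H="${H#0}"; M="${M#0}"; S="${S#0}"
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    local era=$((y / 400)) yoe mp doy doe days
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + H * 3600 + M * 60 + S ))
}

# Whole days from now (or a supplied epoch, for testing) until expiry.
days_until_expiry() {
    local now="${2:-$(date -u +%s)}"
    echo $(( ($(iso_to_epoch "$1") - now) / 86400 ))
}

# Exit status: 0 ok, 1 expiring within $2 days, 2 already expired, 3 no expiry set.
expiry_status() {
    local expires="$1" warn_days="$2" now="${3:-$(date -u +%s)}"
    # tsv output for a missing attribute is empty (or "null"/"None" in json-ish output)
    [ -n "$expires" ] && [ "$expires" != "null" ] && [ "$expires" != "None" ] || return 3
    local exp_epoch
    exp_epoch=$(iso_to_epoch "$expires")
    [ "$exp_epoch" -gt "$now" ] || return 2
    [ $(( exp_epoch - now )) -ge $(( warn_days * 86400 )) ] || return 1
    return 0
}

# Body of the AzureCLI@2 inlineScript. Uses `az keyvault secret list`, which
# returns metadata only (no secret values, List permission only), then reports
# through pipeline logging commands. Needs a real vault; not exercised offline.
check_kv_secret_expiry() {
    local vault="$1" secret="$2" warn_days="${3:-30}" expires rc=0
    expires=$(az keyvault secret list --vault-name "$vault" \
        --query "[?name=='$secret'].attributes.expires | [0]" --output tsv)
    expiry_status "$expires" "$warn_days" || rc=$?
    case "$rc" in
        0) echo "##vso[task.setvariable variable=secretExpires]$expires" ;;
        1) echo "##vso[task.logissue type=warning]$secret expires in $(days_until_expiry "$expires") days" ;;
        2) echo "##vso[task.logissue type=error]$secret expired at $expires"; return 1 ;;
        3) echo "##vso[task.logissue type=warning]$secret has no expiry set" ;;
    esac
}

# Usage inside the task: check_kv_secret_expiry "$(keyvault)" "$(secret)" 30
```

Only the expired case fails the step; an approaching expiry is logged as a warning so a rotation that is merely overdue to be scheduled does not block every build, which is a policy choice the pipeline owner should make deliberately.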

And there you have it, access to variable metadata within a pipeline, the long way.
