Parameterize azureSubscription from variable group in yaml pipeline

Question

I'm using Yaml for Azure devops pipeline. I am using a hierarchical style for that.

I'm having one top level yaml: feature.yaml which has following structure:

trigger:
...
pool:
  vmImage: ...
  
variables:
  group: ...

stages:
  - template: deploy.yaml
    parameters:
      subName: $(subscription) #This should be taken from Variable group

I have deploy.yaml as:

stages:
    - stage: deploy
      jobs:
        - job: deploy
          steps:
          - task: AzureKeyVault@1
            inputs:
              azureSubscription: $(paramaters.subName) #This should be resolved from parameter passed form feature.yaml
              KeyVaultName: ...
              SecretsFilter: '*'
              RunAsPreJob: true

However, whenever I run this from Azure DevOps, I'm getting this error:

There was a resource authorization issue: "The pipeline is not valid. Job deploy: Step AzureKeyVault input ConnectedServiceName references service connection $(paramaters.subName) which could not be found. The service connection does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

It seems pipeline is not able to resolve value of azureSubscription name from variable group.

Any suggestions?

Answer 1

I discovered that when the YAML is initially parsed it expects the variable group to be in scope. I needed to move my variable group to the top of the YAML file and then it found the azure subscription variable. Not what I was expecting.