diff --git a/app/models/ci/variable.rb b/app/models/ci/variable.rb
index f235260208f..67444118ec5 100644
--- a/app/models/ci/variable.rb
+++ b/app/models/ci/variable.rb
@@ -6,7 +6,7 @@ module Ci
 
     validates :key,
       presence: true,
-      uniqueness: { scope: :project_id },
+      uniqueness: { scope: [:project_id, :environment_scope] },
       length: { maximum: 255 },
       format: { with: /\A[a-zA-Z0-9_]+\z/,
                 message: "can contain only letters, digits and '_'." }
diff --git a/db/migrate/20170612150426_add_environment_scope_to_ci_variables.rb b/db/migrate/20170612150426_add_environment_scope_to_ci_variables.rb
new file mode 100644
index 00000000000..17fe062d8d5
--- /dev/null
+++ b/db/migrate/20170612150426_add_environment_scope_to_ci_variables.rb
@@ -0,0 +1,15 @@
+class AddEnvironmentScopeToCiVariables < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:ci_variables, :environment_scope, :string, default: '*')
+  end
+
+  def down
+    remove_column(:ci_variables, :environment_scope)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 028556bdccf..006122bc7c7 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -374,6 +374,7 @@ ActiveRecord::Schema.define(version: 20170621102400) do
     t.string "encrypted_value_iv"
     t.integer "project_id", null: false
     t.boolean "protected", default: false, null: false
+    t.string "environment_scope", default: "*", null: false
   end
 
   add_index "ci_variables", ["project_id"], name: "index_ci_variables_on_project_id", using: :btree
diff --git a/spec/models/ci/variable_spec.rb b/spec/models/ci/variable_spec.rb
index 83494af24ba..ad3aa660b96 100644
--- a/spec/models/ci/variable_spec.rb
+++ b/spec/models/ci/variable_spec.rb
@@ -5,12 +5,14 @@ describe Ci::Variable, models: true do
 
   let(:secret_value) { 'secret' }
 
-  it { is_expected.to validate_presence_of(:key) }
-  it { is_expected.to validate_uniqueness_of(:key).scoped_to(:project_id) }
-  it { is_expected.to validate_length_of(:key).is_at_most(255) }
-  it { is_expected.to allow_value('foo').for(:key) }
-  it { is_expected.not_to allow_value('foo bar').for(:key) }
-  it { is_expected.not_to allow_value('foo/bar').for(:key) }
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:key) }
+    it { is_expected.to validate_uniqueness_of(:key).scoped_to(:project_id, :environment_scope) }
+    it { is_expected.to validate_length_of(:key).is_at_most(255) }
+    it { is_expected.to allow_value('foo').for(:key) }
+    it { is_expected.not_to allow_value('foo bar').for(:key) }
+    it { is_expected.not_to allow_value('foo/bar').for(:key) }
+  end
 
   describe '.unprotected' do
     subject { described_class.unprotected }