Hiding the secrets

Open-source credentials

Time to hide those secrets from prying eyes! The current version of the Log In keyword in our robot code looks like this:

*** Keywords ***
Log In
    Input Text    id:username    maria
    Input Password    id:password    thoushallnotpass
    Submit Form
    Wait Until Page Contains Element    id:sales-form

The credentials are just written there, available for anyone with access to the source code to see! 😱

We are being a bit too much open-source with those.

How to make them "proprietary"?

You want to replace the actual credentials with references to those credentials. The RPA Framework provides a library for this use case: RPA.Robocloud.Secrets. Add the library in the *** Settings *** section:

Library           RPA.Robocloud.Secrets

Use the Get Secret keyword from the RPA.Robocloud.Secrets library to fetch a secret by name robotsparebin and store the secret to a variable. Replace the concrete credentials with references by accessing the properties of the secret by their name. Let's use username and password to make them obvious:

*** Keywords ***
Log In
    ${secret}=    Get Secret    robotsparebin
    Input Text    id:username    ${secret}[username]
    Input Password    id:password    ${secret}[password]
    Submit Form
    Wait Until Page Contains Element    id:sales-form

Wait. How did you find that library? Or that keyword? Or the argument?!

The Language Server Protocol for Robot Framework is an extension (currently for Visual Studio Code, soon for Robocorp Lab) that provides powerful features for robot development.

You are not sure what the name of the library was? No worries; library auto-completion to the rescue:

LSP: Library auto-completion

What about the keyword? Probably something about "secret"? Well, the keyword auto-completion is pretty intelligent. Take your best guess and let it suggest you some matching keywords:

LSP: Keyword auto-completion

Great! But how do I know if the keyword has arguments? Or the name of those arguments? That is also covered:

LSP: Keyword arguments auto-completion

And that is not all. If you have the Editor: Format On Save enabled in Visual Studio Code, the extension will handle the formatting for you. Four spaces everywhere? Check! If you have more than one developer in your team, your formatting will now stay consistent. Give it a try!

Creating a local vault file to store the secrets

The secret with the credentials does not exist at the moment. Where should we place them? And in what format? The format is just good old JSON. In this case, the robotsparebin is the name of the secret. The username and password are the properties of that secret:

{
  "robotsparebin": {
    "username": "maria",
    "password": "thoushallnotpass"
  }
}

For local robot development, you create a JSON file somewhere outside your repository (so that you don't accidentally commit it!). Create a vault.json file in your home directory (/Users/<your-username> on macOS, /home/<your-username> on Linux, C:\Users\<your-username> on Windows) and paste the above JSON in the file.

macOS / Linux: To find your home directory, run cd in the terminal. Then, run pwd to print the full path to your home directory.

Letting the robot know where to find the vault file

In the root of your robot directory, create a new devdata directory. Inside that directory, create a env.json file. Paste the following JSON in that file (replacing <your-username> with your username):

macOS / Linux:

{
  "RPA_SECRET_MANAGER": "RPA.Robocloud.Secrets.FileSecrets",
  "RPA_SECRET_FILE": "/Users/<your-username>/vault.json"
}

Windows:

{
  "RPA_SECRET_MANAGER": "RPA.Robocloud.Secrets.FileSecrets",
  "RPA_SECRET_FILE": "C:\\Users\\<your-username>\\vault.json"
}

The RPA_SECRET_MANAGER and RPA_SECRET_FILE are environment variables that instruct the RPA.Robocloud.Secrets library to use secrets stored in a file.

These are only used locally. In Robocorp Cloud, you have other mechanisms for storing your secrets. Those secrets can be passed in from the cloud to a self-hosted Robocorp App, too! For local testing, using the file for secrets works nicely.

What have I done?! 😱

That was quite a few changes! Would it be great to see what you have modified, let's say, in the .robot file? As in how did the code look previously compared to now (what was added, modified, or removed)? Here's how Visual Studio Code displays the changes; pretty neat, eh?:

Viewing changes in Visual Studio Code

Higher-level view of what is new and what is modified is also available:

Viewing added and modified files in Visual Studio Code

You can naturally view the changes on the command-line, too! Run git diff. This is how it might look like:

Viewing the changes with the command-line

Running git status displays a higher-level view of the changes:

git status
On branch remove-credentials
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    modified:   tasks.robot

Untracked files:
  (use "git add <file>..." to include in what will be committed)
    devdata/

Note that nothing has been committed yet. The files have been changed, but Git has not stored them in the repository. It only does it when you tell it to. Let's test the changes first before deciding whether to commit or not.

Testing the robot locally

With those changes, your robot should still work, but instead of exposing the credentials for everyone to see, it fetches them from an external file that is not stored in the repository. Run the robot to see if it still works!

Testing the robot in Robocorp Cloud development workspace

Currently, both the production and development workspaces contain the same version of the robot. Now you are going to push this shiny new version of the robot to the development workspace. This way, the production workspace stays untouched and undisturbed.

Push the robot from Robocorp Lab to Robocorp Cloud and run the process. It should fail! From the process output console, we see that the vault is missing: RobocloudVaultError: 404

404 is a HTTP response status code meaning "Not Found".

Creating a secret in the cloud vault

The local robot used the file-based secret for the credentials. The robot in the cloud cannot access that file on your computer. You need to provide the credentials in the cloud.

  • Navigate to Vault and click Add.
  • Enter robotsparebin as the name (the name has to match the secret name in the robot script).
  • Click Add item and enter username as the key and maria as the value.
  • Click Add item and enter password as the key and thoushallnotpass as the value.
  • Click Confirm to create the secret.

You can click on the lock icon to view the values if you want to ensure there are no typos!

Robocorp Cloud vault

Run the process

Rerun the robot. Now that the secret is available in the vault, the run should succeed!

What we learned

  • Secrets should be stored in a vault, not in the code repository.
  • The RPA.Robocloud.Secrets library provides the Get Secret keyword for easy secret retrieval.
  • A secret has a name and one or more key-value pairs.
  • Local robots can use a file-based vault (a JSON file).
  • The user home directory (/Users/<your-username> on macOS, /home/<your-username> on Linux, C:\Users\<your-username> on Windows) is one option for placing the secret file.
  • Robocorp-hosted Runtime Environments use Robocorp Cloud vault.
  • The Self-hosted Robocorp App can also use Robocorp Cloud vault.
  • Code changes are easy to view using either visual or command-line Git clients.