Use a vault for secrets

Need to provide secrets such as credentials to your robot? You can use a vault. Both local and Robocorp Cloud vaults are supported.

To better show you how to set up the vault, we have provided an example robot for you to play with.

Run this robot locally in Robocorp Lab

You can run this robot on your local machine using Robocorp Lab:

  1. Set up your development environment.
  2. Download the example robots.
  3. Open the using-vault example.
  4. Complete the setup below.
  5. Open the tasks.robot file and run it.

Setting the robot up to run locally

Local vault

Create a vault.json file. Place it outside your repository, for example, in your home directory (/Users/<your-username>/vault.json). Never commit your vault file.

Provide your vault values in the vault.json file, for example:

{
  "credentials": {
    "username": "some-username",
    "password": "some-password"
  }
}

By doing so, you have created a secret called credentials.

You can use any name for the vault file and the keys in the file.

Configure file vault support

When running in Robocorp Cloud, your robot will automatically use the Robocorp Cloud vault, without the need for any configuration.

When running your robot locally, you will need to override this default configuration to tell the library that it should read the secrets from a local file. You do this by setting the relevant environment variables in the devdata/env.json file, which is included in the example.

Edit the file and set the RPA_SECRET_FILE variable so that it points to the vault.json file you created in the previous step:

{
  "RPA_SECRET_MANAGER": "RPA.Robocloud.Secrets.FileSecrets",
  "RPA_SECRET_FILE": "/Users/<your-username-here>/vault.json"
}

This way, with no additional code changes, your robot will work both locally and in Robocorp Cloud.
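
A preflight check for the local setup above, as an added example that is not part of the Robocorp example robot: it reads devdata/env.json and confirms that RPA_SECRET_FILE points at an existing vault file outside the repository. The owner-only permission check is an added assumption rather than a requirement stated on this page, and the function names and sample files are constructed for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

FILE_SECRETS = "RPA.Robocloud.Secrets.FileSecrets"  # value used on this page


def check_local_vault(env_json: Path, repo_root: Path) -> list:
    """Return a list of problems with the local vault setup (empty means OK)."""
    env = json.loads(env_json.read_text())
    problems = []
    if env.get("RPA_SECRET_MANAGER") != FILE_SECRETS:
        problems.append("RPA_SECRET_MANAGER does not select the file vault")
    if not env.get("RPA_SECRET_FILE"):
        return problems + ["RPA_SECRET_FILE is not set"]
    vault = Path(env["RPA_SECRET_FILE"]).resolve()
    if not vault.is_file():
        return problems + [f"vault file not found: {vault}"]
    # Rule from the page: the vault file lives outside the repository.
    if repo_root.resolve() in vault.parents:
        problems.append("vault file is inside the repository")
    # Added assumption (not from the page): on POSIX, owner-only permissions.
    if os.name == "posix" and vault.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("vault file is accessible to group or others")
    return problems


def demo() -> dict:
    """Run the check on constructed files: one bad layout, one good."""
    sample = {"credentials": {"username": "some-username", "password": "some-password"}}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "using-vault")
        env_json = repo / "devdata" / "env.json"
        env_json.parent.mkdir(parents=True)
        cases = (("bad", repo / "vault.json", 0o644),
                 ("good", Path(tmp, "home", "vault.json"), 0o600))
        for label, vault, mode in cases:
            vault.parent.mkdir(exist_ok=True)
            vault.write_text(json.dumps(sample))
            vault.chmod(mode)
            env_json.write_text(json.dumps(
                {"RPA_SECRET_MANAGER": FILE_SECRETS, "RPA_SECRET_FILE": str(vault)}))
            results[label] = check_local_vault(env_json, repo)
    return results
```

Calling check_local_vault(Path("devdata/env.json"), Path(".")) from the robot's root directory runs the same check against your own setup.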

Read the vault values - Option 1: Robot script

We added the RPA.Robocloud.Secrets library in the *** Settings *** section:

*** Settings ***
Library    RPA.Robocloud.Secrets

We use the Get Secret keyword from the RPA.Robocloud.Secrets library to fetch the secret named credentials and store it in a variable. We can then access the properties of the secret by name:

*** Tasks ***
Get and log the value of the vault secrets using the Get Secret keyword
    ${secret}=    Get Secret    credentials
    # Note: in real robots, you should not print secrets to the log. This is just for demonstration purposes :)
    Log    ${secret}[username]
    Log    ${secret}[password]

Read the vault values - Option 2: Python library

In the file variables/variables.py, we import the RPA Framework secrets library and read the values from the vault:

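from RPA.Robocloud.Secrets import Secrets

# Fetch the "credentials" secret once and expose its values as robot variables.
# The leading underscore keeps the whole secret from becoming a robot variable.
secrets = Secrets()
_credentials = secrets.get_secret("credentials")
USER_NAME = _credentials["username"]
PASSWORD = _credentials["password"]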

After this, ${USER_NAME} and ${PASSWORD} variables can be accessed in the robot script, as we see here:

*** Tasks ***
Get and log the value of the vault secrets using the imported variables file
    # Note: in real robots, you should not print secrets to the log. This is just for demonstration purposes :)
    # This works because we are importing the `variables.py` file:
    Log    ${USER_NAME}
    Log    ${PASSWORD}

The RPA Framework secrets library handles both the local and the Robocorp Cloud vault. It looks for the RPA_SECRET_MANAGER environment variable and defaults to the Robocorp Cloud vault.

Robocorp Cloud vault

Configure your vault in Robocorp Cloud in the relevant workspace using the UI. The name of the secret should match the name used in your code that reads the secret, for example, credentials. Provide the secrets as key-value pairs.