Vault is a library for interacting with secrets stored in the Robocorp Control Room Vault (by default) or file-based secrets, which can be taken into use by setting some environment variables.

Robocorp Vault relies on environment variables, which are normally set automatically by the Robocorp Work Agent or Assistant when a run is initialized by the Robocorp Control Room. When developing robots locally in VSCode, you can use the Robocorp Code Extension to set these variables automatically as well.

Alternatively, you may set these environment variable manually using rcc or directly in some other fashion. The specific variables which must exist are:

  • RC_API_SECRET_HOST: URL to Robocorp Vault API
  • RC_API_SECRET_TOKEN: API Token for Robocorp Vault API
  • RC_WORKSPACE_ID: Control Room Workspace ID

File-based secrets can be set by defining two environment variables.

  • RPA_SECRET_MANAGER: RPA.Robocorp.Vault.FileSecrets
  • RPA_SECRET_FILE: Absolute path to the secrets database file

Example content of local secrets file:

{ "swaglabs": { "username": "standard_user", "password": "secret_sauce" } }


swaglabs: username: standard_user password: secret_sauce

Examples of Using Secrets in a Robot

Robot Framework

*** Settings *** Library Collections Library RPA.Robocorp.Vault *** Tasks *** Reading secrets ${secret}= Get Secret swaglabs Log Many ${secret} Modifying secrets ${secret}= Get Secret swaglabs ${level}= Set Log Level NONE Set To Dictionary ${secret} username nobody Set Log Level ${level} Set Secret ${secret}


from RPA.Robocorp.Vault import Vault VAULT = Vault() def reading_secrets(): print(f"My secrets: {VAULT.get_secret('swaglabs')}") def modifying_secrets(): secret = VAULT.get_secret("swaglabs") secret["username"] = "nobody" VAULT.set_secret(secret)


The selected adapter can be set with the environment variable RPA_SECRET_MANAGER, or the keyword argument default_adapter. Defaults to Robocorp Vault if not defined.

All other library arguments are passed to the adapter.

param default_adapter:
 Override default secret adapter