The usage of Vault relies on environment variables, which are normally set automatically by the Robocorp Agent or Assistant when a run is executed via Control Room.
When developing robots locally in VSCode, you can use the Robocorp Code Extension to set these variables automatically as well.
Alternatively, you may set these environment variables manually using rcc or directly in some other fashion. The specific variables which must exist are:
RC_API_SECRET_HOST: URL to Robocorp Vault API
RC_API_SECRET_TOKEN: API Token for Robocorp Vault API
RC_WORKSPACE_ID: Control Room Workspace ID
An alternative to using Vault from Control Room is to use a local file with mock secrets. This enables development of a Robot without any existing Control Room workspace.
Note: Secrets stored in a file are not safe to use with sensitive values, and should only be used during development-time
File-based secrets can be set by defining two environment variables.
RC_VAULT_SECRET_FILE: Absolute path to the secrets database file
Example content of local secrets file as JSON:
Example as YAML:
Secret values (either received or sent) will be automatically hidden by the
library, if the library
robocorp.log is available in the environment. It is
still imperative that any code that handles secret values does not expose
them by accident before interacting with Vault.
For example, when setting new values hide all variables already in the enclosing scope:
Secrets in Vault can be modified during Robot executions, which can be useful for updating ephemeral values such as authentication tokens.
New secrets be created with the
get_secret return a container of
secret values, which can be modified and updated back to Vault: