robocorp-vault
Local development
Connecting to Control Room
The usage of Vault relies on environment variables, which are normally set automatically by the Robocorp Agent or Assistant when a run is executed via Control Room.
When developing robots locally in VSCode, you can use the Robocorp Code Extension to set these variables automatically as well.
Alternatively, you may set these environment variables manually using rcc or directly in some other fashion. The specific variables which must exist are:
RC_API_SECRET_HOST
: URL to Robocorp Vault APIRC_API_SECRET_TOKEN
: API Token for Robocorp Vault APIRC_WORKSPACE_ID
: Control Room Workspace ID
Using mock Vault
An alternative to using Vault from Control Room is to use a local file with mock secrets. This enables development of a Robot without any existing Control Room workspace.
Note: Secrets stored in a file are not safe to use with sensitive values, and should only be used during development-time
File-based secrets can be set by defining two environment variables.
RC_VAULT_SECRET_MANAGER
:FileSecrets
RC_VAULT_SECRET_FILE
: Absolute path to the secrets database file
Example content of local secrets file as JSON:
Example as YAML:
Hiding values
Secret values (either received or sent) will be automatically hidden by the
library, if the library robocorp.log
is available in the environment. It is
still imperative that any code that handles secret values does not expose
them by accident before interacting with Vault.
For example, when setting new values hide all variables already in the enclosing scope:
Modifying secrets
Secrets in Vault can be modified during Robot executions, which can be useful for updating ephemeral values such as authentication tokens.
Creating
New secrets be created with the create_secret
function:
Updating
The functions create_secret
and get_secret
return a container of
secret values, which can be modified and updated back to Vault: