Programmatically Setting Secrets with the Vault API

Jul 18, 2025

We just shipped an API endpoint to set vault secrets.

Programmatically setting secrets is especially useful for automating secret rotation.

#Authenticating with OpenID Connect (OIDC)

When possible, it's best to authenticate to services using OpenID Connect from RWX. Using OIDC ensures that the connection is coming from an RWX run. It also generates short-lived credentials rather than permanent credentials that could be lost or stolen.

However, not all services support OIDC, so it's very common to need to store credentials in vault secrets instead.

#Ways to Set Secrets on RWX

You can set secrets:

The UI or CLI is the best approach for manually setting secrets.

If you want to programmatically set secrets, you can either use the CLI or the API.

Use the CLI if you're writing a shell script or invoking other command line utilities in your automation.

Use the API if you prefer setting secrets from code without invoking a command line utility.

#Setting Secrets with the CLI

/bin/bash
rwx vaults set-secrets \
  --vault the-vault-name \
  the-secret-name="sensitive value"

#Setting Secrets with the API

See the full vault secrets API documentation

Although you'll likely be integrating with the API from code, here is an example of calling the API from the command line. This example uses jq to avoid issues with character escaping in any of the values when building the JSON payload. It also assumes the access token is set in an environment variable named $RWX_ACCESS_TOKEN.

/bin/bash
jq -n \
  --arg vault_name "your-vault" \
  --arg name "the-secret-name" \
  --arg secret "sensitive value" \
  --arg description "Helpful context" \
  '{
    vault_name: $vault_name,
    secrets: [
      { name: $name, secret: $secret, description: $description }
    ]
  }' | \
  curl -X POST https://cloud.rwx.com/mint/api/vaults/secrets \
    --header "Authorization: Bearer $RWX_ACCESS_TOKEN" \
    --header "Content-Type: application/json" \
    --data @-
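
For callers integrating from code, the same request can be built in Python with only the standard library. This is an added example, not RWX's own code: the endpoint, headers and payload fields are taken from the curl example above, while the function names, the timeout and the error handling are assumptions, and the response body is not interpreted because the page does not describe it.

```python
import json
import os
import urllib.error
import urllib.request

# Endpoint and payload shape are the ones used in the curl example on this page.
API_URL = "https://cloud.rwx.com/mint/api/vaults/secrets"


def build_request(token, vault_name, items):
    """Build the POST request. `items` maps secret name -> (value, description)."""
    if not token:
        raise ValueError("access token is empty")
    entries = []
    for name, (value, description) in items.items():
        if not name or not isinstance(value, str) or value == "":
            # Report the name only; the value must never reach an error message.
            raise ValueError(f"invalid secret entry: {name!r}")
        entries.append({"name": name, "secret": value, "description": description})
    # json.dumps does the escaping that the shell example delegates to jq.
    body = json.dumps({"vault_name": vault_name, "secrets": entries}).encode("utf-8")
    return urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def set_secrets(vault_name, items, timeout=10):
    """Send the request and return the HTTP status code (hypothetical helper)."""
    # Read the token from the environment, as the curl example does.
    req = build_request(os.environ["RWX_ACCESS_TOKEN"], vault_name, items)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Surface the status only: echoing the request would leak secret and token.
        raise RuntimeError(f"vault API returned HTTP {err.code}") from None


if __name__ == "__main__":
    # Constructed sample values; replace with the vault and secret being rotated.
    print(set_secrets("your-vault", {"the-secret-name": ("sensitive value", "Helpful context")}))
```

Unlike the jq invocation, this keeps the secret value out of the process argument list, where other local users could otherwise read it.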

#Accessing Secrets in Runs

You can then access secrets in your run using an expression. As a best practice, reference them in environment variables to minimize issues with escaping characters.

.rwx/example.yml
tasks:
  - key: use-secret
    run: echo "the secret is $SECRET_VALUE"
    env:
      SECRET_VALUE: ${{ vaults.your-vault.secrets.your-secret }}

#Demo

Secrets are automatically filtered from logs; the value shows up as ******** in the log output.
