Programmatically Setting Secrets with the Vault API

CI/CD
Jul 18, 2025
Dan Manges
We just shipped an API endpoint to set vault secrets.

Programmatically setting secrets is especially useful for automating secret rotation.

Authenticating with OpenID Connect (OIDC)

When possible, it's best to authenticate into services using OpenID Connect from RWX. Using OIDC ensures that the connection is coming from an RWX run. It also generates short-lived credentials rather than permanent credentials that could be lost or stolen.

However, not all services support OIDC, so it's very common to need to store credentials in vault secrets instead.

Ways to Set Secrets on RWX

You can set secrets in the UI, with the CLI, or with the API.

The UI or CLI is the best approach for manually setting secrets.

If you want to programmatically set secrets, you can either use the CLI or the API.

Use the CLI if you're writing a shell script or invoking other command line utilities in your automation.

Use the API if you prefer setting secrets from code without invoking a command line utility.

Setting Secrets with the CLI

/bin/bash
rwx vaults set-secrets \
  --vault the-vault-name \
  the-secret-name="sensitive value"

Setting Secrets with the API

See the full vault secrets API documentation

Although you'll likely be integrating with the API from code, here is an example of calling the API from the command line. This example uses jq to build the JSON payload, which avoids character-escaping issues in any of the values. It also assumes the access token is set in an environment variable named $RWX_ACCESS_TOKEN.

/bin/bash
jq -n \
  --arg vault_name "your-vault" \
  --arg name "the-secret-name" \
  --arg secret "sensitive value" \
  --arg description "Helpful context" \
  '{
    vault_name: $vault_name,
    secrets: [
      { name: $name, secret: $secret, description: $description }
    ]
  }' | \
curl -X POST https://cloud.rwx.com/mint/api/vaults/secrets \
  --header "Authorization: Bearer $RWX_ACCESS_TOKEN" \
  --header "Content-Type: application/json" \
  --data @-
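
The same call made from Python for a rotation job, as an added example that is not part of the original post and is not RWX's own code. It uses only the endpoint, payload fields and RWX_ACCESS_TOKEN variable shown in the curl example; the function names and the randomly generated value are assumptions for illustration, and the response body is not parsed because the page does not describe it.

```python
import json
import os
import secrets
import urllib.request

# Endpoint and payload fields are taken from the curl example on this page.
API_URL = "https://cloud.rwx.com/mint/api/vaults/secrets"


def build_request(token, vault_name, name, value, description):
    """Build the POST request (hypothetical helper, not an RWX API).

    json.dumps escapes quotes, backslashes and newlines in the values,
    which is the job jq does in the shell version.
    """
    payload = {
        "vault_name": vault_name,
        "secrets": [{"name": name, "secret": value, "description": description}],
    }
    return urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def rotate_secret(vault_name, name, description, send=urllib.request.urlopen):
    """Generate a new value, store it in the vault and return it.
    `send` is injectable so the function can be exercised offline."""
    token = os.environ["RWX_ACCESS_TOKEN"]  # same variable the curl example uses
    # Assumption: a random token stands in for the new credential; a real job
    # would obtain it from the service whose credential is being rotated.
    new_value = secrets.token_urlsafe(32)
    request = build_request(token, vault_name, name, new_value, description)
    # urlopen raises urllib.error.HTTPError on 4xx/5xx, so a rejected update
    # stops the job instead of passing silently.
    with send(request, timeout=30) as response:
        response.read()
    return new_value


if __name__ == "__main__":
    rotate_secret("your-vault", "the-secret-name", "Rotated by automation")
    print("secret updated")  # report success only, never the value
```

Because the value is built and sent inside the process, it does not appear in shell history or in the process list the way a command-line argument does.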

Accessing Secrets in Runs

You can then access secrets in your run using an expression. As a best practice, reference them in environment variables to minimize issues with escaping characters.

.rwx/example.yml
tasks:
  - key: use-secret
    run: echo "the secret is $SECRET_VALUE"
    env:
      SECRET_VALUE: ${{ vaults.your-vault.secrets.your-secret }}

Demo

Secrets are automatically filtered from logs; the value shows up as ******** in the log output.
