Programmatically Setting Secrets with the Vault API


We just shipped an API endpoint to set vault secrets.
Programmatically setting secrets is especially useful for automating secret rotation.
Authenticating with OpenID Connect (OIDC)
When possible, it's best to authenticate to services using OpenID Connect from RWX. Using OIDC ensures that the connection is coming from an RWX run. It also generates short-lived credentials rather than permanent credentials that could be lost or stolen.
However, not all services support OIDC, so it's very common to need to store credentials in vault secrets instead.
Ways to Set Secrets on RWX
You can set secrets:
- Using the UI
- Using the CLI
- Using the API
The UI or CLI is the best approach for manually setting secrets.
If you want to programmatically set secrets, you can either use the CLI or the API.
Use the CLI if you're writing a shell script or invoking other command line utilities in your automation.
Use the API if you prefer setting secrets from code without invoking a command line utility.
Setting Secrets with the CLI
    rwx vaults set-secrets \
      --vault the-vault-name \
      the-secret-name="sensitive value"
Setting Secrets with the API
See the full vault secrets API documentation
Although you'll likely be integrating with the API from code, here is an example of calling the API from the command line.
This example uses jq to avoid issues with character escaping in any of the values when building the JSON payload.
It also assumes the access token is set in an environment variable named $RWX_ACCESS_TOKEN.

    jq -n \
      --arg vault_name "your-vault" \
      --arg name "the-secret-name" \
      --arg secret "sensitive value" \
      --arg description "Helpful context" \
      '{
        vault_name: $vault_name,
        secrets: [{ name: $name, secret: $secret, description: $description }]
      }' | \
    curl -X POST https://cloud.rwx.com/mint/api/vaults/secrets \
      --header "Authorization: Bearer $RWX_ACCESS_TOKEN" \
      --header "Content-Type: application/json" \
      --data @-
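The same request made from Python instead of the command line, as an added example that is not RWX's own code. The endpoint, headers and payload fields come from the command above; the function names, the rotation flow, and treating any response that does not raise an HTTP error as success are assumptions.

```python
import json
import os
import secrets
import urllib.error
import urllib.request

# Endpoint and payload shape are taken from the curl example on this page.
API_URL = "https://cloud.rwx.com/mint/api/vaults/secrets"


def build_request(token, vault_name, name, value, description=""):
    """Build the POST request without sending it, so it can be inspected."""
    if not token:
        raise ValueError("access token is empty; set RWX_ACCESS_TOKEN")
    payload = {
        "vault_name": vault_name,
        "secrets": [{"name": name, "secret": value, "description": description}],
    }
    # json.dumps escapes quotes, backslashes and newlines in the secret,
    # which is the job jq does in the shell version.
    return urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def rotate_secret(vault_name, name, new_value, description=""):
    """Send the new value; report failures without echoing secret or token."""
    req = build_request(os.environ.get("RWX_ACCESS_TOKEN", ""),
                        vault_name, name, new_value, description)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Surface only the status code, never the request body or headers.
        raise RuntimeError(f"setting {name!r} failed: HTTP {err.code}") from None


if __name__ == "__main__":
    # Constructed sample: a freshly generated value for a hypothetical secret.
    status = rotate_secret("your-vault", "the-secret-name",
                           secrets.token_urlsafe(32), "Rotated by automation")
    print("HTTP", status)
```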
Accessing Secrets in Runs
You can then access secrets in your run using an expression. As a best practice, reference them in environment variables to minimize issues with escaping characters.
    tasks:
      - key: use-secret
        run: echo "the secret is $SECRET_VALUE"
        env:
          SECRET_VALUE: ${{ vaults.your-vault.secrets.your-secret }}
Demo
Secrets are automatically filtered from logs; the value shows up as ******** in the log output.