Programmatically Setting Secrets with the Vault API

CI/CD
Jul 18, 2025
Dan Manges
We just shipped an API endpoint to set vault secrets.

Programmatically setting secrets is especially useful for automating secret rotation.

Authenticating with OpenID Connect (OIDC)

When possible, it's best to authenticate into services using OpenID Connect from RWX. Using OIDC ensures that the connection is coming from an RWX run. It also generates short-lived credentials rather than permanent credentials that could be lost or stolen.

However, not all services support OIDC, so it's very common to need to store credentials in vault secrets instead.

Ways to Set Secrets on RWX

You can set secrets using the UI, the CLI, or the API.

The UI or CLI is the best approach for manually setting secrets.

If you want to programmatically set secrets, you can either use the CLI or the API.

Use the CLI if you're writing a shell script or invoking other command line utilities in your automation.

Use the API if you prefer setting secrets from code without invoking a command line utility.

Setting Secrets with the CLI

/bin/bash
rwx vaults set-secrets \
  --vault the-vault-name \
  the-secret-name="sensitive value"

Setting Secrets with the API

See the full vault secrets API documentation

Although you'll likely be integrating with the API from code, here is an example of calling the API from the command line. This example uses jq to build the JSON payload, which avoids character-escaping issues in any of the values. It also assumes the access token is set in an environment variable named $RWX_ACCESS_TOKEN.

/bin/bash
# Build the JSON payload with jq, then pipe it to curl on stdin (--data @-).
jq -n \
  --arg vault_name "your-vault" \
  --arg name "the-secret-name" \
  --arg secret "sensitive value" \
  --arg description "Helpful context" \
  '{
    vault_name: $vault_name,
    secrets: [
      { name: $name, secret: $secret, description: $description }
    ]
  }' | \
  curl -X POST https://cloud.rwx.com/mint/api/vaults/secrets \
    --header "Authorization: Bearer $RWX_ACCESS_TOKEN" \
    --header "Content-Type: application/json" \
    --data @-
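For the rotation use case mentioned at the top of this post, the same request can be made from code. The following Python sketch is an added example, not RWX's own code: the URL and payload shape come from the curl example above, while `build_set_secret_request`, `rotate_secret` and the `apply_upstream` callback are hypothetical names introduced here.

```python
import json
import os
import secrets
import urllib.request

# Endpoint and payload shape are taken from the curl example on this page.
API_URL = "https://cloud.rwx.com/mint/api/vaults/secrets"


def build_set_secret_request(token, vault_name, name, value, description=""):
    """Build (but do not send) the POST request that sets one vault secret."""
    if not token:
        raise ValueError("access token is empty; refusing to build request")
    payload = {
        "vault_name": vault_name,
        "secrets": [{"name": name, "secret": value, "description": description}],
    }
    return urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode("utf-8"),  # json.dumps handles escaping
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def rotate_secret(vault_name, name, apply_upstream, send=urllib.request.urlopen):
    """Generate a new value, apply it upstream, then store it in the vault.

    apply_upstream is a hypothetical callback that changes the credential at
    the service that issued it; if it raises, the vault is left untouched.
    """
    new_value = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    apply_upstream(new_value)
    request = build_set_secret_request(
        os.environ.get("RWX_ACCESS_TOKEN", ""), vault_name, name, new_value,
        description="rotated by automation",
    )
    # urlopen raises urllib.error.HTTPError on a non-2xx status, so a failed
    # write surfaces as an exception instead of being silently ignored.
    with send(request, timeout=30) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample values; the callback stands in for the real service.
    print(rotate_secret("your-vault", "the-secret-name", lambda value: None))
```

The new value never appears in a command line or a log line here; it exists only in memory, in the callback, and in the request body.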

Accessing Secrets in Runs

You can then access secrets in your run using an expression. As a best practice, reference them in environment variables to minimize issues with escaping characters.

.rwx/example.yml
tasks:
  - key: use-secret
    run: echo "the secret is $SECRET_VALUE"
    env:
      SECRET_VALUE: ${{ vaults.your-vault.secrets.your-secret }}

Demo

Secrets are automatically filtered from logs; the value shows up as ******** in the log output.
