Secrets

Use secrets for storing any sensitive value that you want to access in your Mint workflows. It's common to pass secrets as environment variables into tasks, although you can also pass them to commands directly. Either way, you'll reference the secret using expressions, such as ${{ secrets.YOUR_SECRET }}.

See the documentation on vaults for configuring vaults to store secrets.

Setting Secrets

You can set secrets in the Mint UI, under Vaults.

https://cloud.rwx.com/mint/deep_link/vaults

You can also set secrets using the Mint CLI. See the getting started docs for notes on installing and authenticating the CLI.

To set secrets in the default vault, while passing the values on the command line:

mint vaults set-secrets SECRETNAME1=secretvalue1 SECRETNAME2=secretvalue2

To set secrets in a different vault:

mint vaults set-secrets --vault your_vault SECRETNAME=secretvalue

You can also pass secrets in a file that uses the dotenv format.

mint vaults set-secrets --file secrets.env

The dotenv format expects lines of KEY=value, with double quotes used for multiline secrets, such as this:

SECRETNAME=secretvalue
MULTILINE_SECRET="line 1
line 2"
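
One way to build such a file without typing secret values on a command line, as an added example that is not part of the Mint documentation or CLI. The function names and temp-file path are hypothetical, and quoting only multiline values while rejecting values that contain a double quote is an assumption, since this page does not describe escaping rules.

```shell
#!/bin/sh
# Added example; function names and the temp-file path are hypothetical.

# Create an empty secrets file readable only by the current user.
new_secrets_file() {
  ( umask 077; mktemp "${TMPDIR:-/tmp}/mint-secrets.XXXXXX" )
}

# append_secret FILE NAME  (secret value is read from stdin)
append_secret() {
  file=$1
  name=$2
  nl='
'
  # Assumption: keys use the conventional env-var charset.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "invalid secret name: $name" >&2; return 1 ;;
  esac
  # Command substitution strips trailing newlines from the value.
  value=$(cat)
  # Escaping rules are not documented on this page, so refuse values
  # containing a double quote rather than guess (assumption).
  case $value in
    *'"'*) echo "$name: value contains a double quote" >&2; return 1 ;;
  esac
  # printf is a builtin in bash and dash, so the value never appears in
  # another process's argument list. Quote only multiline values, as the
  # page's sample does.
  case $value in
    *"$nl"*) printf '%s="%s"\n' "$name" "$value" >> "$file" ;;
    *)       printf '%s=%s\n'   "$name" "$value" >> "$file" ;;
  esac
}

# Typical use (values come from files or a prompt, never from argv):
#   f=$(new_secrets_file)
#   trap 'rm -f "$f"' EXIT
#   append_secret "$f" DEPLOY_KEY < deploy_key.pem
#   mint vaults set-secrets --file "$f"
```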

Secret in Default Vault passed as ENV

You'll often want to pass secrets as environment variables into tasks. This task sets a secret named YOUR_SECRET in an environment variable also named YOUR_SECRET. The environment variable is set only for this task, not for any subsequent tasks that depend on it. In general, it's recommended to pass secret values into each task that needs them. For more details, see the documentation on environment variables.

tasks:
  - key: example-task
    run: ...
    env:
      YOUR_SECRET: ${{ secrets.YOUR_SECRET }}

Secret in Custom Vault passed as ENV

Given a vault named your_other_vault:

tasks:
  - key: example-task
    run: ...
    env:
      YOUR_SECRET: ${{ vaults.your_other_vault.secrets.YOUR_SECRET }}

Secret in Default Vault passed in Run Script

Although it's recommended to use environment variables, you can also pass secrets directly into run scripts:

tasks:
  - key: example-task
    run: ./some-script.sh ${{ secrets.YOUR_SECRET }}