Vaults
Vaults are used to store secrets, vars, OIDC tokens, and tool caches.
You'll use vaults for any sensitive value, such as authentication credentials, which you want to be able to access in your Mint workflows without checking into your repository.
Although vars are not sensitive, they're configured in vaults to help organize them.
Default Vault
You'll automatically have a vault named default.
The default vault allows you to reference secrets using the secrets context directly in an expression, like this:
${{ secrets.SOME_API_TOKEN }}
To reference secrets in any other vault, you'll need to explicitly reference the vault name.
For example, if you have a vault named foo:
${{ vaults.foo.secrets.SOME_API_TOKEN }}
Similarly with vars, you can omit the vault name when referencing vars in the default vault:
${{ vars.YOUR_VAR }}
And you'll need to qualify it if using any other vault:
${{ vaults.foo.vars.YOUR_VAR }}
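The expressions above as they would appear inside a workflow task, as an added example that is not part of the original page. The task layout (tasks, key, run, env) is assumed here for illustration; the vault, secret and var names are placeholders, and the secret and var values are assumed to already be stored in the default vault and in a custom vault named foo:

```yaml
# Added example: one task reading from the default vault and from a custom vault.
tasks:
  - key: call-api
    run: ./scripts/call-api.sh
    env:
      # Default vault: no vault qualifier needed.
      API_TOKEN: ${{ secrets.SOME_API_TOKEN }}
      API_REGION: ${{ vars.YOUR_VAR }}
      # Custom vault "foo": must be qualified with vaults.<name>.
      FOO_API_TOKEN: ${{ vaults.foo.secrets.SOME_API_TOKEN }}
      FOO_REGION: ${{ vaults.foo.vars.YOUR_VAR }}
```

Secrets with the same name can exist in different vaults; the qualified form is what disambiguates them, so a task that reads SOME_API_TOKEN without a vault prefix always gets the default vault's copy.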
Custom Vaults
You can also create custom vaults. This can be helpful simply for organization, such as grouping secrets and vars related to specific repositories or projects together.
It can also be helpful for security, to restrict access to certain secrets. To restrict access, you'll need to configure the vault as being locked.
Locked Vaults
Vaults can either be locked or unlocked.
Unlocked vaults can be accessed from any repository and by any user in your organization who initiates a run using the Mint CLI. In practice this means a secret in an unlocked vault is readable by any workflow on any branch, including feature branches pushed by anyone with write access to a repository. In general, you should use an unlocked vault only for secrets which you want to be accessible from a feature branch.
Locked vaults can only be accessed from repositories and branches that you specify, and by users that you explicitly grant access.
In general, you should use a locked vault for secrets such as deployment keys, which should only be usable from branches like main and not from feature branches.
It's common to have a locked vault whose allowed branches match the protected branches in your version control provider, if you're using Mint to facilitate Continuous Deployment.
For testing changes to Mint workflows that involve a locked vault, you can either:
- temporarily grant access to the specific feature branch that is being used for testing
- temporarily grant access to the specific user who is working on the changes
Either grant should be removed once testing is done, so that the vault's access list again matches only your protected branches.
More on Vaults
Continue reading about secrets, vars, OIDC tokens, and tool caches.