Vaults

Vaults are used to store secrets, vars, OIDC tokens, and tool caches.

You'll use vaults for any sensitive value, like authentication credentials, that you want to be able to access in your Mint workflows without checking into your repository.

Although vars are not sensitive, they're configured in vaults to help organize them.

Default Vault

You'll automatically have a vault named default.

The default vault allows you to reference secrets using the secrets context directly in an expression, like this:

${{ secrets.SOME_API_TOKEN }}

To reference secrets in any other vault, you'll need to reference the vault name explicitly. For example, if you have a vault named foo:

${{ vaults.foo.secrets.SOME_API_TOKEN }}

Similarly with vars, you can omit the vault named when defining vars in the default vault:

${{ vars.YOUR_VAR }}

And you'll need to qualify it if using any other vault:

${{ vaults.foo.vars.YOUR_VAR }}

Custom Vaults

You can also create custom vaults. This can be helpful simply for organizational purposes. For example, you may want to group secrets and vars related to specific repositories or projects together.

It can also be helpful for security to restrict access to certain secrets. To restrict access, you'll need to configure the vault as being locked.

Locked Vaults

Vaults can either be locked or unlocked.

Unlocked vaults can be accessed from any repository and from any user in your organization that initiates a run using the Mint CLI. If general, you should use an unlocked vault for any secrets which you want to be accessible from a feature branch.

Locked vaults can only be accessed from repositories and branches that you specify and from users that you grant access. In general, you should use a locked vault for secrets such as deployment keys, which should only be able to be used from branches like main and not from feature branches.

It's common for have a locked vault that matches protected branches in your version control provider, if you're using Mint to facilitate Continuous Deployment.

For testing changes to Mint workflows that involve locked vaults, you can temporarily grant access to:

  • a specific feature branch that is being used for testing
  • a specific user who is working on the changes

More on Vaults

Continue reading about secrets, vars, OIDC tokens, and tool caches.