Vaults are used to store secrets, OIDC tokens, and tool caches. You'll use vaults for any sensitive value, such as authentication credentials, which you want to be able to access in your Mint workflows without checking into your repository.

Default Vault

You'll automatically have a vault named default.

The default vault allows you to reference secrets using the secrets context directly in an expression, like this:

${{ secrets.SOME_API_TOKEN }}

To reference secrets in any other vault, you'll need to explicitly reference the vault name. For example, if you have a vault named foo:

${{ }}

Custom Vaults

You can also create separate vaults. This can be helpful simply for organization, such as grouping secrets related to specific repositories or projects together. It can also be helpful for security, to restrict access to certain secrets. Read more about locked and unlocked vaults.

Locked Vaults

Vaults can either be unlocked or locked.

Unlocked vaults can be accessed from any repository and from any user in your organization that initiates a run using the Mint CLI. If general, you should use an unlocked vault for any secrets which you want to be accessible from a feature branch.

Locked vaults can only be accessed from repositories+branches that you specify, and from users that you grant access. In general, you should use a locked vault for secrets such as deployment keys, which should only be able to be used from branches like main and not from feature branches.

It's common for have a locked vault that matches protected branches in your version control provider, if you're using Mint to facilitate Continuous Deployment.

For testing changes to Mint workflows that involve locked vault, you can either:

  • temporarily grant access to a specific feature branch that is being used for testing
  • temporarily grant access to a specific user who is working on the changes

More on Vaults

Continue reading about secrets and OIDC tokens.