Python API

Secrets

class RPA.Robocorp.Vault.BaseSecretManager

Bases: object

Abstract class for secrets management. Should be used as a base-class for any adapter implementation.

abstract get_secret(secret_name)

Return Secret object with given name.

abstract set_secret(secret: RPA.Robocorp.Vault.Secret)

Set a secret with a new value.

class RPA.Robocorp.Vault.FileSecrets(secret_file='secrets.json')

Bases: RPA.Robocorp.Vault.BaseSecretManager

Adapter for secrets stored in a database file. Supports only plaintext secrets, and should be used mainly for debugging.

The path to the secrets file can be set with the environment variable RPA_SECRET_FILE, or as an argument to the library.

The format of the secrets file should be one of the following:

{
  "name1": {
    "key1": "value1",
    "key2": "value2"
  },
  "name2": {
    "key1": "value1"
  }
}

OR

name1:
  key1: value1
  key2: value2
name2:
  key1: value1

SERIALIZERS = {'.json': (<function load>, <function dump>), '.yaml': (<function full_load>, <function dump>)}

get_secret(secret_name)

Get secret defined with given name from file.

Parameters

secret_name – Name of secret to fetch

Returns

Secret object

Raises

KeyError – No secret with given name

load()

Load secrets file.

save()

Save the secrets content to disk.

set_secret(secret: RPA.Robocorp.Vault.Secret) → None

Set the secret value in the local Vault with the given Secret object.

Parameters

secret – A Secret object.

Raises

IOError, ValueError – Writing the local vault failed.

class RPA.Robocorp.Vault.RobocorpVault(*args, **kwargs)

Bases: RPA.Robocorp.Vault.BaseSecretManager

Adapter for secrets stored in Robocorp Vault.

The following environment variables should exist:

  • RC_API_SECRET_HOST: URL to Robocorp Secrets API

  • RC_API_SECRET_TOKEN: API token with access to Robocorp Secrets API

  • RC_WORKSPACE_ID: Robocorp Workspace ID

ENCRYPTION_SCHEME = 'robocloud-vault-transit-v2'

create_public_key_url()

Create a URL for encryption public key.

create_secret_url(name)

Create a URL for a specific secret.

get_publickey() → bytes

Get the public key for AES encryption with the existing token.

get_secret(secret_name)

Get secret defined with given name from Robocorp Vault.

Parameters

secret_name – Name of secret to fetch

Returns

Secret object

Raises

RobocorpVaultError – Error with API request or response payload

property headers

Default request headers.

property params

Default request parameters.

set_secret(secret: RPA.Robocorp.Vault.Secret) → None

Set the secret value in the Vault. Note that a secret can consist of multiple key-value pairs, all of which are overwritten with the values given here. Do not try to update only one item of the secret; supply all of them.

Parameters

secret – A Secret object

exception RPA.Robocorp.Vault.RobocorpVaultError

Bases: RuntimeError

Raised when there is a problem reading from Robocorp Vault.

args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

class RPA.Robocorp.Vault.Secret(name, description, values)

Bases: collections.abc.Mapping

Container for a secret with name, description, and multiple key-value pairs. Immutable and avoids logging internal values when possible.

Parameters
  • name – Name of secret

  • description – Human-friendly description for secret

  • values – Dictionary of key-value pairs stored in secret

property description
get(k[, d]) → D[k] if k in D, else d. d defaults to None.
items() → a set-like object providing a view on D's items
keys() → a set-like object providing a view on D's keys
property name
update(kvpairs)
values() → an object providing a view on D's values

class RPA.Robocorp.Vault.Vault(*args, **kwargs)

Bases: object

Vault is a library for interacting with secrets stored in Robocorp Vault (the default) or in a file-based secrets store, which is enabled by setting environment variables.

Robocorp Vault works together with Robocorp Worker or Robocorp CLI (RCC). The following three environment variables must exist; Robocorp Worker sets them automatically, and they can be set manually with Robocorp CLI.

  • RC_API_SECRET_HOST: URL to Robocorp Vault API

  • RC_API_SECRET_TOKEN: API Token for Robocorp Vault API

  • RC_WORKSPACE_ID: Control Room Workspace ID

File-based secrets can be set by defining two environment variables.

  • RPA_SECRET_MANAGER: RPA.Robocorp.Vault.FileSecrets

  • RPA_SECRET_FILE: Absolute path to the secrets database file

Example content of local secrets file:

{
    "swaglabs": {
        "username": "standard_user",
        "password": "secret_sauce"
    }
}

OR

swaglabs:
    username: standard_user
    password: secret_sauce
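
A preflight check for the configuration described above, as an added example that is not part of the library or of the original documentation: it verifies the environment variables the Vault class reads and, for FileSecrets, that the plaintext JSON file has the name-to-key-value layout and is not accessible to group or other users. The function names, the wording of the findings and the permission policy are assumptions of this example; the YAML form is not covered, and the file written by demo() is constructed sample data.

```python
import json
import os
import stat
import tempfile

FILE_MANAGER = "RPA.Robocorp.Vault.FileSecrets"
VAULT_VARS = ("RC_API_SECRET_HOST", "RC_API_SECRET_TOKEN", "RC_WORKSPACE_ID")


def check_secret_file(path):
    """Return findings for a JSON secrets file in the {name: {key: value}} layout."""
    findings = []
    if not os.path.isabs(path):
        findings.append("RPA_SECRET_FILE is not an absolute path")
    try:
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8") as handle:
            data = json.load(handle)
    except (OSError, ValueError) as err:
        return findings + [f"cannot load secrets file: {err}"]
    # FileSecrets stores plaintext, so the file mode is the only protection.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {stat.S_IMODE(mode):o} grants group/other access")
    if not isinstance(data, dict):
        return findings + ["top level must map secret names to objects"]
    for name, values in data.items():
        if not isinstance(values, dict):
            findings.append(f"secret {name!r} is not a key-value object")  # names only
    return findings


def check_vault_env(env):
    """Check the variables Vault reads; env is a mapping such as os.environ."""
    if env.get("RPA_SECRET_MANAGER") == FILE_MANAGER:
        return check_secret_file(env.get("RPA_SECRET_FILE", "secrets.json"))
    return [f"{var} is not set" for var in VAULT_VARS if not env.get(var)]


def demo():
    """Run the checks on a constructed secrets file with loose permissions."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secrets.json")
        with open(path, "w", encoding="utf-8") as handle:
            json.dump({"swaglabs": {"username": "standard_user"}, "broken": "x"}, handle)
        os.chmod(path, 0o644)
        return check_vault_env({"RPA_SECRET_MANAGER": FILE_MANAGER, "RPA_SECRET_FILE": path})

if __name__ == "__main__":
    print(demo())
```

Findings contain secret names and file metadata only, never values, so the output can go to a job log.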

Examples

Robot Framework

*** Settings ***
Library    Collections
Library    RPA.Robocorp.Vault

*** Tasks ***
Reading secrets
    ${secret}=    Get Secret  swaglabs
    Log Many      ${secret}

Modifying secrets
    ${secret}=          Get Secret      swaglabs
    ${level}=           Set Log Level   NONE
    Set To Dictionary   ${secret}       username    nobody
    Set Log Level       ${level}
    Set Secret          ${secret}

Python

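from RPA.Robocorp.Vault import Vault

# Uses Robocorp Vault by default, or the adapter named in RPA_SECRET_MANAGER.
VAULT = Vault()

def reading_secrets():
    # The Secret container avoids logging its internal values when possible.
    print(f"My secrets: {VAULT.get_secret('swaglabs')}")

def modifying_secrets():
    secret = VAULT.get_secret("swaglabs")
    secret["username"] = "nobody"
    # set_secret replaces every value in the secret, so write back the whole object.
    VAULT.set_secret(secret)

ROBOT_LIBRARY_DOC_FORMAT = 'REST'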
ROBOT_LIBRARY_SCOPE = 'GLOBAL'
property adapter
get_secret(secret_name: str) → RPA.Robocorp.Vault.Secret

Read a secret from the configured source, e.g. Robocorp Vault, and return it as a Secret object.

Parameters

secret_name – Name of secret

set_secret(secret: RPA.Robocorp.Vault.Secret) → None

Overwrite an existing secret with new values.

Note: Only allows modifying existing secrets, and replaces all values contained within it.

Parameters

secret – Secret as a Secret object, from e.g. Get Secret