Python API


class RPA.Robocorp.Vault.BaseSecretManager

Bases: object

Abstract class for secrets management. Should be used as a base-class for any adapter implementation.

abstract get_secret(secret_name)

Return Secret object with given name.

abstract set_secret(secret: Secret)

Set a secret with a new value.

class RPA.Robocorp.Vault.FileSecrets(secret_file='secrets.json')

Bases: BaseSecretManager

Adapter for secrets stored in a database file. Supports only plaintext secrets, and should be used mainly for debugging.

The path to the secrets file can be set with the environment variable RPA_SECRET_FILE, or as an argument to the library.

The format of the secrets file should be one of the following:

  "name1": {
    "key1": "value1",
    "key2": "value2"
  "name2": {
    "key1": "value1"


  key1: value1
  key2: value2
  key1: value1
SERIALIZERS = {'.json': (<function load>, <function dump>), '.yaml': (<function full_load>, <function dump>)}

Get secret defined with given name from file.


secret_name – Name of secret to fetch


Secret object


KeyError – No secret with given name


Load secrets file.


Save the secrets content to disk.

set_secret(secret: Secret) None

Set the secret value in the local Vault with the given Secret object.


secret – A Secret object.


IOError, ValueError – Writing the local vault failed.

class RPA.Robocorp.Vault.RobocorpVault(*args, **kwargs)

Bases: BaseSecretManager

Adapter for secrets stored in Robocorp Vault.

The following environment variables should exist:

  • RC_API_SECRET_HOST: URL to Robocorp Secrets API

  • RC_API_SECRET_TOKEN: API token with access to Robocorp Secrets API

  • RC_WORKSPACE_ID: Robocorp Workspace ID

If the robot run is started from the Robocorp Control Room these environment variables will be configured automatically.

ENCRYPTION_SCHEME = 'robocloud-vault-transit-v2'

Create a URL for encryption public key.


Create a URL for a specific secret.

get_publickey() bytes

Get the public key for AES encryption with the existing token.


Get secret defined with given name from Robocorp Vault.


secret_name – Name of secret to fetch


Secret object


RobocorpVaultError – Error with API request or response payload

property headers

Default request headers.

property params

Default request parameters.

set_secret(secret: Secret) None

Set the secret value in the Vault. Note that the secret possibly consists of multiple key-value pairs, which will all be overwritten with the values given here. So don’t try to update only one item of the secret, update all of them.


secret – A Secret object

exception RPA.Robocorp.Vault.RobocorpVaultError

Bases: RuntimeError

Raised when there’s problem with reading from Robocorp Vault.


Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

class RPA.Robocorp.Vault.Secret(name, description, values)

Bases: Mapping

Container for a secret with name, description, and multiple key-value pairs. Immutable and avoids logging internal values when possible.

  • name – Name of secret

  • description – Human-friendly description for secret

  • values – Dictionary of key-value pairs stored in secret

property description
get(k[, d]) D[k] if k in D, else d.  d defaults to None.
items() a set-like object providing a view on D's items
keys() a set-like object providing a view on D's keys
property name
values() an object providing a view on D's values
class RPA.Robocorp.Vault.Vault(*args, **kwargs)

Bases: object

Vault is a library for interacting with secrets stored in the Robocorp Control Room Vault (by default) or file-based secrets, which can be taken into use by setting some environment variables.

Robocorp Vault relies on environment variables, which are normally set automatically by the Robocorp Work Agent or Assistant when a run is initialized by the Robocorp Control Room. When developing robots locally in VSCode, you can use the Robocorp Code Extension to set these variables automatically as well.

Alternatively, you may set these environment variable manually using rcc or directly in some other fashion. The specific variables which must exist are:

  • RC_API_SECRET_HOST: URL to Robocorp Vault API

  • RC_API_SECRET_TOKEN: API Token for Robocorp Vault API

  • RC_WORKSPACE_ID: Control Room Workspace ID

File-based secrets can be set by defining two environment variables.

  • RPA_SECRET_MANAGER: RPA.Robocorp.Vault.FileSecrets

  • RPA_SECRET_FILE: Absolute path to the secrets database file

Example content of local secrets file:

    "swaglabs": {
        "username": "standard_user",
        "password": "secret_sauce"


    username: standard_user
    password: secret_sauce

Examples of Using Secrets in a Robot

Robot Framework

*** Settings ***
Library    Collections
Library    RPA.Robocorp.Vault

*** Tasks ***
Reading secrets
    ${secret}=    Get Secret  swaglabs
    Log Many      ${secret}

Modifying secrets
    ${secret}=          Get Secret      swaglabs
    ${level}=           Set Log Level   NONE
    Set To Dictionary   ${secret}       username    nobody
    Set Log Level       ${level}
    Set Secret          ${secret}


from RPA.Robocorp.Vault import Vault

VAULT = Vault()

def reading_secrets():
    print(f"My secrets: {VAULT.get_secret('swaglabs')}")

def modifying_secrets():
    secret = VAULT.get_secret("swaglabs")
    secret["username"] = "nobody"
property adapter
get_secret(secret_name: str) Secret

Read a secret from the configured source, e.g. Robocorp Vault, and return it as a Secret object.


secret_name – Name of secret

set_secret(secret: Secret) None

Overwrite an existing secret with new values.

Note: Only allows modifying existing secrets, and replaces

all values contained within it.


secret – Secret as a Secret object, from e.g. Get Secret