Vaults
Vaults are used to store secrets, vars, OIDC tokens, and tool caches.
You'll use vaults for any sensitive value, like authentication credentials, that you want to be able to access in your Mint workflows without checking into your repository.
Although vars are not sensitive, they're configured in vaults to help organize them.
Default Vault
You'll automatically have a vault named default.
The default vault allows you to reference secrets using the secrets context directly in an expression, like this:
${{ secrets.SOME_API_TOKEN }}
To reference secrets in any other vault, you'll need to reference the vault name explicitly.
For example, if you have a vault named foo:
${{ vaults.foo.secrets.SOME_API_TOKEN }}
Similarly with vars, you can omit the vault name when referencing vars in the default vault:
${{ vars.YOUR_VAR }}
And you'll need to qualify it if using any other vault:
${{ vaults.foo.vars.YOUR_VAR }}
Custom Vaults
You can also create custom vaults. This can be helpful simply for organizational purposes. For example, you may want to group secrets and vars related to specific repositories or projects together.
It can also be helpful for security to restrict access to certain secrets. To restrict access, you'll need to configure the vault as being locked.
Locked Vaults
Vaults can either be locked or unlocked.
Unlocked vaults can be accessed from any repository and by any user in your organization who initiates a run using the Mint CLI. In general, you should use an unlocked vault for any secrets that you want to be accessible from a feature branch.
Locked vaults can only be accessed from the repositories and branches that you specify and by the users to whom you grant access.
In general, you should use a locked vault for secrets such as deployment keys, which should only be usable from branches like main and not from feature branches.
If you're using Mint to facilitate Continuous Deployment, it's common to have a locked vault whose branch access matches the protected branches in your version control provider.
For testing changes to Mint workflows that involve locked vaults, you can temporarily grant access to:
- a specific feature branch that is being used for testing
- a specific user who is working on the changes
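The following workflow fragment pulls together the expression forms from the Default Vault section and the unlocked/locked split described above. It is an added example, not taken from the Mint documentation: the task keys, the secret and var names, the locked vault name deploy, and the vault it stores the deploy key in are all assumptions. Which branches and users may read the deploy vault is configured on the vault itself (its "Access Control" tab), not in the workflow file; the workflow only references the vault, and Mint enforces the lock at run time.

```yaml
# Added example (not from the Mint docs). Assumed names:
#   default vault: SOME_API_TOKEN (secret), YOUR_VAR (var)
#   locked vault "deploy": DEPLOY_KEY (secret), TARGET_ENV (var)

tasks:
  # Runs from any branch, so it only pulls from the unlocked default vault.
  - key: test
    run: ./scripts/test.sh
    env:
      # Default vault: no vault name needed.
      API_TOKEN: ${{ secrets.SOME_API_TOKEN }}
      SOME_SETTING: ${{ vars.YOUR_VAR }}

  # Holds the deployment key, so it reads from the locked vault "deploy".
  # If this task runs from a branch or user without access to that vault,
  # Mint either fails the task or (with approvals enabled) holds it for approval.
  - key: deploy
    use: test
    run: ./scripts/deploy.sh
    env:
      # Any non-default vault must be referenced by name.
      DEPLOY_KEY: ${{ vaults.deploy.secrets.DEPLOY_KEY }}
      TARGET_ENV: ${{ vaults.deploy.vars.TARGET_ENV }}
```

Keeping the deploy key out of the default vault means a feature branch that runs the test task never needs, and never receives, access to the deployment credential; only the deploy task touches the locked vault, which keeps the approval surface to a single task.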
Approvals
Mint supports approval workflows with locked vaults. When you configure your vault to be locked, you can additionally indicate whether approvals are enabled. If approvals are enabled and a task that would not otherwise be permitted to access the vault (because of its branch or user access configuration) attempts to access it, Mint sends an approval request.
Each vault with approvals enabled can configure how many approvals are required and who is allowed to approve access. Tasks that are trying to access a vault and need approval to do so will wait to run until access is granted or will fail if access is denied.
To configure approvals, go to the "Access Control" tab in your vault, make sure it's locked, enable approvals, and select the people in your organization that are allowed to approve access. Then, write a task that accesses that vault.
More on Vaults
Continue reading about secrets, vars, OIDC tokens, and tool caches.