Vault

Store secrets and environment values in a secure Vault

The vault is a system for storing secret information that shouldn’t be committed to version control. API keys are a perfect example of something you should store in the vault. You can also use it to store values that differ between environments, like flags and URLs.

📘

Tip

Make sure you've added all your secret API keys and have set up permissions properly for your team members so that you're compliant with your company's Infosec requirements.

The vault can be accessed in the Meya Console, or Meya CLI if you've set up your computer for local development.

Security and compliance

Not everyone needs to be able to view or update the vault. With Meya's team permissions, it's easy to control vault access so your app stays secure and compliant. Just create a team with the appropriate permissions, then assign users to the team.

The table below outlines the different vault permissions you can assign to teams.

Permission: None
User can:
- view vault keys
- view vault values only in their redacted form: ●●●●●
User cannot:
- create, update, or delete vault entries via console or Meya CLI

Permission: View
User can:
- view vault keys and values
User cannot:
- create, update, or delete vault entries via console or Meya CLI

Permission: Modify
User can:
- view, create, update, and delete vault entries

Accessing the vault

To access the vault via the web console, navigate to your app, then choose Vault from the left-hand menu:

[Image: Vault UI in the Console]

If you're developing your app locally, use the meya vault command to access an interactive menu with vault commands.

[Image: Vault via CLI]

Viewing entries

If you have permission to view vault values, you'll see an eye icon next to the vault value. Clicking it will reveal the value. Click again to hide it.

[Image: Viewing vault values]

If you're developing locally and don't have permission to view the vault, you'll see an error when running meya vault download:

[Image: User without permission to view entries]

Vault syntax

The vault requires entries to be written using valid YAML or JSON syntax.

📘

Learn more about syntax

YAML
JSON

📘

Validate your syntax

Need help troubleshooting a syntax error? These tools can tell you what needs to be fixed:

JSON Formatter & Validator
YAML Linter

When modifying the vault from a local development environment, you have the option of working with your vault file in either YAML or JSON format (YAML is the default).

JSON example:

meya vault download --json --file vault.secret.json
meya vault upload --json --file vault.secret.json

The same requirement is true in the web console. Invalid syntax will result in an error when you try to save your changes.

[Image: Invalid syntax]

Creating, updating, and deleting entries

If you have permission to modify vault values, you'll see additional icons next to each entry for editing and deleting, and an Add item button at the bottom of the screen.

Updating entries

Click the pen icon to edit the vault key and value. Click the checkmark to finish editing. A green icon to the right of the entry will indicate an update has been made, but not saved.

🚧

Don't forget to hit the Save button in the top right corner to actually save your changes!

[Image: Updating a vault entry]

If you're developing locally and don't have permission to modify the vault, you'll see an error when running meya vault upload:

[Image: User without permission to modify entries]

❗️

Be careful when editing the vault entry's key.

If you have code that references the old key name, you'll get an error because the old key can no longer be found (see image below for an example).

[Image: Be careful when changing the name of a vault key]
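
A pre-deploy check for the renaming problem described above, as an added example that is not part of the original page or Meya's own tooling: it reads a vault file downloaded with meya vault download --json and reports every (@ vault.KEY ) reference (the runtime syntax covered under Using vault values at runtime) whose key no longer exists, and it rejects a vault file that is not valid JSON. The file path, the sample keys and the handling of both flat dotted keys and nested objects are assumptions.

```python
import json
import re

# Runtime reference syntax shown on this page, e.g. "(@ vault.foo )".
VAULT_REF = re.compile(r"\(@\s*vault\.([A-Za-z_][\w.]*)")

def vault_keys(vault_json):
    """Return dotted key names from a JSON vault file; values are never returned.
    Assumption: entries may be flat dotted keys or nested objects."""
    try:
        data = json.loads(vault_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"vault file is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("vault file must be a JSON object")
    keys = set()
    def walk(node, prefix):
        for name, value in node.items():
            path = f"{prefix}.{name}" if prefix else name
            if isinstance(value, dict):
                walk(value, path)
            else:
                keys.add(path)
    walk(data, "")
    return keys

def missing_refs(sources, keys):
    """List (file, line, key) for every vault reference that has no entry."""
    missing = []
    for filename, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in VAULT_REF.finditer(line):
                key = match.group(1).rstrip(".")
                if key not in keys:
                    missing.append((filename, lineno, key))
    return missing

# Constructed sample: target_password was renamed in the vault but not in the app.
SAMPLE_VAULT = json.dumps({
    "zendesk.support.subdomain": "PLACEHOLDER",
    "zendesk": {"support": {"bot_agent_email": "PLACEHOLDER", "target_pass": "PLACEHOLDER"}},
})
SAMPLE_APP = {"integration/zendesk.yaml": (  # hypothetical path
    "type: meya.zendesk.support.integration\n"
    "subdomain: (@ vault.zendesk.support.subdomain )\n"
    "bot_agent_email: (@ vault.zendesk.support.bot_agent_email )\n"
    "target_password: (@ vault.zendesk.support.target_password )\n")}

if __name__ == "__main__":
    print(missing_refs(SAMPLE_APP, vault_keys(SAMPLE_VAULT)))
```

The check compares key names only, so its output can be shared or logged without exposing vault values.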

Creating and deleting entries

If you have permission to create and delete vault entries, you'll see a trashcan icon next to each entry, as well as an Add item button at the bottom of the screen.

Icons to the right of the entry will indicate whether the entry is being created or deleted:

[Image: Creating and deleting entries]

🚧

Don't forget to hit the Save button in the top right corner to actually save your changes!

Using vault values at runtime

Your app can read values in the vault using Jinja2 syntax: (@ vault.foo )

🚧

The vault is read-only at runtime

Vault entries can only be created, updated, and deleted during the design process, not at runtime.

Example

Here's how you can use the vault to store integration credentials and refer to them in your integration file:

type: meya.zendesk.support.integration
subdomain: (@ vault.zendesk.support.subdomain )
bot_agent_email: (@ vault.zendesk.support.bot_agent_email )
bot_agent_api_token: (@ vault.zendesk.support.bot_agent_api_token )
target_password: (@ vault.zendesk.support.target_password )

Here's what those vault entries would look like in the console:

[Image: vault entries in the Console]

Or if you're developing locally, your vault.secret.yaml file would look like this:

[Image: contents of vault.secret.yaml]

📘

To learn more about how to update the vault using Meya CLI, check out the data scope guide.