Vault Client
The Vault client provides secure credential management with AES-256-GCM encryption. Store usernames, passwords, and other sensitive data for use in workflow executions.
All sensitive fields (username, password, tfa_secret) are automatically encrypted by the SDK before being sent to CloudCruise servers. Plaintext credentials are never transmitted or stored.
Setup
```python
from cloudcruise import CloudCruise, CloudCruiseParams

client = CloudCruise(
    CloudCruiseParams(
        api_key="your-api-key",
        encryption_key="your-encryption-key",
    )
)
```
The encryption_key is required for vault operations. Get it from CloudCruise Settings.
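What client-side field encryption with AES-256-GCM looks like in practice, as an added illustration that is not CloudCruise's SDK code or wire format. It uses the third-party `cryptography` package; the base64 `nonce || ciphertext || tag` layout, the associated-data binding and all function names are assumptions made for this example.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Fields the page lists as encrypted before leaving the client.
SENSITIVE_FIELDS = ("user_name", "password", "tfa_secret")


def _aad(entry, name):
    # Assumption: bind each ciphertext to its entry and field so it cannot be moved.
    return f"{entry['domain']}|{entry['permissioned_user_id']}|{name}".encode()


def encrypt_fields(entry, key):
    """Return a copy of entry with sensitive fields sealed under AES-256-GCM."""
    if len(key) != 32:
        raise ValueError("AES-256-GCM requires a 32-byte key")
    out = dict(entry)
    for name in SENSITIVE_FIELDS:
        if name in entry:
            nonce = os.urandom(12)  # fresh 96-bit nonce for every encryption
            sealed = AESGCM(key).encrypt(nonce, entry[name].encode(), _aad(entry, name))
            # Assumed layout: base64(nonce || ciphertext || tag)
            out[name] = base64.b64encode(nonce + sealed).decode()
    return out


def decrypt_field(entry, name, key):
    """Decrypt one field; raises InvalidTag on a wrong key or altered data."""
    raw = base64.b64decode(entry[name])
    return AESGCM(key).decrypt(raw[:12], raw[12:], _aad(entry, name)).decode()


def rejects(entry, name, key):
    """True if GCM authentication refuses to decrypt the field."""
    try:
        decrypt_field(entry, name, key)
    except InvalidTag:
        return True
    return False


# Constructed sample entry and a throwaway demo key (not real credentials).
SAMPLE = {"domain": "https://example.com", "permissioned_user_id": "unique-user-id",
          "user_name": "constructed-user", "password": "constructed-password",
          "user_alias": "Demo"}
DEMO_KEY = AESGCM.generate_key(bit_length=256)
SEALED = encrypt_fields(SAMPLE, DEMO_KEY)
```

Non-sensitive fields such as `user_alias` pass through unchanged, and anyone without the key sees only the sealed values, which is why the key belongs in a secret store rather than in source code.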
Creating a Vault Entry
Use client.vault.create() to store new credentials:
```python
entry = client.vault.create(
    domain="https://example.com",
    permissioned_user_id="unique-user-id",
    options={
        "user_name": "[email protected]",
        "password": "secret-password",
        "user_alias": "John's Account",
    },
)
print("Created vault entry:", entry.get("id"))
```
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| domain | str | Yes | Target domain for the credentials (e.g., https://example.com) |
| permissioned_user_id | str | Yes | Unique identifier to reference this entry in workflows |
| options | dict | No | Additional fields (see below) |
Options Dictionary
| Field | Type | Description |
|---|---|---|
| user_name | str | Username or email for authentication |
| password | str | Password credential |
| user_alias | str | Human-readable label for the entry |
| tfa_secret | str | TOTP secret for two-factor authentication |
| tfa_method | str | TFA method: "AUTHENTICATOR", "EMAIL", or "SMS" |
| persist_cookies | bool | Maintain cookies across workflow executions |
| persist_local_storage | bool | Maintain local storage across executions |
| persist_session_storage | bool | Maintain session storage across executions |
| allow_multiple_sessions | bool | Allow concurrent workflow sessions with these credentials |
| max_concurrency | int | Maximum concurrent sessions (when allow_multiple_sessions is true) |
| proxy | dict | Proxy configuration with enable (bool) and target_ip (str) |
Getting Vault Entries
Retrieve vault entries with optional filtering:
```python
from cloudcruise.vault import GetVaultEntriesFilters

# Get all entries
all_entries = client.vault.get()

# Get specific entry by domain and user ID
entries = client.vault.get(
    GetVaultEntriesFilters(
        domain="https://example.com",
        permissioned_user_id="unique-user-id",
    )
)

# Get entries without decrypting credentials
entries = client.vault.get(
    GetVaultEntriesFilters(
        domain="https://example.com",
        permissioned_user_id="unique-user-id",
        decryptCredentials=False,
    )
)
```
GetVaultEntriesFilters
| Field | Type | Description |
|---|---|---|
| domain | str | Filter by target domain |
| permissioned_user_id | str | Filter by user ID |
| decryptCredentials | bool | Whether to decrypt credentials (default: True) |
When filtering, both domain and permissioned_user_id must be provided together.
Updating a Vault Entry
Update an existing vault entry:
```python
updated_entry = client.vault.update({
    "domain": "https://example.com",
    "permissioned_user_id": "unique-user-id",
    "user_name": "[email protected]",
    "password": "new-password",
    "user_alias": "Updated Account Name",
})
```
Required Fields for Update
| Field | Required |
|---|---|
| domain | Yes |
| permissioned_user_id | Yes |
| user_name | Yes |
| password | Yes |
Deleting a Vault Entry
Delete a vault entry by domain and user ID:
```python
client.vault.delete({
    "domain": "https://example.com",
    "permissioned_user_id": "unique-user-id",
})
```
Using Vault Entries in Workflows
Reference vault credentials in workflow runs by passing the permissioned_user_id as an input variable:
```python
from cloudcruise import StartRunRequest
from cloudcruise.vault import GetVaultEntriesFilters

# First, ensure the vault entry exists
entries = client.vault.get(
    GetVaultEntriesFilters(
        domain="https://login.example.com",
        permissioned_user_id="user-123",
    )
)

if not entries:
    client.vault.create(
        domain="https://login.example.com",
        permissioned_user_id="user-123",
        options={
            "user_name": "[email protected]",
            "password": "secret-password",
        },
    )

# Start the workflow with the vault entry reference
run = client.runs.start(
    StartRunRequest(
        workflow_id="your-workflow-id",
        run_input_variables={
            "USER": "user-123",  # References the permissioned_user_id
        },
    )
)

result = run.wait()
print("Run completed:", result.get("status"))
```
The input variable name (e.g., USER) depends on how your workflow is configured. Check your workflow’s input schema in the CloudCruise dashboard.