Add a Google Cloud secret manager
The ability to use the credentials of a specific Harness Delegate is behind the feature flag PL_USE_CREDENTIALS_FROM_DELEGATE_FOR_GCP_SM. Contact Harness Support to enable the feature.
You can link your Google Cloud Secret Manager to Harness and use it to store any sensitive data you use in Harness, including secrets.
Harness also supports Google KMS as a secrets manager. This topic explains how to add a GCP Secrets Manager in Harness.
Before you begin
- Go to Harness Key Concepts
- Go to Secrets Management Overview
Google Cloud secret manager important notes
- Inline secrets saved to GCP Secrets Manager must follow the naming limitations of Google Cloud Secret Manager. Secret names can only contain letters, numbers, dashes (-), and underscores (_).
- The maximum size for encrypted files saved to Google Cloud Secret Manager is 64KiB.
- Inline secrets saved to Google Cloud Secret Manager are assigned a region automatically by default. Automatic assignment is the same as not selecting the Regions setting when creating a secret in Google Cloud Secret Manager.
- Harness does not support Google Cloud Secret Manager labels at this time.
- Versions for reference secrets:
- Any modification to the content of a secret stored by Harness in Google Cloud Secret Manager creates a new version of that secret.
- When you delete a secret present in Google Cloud Secret Manager from Harness, the entire secret is deleted and not just a version.
- You cannot update the name of an inline or referenced secret stored in the Google Cloud Secret Manager using the Harness Secret Manager.
- Harness does not support changing an inline secret to a reference secret or vice versa in Harness.
For more information, go to Supported Platforms and Technologies.
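A small validator for the limits listed above, added here as an example and not part of the Harness documentation: it rejects names outside Google Cloud Secret Manager's character set, files over 64 KiB, and version values other than a positive integer or `latest`, and builds the `projects/.../secrets/.../versions/...` resource name a reference secret resolves to. The 255-character name cap and the resource-name format are Google's documented ones, not stated on this page.

```python
import re

# Constraints the page states: letters, digits, dashes and underscores in
# names; 64 KiB for encrypted files; versions are "1", "2", ... or "latest".
# The 1-255 character cap is Google's documented secret-ID limit (assumption:
# not stated on this page).
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")
MAX_FILE_BYTES = 64 * 1024


def name_problems(name: str) -> list:
    """Return the reasons `name` would be rejected, or [] if it is acceptable."""
    problems = []
    if not name:
        problems.append("name is empty")
    elif not NAME_RE.fullmatch(name):
        bad = sorted(set(re.sub(r"[A-Za-z0-9_-]", "", name)))
        if bad:
            problems.append(f"disallowed characters: {bad!r}")
        if len(name) > 255:
            problems.append(f"name is {len(name)} characters; limit is 255")
    return problems


def file_problems(data: bytes) -> list:
    """Return the reasons an encrypted-file payload would be rejected."""
    if len(data) > MAX_FILE_BYTES:
        return [f"file is {len(data)} bytes; limit is {MAX_FILE_BYTES} (64 KiB)"]
    return []


def version_resource(project: str, secret_id: str, version: str = "latest") -> str:
    """Build the Secret Manager resource name a reference secret resolves to.
    "latest" follows every new version, so it picks up each content change;
    a numbered version pins the content until the secret itself is deleted."""
    if version != "latest" and not (version.isdigit() and int(version) > 0):
        raise ValueError(f"version must be a positive integer or 'latest', got {version!r}")
    return f"projects/{project}/secrets/{secret_id}/versions/{version}"


if __name__ == "__main__":
    # Constructed inputs: a name with a space and a payload one byte over 64 KiB.
    print(name_problems("db password"))
    print(file_problems(b"x" * (MAX_FILE_BYTES + 1)))
    print(version_resource("example-project", "db_password", "2"))
```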
Google Cloud secret manager permission requirements
- Make sure you have Create/Edit permissions for Secrets.
- Make sure you have Create/Edit permissions for connectors.
- The GCP Service Account you use in the Google Secrets Manager Credentials File should have the following IAM roles: roles/secretmanager.admin, or roles/secretmanager.secretAccessor and roles/secretmanager.secretVersionManager.
Go to Managing secrets from Google.
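A preflight check for the role requirement above, added here as an example and not part of the Harness documentation or product: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` emits (a constructed sample is embedded) and reports whether a service account holds the admin role, the minimal accessor + version-manager pair, or neither. The project and account names are made-up placeholders.

```python
import json

# Roles the page names for the credentials-file service account: admin alone,
# or the accessor + version-manager pair.
ADMIN_ROLE = "roles/secretmanager.admin"
MINIMAL_ROLES = {"roles/secretmanager.secretAccessor",
                 "roles/secretmanager.secretVersionManager"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`;
# the project and account names are made up for this example.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:harness-gcp-sm@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/secretmanager.secretVersionManager",
   "members": ["serviceAccount:harness-gcp-sm@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/secretmanager.admin",
   "members": ["serviceAccount:legacy-admin@example-project.iam.gserviceaccount.com"]}
]}
""")


def roles_for_member(policy: dict, member: str) -> set:
    """Every role the policy binds directly to `member`. Conditional bindings
    count as granted, so treat this as a coarse preflight, not an IAM audit."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_secret_manager_access(policy: dict, sa_email: str) -> dict:
    """Classify a service account's Secret Manager grants.
    "missing": not enough for the connector to read or write secrets;
    "minimal": accessor + version manager, enough for inline and reference secrets;
    "admin":   works, but broader than the connector needs."""
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    if ADMIN_ROLE in roles:
        return {"status": "admin", "roles": sorted(roles), "missing": []}
    missing = sorted(MINIMAL_ROLES - roles)
    return {"status": "minimal" if not missing else "missing",
            "roles": sorted(roles), "missing": missing}


if __name__ == "__main__":
    for sa in ("harness-gcp-sm", "legacy-admin", "nobody"):
        email = f"{sa}@example-project.iam.gserviceaccount.com"
        print(sa, check_secret_manager_access(SAMPLE_POLICY, email))
```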
Add a Google Cloud secret manager
This topic assumes you have a Harness Project set up. If not, go to Create Organizations and Projects.
You can add a connector from any module in your project, in the Project setup, or in your organization or account resources.
This topic explains the steps to add a Google Cloud Secrets Manager to the account scope.
In your Harness Account, click Account Settings.
Click Account Resources.
Click Connectors and then click New Connector.
In Secret Managers, click GCP Secrets Manager.
The GCP Secrets Manager settings appear.
Add overview
- In Name, enter a name for your secret manager.
- You can choose to update the Id or let it be the same as your secret manager's name. For more information, go to Entity Identifier Reference.
- Enter the Description for your secret manager.
- Enter Tags for your secret manager.
- Click Continue.
Configure details
Select one of the following options to configure details for the Google Cloud Secret Manager:
- Specify credentials here
- Use the credentials of a specific Harness Delegate (IAM role, service account, etc)
Specify credentials here
Attach a Google Secret Manager credentials file
You must export your Google Cloud service account key and add it as an Encrypted File Secret in Harness.
In the Google Cloud console, select IAM & admin > Service account.
Scroll to the service account you want to use. If no service account is present, create one.
Grant this service account the Google Cloud Secret Manager permissions needed.
To do this, edit the service account and click Permissions. Click Roles, and then add the roles needed.
Go to Managing secrets in the Google Cloud documentation.
Open your service account's Actions ⋮ menu, then select Create key.
In the resulting Create private key dialog, select the JSON option, create the key, and download it to your computer.
Go back to Harness.
In Google Secrets Manager Credentials File, select the encrypted file you just added in Harness.
You can also create a new File Secret here and add the Google Cloud service account key that you downloaded.
Click Continue.
Use the credentials of a specific Harness Delegate (IAM role, service account, etc)
If you select this option, Harness authenticates using the IAM role assigned to the specific delegate you select. These are the Application Default Credentials.
For more information, go to Application Default Credentials.
You can select a delegate using a Delegate Selector.
Click Continue.
Set up delegates
- In Delegates Setup, enter Selectors for specific delegates that you want to allow to connect to this connector.
- Click Save and Continue.
Test connection
Once the Test Connection succeeds, click Finish. You can now see the connector in Connectors.
Add an inline secret to the GCP Secrets Manager
Let us add an inline text secret to the GCP Secrets Manager we just created.
In your Harness account, click Account Settings.
Click Account Resources and then click Secrets.
Click New Secret and then click Text.
The Add new Encrypted Text settings appear.
Select the GCP Secrets Manager you just created.
Enter a Name for your secret.
The default selection is Inline Secret Value.
Enter the Secret Value.
Select Configure Region to add the region(s) for your secret.
Click Save.
Add a secret reference to the GCP Secrets Manager
Let us add a secret reference to the GCP Secrets Manager we just created.
In your Harness account, click Account Settings.
Click Account Resources and then click Secrets.
Click New Secret and then click Text.
The Add new Encrypted Text settings appear.
Select the GCP Secrets Manager you just created.
Enter a Name for your secret.
Select Reference Secret.
Enter your secret identifier in Reference Secret Identifier.
In Version, enter the version of your secret that you want to reference.
You can either enter a version number like 1 or 2, or enter latest to reference the latest version.
Click Save.
Add an encrypted file secret to the GCP Secrets Manager
Let us add an encrypted file secret to the GCP Secrets Manager we just created.
In your Harness account, click Account Settings.
Click Account Resources and then click Secrets.
Click New Secret and then click File.
The Add new Encrypted File settings appear.
Select the GCP Secrets Manager you just created.
Enter a Name for your secret.
In Select File, browse, and select your file.
Select Configure Region to add the region(s) for your secret.
Click Save.