
Use secrets managers

In this tutorial, we'll walk you through the process of safely storing and accessing sensitive information like API keys and credentials. You'll learn best practices while gaining hands-on experience to ensure your secrets remain protected. Let's dive into the world of Harness secrets management.

Create secrets

Harness offers built-in secret management for encrypted storage of sensitive information. Secrets are decrypted when needed, and only the private network-connected Harness Delegate has access to the key management system. You can also integrate your own secret manager. To learn more about secrets in Harness, go to Harness Secret Manager Overview.

To create a secret, do the following:

  1. Sign in to Harness.
  2. Select Projects, and then select Secrets.
  3. Select New Secret, and then select Text.
  4. Enter Name for the secret.
  5. For the Secret Value, enter a GitHub personal access token (PAT) with the repo scope. For more information, go to creating a personal access token in the GitHub documentation.
  6. Select Save.

Harness secrets management overview

Harness Secret Manager is a platform designed to securely and centrally manage secrets. It offers a unified interface to store, manage, and distribute secrets, including API keys, passwords, and certificates, used in software applications. Developers can seamlessly incorporate secrets into their applications, enforce access controls, and monitor secret usage. This system streamlines secret management and strengthens security for organizations using Harness for software development and deployment workflows.

Manage Secrets with built-in Harness Secret Manager

Google Cloud Key Management Service is the default secret manager in Harness and is named Harness Secret Manager Google KMS. To learn how to configure Harness Secret Manager Google KMS, go to how to add a Google KMS Secret Manager in Harness.

Your browser sends information securely to Harness Manager using HTTPS. Harness Manager transfers encrypted information to the Harness Delegate using HTTPS. The delegate securely exchanges a pair of keys with the secret manager through an encrypted connection. The Harness Delegate uses the encrypted key and secret, and then removes them. The keys never leave the delegate. The delegate uses the required value to deploy on the instances.

Integrate third-party secret managers

note

This feature is behind a Feature Flag and is available only to our paid customers.

Before you begin

Verify that you have the following:

Use AWS KMS to manage secrets

  1. Sign in to Harness.
  2. Select Projects, and then select Default Project.

Harness Delegate

The Harness Delegate is a service that runs in your local network or VPC to establish connections between the Harness Manager and various providers, such as artifact registries, cloud platforms, etc. The delegate is installed in the target infrastructure, for example, a Kubernetes cluster, and performs operations, including deployment and integration. To learn more about delegates, go to the Delegate overview.

Make sure the delegate is installed and connected. For more details, go to the Google Cloud Functions tutorial.

Create an AWS access key ID

To create an AWS access key, do the following:

  1. Select New Secret, and then select Text.
  2. Enter the secret name aws_kms_access_key.
  3. For the secret value, paste the access key ID for your AWS user account. The Harness Delegate uses this credential to authenticate Harness with AWS at deployment runtime.
  4. Select Save.

Create an AWS secret key ID

To create an AWS secret key ID, do the following:

  1. Select New Secret, and then select Text.
  2. Enter the secret name aws_kms_secret_key.
  3. For the secret value, paste the secret key for your AWS user account. The Harness Delegate uses this credential to authenticate Harness with AWS at deployment runtime.
  4. Select Save.

Create an AWS ARN

To create an AWS ARN, do the following:

  1. Select New Secret, and then select Text.
  2. Enter the secret name aws_kms_arn.
  3. For the secret value, paste the ARN for your AWS user account. The Harness Delegate uses this credential to authenticate Harness with AWS at deployment runtime.
  4. Select Save.

For more information, go to find the Access key ID and ARN in the AWS documentation.

Connectors

Connectors in Harness enable integration with third-party tools, providing authentication for operations during pipeline runtime. For instance, a GitHub connector facilitates authentication and fetching files from a GitHub repository within pipeline stages. For more details, go to Connectors.

To create an AWS connector, do the following:

  1. Create the AWS Connector.

  2. Copy the contents of the aws-kms-connector.yaml file.

  3. In your Harness project in the Harness Manager, under Project Setup, select Connectors.

  4. Select Create via YAML Builder and paste the copied YAML.

  5. Select Save Changes and verify that the new connector named aws-kms-connector is successfully created.

  6. Select Connection Test under Connectivity Status to verify the connection is successful.

note

If you are NOT using the default organization and project, make sure to change the orgIdentifier and projectIdentifier in the aws-kms-connector.yaml file.

You can now use this secret manager in your pipeline.

Secrets and log sanitization

Harness sanitizes deployment logs and any script outputs to mask text secret values.

Let's create a pipeline that prints logs to the console to see how Harness sanitizes logs.

Create a new secret

To create a new secret, do the following:

  1. Select New Secret, and then select Text.
  2. Enter the secret name docsecret.
  3. For the secret value, add the string docsecret.
  4. Select Save.

Create a pipeline

To create a pipeline, do the following:

  1. In Default Project, select Pipelines.
  2. Select New Pipeline.
  3. Enter the name print secret.
  4. Select Inline to store the pipeline in Harness.
  5. Select Start and, in the Pipeline Studio, toggle to YAML to use the YAML editor.
  6. Select Edit YAML to enable edit mode. Copy the contents of the secret-sanitization.yaml file and paste it.
  7. Select Save to save the pipeline.

Run the pipeline

Finally, it's time to execute the pipeline.

To run the pipeline, do the following:

  1. Select Run, and then select Run Pipeline to initiate the deployment.
  2. Observe the execution logs as Harness runs the pipeline.
  3. In console logs, the secret is masked with asterisks (*), as shown in the following image.

When a text secret is displayed in a deployment log, Harness substitutes the text secret value with asterisks (*) so that the secret value is never displayed. For more information, go to secrets and log-sanitization. The only exception is output variables. If an output variable value contains a secret, be aware that the secret will be visible in the build details. For more information, go to output variables.
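To make the behaviour above concrete, the following is an added Python illustration (not Harness's own sanitizer or any of the tutorial's YAML) of what a log sanitizer does with registered text secret values and why output variables are the weak spot: every occurrence of a secret value in a console line is replaced with asterisks before it is displayed, while an output variable carrying a secret is returned unmasked, so the example adds a check that flags such variables. The mask string, the function names and the sample log lines and token value are all constructed for this example.

```python
import re
from typing import Callable, Iterable

# Fixed-length mask (this example's choice): a masked line reveals nothing
# about how long the secret was.
MASK = "**************"

def build_sanitizer(secret_values: Iterable[str]) -> Callable[[str], str]:
    """Return a function that masks every registered secret value in a line.

    Longer values are matched first so that a secret which contains another
    secret (e.g. 'docsecret-v2' containing 'docsecret') is masked as a whole.
    Empty values are skipped, since replacing '' would corrupt every line.
    """
    values = sorted({v for v in secret_values if v}, key=len, reverse=True)
    if not values:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return lambda line: pattern.sub(MASK, line)

def sanitize_log(lines: Iterable[str], secret_values: Iterable[str]) -> list[str]:
    """Sanitize console output: each occurrence of a text secret's value is
    replaced with asterisks, so the value itself is never displayed."""
    sanitize = build_sanitizer(secret_values)
    return [sanitize(line) for line in lines]

def find_leaking_outputs(output_vars: dict[str, str], secret_values: Iterable[str]) -> list[str]:
    """Output variables are not sanitized, so a variable whose value contains
    a secret exposes it in the build details. Return the names of such
    variables so the mistake can be caught before the pipeline is run."""
    values = [v for v in secret_values if v]
    return [name for name, val in output_vars.items() if any(s in val for s in values)]

# Constructed sample data: the 'docsecret' text secret from the tutorial plus a
# made-up GitHub PAT value (not a real token).
SECRET_VALUES = ["docsecret", "ghp_constructedExampleToken123"]
LOG_LINES = [
    "Executing command ...",
    "echo docsecret",
    "docsecret",
    "Authorization: token ghp_constructedExampleToken123",
]

if __name__ == "__main__":
    for line in sanitize_log(LOG_LINES, SECRET_VALUES):
        print(line)
    # MY_VAR would leak 'docsecret' through the build details.
    print(find_leaking_outputs({"MY_VAR": "docsecret", "VERSION": "1.2"}, SECRET_VALUES))
```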