Reference Existing Secret Manager Secrets

This content is for Harness FirstGen. Switch to NextGen.If you already have secrets created in a secrets manager such as HashiCorp Vault or AWS Secrets Manager, you do not need to re-create the existing secrets in Harness.

Harness does not query the secrets manager for existing secrets, but you can create a secret in Harness that references an existing secret in HashiCorp Vault or AWS Secrets Manager. No new secret is created in those providers. If you delete the secret in Harness, it does not delete the secret in the provider.

In this topic:

• Before You Begin
• Option: Vault Secrets
• Option: AWS Secrets Manager Secrets
  • Referencing Secret Keys
• Option: Azure Key Vault Secrets
• Option: Google Cloud Secret Manager
• Next Steps

Before You Begin

• See Add an AWS Secrets Manager.
• See Add a HashiCorp Vault Secrets Manager.
• See Add Azure Key Vault Secrets.

Option: Vault Secrets

You can create a Harness secret that refers to the existing Vault secret using a path and key, such as /path/secret_key#my_key.

In the above example, /foo/bar is the pre-existing path, MyVaultSecret is the secret name, and MyKey is the key used to lookup the secret value.

Do not prepend the Vault secrets engine to the path. In the above example, if the secret (/foo/bar/MyVaultSecret#MyKey) had been generated by a Vault secrets engine named harness-engine, it would reside in this full path /harness-engine/foo/bar/MyVaultSecret#MyKey. However, in the Value field, you would enter only /foo/bar/MyVaultSecret#MyKey.This Harness secret is simply a reference pointing to an existing Vault secret. Deleting this Harness secret will not delete the Vault secret referred to by this secret.

You can also reference pre-existing Vault secrets in the Harness YAML editor, as described in Encrypted Information in YAML.

Option: AWS Secrets Manager Secrets

You can create a Harness secret that refers to an existing secret in AWS Secrets Manager using the name of the secret, and a prefix if needed. For example, devops/mySecret.

Referencing Secret Keys

In AWS Secrets Manager, your secrets are specified as key-value pairs, using a JSON collection:

To reference a specific key in your Harness secret, add the key name following the secret name, like secret_name#key_name. In the above example, the secret is named example4docs. To reference the example1 key, you would enter example4docs#example1.

Option: Azure Key Vault Secrets

You can create a Harness secret that refers to an existing secret in Azure Key Vault, using that secret's name (for example: azureSecret). You can also specify the secret's version (for example: azureSecret/05).

Option: Google Cloud Secret Manager

You can create a Harness secret that refers to an existing secret in Google Cloud Secret Manager.

In Secrets Manager, select the Google Cloud Secrets Manager you added to Harness. See Add a Google Cloud Secrets Manager.

In Reference Secret Name, enter the name of an existing secret in GCP.

In Version, enter the secret version you want to use.

In Region, enter the location of the secret. If the secret is Automatically replicated, leave this empty.

Next Steps

• Migrate Secrets Between Secrets Managers