Scope Secret Managers to Applications and Environments
You can limit the scope of Harness Secret Managers to specific Harness Applications and Environments. Once you set this up, the secrets stored in the Secret Manager may only be used in these Applications and Environments.
When used in combination with Harness User Groups Application Permissions, you can scope a Secret Manager's secrets and User Group to the same Applications and Environments.
In this topic:
- Before You Begin
- Visual Summary
- Review: Required Permissions
- Review: Secrets Limitations
- Review: Changing Secret Manager Scope
- Step 1: Open the Harness Secret Manger
- See Also
Before You Begin
Visual Summary
Here is a quick summary of how to scope secrets managers and secrets to Applications and Environments.
Review: Required Permissions
To scope a Secret Manager, a Harness User must belong to a User Group with the following permissions.
Account Permissions
A User must belong to a User Group with the Manage Secrets Managers Account Permission enabled.
See Managing Users and Groups (RBAC).
Application Permissions
The Application Permissions in the User Group determine the Applications and Environments that can be used to scope a Secret Manager and use its secrets.
- To scope the Secret Manager: User Groups must have the Update permissions on the same Applications and Environments used in the Secret Manager scope.
- To use and create secrets stored in the Secret Manager: User Groups must have the Read permissions on the same Applications and Environments used in the Secret Manager scope.
Review: Secrets Limitations
When you create a Harness Encrypted Text or File secret, you select the Secret Manager for the secret.
By default, Harness secrets inherit the same scope as the secret manager where they are stored.
If you choose to apply additional scoping rules to a secret, then the Applications and Environments in the secret's scope must be entirely contained within the scope applied to its Secrets Manager.
Review: Changing Secret Manager Scope
When you change the scope on an existing Secrets Manager that already stores secrets, the new scope might conflict with scopes of its secrets.
In this case, Harness will ask you if you want the secrets to inherit the scope from the Secrets Manager or cancel the change.
As a result of the secret scope change, Workflows and Pipelines using these secrets might stop working.
Alternatively, you can resolve conflicting secrets scopes manually. Next, you can set the Secrets Manager Usage Scope so that there are no more conflicting secrets.
Step 1: Open the Harness Secret Manger
You can scope a Secret Manager during or after you create it. In this example, we will change an existing Secret Manager:
- In Harness, click Security, and then click Secrets Management.
- In Secrets Management, click Configure Secrets Managers.
- Click the name of the Secret Manager you want to scope.
You can only change the scope of Secret Managers if your Harness User Group has the Manage Secrets Managers Account Permission enabled. - In Usage Scope, select the Applications and Environment types where this Secret Manager's secret may be used.
- Click Submit.
See Also
- Adding Secrets Managers
- Managing Secrets