Scope Secret Managers to Applications and Environments

You can limit the scope of Harness Secret Managers to specific Harness Applications and Environments. Once you set this up, the secrets stored in the Secret Manager may only be used in these Applications and Environments.

When used in combination with Harness User Groups Application Permissions, you can scope a Secret Manager's secrets and User Group to the same Applications and Environments.

Before You Begin

Visual Summary

Here is a quick summary of how to scope Secret Managers and secrets to Applications and Environments.

Review: Required Permissions

To scope a Secret Manager, a Harness User must belong to a User Group with the following permissions.

Account Permissions

A User must belong to a User Group with the Manage Secrets Managers Account Permission enabled.

See Managing Users and Groups (RBAC).

Application Permissions

The Application Permissions in the User Group determine the Applications and Environments that can be used to scope a Secret Manager and use its secrets.

  • To scope the Secret Manager: User Groups must have the Update permissions on the same Applications and Environments used in the Secret Manager scope.
  • To use and create secrets stored in the Secret Manager: User Groups must have the Read permissions on the same Applications and Environments used in the Secret Manager scope.

Review: Secrets Limitations

When you create a Harness Encrypted Text or File secret, you select the Secret Manager for the secret.

By default, Harness secrets inherit the same scope as the secret manager where they are stored.

If you choose to apply additional scoping rules to a secret, then the Applications and Environments in the secret's scope must be entirely contained within the scope applied to its Secret Manager.

Review: Changing Secret Manager Scope

When you change the scope on an existing Secret Manager that already stores secrets, the new scope might conflict with the scopes of its secrets.

In this case, Harness will ask you if you want the secrets to inherit the scope from the Secret Manager or cancel the change.

As a result of the secret scope change, Workflows and Pipelines using these secrets might stop working.

Alternatively, you can resolve the conflicting secret scopes manually. Next, you can set the Secret Manager Usage Scope so that there are no more conflicting secrets.
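
The containment rule and the scope-change conflict described above can be checked before you submit a change, so you know which secrets (and the Workflows and Pipelines that use them) would be affected. This is an added example, not Harness code or a Harness API: the `Rule` model, the `*` wildcard and the `PROD`/`NON_PROD` labels are assumptions, and the secret inventory is constructed sample data.

```python
from dataclasses import dataclass

ALL = "*"                         # assumed wildcard: every Application or Environment type
ENV_TYPES = ("PROD", "NON_PROD")  # assumed labels for the Environment types

@dataclass(frozen=True)
class Rule:
    app: str
    env: str

def _expand(rule):
    # Split an env wildcard so that two specific manager rules can cover it together.
    envs = ENV_TYPES if rule.env == ALL else (rule.env,)
    return [Rule(rule.app, e) for e in envs]

def _covered(rule, manager_scope):
    # An app wildcard on the secret is only covered by an app wildcard on the manager.
    return any(m.app in (ALL, rule.app) and m.env in (ALL, rule.env)
               for m in manager_scope)

def uncovered_rules(secret_scope, manager_scope):
    """Parts of a secret's scope that fall outside the Secret Manager scope."""
    if secret_scope is None:  # no additional scoping: the secret inherits the manager scope
        return []
    return [r for rule in secret_scope for r in _expand(rule)
            if not _covered(r, manager_scope)]

def conflicting_secrets(secrets, new_manager_scope):
    """Map each secret that would conflict to the rules the new scope does not contain."""
    report = {}
    for name, scope in secrets.items():
        missing = uncovered_rules(scope, new_manager_scope)
        if missing:
            report[name] = missing
    return report

# Constructed inventory: secret name -> additional scope (None = inherit).
SECRETS = {
    "db-password": None,
    "payments-api-key": [Rule("payments", "PROD")],
    "ci-token": [Rule("payments", ALL)],
    "shared-cert": [Rule(ALL, "NON_PROD")],
}
NEW_SCOPE = [Rule("payments", "PROD"), Rule("web", ALL)]  # proposed Usage Scope

if __name__ == "__main__":
    for name, missing in conflicting_secrets(SECRETS, NEW_SCOPE).items():
        print(f"{name}: outside new scope -> {missing}")
```

An empty report means the new Usage Scope contains every secret's scope; otherwise each listed secret must be re-scoped manually or allowed to inherit the Secret Manager scope.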

Step 1: Open the Harness Secret Manager

You can scope a Secret Manager during or after you create it. In this example, we will change an existing Secret Manager:

  1. In Harness, click Security, and then click Secrets Management.
  2. In Secrets Management, click Configure Secrets Managers.
  3. Click the name of the Secret Manager you want to scope.
    You can only change the scope of Secret Managers if your Harness User Group has the Manage Secrets Managers Account Permission enabled.
  4. In Usage Scope, select the Applications and Environment types where this Secret Manager's secrets may be used.
  5. Click Submit.