Encrypted Files API
This topic lists sample queries that read, create, update and delete Harness secrets that rely on encrypted files.
This API is currently in Beta. It supports only Get and Delete operations. For Create and Update operations, use the cURL commands given in this topic and update the parameters as needed. The !
character at the end of a parameter's name indicates that it is a required parameter.
Get a Secret by ID
This sample retrieves an existing file secret by its ID:
query{
secret(secretId:"txZMBymoS5KLTF2vUs2p0Q",secretType:ENCRYPTED_FILE){
... on EncryptedFile{
name
secretManagerId
id
usageScope {
appEnvScopes {
application {
filterType
appId
}
environment {
filterType
envId
}
}
}
inheritScopesFromSM
scopedToAccount
}
}
}
Get a Secret by Name
This sample uses a secretByName
query to retrieve an existing file secret by its name:
query{
secretByName(name:"000-azure-b22-",secretType:ENCRYPTED_FILE){
... on EncryptedFile{
name
secretManagerId
id
usageScope {
appEnvScopes {
application {
filterType
appId
}
environment {
filterType
envId
}
}
}
inheritScopesFromSM
scopedToAccount
}
}
}
Create a Secret
This sample creates a file secret.
The UI doesn't support file upload for Create and Update. To do this, use the below cURL commands. You must pass query and file as two form parameters as shown in the below samples.
Usage Scope
The required CreateSecretInput
input must include a SecretType
.
mutation ($secret: CreateSecretInput!) {
createSecret(input: $secret) {
secret {
id
name
... on EncryptedFile {
name
secretManagerId
id
}
usageScope {
appEnvScopes {
application {
filterType
appId
}
environment {
filterType
envId
}
}
}
}
}
}
Query Variables
For the above query, these sample variables specify the SecretType
, and include an inline name
value.
{
"secret": {
"secretType": "ENCRYPTED_FILE",
"encryptedFile": {
"name": "sample-file-name",
"value": "000-azure-b22",
"secretManagerId": "abcdSmUISabcRrAB6NL73w",
"usageScope": {
"appEnvScopes": [{
"application": {
"filterType": "ALL"
},
"environment": {
"filterType": "PRODUCTION_ENVIRONMENTS"
}
}]
}
}
}
}
Sample cURL:
curl --location --request POST '[https://app.harness.io/gateway/api/graphql?accountId=](https://app.harness.io/gateway/api/graphql?accountId=px7xd_BFRCi-pfWPYXVjvw)<account-id>' \
--header 'authorization: <Bearer-token>' \
--form 'file=@"/Users/sampleusername/Downloads/examplefile"' \
--form 'query="{
\"query\":\" mutation($secret: CreateSecretInput!){ createSecret(input: $secret){ secret{ id, name ... on EncryptedFile{ name secretManagerId id } usageScope{ appEnvScopes{ application{ filterType appId } environment{ filterType envId } } } } } } \",
\"variables\":{
\"secret\":{
\"secretType\":\"ENCRYPTED_FILE\",
\"encryptedFile\":{
\"name\":\"fileSecretName\",
\"usageScope\":{
\"appEnvScopes\":[
{
\"application\":{
\"filterType\":\"ALL\"
},
\"environment\":{
\"filterType\":\"PRODUCTION_ENVIRONMENTS\"
}
}
]
}
}
}
}
}"'
Inherit Scope
The required CreateSecretInput
input must include a SecretType
.
mutation ($secret: CreateSecretInput!) {
createSecret(input: $secret) {
secret {
id
name
... on EncryptedFile {
name
secretManagerId
id
inheritScopesFromSM
scopedToAccount
}
}
}
}
Query Variables
For the above query, these sample variables specify the SecretType
, and include an inline name
value.
{
"secret": {
"secretType": "ENCRYPTED_FILE",
"encryptedFile": {
"name": "file-name",
"secretManagerId": "abcdSmUISabcRrAB6NL73w",
"scopedToAccount": false,
"inheritScopesFromSM": true,
"usageScope": null
}
}
}
Sample cURL:
curl --location --request POST '[https://app.harness.io/gateway/api/graphql?accountId=](https://app.harness.io/gateway/api/graphql?accountId=px7xd_BFRCi-pfWPYXVjvw)<account-id>' \
--header 'authorization: <Bearer-token>' \
--form 'file=@"/Users/sampleusername/Downloads/examplefile"' \
--form 'query="{
\"query\":\"mutation($secret: CreateSecretInput!){ createSecret(input: $secret){ secret{ id, name ... on EncryptedFile{ name secretManagerId id inheritScopesFromSM scopedToAccount } } } }\",
\"variables\":{
\"secret\":{
\"secretType\":\"ENCRYPTED_FILE\",
\"encryptedFile\":{
\"name\":\"fileSecretName\",
\"scopedToAccount\":false,
\"inheritScopesFromSM\":true,
\"usageScope\":null
}
}
}
}"'
Update a Secret
This sample updates an existing secret.
Usage Scope
The required UpdateSecretInput
input must supply an id
and a secretType
.
mutation ($secret: UpdateSecretInput!) {
updateSecret(input: $secret) {
secret {
id
name
... on EncryptedFile {
name
secretManagerId
id
}
usageScope {
appEnvScopes {
application {
filterType
appId
}
environment {
filterType
envId
}
}
}
}
}
}
Query Variables
For the above query, these sample variables specify the SecretType
, and include an inline name
value.
{
"secret": {
"secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
"secretType": "ENCRYPTED_FILE",
"encryptedFile": {
"name": "azure-secrets",
"usageScope": {
"appEnvScopes": [{
"application": {
"filterType": "ALL"
},
"environment": {
"filterType": "PRODUCTION_ENVIRONMENTS"
}
}]
}
}
}
}
Sample cURL:
curl --location --request POST 'https://app.harness.io/gateway/api/graphql?accountId=<account-id>' \
--header 'x-api-key: <api-key>' \
--form 'file=@"/path/to/secret/file"' \
--form 'query="
{
\"query\": \" mutation($secret: UpdateSecretInput!){ updateSecret(input: $secret){ secret{ id name ... on EncryptedFile{ name secretManagerId id } usageScope{ appEnvScopes{ application{ filterType appId } environment{ filterType envId } } } } } } \",
\"variables\": {
\"secret\": {
\"secretType\": \"ENCRYPTED_FILE\",
\"secretId\": \"<secretId>\",
\"encryptedFile\": {
\"name\": \"<secretName>\",
\"usageScope\": {
\"appEnvScopes\": [
{
\"application\": {
\"filterType\": \"ALL\"
},
\"environment\": {
\"filterType\": \"PRODUCTION_ENVIRONMENTS\"
}
}
]
}
}
}
}
}"'
Inherit Scope
The required UpdateSecretInput
input must supply an id
and a secretType
.
mutation ($secret: UpdateSecretInput!) {
updateSecret(input: $secret) {
secret {
id
name
... on EncryptedFile {
name
secretManagerId
id
inheritScopesFromSM
scopedToAccount
}
}
}
}
Query Variables
{
"secret": {
"secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
"secretType": "ENCRYPTED_FILE",
"encryptedFile": {
"name": "azure-secrets",
"scopedToAccount": false,
"inheritScopesFromSM": true,
"usageScope": null
}
}
}
Sample cURL:
curl --location --request POST '[https://app.harness.io/gateway/api/graphql?accountId=](https://app.harness.io/gateway/api/graphql?accountId=px7xd_BFRCi-pfWPYXVjvw)<account-id>' \
--header 'authorization: <Bearer-token>' \
--form 'file=@"/Users/shashanksingh/Downloads/hello"' \
--form 'query="{
\"query\":\"mutation($secret: UpdateSecretInput!){ updateSecret(input: $secret){ secret{ id, name ... on EncryptedFile{ name secretManagerId id inheritScopesFromSM scopedToAccount } } } }\",
\"variables\":{
\"secret\":{
\"secretType\":\"ENCRYPTED_FILE\",
\"secretId\":\"tsOCZjLJRzembSBofpnVsA\",
\"encryptedFile\":{
\"name\":\"fileSecretName\",
\"scopedToAccount\":false,
\"inheritScopesFromSM\":true,
\"usageScope\":null
}
}
}
}"'
Delete a Secret
This sample deletes a specified secret. The required DeleteSecretInput
input must supply a secretId
and a secretType
.
mutation($secret: DeleteSecretInput!){
deleteSecret(input: $secret){
clientMutationId
}
}
Query Variables
Here are query variables for the above deleteSecret
operation.
{
"secret": {
"secretId": "Cu8ran5nSqOhxvlcfF2V6A",
"secretType": "ENCRYPTED_FILE"
}
}