Add a HashiCorp Vault Secrets Manager

Updated 3 weeks ago by Chakravarthy Tenneti

To store and use encrypted secrets (such as access keys), you can add a HashiCorp Vault Secrets Manager.


Step 1: Configure Secrets Manager

  1. Select Continuous Security > Secrets Management. The Secrets Management page appears.
  2. Click Configure Secrets Managers. In the resulting Secrets Managers page, the Status column indicates the Default provider.
  3. Click Add Secrets Manager. The Configure Secrets Manager dialog appears.
  4. Select HashiCorp Vault from the drop down list.
  5. Enter the following information — Display Name, Vault URL, and Base Secret Path. For more information, see Vault documentation.
  6. Select the Authentication Type — Token or App Role.

Option: Token

For Harness, the Token option requires periodic tokens (tokens that have renewal options).

To create a periodic token, make sure to specify a period in the token creation command:

vault token create -policy=harness -period=768h

Next, use the new token with Harness.

If you want to verify the renewal manually, use the command:

vault token lookup <token_id>

You will see an additional period field specifying the period of the token. To verify renewal, wait until the period expires and run the lookup command again.

Option: App Role Method

The App Role option enables the Harness Vault Secrets Manager to authenticate with Vault-defined roles.

The Vault AppRole method allows multiple roles to be defined, corresponding to different applications, and each with different levels of access. To authenticate with Vault, the application is assigned a static Role ID and a dynamically generated Secret ID, which are both required to log in and fetch a Vault token.

The App Role ID and Secret ID you supply will be used by Harness to fetch a Vault Auth Token dynamically at configured intervals set in Renewal Interval.

The Vault AppRole ID used needs to have an ACL policy attached for Harness to use it. Typically, you create the policy first, then create the AppRole and attach the policy.

A note on the policy examples below: if you have created a Read-only Vault Secrets Manager, it needs only read and list permissions on Vault. It does not need, and cannot assume, create, update, or delete permissions.

If the secrets are in the default Vault folder, the policy will look like this:

path "secret/*" {
  capabilities = ["create", "update", "list", "read", "delete"]
}
path "sys/mounts" {
  capabilities = ["read"]
}

If the secrets are in a subfolder, such as secret/harness, the policy will look like this:

path "secret/harness/*" {
  capabilities = ["create", "list", "read", "update", "delete"]
}
path "secret/harness" {
  capabilities = ["list", "read"]
}
path "sys/mounts" {
  capabilities = ["read"]
}

If the Vault Secrets Manager needs to renew tokens, the following permissions are needed:

path "auth/token/renew-self" {
  capabilities = ["read", "update"]
}

For more information, see RoleID and Authenticating Applications with HashiCorp Vault AppRole from HashiCorp.

Step 2: Fetch Engines

Once you have entered the required fields, click Fetch Engines. Harness will populate the Secret Engine drop-down with the list of engines it finds.

Select the engine you want to use.

Step 3: Renewal Interval

In Renew Interval, you can (optionally) select how often Harness Delegate reloads the Vault access token.

Step 4: Read-only Vault

If required by your organization's security practices, select the Read-only Vault check box. This selection authorizes Harness to read secrets from Vault, but not to create or manage secrets within Vault.

Once you have filled out the dialog, click Submit.

Read-only Limitations

If you select Read-only Vault, there are several limitations on the resulting Harness Vault Secrets Manager. First, the Use as Default Secrets Manager option is disabled for it: a read-only secrets manager cannot be Harness' default secrets manager.

Also, a read-only Harness Vault Secrets Manager:

  • Cannot be used in the Add Encrypted File dialog.
  • Cannot create inline secrets in the Add Encrypted Text modal.
  • Cannot migrate (deprecate) its secrets to another secrets manager.
  • Cannot have secrets migrated to it from another secrets manager.
