What is Secrets Management?

Updated 4 days ago by Chakravarthy Tenneti

Harness includes a built-in Secrets Management feature that enables you to store encrypted secrets, such as access keys, and use them in your Harness applications. Some key points about Secrets Management:

  • Secrets are always accessed/decrypted at the time when they are needed, and at no time are they stored unencrypted.
  • Harness Manager does not have access to your key management system, and only the Harness Delegate, which sits in your private network, has access to it. Harness never makes secrets management accessible publicly. This adds an important layer of security.

In this topic:

Secrets How-tos

Before You Begin

Before learning about, you should have an understanding of the following:

Visual Summary

You can choose to use your own secrets management solution, or the built-in Harness Secrets Manager. This diagram shows how Harness handles secrets:

Harness Secrets Management Process Overview

Harness sends only encrypted data to the secrets manager, as follows: 

  1. Your browser sends data over HTTPS to Harness Manager. 
  2. Harness Manager relays encrypted data to the Harness Delegate, also over HTTPS. 
  3. The Delegate exchanges a key pair with the secrets manager, over an encrypted connection. 
  4. The Harness Delegate uses the encrypted key and the encrypted secret, and then discards them. The keys never leave the Delegate.
Any secrets manager requires a running Harness Delegate to encrypt and decrypt secrets. Any Delegate that references a secret requires direct access to the secrets manager.

You can manage your secrets in Harness using either a Key Management Service or third party Secrets Managers.

Using Key Management Services

Google Cloud Key Management Service is the default Secrets Manager in Harness. 

The Key Management Service (Google Cloud KMS or AWS KMS) only stores the key. Harness uses envelope encryption to encrypt and decrypt the secrets. The encrypted secret and the encrypted Data Encryption Key (used for envelope encryption) are stored in the Harness database. 

If you are using a KMS, rotation of keys is not supported by Harness and you might lose access to your secrets if the older version of the key is removed from your KMS.

Using Third-Party Secrets Managers

You can also use third-party Secrets Managers — HashiCorp Vault, Azure Key Vault, CyberArk, and AWS Secrets Manager.

These Secrets Managers store the key, perform encryption and decryption, and also store the secrets (encrypted key pair). Neither the keys nor the secrets are stored in the Harness database. A reference to the secret is stored in the Harness database.

Secrets in Harness Community and On-Prem Accounts

In Community and On-Prem accounts, Harness uses a random-key secrets store as the Harness Secrets Manager.

Once you have installed On-Prem, Add a Harness Secrets Manager. By default, On-Prem installations use the local Harness MongoDB for the default Harness Secrets Manager. This is not recommended.
Harness does not currently support migrating secrets from the random-key secrets store. If you add secrets here, you will need to recreate them in any custom secrets manager you configure later.

All Harness secrets managers require a running Harness Delegate to encrypt and decrypt secrets.

If you created a Harness trial account, a Delegate is typically provisioned by Harness, and the default Harness Secrets Manager performs encryption/decryption.


How did we do?