What is Secrets Management?
Harness includes a built-in Secrets Management feature that enables you to store encrypted secrets, such as access keys, and use them in your Harness applications. Some key points about Secrets Management:
- Secrets are always accessed/decrypted at the time when they are needed, and at no time they are stored unencrypted.
- Harness Manager does not have access to your key management system, and only the Harness Delegate, which sits in your private network, has access to it. Harness never makes secrets management accessible publicly. This adds an important layer of security.
In this topic:
- Secrets How-tos
- Before You Begin
- Visual Summary
- Harness Secrets Management Process Overview
- Scoping Secrets Usage
- Secrets in Harness Community and On-Prem Accounts
- Adding Secrets Managers
- Managing Secrets
Before You Begin
Before learning about, you should have an understanding of the following:
You can choose to use your own secrets management solution, or the built-in Harness Secrets Manager. This diagram shows how Harness handles secrets:
Harness Secrets Management Process Overview
Harness sends only encrypted data to the secrets manager, as follows:
- Your browser sends data over HTTPS to Harness Manager.
- Harness Manager relays encrypted data to the Harness Delegate, also over HTTPS.
- The Delegate exchanges a key pair with the secrets manager, over an encrypted connection.
- The Harness Delegate uses the encrypted key and the encrypted secret, and then discards them. The keys never leave the Delegate.
You can manage your secrets in Harness using either a Key Management Service or third party Secrets Managers.
Using Key Management Services
Google Cloud Key Management Service is the default Secrets Manager in Harness.
The Key Management Service (Google Cloud KMS or AWS KMS) only stores the key. Harness uses envelope encryption to encrypt and decrypt the secrets. The encrypted secret and the encrypted Data Encryption Key (used for envelope encryption) are stored in the Harness database.
Using Third-Party Secrets Managers
You can also use third-party Secrets Managers — HashiCorp Vault, Azure Key Vault, CyberArk, and AWS Secrets Manager.
These Secrets Managers store the key, perform encryption and decryption, and also store the secrets (encrypted key pair). Neither the keys nor the secrets are stored in the Harness database. A reference to the secret is stored in the Harness database.
Scoping Secrets Usage
For scoping secrets, see Restrict Secrets Usage.
For scoping Secret Managers, see Scope Secret Managers to Applications and Environments.
Secrets in Harness Community and On-Prem Accounts
All Harness secrets managers require a running Harness Delegate to encrypt and decrypt secrets.
If you created a Harness trial account, a Delegate is typically provisioned by Harness, and the default Harness Secrets Manager performs encryption/decryption.