Add Google KMS as a Harness Secrets Manager

Updated 5 months ago by Chakravarthy Tenneti

You can use the Google Cloud Key Management Service (Cloud KMS) as your secrets manager. Cloud KMS allows you to create, use, rotate, and destroy symmetric (AES256) and asymmetric (several RSA and EC options) cryptographic keys.

In this topic:

Before You Begin

Step 1: Configure Secrets Manager

  1. Select Continuous Security > Secrets Management. The Secrets Management page appears.
  2. Click Configure Secrets Managers. In the resulting Secrets Managers page, the Status column indicates the Default provider.
  3. Click Add Secrets Manager. The Configure Secrets Manager dialog appears.
  4. Select Google KMS from the drop down list.

Step 2: Display Name

Enter an arbitrary name to identify this secrets manager. The name can include letters, numbers, spaces, and the following characters: ' - !

Step 3: Gather the Required Details

To fill in the Configure Secrets Manager dialog's remaining fields, log into Google Cloud Console and follow these steps:

  1. Create or select your project.
  2. Select Security > Cryptographic Keys.
  3. Select a key ring. (If no key ring is present, create one.)
    To create resources in this or the next step, see Google Cloud's Creating Symmetric Keys topic.
  4. Select a key within the ring. (If no key ring is present, create one.)
  5. To the right of your key's Enabled & Primary Version, open the Actions ⋮ menu, then select Copy Resource ID.
    A reference to the key is now on your clipboard.
  6. Paste the reference into an editor. You can now copy and paste its substrings into each of the Harness Configure Secrets Manager dialog's remaining fields—Project ID, Region, Key Ring, Key Name—as shown below.

Step 4: Attach Service Account Key (Credentials) File

Export your Google Cloud service account key, and attach it to the Harness Configure Secrets Manager dialog, as follows:

  1. In the Google Cloud Console, select IAM & admin > Service account.
  2. Scroll to the service account you want to use. (If no service account is present, create one.)
  3. Grant this service account the cloudkms.cryptoKeyEncrypterDecrypter permission. (See Google Cloud's Using Cloud IAM with KMS topic.)
  4. Open your service account's Actions ⋮ menu, then select Create key.
  5. In the resulting Create private key dialog, select the JSON option, create the key, and download it to your computer.
  6. Return to Harness Manager's Configure Service Manager dialog. Under GCP KMS Credentials File, click the Choose File button, and upload the key file you just exported from Google Cloud.
  7. Click Submit. Your Google Cloud KMS will now appear in Harness Manager's Secrets Managers list, labeled with the Display Name you assigned.

Limitations

Harness currently does not support migrating secrets from Google Cloud KMS (or other secrets managers) to CyberArk. For details, see CyberArk Limitations.


How did we do?