Reference Existing Secret Manager Secrets
If you already have secrets created in a secrets manager such as HashiCorp Vault or AWS Secrets Manager, you do not need to re-create the existing secrets in Harness.
Harness does not query the secrets manager for existing secrets, but you can create a secret in Harness that references an existing secret in HashiCorp Vault or AWS Secrets Manager. No new secret is created in those providers. If you delete the secret in Harness, it does not delete the secret in the provider.
In this topic:
- Before You Begin
- Option: Vault Secrets
- Option: AWS Secrets Manager Secrets
- Option: CyberArk Secrets
- Option: Azure Key Vault Secrets
- Option: Google Cloud Secret Manager
- Next Steps
Before You Begin
- See Add an AWS Secrets Manager.
- See Add a HashiCorp Vault Secrets Manager.
- See Add a CyberArk Secrets Manager.
- See Add Azure Key Vault Secrets.
Option: Vault Secrets
You can create a Harness secret that refers to the existing Vault secret using a path and key, such as
In the above example,
/foo/bar is the pre-existing path,
MyVaultSecret is the secret name, and
MyKey is the key used to lookup the secret value.
/foo/bar/MyVaultSecret#MyKey) had been generated by a Vault secrets engine named
harness-engine, it would reside in this full path
/harness-engine/foo/bar/MyVaultSecret#MyKey. However, in the Value field, you would enter only
This Harness secret is simply a reference pointing to an existing Vault secret. Deleting this Harness secret will not delete the Vault secret referred to by this secret.
Option: AWS Secrets Manager Secrets
You can create a Harness secret that refers to an existing secret in AWS Secrets Manager using the name of the secret, and a prefix if needed. For example,
Referencing Secret Keys
In AWS Secrets Manager, your secrets are specified as key-value pairs, using a JSON collection:
To reference a specific key in your Harness secret, add the key name following the secret name, like
secret_name#key_name. In the above example, the secret is named example4docs. To reference the example1 key, you would enter
Option: CyberArk Secrets
Once you have set up CyberArk as the default Harness Secrets Manager, you can reference existing secrets in the Encrypted Text dialog.
To use an existing CyberArk secrets, enter the following fields.
- Name - Enter a name for the secret so you can reference it in Harness. This is a Harness setting, not a name in CyberArk.
- Query - Queries the CyberArk secrets manager for the secret. For example, the query
Safe=Test;Folder=root\OS\Windows;Object=windows1search for Safe
root\OS\Windows, and object name
windows1. The query is combined with the user credentials provided in the CyberArk Secrets Manager setup to create the complete API query.
The query syntax is:
What Safe, Folder, and Object are named depends on your CyberArk setup. You can see the Safe as the Address field and Object as Username field in the following example, and so the query would be
Option: Azure Key Vault Secrets
You can create a Harness secret that refers to an existing secret in Azure Key Vault, using that secret's name (for example:
azureSecret). You can also specify the secret's version (for example:
Option: Google Cloud Secret Manager
You can create a Harness secret that refers to an existing secret in Google Cloud Secret Manager.
In Secrets Manager, select the Google Cloud Secrets Manager you added to Harness. See Add a Google Cloud Secrets Manager.
In Reference Secret Name, enter the name of an existing secret in GCP.
In Version, enter the secret version you want to use.
In Region, enter the location of the secret. If the secret is Automatically replicated, leave this empty.