Reference Existing Secret Manager Secrets
If you already have secrets created in a secrets manager such as HashiCorp Vault or AWS Secrets Manager, you do not need to re-create the existing secrets in Harness.
Harness does not query the secrets manager for existing secrets, but you can create a secret in Harness that references an existing secret in HashiCorp Vault or AWS Secrets Manager. No new secret is created in those providers. If you delete the secret in Harness, it does not delete the secret in the provider.
In this topic:
- Before You Begin
- Option 1: Vault Secrets
- Option 2: AWS Secrets Manager Secrets
- Option 3: CyberArk Secrets
- Option 4: Azure Key Vault Secrets
- Next Steps
Before You Begin
- See Add an AWS Secrets Manager.
- See Add a HashiCorp Vault Secrets Manager.
- See Add a CyberArk Secrets Manager.
- See Add Azure Key Vault Secrets.
Option 1: Vault Secrets
You can create a Harness secret that refers to the existing Vault secret using a path and key, such as /path/secret_key#my_key
.

In the above example, /foo/bar
is the pre-existing path, MySecretKey
is the secret name, and MyKey
is the key used to lookup the secret value.
/foo/bar/MySecretKey#MyKey
) had been generated by a Vault secrets engine named harness-engine
, it would reside in this full path /harness-engine/foo/bar/MySecretKey#MyKey
. However, in the Value field, you would enter only /foo/bar/MySecretKey#MyKey
.This Harness secret is simply a reference pointing to an existing Vault secret. Deleting this Harness secret will not delete the Vault secret referred to by this secret.
Option 2: AWS Secrets Manager Secrets
You can create a Harness secret that refers to an existing secret in AWS Secrets Manager using the name of the secret, and a prefix if needed. For example, devops/mySecret
.

Referencing Secret Keys
In AWS Secrets Manager, your secrets are specified as key-value pairs, using a JSON collection:

To reference a specific key in your Harness secret, add the key name following the secret name, like secret_name#key_name
. In the above example, the secret is named example4docs. To reference the example1 key, you would enter example4docs#example1
.

Option 3: CyberArk Secrets
Once you have set up CyberArk as the default Harness Secrets Manager, you can reference existing secrets in the Encrypted Text dialog.

To use an existing CyberArk secrets, enter the following fields.
- Name - Enter a name for the secret so you can reference it in Harness. This is a Harness setting, not a name in CyberArk.
- Query - Queries the CyberArk secrets manager for the secret. For example, the query
Safe=Test;Folder=root\OS\Windows;Object=windows1
search for SafeTest
, folderroot\OS\Windows
, and object namewindows1
. The query is combined with the user credentials provided in the CyberArk Secrets Manager setup to create the complete API query.
The query syntax is:
Safe=<safe>;Folder=<folder>;Object=<name>
What Safe, Folder, and Object are named depends on your CyberArk setup. You can see the Safe as the Address field and Object as Username field in the following example, and so the query would be Address=components;Username=svc_account
:

Option 4: Azure Key Vault Secrets
You can create a Harness secret that refers to an existing secret in Azure Key Vault, using that secret's name (for example: azureSecret
). You can also specify the secret's version (for example: azureSecret/05
).
