Use Encrypted File Secrets

Updated 1 month ago by Chakravarthy Tenneti

You can upload encrypted files and reference them across your account in the same way as encrypted text.

Before You Begin

Step 1: Add Encrypted File

  1. In Secrets Management, click Encrypted Files.
  2. Click Add Encrypted File. The Add Encrypted File dialog appears.
  3. Select the secrets manager you will use to encrypt this file.
  4. Enter a name for the encrypted file. This is the name you will use to reference the file in application entities.
  5. Click Choose File, and locate and add a file. The default Secrets Manager for your account is used to encrypt the file.
  6. Scope to Account - If your Harness User account is part of a User Group with the Administer Other Account Functions permission enabled, you will see the Scope to Account option. Select Scope to Account to make this encrypted file secret available to Delegate Profile scripts only. Only secrets scoped to the account are available to use in Delegate Profiles.
  7. If you want to restrict the use of the secret to specific applications and environments, do the following:
    1. In Usage Scope, click the drop-down under Applications, and click the name of the application.
    2. In Environments, click the name or type of environment.
  8. Click SUBMIT.

Step 2: Reference the Encrypted File

When you are in an application entity that uses files, you can reference the encrypted file. For example, in the Configuration File dialog, click Encrypt File; the File drop-down then lets you choose the file you added in Secrets Management.

To use Encrypted Files, you have to add them to a Service. You can then use the Encrypted File in any Workflow that deploys that Service using the variable ${configFile.getAsBase64("fileName")}.

For information on adding Encrypted Files to a Service, see Config Files.

Review: Secrets in Outputs

When a secret is displayed in an output, Harness substitutes the secret value with the secret name so that the secret value is never displayed. For example, here the secret values for repo username and password are replaced with <<<secret_name>>>:

helm repo add --username <<<repoUsername>>> --password <<<repoPassword>>> nginx https://charts.bitnami.com/bitnami

If you accidentally use a very common value in your secret, like whitespace or a single character, the <<<secret_name>>> substitution might appear in multiple places in the output. For example, if your secret value is "a" and your output is "Alfalfa sprouts are great", this would result in output like this:

Alf<<<my_secret>>>lf<<<my_secret>>> sprouts <<<my_secret>>>re gre<<<my_secret>>>t

If you see output similar to this, review your secret and fix the error.
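
The substitution behaviour described above can be reproduced in a few lines to check a candidate secret value before you store it. The following Python sketch is an added example, not Harness code: the function names mask_output, weak_secret_reason and looks_over_masked and the 8-character threshold are assumptions made for illustration, and the sample secret values are constructed.

```python
import re

MIN_LENGTH = 8  # assumed threshold for this example, not a Harness setting


def mask_output(output, secrets):
    """Replace each secret value in output with <<<secret_name>>>.

    secrets maps secret name -> secret value. All values are matched in one
    pass, longest first, so a short secret cannot split a longer one and
    inserted placeholders are never rescanned.
    """
    by_value = {value: name for name, value in secrets.items() if value}
    if not by_value:
        return output
    values = sorted(by_value, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return pattern.sub(lambda m: "<<<%s>>>" % by_value[m.group(0)], output)


def weak_secret_reason(value, min_length=MIN_LENGTH):
    """Return why a value would mask badly, or None if it looks acceptable."""
    if value == "":
        return "empty"
    if value.strip() == "":
        return "whitespace only"
    if len(value) < min_length:
        return "shorter than %d characters" % min_length
    if len(set(value)) == 1:
        return "one repeated character"
    return None


def looks_over_masked(masked):
    """Heuristic: a placeholder glued to a letter or digit, as in the
    Alfalfa output above, suggests the secret value is too common."""
    return re.search(r"\w<<<\w+>>>|<<<\w+>>>\w", masked) is not None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secrets = {"repoUsername": "ci-deployer", "repoPassword": "c0nstructed-Passw0rd"}
    cmd = ("helm repo add --username ci-deployer --password "
           "c0nstructed-Passw0rd nginx https://charts.bitnami.com/bitnami")
    print(mask_output(cmd, secrets))
    noisy = mask_output("Alfalfa sprouts are great", {"my_secret": "a"})
    print(noisy, looks_over_masked(noisy), weak_secret_reason("a"))
```

A value that weak_secret_reason rejects both produces noisy output and lets a reader infer the secret from where the placeholders fall, so replace it with a longer, unique value.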

