Encrypted Text API

Updated 6 days ago by Michael Katz

This topic lists sample queries for CRUD operations that create, read, update, and delete Harness secrets that rely on encrypted text.

The ! following the type means that this field is required.

Before You Begin

Get a Secret by ID

This sample retrieves an existing encrypted-text secret by its ID.

query{
  secret(secretId: "abCDEF6jQO6tQnB9xxYxxx", secretType: ENCRYPTED_TEXT) {
    ... on EncryptedText {
      id
      name
      secretManagerId
      usageScope {
        appEnvScopes {
          application {
            filterType
            appId
          }
          environment {
            filterType
            envId
          }
        }
      }
      inheritScopesFromSM
      scopedToAccount
    }
  }
}

Get a Secret by Name

This sample uses a secretByName query to retrieve an existing secret by its name.

query{
  secretByName(name:"anz-csr-reader",secretType:ENCRYPTED_TEXT){
    ... on EncryptedText{
      id
      name
      secretManagerId
    }
  }
}

This second sample adds elements to also retrieve the secret's Application and Environment scope.

query{
  secretByName(name: "awstest5_AWS_secretKey", secretType: ENCRYPTED_TEXT) {
    ... on EncryptedText {
      id
      name
      secretManagerId
      usageScope {
        appEnvScopes {
          application {
            filterType
            appId
          }
          environment {
            filterType
            envId
          }
        }
      }
      inheritScopesFromSM
      scopedToAccount
    }
  }
}

Get Secrets Manager IDs

To create a secret, you need the secrets manager's Harness ID (secretManagerId). This sample retrieves 10 secrets managers' IDs and names.

query{
  secretManagers(limit: 10, offset: 2) {
    nodes {
      id
      name
      usageScope {
        appEnvScopes {
          application {
            filterType
            appId
          }
          environment {
            filterType
            envId
          }
        }
      }
    }
  }
}

This sample uses a secretManagerByName query to retrieve the secretManagerId of a secret manager whose name you know.

query{
  secretManagerByName(name: "Vault_App_Role"){
    id
    name
    usageScope {
      appEnvScopes {
        application {
          filterType
          appId
        }
        environment {
          filterType
          envId
        }
      }
    }
  }
}

This sample retrieves the name of a secrets manager whose ID you know.

query{
  secretManager(secretManagerId: "abABc1qABC2VrFHqZ3E-Aa") {
    id
    name
    usageScope {
      appEnvScopes {
        application {
          filterType
          appId
        }
        environment {
          filterType
          envId
        }
      }
    }
  }
}

Create an Encrypted Text Secret

This sample creates a secret.

Usage Scope

The required CreateSecretInput input must include a secretType.

mutation($secret: CreateSecretInput!){
  createSecret(input: $secret){
    secret{
      id,
      name
      ... on EncryptedText{
        name
        secretManagerId
        id
      }
      usageScope{
        appEnvScopes{
          application{
            filterType
            appId
          }
          environment{
            filterType
            envId
          }
        }
      }
    }
  }
}

Query Variables: Inline Value

For the above query, these sample variables specify the secretType and supply the secret's value inline, in the value field.

{
  "secret": {
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secrets",
      "value": "000-azure-b22",
      "secretManagerId": "abcdSmUISabcRrAB6NL73w",
      "usageScope": {
        "appEnvScopes": [{
          "application": {
            "filterType": "ALL"
          },
          "environment": {
            "filterType": "PRODUCTION_ENVIRONMENTS"
          }
        }]
      }
    }
  }
}

Query Variables: Reference

These sample variables specify the secretType, but provide the secret's value by reference, in the secretReference field.

{
  "secret": {
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secret-reference",
      "secretReference": "000-azure-b22",
      "secretManagerId": "abcdSmUISabcRrAB6NL73w",
      "scopedToAccount": false,
      "inheritScopesFromSM": true,
      "usageScope": {
        "appEnvScopes": [{
          "application": {
            "filterType": "ALL"
          },
          "environment": {
            "filterType": "NON_PRODUCTION_ENVIRONMENTS"
          }
        }]
      }
    }
  }
}

Inherit Scope

The required CreateSecretInput input must include a secretType.

mutation($secret: CreateSecretInput!){
  createSecret(input: $secret){
    secret{
      id,
      name
      ... on EncryptedText{
        name
        secretManagerId
        id
        inheritScopesFromSM
        scopedToAccount
      }
    }
  }
}

Query Variables: Inline Value

For the above query, these sample variables specify the secretType and supply the secret's value inline, in the value field.

{
  "secret": {
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secrets",
      "value": "000-azure-b22",
      "secretManagerId": "abcdSmUISabcRrAB6NL73w",
      "scopedToAccount": false,
      "inheritScopesFromSM": true,
      "usageScope": null
    }
  }
}

Query Variables: Reference

These sample variables specify the secretType, but provide the secret's value by reference, in the secretReference field.

{
  "secret": {
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secret-reference",
      "secretReference": "000-azure-b22",
      "secretManagerId": "abcdSmUISabcRrAB6NL73w",
      "scopedToAccount": true,
      "inheritScopesFromSM": false,
      "usageScope": null
    }
  }
}
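
The inline-value and reference variable sets above can be built by one helper that also yields a copy safe to write to logs, since the inline variant carries the plaintext secret in the request body. This is an added example, not Harness code: build_create_secret and redact are hypothetical helper names, and the rule that exactly one of value or secretReference is supplied is an assumption drawn from the two sample variable sets.

```python
import json

# Trimmed form of the createSecret mutation shown on this page.
CREATE_SECRET = """mutation($secret: CreateSecretInput!){
  createSecret(input: $secret){
    secret{ id name ... on EncryptedText{ secretManagerId } }
  }
}"""

def build_create_secret(name, secret_manager_id, *, value=None,
                        secret_reference=None, app_env_scopes=None,
                        inherit_scopes_from_sm=False, scoped_to_account=False):
    """Return the JSON body (query + variables) for a createSecret call."""
    # Assumption: a secret carries either an inline value or a reference,
    # never both, as in the page's two sample variable sets.
    if (value is None) == (secret_reference is None):
        raise ValueError("supply exactly one of value or secret_reference")
    text = {
        "name": name,
        "secretManagerId": secret_manager_id,
        "scopedToAccount": scoped_to_account,
        "inheritScopesFromSM": inherit_scopes_from_sm,
        "usageScope": {"appEnvScopes": app_env_scopes} if app_env_scopes else None,
    }
    if value is not None:
        text["value"] = value            # plaintext secret travels in the body
    else:
        text["secretReference"] = secret_reference
    secret = {"secretType": "ENCRYPTED_TEXT", "encryptedText": text}
    return {"query": CREATE_SECRET, "variables": {"secret": secret}}

def redact(node):
    """Copy of a request body with every inline "value" field masked."""
    if isinstance(node, dict):
        return {k: "***REDACTED***" if k == "value" else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node  # scalars (str, bool, None) are immutable; reuse as-is

if __name__ == "__main__":
    prod_only = [{"application": {"filterType": "ALL"},
                  "environment": {"filterType": "PRODUCTION_ENVIRONMENTS"}}]
    # Sample name, value and secretManagerId taken from this page.
    body = build_create_secret("azure-secrets", "abcdSmUISabcRrAB6NL73w",
                               value="000-azure-b22", app_env_scopes=prod_only)
    print(json.dumps(redact(body), indent=2))   # log this copy, send `body`
```

The same redact function works unchanged on the updateSecret variables, which carry the inline value under the same encryptedText.value path.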

Update a Secret

This sample updates an existing secret.

Usage Scope

The required UpdateSecretInput input must supply the secret's ID (secretId) and a secretType.

mutation($secret: UpdateSecretInput!){
  updateSecret(input: $secret){
    secret{
      id,
      name
      ... on EncryptedText{
        name
        secretManagerId
        id
      }
      usageScope{
        appEnvScopes{
          application{
            filterType
            appId
          }
          environment{
            filterType
            envId
          }
        }
      }
    }
  }
}

Query Variables: Inline Value

{
  "secret": {
    "secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secrets",
      "value": "000-azure-b22",
      "usageScope": {
        "appEnvScopes": [{
          "application": {
            "filterType": "ALL"
          },
          "environment": {
            "filterType": "PRODUCTION_ENVIRONMENTS"
          }
        }]
      }
    }
  }
}

Query Variables: Reference

{
  "secret": {
    "secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secret-update",
      "secretReference": "000-azure-b22",
      "usageScope": {
        "appEnvScopes": [{
          "application": {
            "filterType": "ALL"
          },
          "environment": {
            "filterType": "PRODUCTION_ENVIRONMENTS"
          }
        }]
      }
    }
  }
}

Inherit Scope

The required UpdateSecretInput input must supply the secret's ID (secretId) and a secretType.

mutation($secret: UpdateSecretInput!){
  updateSecret(input: $secret){
    secret{
      id,
      name
      ... on EncryptedText{
        name
        secretManagerId
        id
        inheritScopesFromSM
        scopedToAccount
      }
    }
  }
}

Query Variables: Inline Value

{
  "secret": {
    "secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secrets",
      "value": "000-azure-b22",
      "scopedToAccount": false,
      "inheritScopesFromSM": true,
      "usageScope": null
    }
  }
}

Query Variables: Reference

{
  "secret": {
    "secretId": "5ZeaabAaaSCS5gVJH9aabAaa",
    "secretType": "ENCRYPTED_TEXT",
    "encryptedText": {
      "name": "azure-secret-update",
      "secretReference": "000-azure-b22",
      "scopedToAccount": true,
      "inheritScopesFromSM": false,
      "usageScope": null
    }
  }
}

Delete a Secret

This sample deletes a specified secret. The required DeleteSecretInput input must supply a secretId and a secretType.

mutation($secret: DeleteSecretInput!){
  deleteSecret(input: $secret)
}

Query Variables

Here are query variables for the above deleteSecret operation.

{
  "secret": {
    "secretId": "cHP3nO_fTt2pWhjzu_lABc",
    "secretType": "ENCRYPTED_TEXT"
  }
}

