Add an AWS Secrets Manager

Updated 2 months ago by Chakravarthy Tenneti

You can use AWS Secrets Manager for your Harness secrets. AWS Secrets Manager differs from AWS KMS in that AWS Secrets Manager stores both secrets and encryption keys whereas with AWS KMS, Harness stores the secret in its Harness store and retrieves the encryption keys from KMS.

In this topic:

Before You Begin

Permissions: Test AWS Permissions

Harness uses the same minimum IAM policies for AWS secret manager access as the AWS CLI.

The AWS account you use for the AWS Secret Manager must have the following policies at a minimum:

"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"Resource": "*"

See Using Identity-based Policies (IAM Policies) for Secrets Manager from AWS.

To test use the AWS account when running aws secretsmanager list-secrets on either the Harness Delegate host or another host.

Step 1: Configure Secrets Manager

  1. In Security, select Secrets Management, and then click Configure Secrets Managers. In the resulting Secrets Managers page, the Status column indicates the Default provider.
  2. Click Add Secrets Manager. The Configure Secrets Manager settings appear.
  3. Select AWS Secrets Manager from the drop-down list.
    For information on restrictions on names and maximum quotas, see Quotas for AWS Secrets Manager.

Step 2: Display Name

Enter a name for this secrets manager.

Step 3: Access Key

The AWS Access Key ID for the IAM user you want to use to connect to Secrets Manager.

Step 4: Secret Key

Enter the Secret Access Key corresponding to the Access Key ID.

Step 5: AWS ARN

Enter the Amazon Resource Name (ARN) for the customer master key (CMK). See Finding the key ID and ARN from AWS.

Step 6: Secret Name Prefix

Enter a prefix to be added to all secrets. For example, devops will result in secrets like devops/mysecret. The prefix is not a folder name, but a prefix. Secrets Manager uses is a flat naming method.

Step 7: Region

Select the AWS Region for the Secrets Manager.

Step 8: Usage Scope

See Scope Secret Managers to Applications and Environments.


  • For limitations of AWS secrets, see Quotas for AWS Secrets Manager.
  • Secret names must be alphanumeric (Vault and KMS do not have this limitation). When migrating secrets created using Vault or KMS into AWS Secrets Manager, failures might occur due to the secret name limitation. You will have to rename those secrets into an alphanumeric format before they can be transitioned into AWS Secrets Manager.

How did we do?