Migrate Secrets between Secrets Managers

Updated 2 weeks ago by Chakravarthy Tenneti

Harness Secrets Management lets you migrate your secrets from one secrets manager to another.

Before You Begin

Review: Important Migration Topics

HashiCorp Vault Migration

When migrating to HashiCorp Vault, the vault must not be read-only. If it is read-only, the migration will fail.

The migrated secrets are created in the vault at the following paths:

  • Encrypted text:
    /<SECRET_ENGINE_NAME>/<BASE_PATH_IN_VAULT_CONFIGURATION>/<SECRET_TEXT>/<NAME OF THE SECRET>
  • Encrypted file:
    /<SECRET_ENGINE_NAME>/<BASE_PATH_IN_VAULT_CONFIGURATION>/<CONFIG_FILE>/<NAME OF THE FILE>

Secret References and Migration

Encrypted text secrets are referenced in Harness components using the expression ${secrets.getValue("secret_name")}.

Encrypted file secrets are referenced by the expression ${configFile.getAsBase64("fileName")}.

When you migrate secrets, you do not need to change any references to them. The same references work with the new secrets manager. No action is required.
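A post-migration check can start from an inventory of the references in your configuration, mapped to the Vault paths where the migrated secrets should now exist (the layout given under HashiCorp Vault Migration). The following is an added example, not Harness code: the function names, the sample text and every engine, base path and segment value are constructed, and it assumes the name inside each expression is the final path component.

```python
import re

# Reference expressions exactly as written on this page.
TEXT_REF = re.compile(r'\$\{secrets\.getValue\("([^"]+)"\)\}')
FILE_REF = re.compile(r'\$\{configFile\.getAsBase64\("([^"]+)"\)\}')

# Constructed sample configuration text (not from a real Harness account).
SAMPLE = '''
env:
  DB_PASSWORD: ${secrets.getValue("db_password")}
  API_TOKEN: ${secrets.getValue("api_token")}
  RETRY_TOKEN: ${secrets.getValue("api_token")}
tls:
  keystore: ${configFile.getAsBase64("keystore.jks")}
'''

def find_references(text):
    """Return (text secret names, file names), de-duplicated and sorted."""
    return sorted(set(TEXT_REF.findall(text))), sorted(set(FILE_REF.findall(text)))

def _join(*parts):
    # Build an absolute path, skipping empty components such as a blank base path.
    cleaned = [p.strip("/") for p in parts]
    return "/" + "/".join(p for p in cleaned if p)

def expected_vault_paths(text, engine, base_path, text_segment, file_segment):
    """List (kind, name, path) for every secret referenced in `text`.

    text_segment and file_segment stand for the <SECRET_TEXT> and
    <CONFIG_FILE> components of the layout; the page does not give their
    concrete values, so the caller supplies them (assumption).
    Assumption: the referenced name is the last path component.
    """
    secrets, files = find_references(text)
    rows = [("text", n, _join(engine, base_path, text_segment, n)) for n in secrets]
    rows += [("file", n, _join(engine, base_path, file_segment, n)) for n in files]
    return rows

if __name__ == "__main__":
    # Placeholder values; substitute the ones from your own Vault configuration.
    for kind, name, path in expected_vault_paths(
            SAMPLE, "secret", "harness", "SECRET_TEXT", "CONFIG_FILE"):
        print(f"{kind:4}  {name:14}  {path}")
```

Each listed path can then be checked in the target vault; a referenced name with no secret at its path is one to investigate before the source secrets manager is retired.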

Secrets in Transit during Migration

During migration, secrets in transit are encrypted with AES 256 encryption. They are always transmitted over HTTPS.

Step: Migrating Secrets

  1. In Secrets Management, click Configure Secrets Managers.
  2. Next to the secrets manager from which you want to migrate secrets, click Migrate.
  3. In the Migrate Secrets dialog, select your target secrets manager in the Transition Secrets to: drop‑down list, and click Submit.

Next Steps

