Migrate Secrets between Secrets Managers
Harness Secrets Management lets you migrate your secrets from one secrets manager to another.
In this topic:
Before You Begin
Review: Important Migration Topics
HashiCorp Vault Migration
When migrating to HashiCorp Vault, the vault must not be read-only. If it is read-only, the migration will fail.
Migrated secrets are created in the vault at the following paths:
- Encrypted text:
/<SECRET_ENGINE_NAME>/<BASE_PATH_IN_VAULT_CONFIGURATION>/<SECRET_TEXT>/<NAME OF THE SECRET>
- Encrypted file:
/<SECRET_ENGINE_NAME>/<BASE_PATH_IN_VAULT_CONFIGURATION>/<CONFIG_FILE>/<NAME OF THE FILE>
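A post-migration check built on the path template above, as an added example that is not Harness code: it derives the expected vault path for each secret and compares the result with a listing you have taken from the vault. The engine name `secret`, base path `harness`, the segment values `SECRET_TEXT` and `CONFIG_FILE`, and all secret names are constructed assumptions; substitute the values from your own Vault configuration.

```python
# Added example: verify migrated secrets against the documented path template.
# All sample values below are constructed, not taken from a real system.

def _base_parts(base_path):
    return [s for s in base_path.split("/") if s]

def expected_path(engine, base_path, type_segment, name):
    """Build /<engine>/<base path>/<type segment>/<name>."""
    for part in (engine, type_segment, name):
        # A slash or dot segment would move the secret to a different
        # depth than the template implies, so flag it for manual review.
        if not part or "/" in part or part in (".", ".."):
            raise ValueError(f"ambiguous path component: {part!r}")
    base = _base_parts(base_path)
    if any(p in (".", "..") for p in base):
        raise ValueError(f"ambiguous base path: {base_path!r}")
    return "/" + "/".join([engine, *base, type_segment, name])

def audit_migration(inventory, observed, engine, base_path, segments):
    """inventory: (kind, name) pairs; observed: paths listed from the vault.
    Returns (missing, unexpected), both sorted."""
    expected = {
        expected_path(engine, base_path, segments[kind], name)
        for kind, name in inventory
    }
    prefix = "/" + "/".join([engine, *_base_parts(base_path)]) + "/"
    seen = {"/" + p.strip("/") for p in observed}
    missing = sorted(expected - seen)
    # Only report extras under the migration base path, not unrelated data.
    unexpected = sorted(p for p in seen - expected if p.startswith(prefix))
    return missing, unexpected

# Constructed sample data (assumptions, see lead-in).
SEGMENTS = {"text": "SECRET_TEXT", "file": "CONFIG_FILE"}
INVENTORY = [("text", "db-password"), ("text", "api-token"), ("file", "kubeconfig")]
OBSERVED = [
    "/secret/harness/SECRET_TEXT/db-password",
    "secret/harness/CONFIG_FILE/kubeconfig/",
    "/secret/harness/SECRET_TEXT/old-key",
    "/secret/other/x",
]

if __name__ == "__main__":
    missing, unexpected = audit_migration(
        INVENTORY, OBSERVED, "secret", "/harness/", SEGMENTS)
    print("missing after migration:", missing)
    print("not in inventory:", unexpected)
```
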
Secret References and Migration
Encrypted text secrets are referenced in Harness components using the expression
Encrypted file secrets are referenced by the expression
When you migrate secrets, you do not need to change any references to them. The same secrets work with the new secrets manager, and no action is required.
Secrets in Transit during Migration
While in transit during migration, secrets are encrypted with AES-256. They are always transmitted over HTTPS.
Step: Migrating Secrets
- In Secrets Management, click Configure Secrets Managers.
- Next to the secrets manager from which you want to migrate secrets, click Migrate.
- In the Migrate Secrets dialog, select your target secrets manager in the Transition Secrets to: drop‑down list, and click Submit.