
Add an AWS KMS secret manager

To store and use encrypted secrets (such as access keys) and files, you can add an AWS KMS Secret Manager.

Important

You can only use Harness Built-in Secret Manager to store authentication credentials for access to the corresponding secret manager.

Storing credentials from one secret manager within another can result in complex and challenging situations. Moreover, these configurations might introduce vulnerabilities, posing potential security risks.

The Harness platform has several validations, including the disabling of self-references.

This topic describes how to add an AWS KMS Secret Manager in Harness.

Before you begin

Step 1: Add a Secret Manager

This topic assumes you have a Harness Project set up. If not, go to Create Organizations and Projects.

You can add a Connector from any module in your Project (under Project setup), or at the Organization or Account Resources level.

In Connectors, select Connector.

In Secret Managers, select AWS KMS. The AWS Key Management Service settings appear.

Step 2: Overview

Enter a Name for your secret manager.

You can choose to update the ID or let it be the same as your secret manager's name. For more information, go to Entity Identifier Reference.

Enter a Description for your secret manager.

Enter Tags for your secret manager.

Select Continue.

Option: Credential Type

You can select the following options for authenticating with AWS:

  • AWS Access Key.
  • Assume IAM role on delegate.
  • Assume Role using STS on delegate.

Option: AWS Access Key

Use your AWS IAM user login credentials.

Either from the JSON for the Key Policy, or in the AWS IAM console under Encryption keys, gather the AWS Access Key ID, AWS Secret Key, and Amazon Resource Name (ARN).

For more information, go to Finding the Key ID and ARN from Amazon.

AWS Access Key ID

Select Create or Select a Secret.

In the secret settings dialog, create or select a Secret and enter your AWS Access Key as its value.

The AWS Access Key is the AWS Access Key ID of the IAM user you want to use to connect to the secret manager.

AWS Secret Access Key

Select Create or Select a Secret.

You can create a new Secret with the Secret Access Key that pairs with your Access Key ID as the Secret Value, or use an existing secret.

AWS ARN

Select Create or Select a Secret.

As explained above, you can create a new Secret with your ARN as the Secret Value, or use an existing secret.

Option: Assume IAM Role on Delegate

If you select Assume IAM Role on Delegate, Harness authenticates using the IAM role assigned to the AWS host running the Delegate, which you select using a Delegate Selector.

Option: Assume Role using STS on Delegate

This option uses the AWS Security Token Service (STS) feature. Typically, you use AssumeRole within your account or for AWS cross-account access.

Role ARN

Enter the Amazon Resource Name (ARN) of the role that you want to assume. This is an IAM role in the target deployment AWS account.

External ID

If the administrator of the account to which the role belongs provided you with an external ID, then enter that value.

For more information, go to How to Use an External ID When Granting Access to Your AWS Resources to a Third Party from AWS.

Assume Role Duration (seconds)

This is the AssumeRole Session Duration. Go to Session Duration in the AssumeRole AWS docs.
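The Role ARN, External ID and Assume Role Duration fields above only work if the target account's role is configured to match them. The following added example (not Harness code; all ARNs and the External ID are constructed placeholders) builds the trust policy the target-account administrator would attach to the role and checks the connector values against it before you save.

```python
import json
import re

# Constructed sample values; placeholders, not identifiers from any real account.
TARGET_ROLE_ARN = "arn:aws:iam::111122223333:role/HarnessKmsAccess"    # Role ARN field
DELEGATE_ROLE_ARN = "arn:aws:iam::444455556666:role/HarnessDelegate"  # role on the Delegate host
EXTERNAL_ID = "harness-example-external-id"                           # External ID field

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def build_trust_policy(trusted_principal_arn: str, external_id: str) -> dict:
    """Trust policy for the target-account role that the Delegate assumes via STS.

    The sts:ExternalId condition is what gives the connector's External ID field
    its effect: AssumeRole calls that omit or mismatch the value are denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_assume_role_config(role_arn: str, trust_policy: dict, external_id: str,
                             duration_seconds: int, max_session_duration: int = 3600) -> list:
    """Return the problems to fix before saving the connector (empty when all is consistent)."""
    problems = []
    if not ROLE_ARN_RE.match(role_arn):
        problems.append("Role ARN is not an IAM role ARN")
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None:
            problems.append("trust policy allows AssumeRole without an sts:ExternalId condition")
        elif required != external_id:
            problems.append("External ID does not match the role's trust policy")
    # STS accepts 900 s up to the role's MaxSessionDuration (3600 s unless the role raises it).
    if not 900 <= duration_seconds <= max_session_duration:
        problems.append(f"Assume Role Duration {duration_seconds}s is outside 900-{max_session_duration}s")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(DELEGATE_ROLE_ARN, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(check_assume_role_config(TARGET_ROLE_ARN, policy, EXTERNAL_ID, 3600))  # []
```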

Step 3: Setup Delegates

In Delegates Setup, enter Selectors for specific Delegates that you want to allow to connect to this Connector. Select Save and Continue.

Step 4: Test Connection

In Connection Test, select Finish after your connection is successful.