Secure Delegates with Tokens

Updated 4 months ago by Michael Cretzman

Currently, this feature is behind a Feature Flag. Contact Harness Support to enable the feature. Feature Flags can only be removed for Harness Professional and Essentials editions. Once the feature is released to a general audience, it's available for Trial and Community Editions.

See New features added to Harness and Features behind Feature Flags (Early Access) for Feature Flag information.

Delegate tokens are used by Harness to encrypt communication between Harness Delegates and the Harness Manager. By default, when a new Harness account is created, all Harness Delegates in that account include the same token.

You can further secure Delegate to Harness communication by replacing the default Delegate token with new tokens. You can rotate and revoke Delegate tokens per your governance policies and replace revoked tokens with custom tokens when needed.

Before You Begin

Step 1: Generate a New Token

In Harness, click Setup.

Click Harness Delegates.

Click Delegate Tokens.

Here you can see, create, and revoke all Delegate tokens.

Enter a name for the new token, and then click Generate New Token.

The new token is created and its value is copied to your system clipboard. The new token also appears in the list using the name you gave it.

Save the new token value. You cannot retrieve the token value after this.

Now you can update the Delegate(s) with the new token.

Option: Install a New Delegate with New Token

When you install a new Delegate, you can select the token to use.

Once the new Delegate has registered with Harness, you can remove any Delegates using the old tokens, and revoke the old tokens.

Option: Update and Restart Existing Delegate

You can update an existing Delegate with the new token value and then restart the Delegate.

Kubernetes Delegate

The Delegate is set up using the harness-delegate.yaml you downloaded originally.

Edit the harness-delegate.yaml you downloaded originally with the new token and then run kubectl apply -f harness-delegate.yaml to restart the Delegate pods.

Paste the token in the Delegate settings in the spec:

...
env:
- name: ACCOUNT_ID
  value: AQ8xh0000000005bSM8Fg
- name: ACCOUNT_SECRET
  value: [enter new token here]
- name: MANAGER_HOST_AND_PORT
  value: https://app.harness.io
...

Run kubectl apply -f harness-delegate.yaml

The Delegate pods restart automatically and pick up the updated settings.

Shell Script Delegate

The Delegate is set up using the config-delegate.yml you downloaded originally.

Stop the Delegate: ./stop.sh

Paste the token in the Delegate settings:

...
accountId: lnFZRF0000000nMALw
accountSecret: [enter new token here]
managerUrl: https://app.harness.io/api/
...

Restart the Delegate: ./start.sh

Docker Delegate

Docker doesn't provide a way to modify an environment variable in a running container because the OS doesn't provide a way to modify an environment variable in a running process. You need to destroy and recreate the container.

Destroy and recreate the container using the launch-harness-delegate.sh you downloaded originally.

Paste the token in the Delegate settings:

#!/bin/bash -e

sudo docker pull harness/delegate:latest

sudo docker run -d --restart unless-stopped --hostname=$(hostname -f) \
  -e ACCOUNT_ID=kmpySm00000006NL73w \
  -e ACCOUNT_SECRET=[enter new token here] \
  -e MANAGER_HOST_AND_PORT=https://app.harness.io/ \
...

Create a new container: ./launch-harness-delegate.sh

You can verify that the environment variable has the new token using docker exec [container ID] env.

ECS Task Delegate

Update the Delegate by updating the existing ECS task and container instances.

Stop the Delegate task:

aws ecs stop-task --task [task ID or full ARN of the task]

Paste the token in the Delegate settings:

...
"cpu": 1,
"environment": [
  {
    "name": "ACCOUNT_ID",
    "value": "Ws0x0000008z4g"
  },
  {
    "name": "ACCOUNT_SECRET",
    "value": "[enter new token here]"
  },
  {
    "name": "DELEGATE_CHECK_LOCATION",
    "value": "delegate.txt"
  },
...

Start the Delegate task:

aws ecs start-task \
  --task-definition [family and revision (family:revision) or full ARN of the task definition] \
  --container-instances [container instance IDs or full ARN entries for the container instances]

Helm Delegate

The Delegate is set up using the Helm Values YAML file, harness-delegate-values.yaml, you downloaded originally.

Stop the Helm Delegate.

Paste the token in the Delegate settings in the harness-delegate-values.yaml file:

# Account Id to which the delegate will be connecting
accountId: XIC000000Ox-cQ

# Secret identifier associated with the account
accountSecret: [enter new token here]

# Short 6 character identifier of the account
accountIdShort: xicobc

delegateName: helm-example
...

Install the Helm Delegate using the Helm Values YAML (in this example, the name is helm-delegate-doc):

helm install --name helm-delegate-doc harness/harness-delegate -f harness-delegate-values.yaml

If you are installing into a specific namespace, you will need the --namespace parameter also:

helm install harness-helm-repo/harness-delegate --name helm-delegate-doc -f harness-delegate-values.yaml --namespace doc-example

Option: Revoke Tokens

To revoke an unused token, in Harness, click Setup.

Click Harness Delegates.

Click Delegate Tokens.

Here you can see, create, and revoke all Delegate tokens.

Select the token you want to revoke, and click Revoke.

Click Confirm. The token is revoked. The Harness Manager will not accept connections from any Delegates using this revoked token.
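Because the Harness Manager rejects every Delegate that still uses a revoked token, it helps to confirm before clicking Revoke that none of your Delegate config files still carry the old value. The script below is an added example, not part of the Harness documentation or tooling: it reads the token from each of the file layouts shown in this topic and compares SHA-256 fingerprints, so the token itself is never printed. The function names, sample tokens and the ecs-task.json file name are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: list Delegate config files that still hold a token you are
# about to revoke. Tokens are compared by SHA-256 and never printed.

fingerprint() { sha256sum | cut -d' ' -f1; }   # hex digest of stdin

# Pull the token out of any of the layouts shown in this topic:
#   -e ACCOUNT_SECRET=...            (Docker launch script)
#   accountSecret: ...               (Shell Script config, Helm values)
#   name: ACCOUNT_SECRET + value: .. (Kubernetes YAML, ECS task JSON)
extract_token() {
  awk '
    function clean(s) { gsub(/^[ \t"]+/, "", s); gsub(/[ \t",\\]+$/, "", s); return s }
    /ACCOUNT_SECRET=/                    { sub(/.*ACCOUNT_SECRET=/, ""); print clean($0); exit }
    /^[ \t]*accountSecret:/              { sub(/^[ \t]*accountSecret:/, ""); print clean($0); exit }
    /ACCOUNT_SECRET/                     { pending = 1; next }
    pending && /^[ \t]*"?value"?[ \t]*:/ { sub(/^[ \t]*"?value"?[ \t]*:/, ""); print clean($0); exit }
  '
}

# $1 = fingerprint of the old token; remaining arguments = config files to check.
stale_configs() {
  old_fp=$1; shift
  for f in "$@"; do
    tok=$(extract_token < "$f")
    [ -n "$tok" ] || continue
    [ "$(printf '%s' "$tok" | fingerprint)" = "$old_fp" ] && printf '%s\n' "$f"
  done
  return 0
}

# Constructed sample files (made-up tokens; ecs-task.json is an assumed file name).
demo() {
  d=$(mktemp -d)
  printf 'env:\n- name: ACCOUNT_SECRET\n  value: OLD-TOKEN-EXAMPLE\n' > "$d/harness-delegate.yaml"
  printf 'accountSecret: NEW-TOKEN-EXAMPLE\n' > "$d/config-delegate.yml"
  printf 'sudo docker run -d \\\n-e ACCOUNT_SECRET=OLD-TOKEN-EXAMPLE \\\n' > "$d/launch-harness-delegate.sh"
  printf '"name": "ACCOUNT_SECRET",\n"value": "NEW-TOKEN-EXAMPLE"\n' > "$d/ecs-task.json"
  stale_configs "$(printf '%s' OLD-TOKEN-EXAMPLE | fingerprint)" "$d"/* | sed "s|^$d/||"
  rm -rf "$d"
}
demo
```

To get the fingerprint of the old token without typing it, run extract_token on a file you know still holds it and pipe the result through tr -d '\n' and then fingerprint.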
