Add a Google Cloud Secrets Manager
You can use your Google Cloud Secret Manager (GSM) as a secrets manager in Harness.
Once you connect your GSM to Harness, you can store the secrets and other sensitive information you use in Harness in your GSM.
In this topic:
- Before You Begin
- Supported Platforms and Technologies
- Review: Permissions
- Step 1: Add a Secrets Manager
- Step 2: Display Name
- Step 3: Attach Service Account Key (Credentials) File
- Step 4: Usage Scope
- Option: Migrate Existing Secrets to GSM
- See Also
- Configure As Code
Before You Begin
- Secrets saved to GSM must follow the naming limitations of GSM. In GSM, secret names can only contain English letters (A-Z), numbers (0–9), dashes (-), and underscores (_).
- The maximum size for encrypted files saved to GSM is 64KiB.
- Harness Secrets saved to GSM are assigned to a GCP region automatically. An automatic assignment is the same as not selecting the Regions setting when creating a secret in GSM.
- GSM secret labels aren't supported in Harness at this time.
- GSM versions aren't supported in Harness at this time. Harness only supports the latest version of the secret.
- When you change the content of a secret stored by Harness in GSM, a new version of that secret is created. That is the latest version, and that version is used by Harness.
- When you delete a secret in Harness that is stored in GSM, the entire secret is deleted, not just a version.
- An existing GSM secret's name cannot be updated using the Harness Secret Manager. Only the content of the secret is updated.
- Migration: You can migrate inline secrets (existing secrets created in Harness) to and from your Harness GSM secrets manager. Any secret references to secrets in your GSM secrets manager are not migrated.
Supported Platforms and Technologies
Review: Permissions
- Harness Permissions: to add a GSM secret manager, a Harness User must belong to a Harness User Group with the Manage Secrets Managers Account Permission.
- GCP Permissions: The GCP Service Account you use in the Google Secrets Manager Credentials File should have the following IAM roles:
See Managing secrets from Google.
Step 1: Add a Secrets Manager
- Select Continuous Security > Secrets Management. The Secrets Management page appears.
- Click Configure Secrets Managers. On the Secrets Managers page, the Status column indicates the default provider.
- Click Add Secrets Manager. The Configure Secrets Manager dialog appears.
- Select GCP Secrets Manager.
Step 2: Display Name
Enter a display name for the secrets manager.
The name can include letters, numbers, spaces, and the following characters: ' - !
Step 3: Attach Service Account Key (Credentials) File
Export your Google Cloud service account key, and attach it to the Harness Configure Secrets Manager dialog, as follows:
- In the Google Cloud console, select IAM & admin > Service account.
- Scroll to the service account you want to use. If no service account is present, create one.
- Grant this service account the GSM permissions needed.
To do this, edit the service account and click Permissions. Click Roles, and then add the roles needed.
See Managing secrets from Google.
- Open your service account's Actions ⋮ menu, then select Create key.
- In the resulting Create private key dialog, select the JSON option, create the key, and download it to your computer.
- Return to Harness Manager's Configure Secrets Manager dialog.
- In Google Secrets Manager Credentials File, click the Choose File button, and upload the key file you just exported from Google Cloud.
- Click Submit. Your GSM will now appear in Harness Manager's Secrets Managers list, labeled with the Display Name you assigned.
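Before uploading the key and creating secrets, it is worth checking locally that the file is the JSON service account key the dialog expects (not a P12 key or an OAuth client configuration) and that the names and sizes you plan to use satisfy the GSM limits listed under Before You Begin. The following pre-flight script is an added example, not Harness or Google code. It assumes only what this page states (names limited to letters, digits, dashes and underscores; encrypted files limited to 64 KiB) plus the standard field names Google writes into every service account JSON key; the 255-character cap on secret names is Google's documented limit, not something stated on this page, and the sample key is a constructed placeholder.

```python
"""Pre-flight checks for the Harness <-> Google Secret Manager (GSM) setup.

Added example (not Harness or Google code). Assumptions are marked inline.
"""
import json
import re
from typing import List

# Naming rule from this page's "Before You Begin": letters, digits, '-' and '_'.
GSM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Assumption from Google's Secret Manager docs (not stated on this page): max 255 chars.
GSM_NAME_MAX = 255
# Encrypted-file limit stated on this page.
GSM_FILE_MAX_BYTES = 64 * 1024
# Fields Google emits in every service-account JSON key (assumed standard layout).
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def check_secret_name(name: str) -> List[str]:
    """Return the problems found; an empty list means GSM will accept the name."""
    problems = []
    if not name:
        problems.append("name is empty")
    elif not GSM_NAME_RE.match(name):
        bad = sorted({c for c in name if not re.match(r"[A-Za-z0-9_-]", c)})
        problems.append(f"name contains characters GSM rejects: {bad}")
    if len(name) > GSM_NAME_MAX:
        problems.append(f"name longer than {GSM_NAME_MAX} characters")
    return problems


def check_encrypted_file(data: bytes) -> List[str]:
    """Check an encrypted-file payload against the 64 KiB limit."""
    if len(data) > GSM_FILE_MAX_BYTES:
        return [f"file is {len(data)} bytes; GSM limit is {GSM_FILE_MAX_BYTES}"]
    return []


def check_service_account_key(raw: str) -> List[str]:
    """Validate that `raw` is a service-account JSON key usable as the
    Google Secrets Manager Credentials File (not P12, not an OAuth client config)."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON ({exc.msg}); a P12 key is not accepted here"]
    if not isinstance(key, dict):
        return ["JSON key must be an object"]
    problems = []
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        problems.append(f"missing fields: {missing}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


# Constructed sample in the shape Google exports; every value is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "harness-gsm@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for name in ("db-password", "db password", "prod.api.key"):
        print(name, "->", check_secret_name(name) or "ok")
    print("key file ->", check_service_account_key(SAMPLE_KEY) or "ok")
    print("64 KiB + 1 ->", check_encrypted_file(b"x" * (GSM_FILE_MAX_BYTES + 1)))
```

Run it against the key you downloaded (read the file and pass its contents to `check_service_account_key`) and against the names of any inline secrets you plan to migrate; a dotted or space-separated name will be rejected by GSM even though it was valid as a Harness inline secret.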
Step 4: Usage Scope
Option: Migrate Existing Secrets to GSM
You can migrate inline secrets from the Harness Secrets Manager to GSM.
- In Harness Audit Trail, the event for adding a GSM secret manager is Google Secrets Manager Connected.
- You can see a secret's usage in Harness. See View Secrets Usage.
See Also
- Use Encrypted Text Secrets
- Use Encrypted File Secrets
- Secrets and Log Sanitization
- Scope Secret Managers to Applications and Environments
Configure As Code
To see how to configure the settings in this topic using YAML, configure the settings in the UI first, and then click the YAML editor button (</>).