In this topic:
Before You Begin
Step 1: Configure SSH Connectivity
Currently, Harness does not support OpenSSH private keys for SSH keys. Support will be added soon. To generate an SSHv2 key using OpenSSH, use
ssh-keygen -t rsa -m PEM (
rsa specifies SSHv2) and then follow the prompts to create the PEM key. Also, ensure that the
BEGIN RSA and
END RSA lines are included when you paste the key into Harness (
pbcopy is useful for copying the key). For more information, see the ssh-keygen man page.Starting March 15, 2022, GitHub is fully deprecating RSA with SHA-1. GitHub will allow ECDSA and Ed25519 to be used. RSA keys uploaded after this cut-off date will work only with SHA-2 signatures (RSA keys uploaded before this date will continue to work with SHA-1). See Improving Git protocol security on GitHub from GitHub.Generating an SSH key in ECDSA looks like this:
ssh-keygen -t ecdsa -b 256 -f /home/user/Documents/ECDSA/key -m pemFor example, if you want to SSH into an EC2 instance, in a terminal, enter the following command:
ssh -i "example.pem" email@example.com
The SSH secret you add here can be used in Harness components wherever they need to SSH into your remote server. For example, in a Harness Environment Service Infrastructure/Infrastructure Definition dialog, you specify Connection Attributes that use the SSH secret to connect to the target host.
To add an SSH key that can be referenced in Harness entities, do the following:
- In Secrets Management, click SSH.
- Click Add SSH Key. The SSH Configuration dialog appears.
- Enter a Display Name for the SSH credentials.If you change this display name at a later date, the key will still work. You do not need to do anything.
- In Auth Scheme, select one of the following:
- SSH Key/Password: add SSH keys for Harness to use when connecting to remote servers.
- Kerberos: SSH into a target host via the Kerberos protocol. See Use SSH Key via Kerberos for Server Authentication.
- In User Name, provide the user name for the user account on the remote server. For example, if you want to SSH into an AWS EC2 instance, the user name would be ec2-user.
- Do one of the following:
- Click SSH Key File. You must create or use an existing Encrypted SSH Key file. In the Select Encrypted SSH key File drop down, select an existing file or create a new one. For more information on creating a new Encrypted SSH Key file, see Harness Encrypted File Secrets.If you are modifying an existing SSH Key File, you will not be able to edit the existing inline key that you have entered earlier. Instead, you should select an existing file or create a new Encrypted SSH key file.
- Click SSH Key**File Path (on Delegate) and specify the location of the key. This is the file path on the server running the Harness Delegate, such as /home/johndoe/example.pem**.
- Click Password and Select Encrypted Password for the user account. You must use an Encrypted Text Secret to save your password and select it here. Either select an existing Encrypted Text Secret from the drop down list or create a new one by clicking + Create Encrypted Text.
- For Vault SSH, see Add HashiCorp Vault Signed SSH Certificate Keys.
- In Select Encrypted Passphrase, select the SSH key passphrase from the drop down if one is required. It is not required by default for AWS or many other platforms. Make sure you use a Harness Encrypted Text secret to save the passphrase and refer it here. Either select an existing secret from the drop down list or create a new one by clicking + Create Encrypted Text.
For more information on creating an Encrypted Text Secret, see Harness Encrypted Text secret.
- In SSH Port, leave the default 22 or enter in a different port if needed.
- If you want to restrict the use of these SSH credentials to specific Harness components, do the following:
- In Usage Scope, click the drop-down under Applications, and click the name of the application.
- In Environments, click the name of the environment.
Step 2: Test Host Connectivity
Click TEST. The Host Connectivity Test tool appears.
In Host Name, enter the host name of the remote server you want to SSH into. For example, if it is an AWS EC2 instance, it will be something like,
Click RUN. If the test is unsuccessful, you might see an error stating that no Harness Delegate could reach the host, or that a credential is invalid. Ensure that your settings are correct and that a Harness Delegate is able to connect to the server.
When a test is successful, click Submit.
You can convert your OpenSSH key to a PEM format with:
ssh-keygen -p -m PEM -f your_private_key
This will convert your existing file headers from:
-----BEGIN OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----