Skip to main content

Migrate Secrets between Secrets Managers

Harness Secrets Management supports the ability to migrate your secrets between secrets managers.

In this topic:

Before You Begin


For Harness On-Prem, you cannot migrate from a third-party secret manager to Harness Secrets Manager. You can migrate from Harness Secrets Manager to a third-party secret manager, but not back to Harness Secrets Manager.

Instead, simply migrate between your third-party secret managers without attempting to revert to Harness Secrets Manager.

Review: Important Migration Topics

HashiCorp Vault Migration

When migrating to HashiCorp Vault, the vault must not be read-only. If it is read-only, the migration will fail.

The migrated secrets are created in the vault at the path specified by:

  • Encrypted text:
  • Encrypted file:

Secret References and Migration

Encrypted text secrets are referenced in Harness components using the expression ${secrets.getValue("secret_name")}.

Encrypted file secrets are referenced by these expressions:

  • ${configFile.getAsBase64("secret_name")} — This displays the contents of the file encoded in Base64 binary-to-text encoding schemes.
  • ${configFile.getAsString("secret_name")} — This displays the contents of the file as a string.

When you migrate secrets, any references to the secrets do not need to be changed in any way. The same secrets will work with the new secret manager. No action is required.

Secrets in Transit during Migration

During migration transmission, secrets are encrypted by AES 256 encryption. They are always transmitted over HTTPS.

Step: Migrating Secrets

  1. In Secrets Management, click Configure Secrets Managers.

  2. Next to the secrets manager from which you want to migrate secrets, click Migrate.

  3. In the Migrate Secrets dialog, select your target secrets manager in the Transition Secrets to: drop‑down list, and click Submit.

Next Steps