Store authentication credentials
Harness uses connectors to external secret managers (for example Google Secret Manager or Hashicorp Vault) to resolve/store secrets used by pipelines and elsewhere in the Harness platform. External secret manager connectors require configuration, including a means to authenticate to the external secret manager.
Authentication credentials for an external secret manager must themselves be stored in the Harness Built-in Secret Manager; you cannot store them in another external secret manager.
Storing the credentials of one secret manager inside another creates a resolution chain (manager A can only be reached after manager B's secret has been fetched), and such chains can become circular so that neither manager can be resolved. It also widens the blast radius: whoever compromises the manager that holds the credentials gains access to the other manager's secrets as well.
The Harness platform enforces several validations on secret manager connectors, including rejecting self-references, that is, a connector whose own credentials would be stored in the secret manager it connects to.
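As an added example (not Harness code), the following Python script models the rule and the validation described above: each connector records which secret manager holds its authentication secret, and the script flags self-references, circular dependencies, and credentials nested inside another external manager, accepting only the built-in manager as the holder. The connector identifiers, the `harnessSecretManager` identifier for the built-in manager, and the sample inventory are constructed for illustration.

```python
"""Validate where secret-manager connector credentials are stored.

Added example, not Harness code. Each connector records which secret manager
holds its own authentication secret. The built-in manager is the only
acceptable holder; self-references, cycles, and credentials nested inside
another external manager are reported.
"""
from typing import Dict, List, Optional, Tuple

# Assumed identifier for the Harness Built-in Secret Manager (illustrative).
BUILTIN = "harnessSecretManager"

# connector identifier -> (auth method, identifier of the manager that stores
# the connector's auth secret). None means the method stores nothing in
# Harness (Vault Agent, Kubernetes Auth, "use delegate credentials").
Inventory = Dict[str, Tuple[str, Optional[str]]]

# Constructed sample inventory mixing compliant and non-compliant connectors.
SAMPLE_CONNECTORS: Inventory = {
    "vault_prod":  ("AppRole",        BUILTIN),       # correct
    "vault_agent": ("Vault Agent",    None),          # correct, nothing stored
    "aws_kms":     ("AWS Access Key", BUILTIN),       # correct
    "gcp_sm":      ("Credentials",    "vault_prod"),  # wrong: nested in Vault
    "azure_kv":    ("Credentials",    "azure_kv"),    # wrong: self-reference
    "vault_a":     ("Token",          "vault_b"),     # wrong: circular pair
    "vault_b":     ("Token",          "vault_a"),
}


def resolve_chain(connectors: Inventory, ident: str) -> Tuple[str, List[str]]:
    """Follow the chain of managers that must be unlocked before `ident` can
    authenticate. Returns (verdict, path). Verdicts:
      ok                  secret held directly by the built-in manager
      no_secret_required  auth method stores nothing in Harness
      self_reference      connector would hold its own credentials
      cycle               two or more connectors depend on each other
      nested_external     credentials live in another external manager
      unknown_manager     holder is not a known connector
    """
    _, holder = connectors[ident]
    if holder is None:
        return "no_secret_required", [ident]
    if holder == ident:
        return "self_reference", [ident, ident]

    path = [ident]
    seen = {ident}
    cur = holder
    while cur != BUILTIN:
        path.append(cur)
        if cur in seen:
            return "cycle", path
        if cur not in connectors:
            return "unknown_manager", path
        seen.add(cur)
        nxt = connectors[cur][1]
        if nxt is None:
            # The holder needs no stored secret itself, but it is still an
            # external manager, so the chain never reaches the built-in one.
            return "nested_external", path
        cur = nxt
    path.append(BUILTIN)
    # A direct [ident, BUILTIN] path is the only compliant configuration.
    return ("ok" if len(path) == 2 else "nested_external"), path


def violations(connectors: Inventory) -> List[str]:
    """Identifiers of connectors that fail the storage rule."""
    bad = []
    for ident in connectors:
        verdict, _ = resolve_chain(connectors, ident)
        if verdict not in ("ok", "no_secret_required"):
            bad.append(ident)
    return bad


def report(connectors: Inventory) -> str:
    """One line per connector: identifier, verdict, resolution path."""
    lines = []
    for ident in sorted(connectors):
        verdict, path = resolve_chain(connectors, ident)
        lines.append(f"{ident:12s} {verdict:20s} {' -> '.join(path)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONNECTORS))
    print("violations:", violations(SAMPLE_CONNECTORS))
```

The script treats the built-in manager as the trust root and any other holder as a violation, which is exactly the rule the page states; the cycle detection is what makes a two-connector loop such as `vault_a`/`vault_b` visible, since neither connector is a self-reference on its own.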
Below is further explanation for each type of secret manager Harness currently supports.
AWS Key Management Service (KMS) and AWS Secrets Manager
Harness supports three authentication methods for AWS Key Management Service (KMS) and AWS Secrets Manager:
- AWS Access Key: the Access Key ID, Secret Access Key, and AWS ARN must be stored in the Harness Built-in Secret Manager.
- Assume IAM role on delegate: the AWS ARN must be stored in the Harness Built-in Secret Manager.
- Assume Role using STS on delegate: the AWS ARN must be stored in the Harness Built-in Secret Manager.
Hashicorp Vault
Harness supports the following five authentication methods for Hashicorp Vault:
- AppRole: the AppRole Secret ID must be stored in the Harness Built-in Secret Manager.
- Token: the Vault token must be stored in the Harness Built-in Secret Manager.
- AWS Auth: the secret used for this method must be stored in the Harness Built-in Secret Manager.
- Vault Agent: no secret needs to be stored in the Harness Built-in Secret Manager, because the delegate authenticates through the locally running Vault Agent.
- Kubernetes Auth: no secret needs to be stored in the Harness Built-in Secret Manager, because the delegate authenticates with its Kubernetes service account token.
Azure Key Vault
Harness supports two authentication methods for Azure Key Vault:
- With the credentials option, the Azure Authentication key must be stored in the Harness Built-in Secret Manager.
- With the credentials of a specific Harness Delegate option, secret storage is not required in Harness Built-in Secret Manager.
GCP Key Management Service
Harness supports only one authentication method for GCP Key Management Service, for which the GCP KMS Credentials file must be stored in the Harness Built-in Secret Manager.
GCP Secrets Manager
Harness supports two authentication methods for GCP Secrets Manager:
- With the credentials option, the Google Secrets Manager Credentials File must be stored in the Harness Built-in Secret Manager.
- With the credentials of a specific Harness Delegate option, secret storage is not required in Harness Built-in Secret Manager.
Custom Secrets Manager
For a Custom Secrets Manager, any secret that the template consumes as a variable can only be stored in the Harness Built-in Secret Manager.