Reference Existing Secret Manager Secrets

If you already have secrets created in a secret manager such as HashiCorp Vault or AWS Secrets Manager, you do not need to re-create the existing secrets in Harness.

Harness does not query the secret manager for existing secrets, but you can create a secret in Harness that references an existing secret in HashiCorp Vault or AWS Secrets Manager. No new secret is created in those providers. If you delete the secret in Harness, it does not delete the secret in the provider.

Before you begin

Option: Vault secrets

You can create a Harness secret that refers to the existing Vault secret using a path and key, such as /path/secret_key#my_key.

In the above example, /path is the pre-existing path, secret_key is the secret name, and my_key is the key used to look up the secret value.

note

Do not prepend the Vault secrets engine to the path. In the above example, if the secret (/path/secret_key#my_key) had been generated by a Vault secrets engine named harness-engine, it would reside in this full path /harness-engine/path/secret_key#my_key. However, in the Value field, you would enter only /path/secret_key#my_key.

This Harness secret is simply a reference pointing to an existing Vault secret. Deleting this Harness secret will not delete the Vault secret referred to by this secret.

You can reference pre-existing Vault secrets in the Harness YAML editor.
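To make the path/key split concrete, here is an added helper (not Harness code) that parses a Value-field reference such as /path/secret_key#my_key into its parts, composes the full Vault location once the secrets engine mount is known, and strips an engine mount that was mistakenly prepended. The mount name harness-engine is the one from the note above; nothing here calls Vault.

```python
"""Parse a Harness Value-field reference of the form /path/secret_key#my_key.

Added example, not Harness code. The engine mount "harness-engine" and the
reference /path/secret_key#my_key are the values used in the note above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultReference:
    path: str         # directory part as entered in Harness, e.g. "/path"
    secret_name: str  # secret name, e.g. "secret_key"
    key: str          # key inside the secret's data, e.g. "my_key"

    def full_path(self, engine_mount: str) -> str:
        """Location as Vault itself sees it, with the engine mount prepended."""
        return f"/{engine_mount.strip('/')}{self.path}/{self.secret_name}"


def parse_vault_reference(value: str) -> VaultReference:
    """Split the Value-field reference into path, secret name and key.

    Raises ValueError when the '#<key>' part or the leading slash is missing.
    """
    if "#" not in value:
        raise ValueError("reference must contain '#<key>'")
    location, _, key = value.partition("#")
    if not key or "#" in key:
        raise ValueError("exactly one key must follow '#'")
    if not location.startswith("/"):
        raise ValueError("path must start with '/'")
    path, _, secret_name = location.rpartition("/")
    if not secret_name:
        raise ValueError("secret name missing")
    return VaultReference(path=path, secret_name=secret_name, key=key)


def check_engine_not_prepended(value: str, engine_mount: str) -> str:
    """Return the reference as Harness expects it.

    If the engine mount was mistakenly prepended (for example
    /harness-engine/path/secret_key#my_key), strip it; otherwise return
    the value unchanged.
    """
    prefix = f"/{engine_mount.strip('/')}/"
    if value.startswith(prefix):
        return value[len(prefix) - 1:]  # keep the slash that starts the path
    return value


if __name__ == "__main__":
    ref = parse_vault_reference("/path/secret_key#my_key")
    print(ref)
    print(ref.full_path("harness-engine"))
    print(check_engine_not_prepended("/harness-engine/path/secret_key#my_key", "harness-engine"))
```

The check function is the one worth keeping around: a reference that starts with the engine mount will look right but never resolve, and stripping it before saving the Harness secret avoids a confusing lookup failure at runtime.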

Option: HashiCorp Vault Secrets

note

Currently, this feature is behind the feature flag PL_ACCESS_SECRET_DYNAMICALLY_BY_PATH. Contact Harness Support to enable the feature.

For HashiCorp Vault, you can also use expressions to reference pre-existing secrets in Vault by their fully-qualified path, such as hashicorpvault://LocalVault/foo/bar/mysecret#mykey.

With this kind of referencing, you don't need to pre-create secrets.

The scheme hashicorpvault:// is needed to distinguish a Vault secret from other secret references. It is followed by the identifier of the Vault secret manager.

For example, if you have a HashiCorp Vault connector with the identifier myVault in the Account scope and a secret with the name example present in the vault path /harness/testpath with the following values:

{
  "key1": "value one",
  "key2": "value two"
}

You can reference the value of key1 for the secret example using the following expression:

<+secrets.getValue("account.hashicorpvault://myVault/harness/testpath/example#key1")>

For a HashiCorp Vault connector at the Org scope, use the following expression:

<+secrets.getValue("org.hashicorpvault://myVault/harness/testpath/example#key1")>

For a HashiCorp Vault connector at the Project scope, use the following expression:

<+secrets.getValue("hashicorpvault://myVault/harness/testpath/example#key1")>

note

To dynamically reference secrets in HashiCorp Vault, make sure you use the expression in the following format:
<+secrets.getValue()>

Option: AWS Secrets Manager secrets

You can create a Harness secret that refers to an existing secret in AWS Secrets Manager using the name of the secret, and a prefix if needed. For example, mySecret.

Referencing secret keys

In AWS Secrets Manager, your secrets are specified as key-value pairs, using a JSON collection.

To reference a specific key in your Harness secret, add the key name following the secret name, like secret_name#key_name. In the above example, the secret is named example4docs. To reference the example1 key, you would enter example4docs#example1.

Referencing pre-existing secrets

note

Currently, this feature is behind the feature flag PL_ACCESS_SECRET_DYNAMICALLY_BY_PATH. Contact Harness Support to enable the feature.

For AWS secret manager, you can also use expressions to reference pre-existing secrets using a fully-qualified path, such as awssecretsmanager://<connector_identifier>/<secret>.

With this kind of reference, you don't need to pre-create secrets.

The scheme awssecretsmanager:// is needed to distinguish an AWS secret manager secret from other secret references. The identifier of the secret manager follows this.

For example, suppose you have an AWS Secrets Manager connector with the identifier exampleAWS in the Account scope and a secret named example in it.

You can reference the secret example using the following expression:

<+secrets.getValue("account.awssecretsmanager://exampleAWS/example")>

For an AWS secret manager connector at the Org scope, use the following expression:

<+secrets.getValue("org.awssecretsmanager://exampleAWS/example")>

For an AWS secret manager connector at the Project scope, use the following expression:

<+secrets.getValue("awssecretsmanager://exampleAWS/example")>

note

To dynamically reference secrets in the AWS secret manager, make sure you use the expression in the following format: <+secrets.getValue()>

Option: Azure Key Vault secrets

You can create a Harness secret that refers to an existing secret in Azure Key Vault, using that secret's name (for example: azureSecret). You can also specify the secret's version (for example: azureSecret/05).

Referencing pre-existing secrets

note

Currently, this feature is behind the feature flag PL_ACCESS_SECRET_DYNAMICALLY_BY_PATH. Contact Harness Support to enable the feature.

For Azure Key Vault secret manager, you can also use expressions to reference pre-existing secrets using a fully-qualified path, such as azurevault://My_AzureVault/mySecret.

With this kind of reference, you don't need to pre-create secrets.

The scheme azurevault:// is needed to distinguish an Azure Key Vault secret from other secret references. The identifier of the secret manager follows this.

For example, suppose you have an Azure Key Vault connector with the identifier exampleAzureKeyVault in the Account scope and a secret named example in it.

You can reference the secret example using the following expression:

<+secrets.getValue("account.azurevault://exampleAzureKeyVault/example")>

For an Azure Key Vault secret manager connector at the Org scope, use the following expression:

<+secrets.getValue("org.azurevault://exampleAzureKeyVault/example")>

For an Azure Key Vault secret manager at the Project scope, use the following expression:

<+secrets.getValue("azurevault://exampleAzureKeyVault/example")>

note

To dynamically reference secrets in the Azure Key Vault, make sure you use the expression in the following format: <+secrets.getValue()>

Option: GCP Secret Manager

note

Currently, this feature is behind the feature flag PL_ACCESS_SECRET_DYNAMICALLY_BY_PATH. Contact Harness Support to enable the feature.

For GCP Secret Manager, you can also use expressions to reference pre-existing secrets using a fully-qualified path, such as gcpsecretsmanager://My_GoogleSM/mySecret.

With this kind of reference, you don't need to pre-create secrets.

The scheme gcpsecretsmanager:// is needed to distinguish a GCP secret manager secret from other secret references. The identifier of the secret manager follows this.

For example, suppose you have a GCP Secret Manager connector with the identifier exampleGCP in the Account scope and a secret named example in it.

You can reference the secret example using the following expression:

<+secrets.getValue("account.gcpsecretsmanager://exampleGCP/example")>

For a GCP Secret Manager connector at the Org scope, use the following expression:

<+secrets.getValue("org.gcpsecretsmanager://exampleGCP/example")>

To reference a specific version of a secret, use the following expression:

<+secrets.getValue("org.gcpsecretsmanager://exampleGCP/example/<version_number>")>

For a GCP secret manager connector at the Project scope, use the following expression:

<+secrets.getValue("gcpsecretsmanager://exampleGCP/example")>

To reference a specific version of a secret, use the following expression:

<+secrets.getValue("gcpsecretsmanager://exampleGCP/example/<version_number>")>

note

To dynamically reference secrets in GCP secret manager, make sure you use the expression in the following format: <+secrets.getValue()>
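The dynamic expression has the same shape for all four providers described above (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault and GCP Secret Manager): an optional account. or org. scope prefix, a provider scheme, the connector identifier, the provider-side path, and an optional #key. The following added example, which is not Harness code, parses such expressions into their components and resolves them against a constructed in-memory stand-in for the providers. The connector identifiers, paths and the key1/key2 values are taken from this page; every stored value marked "constructed" is invented for the demonstration. Scope is parsed but not enforced, because the stand-in has no account/org/project hierarchy.

```python
"""Parse and resolve Harness dynamic secret expressions of the form
<+secrets.getValue("[account.|org.]<scheme>://<connector>/<path>[#<key>]")>.

Added example, not Harness code. FAKE_STORE is a constructed stand-in for the
real secret managers; nothing here talks to Vault, AWS, Azure or GCP.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

SCHEMES = {"hashicorpvault", "awssecretsmanager", "azurevault", "gcpsecretsmanager"}
SCOPES = {"account", "org"}  # no prefix means the Project scope
_EXPR = re.compile(r'^<\+secrets\.getValue\("(?P<ref>[^"]+)"\)>$')


@dataclass(frozen=True)
class SecretRef:
    scope: str           # "account", "org" or "project"
    scheme: str          # e.g. "hashicorpvault"
    connector: str       # connector identifier, e.g. "myVault"
    path: str            # provider-side path, e.g. "harness/testpath/example"
    key: Optional[str]   # JSON key selected with '#', if any


def parse_expression(expr: str) -> SecretRef:
    """Split a <+secrets.getValue("...")> expression into its components."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError('not a <+secrets.getValue("...")> expression')
    ref = m.group("ref")
    scope = "project"
    prefix, dot, rest = ref.partition(".")
    if dot and prefix in SCOPES:        # "account." or "org." prefix present
        scope, ref = prefix, rest
    scheme, sep, rest = ref.partition("://")
    if not sep or scheme not in SCHEMES:
        raise ValueError(f"unknown or missing scheme: {scheme!r}")
    location, _, key = rest.partition("#")
    connector, _, path = location.partition("/")
    if not connector or not path:
        raise ValueError("connector identifier and secret path are both required")
    return SecretRef(scope, scheme, connector, path, key or None)


# Constructed stand-in for the providers, keyed by (scheme, connector identifier).
# The Vault entry holds the JSON document shown on this page; the GCP entry keeps
# the latest value under "example" and version 7 under "example/7".
FAKE_STORE: Dict[Tuple[str, str], Dict[str, Any]] = {
    ("hashicorpvault", "myVault"): {
        "harness/testpath/example": {"key1": "value one", "key2": "value two"},
    },
    ("awssecretsmanager", "exampleAWS"): {
        "example": {"example1": "constructed-aws-value"},
    },
    ("azurevault", "exampleAzureKeyVault"): {"example": "constructed-azure-value"},
    ("gcpsecretsmanager", "exampleGCP"): {
        "example": "constructed-gcp-latest",
        "example/7": "constructed-gcp-version-7",
    },
}


def resolve(expr: str, store: Dict[Tuple[str, str], Dict[str, Any]] = FAKE_STORE) -> str:
    """Resolve an expression against the store; scope is parsed but not enforced here."""
    ref = parse_expression(expr)
    secrets = store.get((ref.scheme, ref.connector))
    if secrets is None or ref.path not in secrets:
        raise KeyError(f"no secret {ref.path!r} behind connector {ref.connector!r}")
    value = secrets[ref.path]
    if ref.key is None:
        if isinstance(value, dict):
            raise KeyError("secret is a JSON document; append '#<key>' to select one value")
        return value
    if not isinstance(value, dict) or ref.key not in value:
        raise KeyError(f"key {ref.key!r} not present in secret {ref.path!r}")
    return value[ref.key]


if __name__ == "__main__":
    print(resolve('<+secrets.getValue("account.hashicorpvault://myVault/harness/testpath/example#key1")>'))
    print(resolve('<+secrets.getValue("org.gcpsecretsmanager://exampleGCP/example/7")>'))
```

Two behaviours of the resolver are deliberate: a reference to a JSON-valued secret without a #key is rejected instead of returning the whole document, and an unknown scheme fails at parse time rather than being forwarded to a connector, so a typo such as vault:// is caught before any secret manager is contacted.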