Custom Secrets Manager (GCP Secret Manager Example)

Hey all,

A recent request came in for GCP Secrets Manager support, which, at the time of this writing, Harness does not natively support. This doc will walk through how to get each piece setup and why (for reference, here is the script repo).

Google Setup Requirements

The Google requirements to be setup before bring anything into Harness is an API Key and a Service Account with permissions to the Secrets Manager and the Cloud Resource Manager. Additionally, the Secrets Manager and Cloud Resource Manager APIs need to be enabled.

Once those requirements are setup, you will need to save the API_KEY into the Harness Secrets Manager as custom_secret_manager.

Then create a Base64 encoded version of the Service Account JSON credentials file and add it to the Harness Secrets Manager as custom_secret_sa. Make sure to select “Scope to Account” for this secret.

Harness Setup Requirements

After adding the required secrets into the Harness Secret Manager, add the Delegate Profile script from the git repo to a Delegate Profile

Then you will need to assign the Delegate Profile to the desired Delegate(s).

The next step is to add the Secret Fetch script into the Template Library with the appropriate variables at the bottom

Harness Secret Manager

The last piece is to link the Secret Fetch Template with the Custom Secret Manager. You will need to go to Security > Secrets Management > Configure Secrets Manager

Then you will need to click the + Add Secret Manager on the top right

Change the dropdown to Custom (this is a feature flag right now, so you will need to request it to be enabled)

Select the Shell Script from the drop down and add the GCP ProjectID and a name of a secret for Harness to look for

Hitting the Submit will run a test of the script to make sure that the script can find a secret and get a response.

The last piece is to add a secret. You will need to go to Encrypted Text at the top left and select + Add Encrypted Text

Select the custom secret manager in the top drop down, add the display name, add the name of the secret that is in the GCP Secrets Manager, and add the GCP ProjectID

Hopefully this helps!

Don’t forget to like/comment/share!

1 Like