Running an SSH command to fetch the value of a secret (a password, key, etc.) from a custom secrets manager usually requires connecting to a remote machine with an SSH private key, which is normally stored as an encrypted file.
In Harness it is currently not possible to reference an encrypted file directly from a shell script template in a custom secrets manager. To work around this and use such a key to fetch a secret from a remote host over SSH, follow these steps:
- Copy and paste the actual value of your private key as encrypted text in the "Secrets Management" section, e.g. test_privatekey holds the private key value. Note that encrypted text is saved as a single line, which differs from the multi-line formatting of a private key.
- Note: to be usable in the custom secrets manager, the encrypted text must be scoped to the account and not to applications.
- To use the value of the encrypted text, reference ${secrets.getValue("test_privatekey")} in the shell script; this expands to the plain text value.
- Later in the script this plain text value has to be put back into the format of an RSA private key. The following script does that and then uses the key:
# Write the rendered secret to a file and restore the PEM layout of the key
echo ${secrets.getValue("test_privatekey")} > file1
sed -e 's/----- /-----/' -e 's/ -----/-----/' -e 's/-----BEGIN RSA PRIVATE KEY-----//g' -e 's/-----END RSA PRIVATE KEY-----//g' -e '1i\
-----BEGIN RSA PRIVATE KEY-----
' -e '$a\
-----END RSA PRIVATE KEY-----
' file1 > file2
rm file1 && mv file2 keyfile
# ssh refuses a key file that is readable by others
chmod 400 keyfile
# Capture the command output in a variable. StrictHostKeyChecking=no skips host key verification; pin the host in known_hosts where you can.
secret=$(ssh -o StrictHostKeyChecking=no -n -i keyfile <SpecialUserAccount>@<hostmachine ip> Retrieve --systemName "<name>" --accountname '<TargetAccount>')
This is a simple example of an SSH command used to fetch a password; replace it with whatever command suits your setup.
The template can be tested in a workflow as a normal Shell Script step to verify that the value is rendered correctly.
Note: to test it in a workflow, the encrypted text needs its usage scope set to Applications; once verified, scope it back to Account so it can be used in the secrets manager.
- Add the shell script template to your "custom secrets manager" and save.
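The key-reformatting step above depends on a fixed "RSA PRIVATE KEY" label and leaves the base64 body on one line. The following is an added example (not Harness's own code or the page's script) that generalises it: it accepts any "-----BEGIN ... PRIVATE KEY-----" label, re-wraps the body at 64 columns, writes the key to a private temporary file and rejects input that lacks the markers. The sample key is constructed and is not a real key; the comment showing the Harness call assumes, as the page's own echo line does, that Harness renders the secret expression before the shell runs.

```shell
#!/bin/sh
# Added example, not Harness's own code: restore a PEM private key that was
# stored as one line of encrypted text (its newlines collapsed to spaces).
# Generalises the sed one-liner above: any "-----BEGIN ... PRIVATE KEY-----"
# label is handled and the base64 body is re-wrapped at 64 columns.

# Rebuild the PEM layout from a single-line key passed as $1.
# Fails (non-zero) if the BEGIN or END marker is missing.
rebuild_pem() {
    printf '%s\n' "$1" | awk '{
        if (!match($0, /-----BEGIN [A-Z ]*PRIVATE KEY-----/)) exit 1
        header = substr($0, RSTART, RLENGTH)
        $0 = substr($0, RSTART + RLENGTH)
        if (!match($0, /-----END [A-Z ]*PRIVATE KEY-----/)) exit 1
        footer = substr($0, RSTART, RLENGTH)
        $0 = substr($0, 1, RSTART - 1)
        gsub(/[ \t]+/, "")              # spaces that replaced the line breaks
        print header
        for (i = 1; i <= length($0); i += 64) print substr($0, i, 64)
        print footer
    }'
}

# Write the rebuilt key to a private temp file (created 0600 via umask 077,
# then made read-only) and print its path; remove it after the ssh call.
write_key_file() {
    keyfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/key.XXXXXX") || return 1
    if rebuild_pem "$1" > "$keyfile"; then
        chmod 400 "$keyfile" && printf '%s\n' "$keyfile"
    else
        rm -f "$keyfile"; return 1
    fi
}

# Constructed, non-secret sample standing in for
# ${secrets.getValue("test_privatekey")}: two 64-character body lines and a
# 22-character tail, joined by spaces the way encrypted text stores them.
B64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
TAIL=NotARealKeyTail0123456
SAMPLE_KEY="-----BEGIN RSA PRIVATE KEY----- $B64 $B64 $TAIL -----END RSA PRIVATE KEY-----"

# In the Harness template the call would be (assumption: the expression is
# rendered before the shell runs)
#   keyfile=$(write_key_file "${secrets.getValue("test_privatekey")}")
# followed by the ssh command and `rm -f "$keyfile"`; here we only show the result.
rebuild_pem "$SAMPLE_KEY"
```

Deleting the key file after the ssh call keeps the decrypted key from lingering on the delegate between executions.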