Add an Azure Key Vault Secrets Manager

Updated 4 months ago by Rashmi Nanda Sahoo

To store and use encrypted secrets (such as access keys) and files, you can add an Azure Key Vault Secrets Manager.

In this topic:

Before You Begin

Visual Overview

Azure Key Vault safeguards cryptographic keys and secrets, encrypting authentication keys, storage account keys, data encryption keys, .pfx files, and passwords.

Step 1: Create Azure Reader Role

To enable Harness to later fetch your Azure vaults (in Step 7 below), you must first set up a Reader role in Azure. You can do this two ways:

  • Azure Portal
  • PowerShell Command

Azure Portal

To create a Reader role in the Azure portal UI:

  1. Navigate to Azure's Subscriptions page.
  2. Under Subscription name, select the subscription where your vaults reside.
Tip: Copy and save the Subscription ID. You can paste this value into Harness Manager below at Option: Enter Subscription.
  1. Select your Subscription’s Access control (IAM) property.
  2. On the resulting Access control (IAM) page, select Add a role assignment.
  3. In the resulting right pane, set the Role to Reader.
  4. Accept the default value: Assign access to: Azure AD user, group, or service principal.
  5. In the Select drop-down, select the name of your Azure App registration.
  6. Click Save.
  7. On the Access control (IAM) page, select the Role assignments tab. Make sure your new role now appears under the Reader group.
Microsoft Azure's Manage subscriptions documentation adds details about the above procedure but focuses on the Administrator rather than the Reader role.

PowerShell Command

You can also create a Reader role programmatically via this PowerShell command, after gathering the required parameters:

New-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName "Reader" -Scope /subscriptions/<subscription_id>

For details and examples, see Microsoft Azure's Add or remove role assignments documentation.

Step 2: Configure Secrets Manager in Harness

  1. Select your Account or Organization or Project.
  2. Select Connectors under ACCOUNT SETUP/ORG SETUP/PROJECT SETUP.
  3. Click New Connector. The Connectors page appears.
  4. Scroll down to Secret Managers and click Azure Key Vault.

Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. For more information, see Azure Key Vault secrets.

  1. Enter a Name for the secret manager.
  2. You can choose to update the ID or let it be the same as your secrets manager's name. For more information, see Entity Identifier Reference.
  3. Enter Description and Tags for your secrets manager.
  4. Click Continue.
  5. In the Details page, enter Client ID, Tenant ID corresponding to the fields highlighted below in the Azure UI:
    To provide these values:
    1. In Azure, navigate to the Azure Active Directory > App registrations page, then select your App registration. (For details, see Azure's Quickstart: Register an application with the Microsoft identity platform.)
    2. Copy the Application (client) ID for the Azure App registration you are using, and paste it into the Harness dialog's Client ID field.
    3. Copy the Directory (tenant) ID of the Azure Active Directory (AAD) where you created your application, and paste it into the Harness dialog's Tenant ID field. (For details, see Microsoft Azure's Get values for signing in topic.)
  6. In the Subscription field, you can optionally enter your Azure Subscription ID (GUID).

To find this ID, navigate to Azure's Subscriptions page, as outlined above in Step 1: Create Azure Reader Role. From the resulting list of subscriptions, copy the Subscription ID beside the subscription that contains your vaults.

If you do not enter a GUID, Harness uses the default subscription for the Client ID you've provided above.
  1. Click Create or Select a Secret in the Key field. For detailed steps on creating a new secret, see Add Text Secrets.

The secret that you reference here should have the Azure authentication key as the Secret Value. The below image shows the creation of a secret with Azure authentication key as its value:

  1. To create and exchange the azure authentication key, perform the following steps:
    1. Navigate to Azure's Certificates & secrets page. (For details, see Microsoft Azure's Create a new application secret documentation.)
    2. In the resulting page’s Client secrets section, select New client secret.
    3. Enter a Description and expiration option, then click Add.
    4. Find your new key in the Client secrets section, and copy its value to your clipboard.
      This is your only chance to view this key's value in Azure. Store the value somewhere secure, and keep it on your clipboard.

  1. Click Fetch Vault.
    After a slight delay, the Vault drop-down list populates with vaults corresponding to your client secret. Select the Vault you want to use.
  2. If you choose to make Azure Key Vault your default Secrets Manager, select Use as a Default Secrets Manager.
  3. Click Save and Continue.


Please Provide Feedback