Harness is about to release a new option for using Vault as its Secrets Manager: authenticating through the Vault Agent, a safe and reliable method in which the Delegate only ever reads a token file that the agent maintains.
I had some difficulties setting up a good integration that reduced the toil to 0. I wasn't sure how to handle the underlying Auth method options provided by Vault. There are TTLs everywhere, RoleIDs, Secrets that expire, etc. So, this is my humble contribution to anyone suffering from the same. Buckle up!
Tutorial
Requirements
A Vault Server, good credentials, and some patience.
Tasks on Vault
First, I’ll create a ‘kv’ Secrets Engine called Harness; this is the mount the Delegate will read and write secrets in.
Then, I’ll create a policy named harness_v2_engine_gabs that grants access to that engine and nothing else.
Finally, enable the AppRole auth method and create a role bound to that policy. Vault hands back a RoleID and a SecretID. Keep those two IDs in your Mental Vault (your brain, or Notepad++ since this is a lab); the SecretID is a credential, so treat it like one.
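The Vault-side tasks above, as CLI commands. This is a worked example added here, not the post's own setup (the original screenshots are not reproduced). It assumes a kv version 2 mount, a role named harness-delegate, the TTL values shown, and that VAULT_ADDR and VAULT_TOKEN are exported with enough privilege to enable engines, write policies and manage AppRole; the mount and policy names are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): Vault-side setup for the
# Harness integration. Assumes VAULT_ADDR and VAULT_TOKEN are exported.
# KV_MOUNT and POLICY_NAME mirror the post; ROLE_NAME and the TTLs are
# assumptions you should adapt.
set -eu

KV_MOUNT="${KV_MOUNT:-harness}"
POLICY_NAME="${POLICY_NAME:-harness_v2_engine_gabs}"
ROLE_NAME="${ROLE_NAME:-harness-delegate}"

# Policy for a kv v2 mount: secret data lives under <mount>/data/ and the
# UI's listing needs <mount>/metadata/. Nothing outside the mount is
# granted (least privilege). "delete" on metadata removes all versions;
# drop it if Harness never needs to delete secrets. For kv v1 the single
# path would be "<mount>/*".
harness_policy() {
  cat <<EOF
path "${KV_MOUNT}/data/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "${KV_MOUNT}/metadata/*" {
  capabilities = ["list", "read", "delete"]
}
EOF
}

vault_setup() {
  # 1. kv v2 secrets engine at the mount the post calls "Harness"
  vault secrets enable -path="${KV_MOUNT}" -version=2 kv

  # 2. policy scoped to that mount only (read from stdin)
  harness_policy | vault policy write "${POLICY_NAME}" -

  # 3. AppRole: the agent logs in with role_id + secret_id and receives a
  #    token carrying only the policy above. token_ttl/token_max_ttl are
  #    assumed values; the agent renews the token before it expires.
  #    secret_id_ttl=0 / secret_id_num_uses=0 give a non-expiring, reusable
  #    SecretID, which is the "zero toil" option; a finite TTL is safer but
  #    means rotating the SecretID file on the delegate host.
  vault auth enable approle 2>/dev/null || true
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_policies="${POLICY_NAME}" \
    token_ttl=1h \
    token_max_ttl=4h \
    secret_id_ttl=0 \
    secret_id_num_uses=0

  # 4. the two IDs the post tells you to keep: role_id is stable and not
  #    secret; secret_id is a credential, generate it here and ship it to
  #    the delegate host over a secure channel.
  vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id"
  vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id"
}

# Only talk to Vault when the CLI and an address are present; otherwise
# just print the policy so the script can be reviewed offline.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  vault_setup
else
  harness_policy
fi
```

The two values printed at the end are the RoleID and SecretID the next section's agent config consumes. Keep the policy to the single mount: the token the agent writes will be readable by the Delegate, so whatever the policy allows is what a compromised Delegate host could do.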
Third Step
Time to get the Vault Agent! It is important to stress that Harness only needs access to the sink file the agent writes the token into; the AppRole credentials stay with the agent. I’ll run the Vault Agent on the same server that hosts my Harness Delegate.
Depending on your SecOps team, the agent may run elsewhere and expose the sink through a shared volume or something similar. The only hard requirement is that the Harness Delegate can read the sink file path.
The first thing to do is get the Vault binary onto that Delegate host. We’re not going to start a Vault server there: the agent is the vault agent subcommand of the same binary, so one download covers it.
Next, write a good config.hcl. This will differ depending on your preferred Auth Method and security restrictions, but I’m using the AppRole method in this lab. With this in mind, this is a good starting config file:
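A starting config.hcl for this setup, added here as a worked example rather than the post's own file (the original screenshot is not reproduced). A small script generates it so that the AppRole credential files get tight permissions at the same time. The Vault address, directory layout and sink path are assumptions; the rest is the AppRole auto-auth method with a file sink, which is what the post describes.

```shell
#!/bin/sh
# Added example, not the post's own config: writes a Vault Agent config.hcl
# for AppRole auto-auth with a file sink, and installs the AppRole
# credentials next to it with restrictive permissions. The Vault address,
# paths and placeholder IDs below are assumptions.
set -eu

# write_agent_config VAULT_ADDR CREDS_DIR SINK_PATH OUT_FILE
write_agent_config() {
  addr="$1"; creds="$2"; sink="$3"; out="$4"
  cat > "$out" <<EOF
pid_file = "${creds}/vault-agent.pid"

vault {
  address = "${addr}"
}

auto_auth {
  # remove_secret_id_file_after_reading defaults to true: the agent deletes
  # secret_id after the first login, so a restart would fail until someone
  # re-provisions it. Keeping the file (readable only by the agent user) is
  # the low-toil choice; set it to true if you automate SecretID delivery.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "${creds}/role_id"
      secret_id_file_path = "${creds}/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }

  # The token the Delegate consumes. Harness only needs to read this one
  # file: point the connector's Sink Path at it. 0640 lets the Delegate's
  # group read it while keeping other users out.
  sink "file" {
    config = {
      path = "${sink}"
      mode = 0640
    }
  }
}
EOF
}

# install_approle_creds CREDS_DIR ROLE_ID SECRET_ID
# Writes the two IDs as files the agent reads; 0600 so only the agent's
# user can read the SecretID. The umask is changed in a subshell so it
# does not leak into the rest of the script.
install_approle_creds() {
  creds="$1"; role_id="$2"; secret_id="$3"
  mkdir -p "$creds"
  ( umask 077
    printf '%s' "$role_id"   > "${creds}/role_id"
    printf '%s' "$secret_id" > "${creds}/secret_id" )
}

# file_mode PATH -> permission string such as "-rw-------"
file_mode() { ls -ld "$1" | cut -c1-10; }

# Start the agent in the foreground (use systemd or similar in practice).
run_agent() { vault agent -config="$1"; }

# Demo with constructed placeholder IDs; the agent is only started when the
# vault CLI is installed and START_AGENT=yes, so the script is safe to run
# anywhere to inspect the generated files.
DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
install_approle_creds "$DEMO_DIR" "00000000-role-id-placeholder" "00000000-secret-id-placeholder"
write_agent_config "https://vault.example.com:8200" "$DEMO_DIR" "$DEMO_DIR/vault-token" "$DEMO_DIR/config.hcl"
if command -v vault >/dev/null 2>&1 && [ "${START_AGENT:-no}" = "yes" ]; then
  run_agent "$DEMO_DIR/config.hcl"
fi
```

Run the agent as a dedicated user, make the Delegate's user a member of that user's group (or adjust mode), and use the generated vault-token path as the Sink Path in the Harness connector. If the agent is healthy, the sink file holds a current token that it keeps renewing; if the secret_id file is missing or the SecretID has expired, the agent logs an auth error and the sink goes stale, which is the failure mode to alert on.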
Time to test it with Harness! Important: currently, this Secrets Manager capability is behind a Feature Flag. You can ask your CSM or any Harness contact to enable it. However, it is going to be GA next week, so you probably won’t need to.
Please pay attention to the new fields, Delegate Selector and Sink Path: the selector picks the Delegate that can see the file, and the Sink Path is the token file the agent writes. It's pretty easy to configure. Take a look:
Big Last Step - Test that Vault!
Let’s create a nice secret via the Harness UI:
It works!
Outcome
This is a safe, reliable way to make Vault your Harness Secrets Manager. If your SecretID needs a TTL, keeping the agent supplied with a valid one adds a little toil, but that is a good candidate for automation, IMHO.
Any questions or comments? Don't hesitate to reach out.