Running a ssh command in custom secrets manager to get a secret value

Running a SSH command to get the value of a secret (password, key etc.) in a customs secret manager usually requires a connecting to a remote machine via an ssh private key which is generally stored in the encrypted key section.

In Harness it is currently not possible to refer an encrypted file directly via a shell script template in our secrets manager. To achieve this and use this key to refer a secret in a remote host via ssh, the following steps need to be followed:

  1. Copy and paste the actual value of your private key as an encrypted text in “secrets management“ section e.g test_privatekey has the private key value.

the text in encrypted text is save as single line which is different from the formatting of a private key.

  1. Note To use in the customs secret manager, the encrypted text must be scoped to account and not to applications.

  2. To use the value of the encrypted text we have to use ${secrets.getValue(“test_privatekey”)} in our shell script, which will give the plain text value.

  3. Further in the script we have to format this plain text value to the format of a rsa private key, the following script can be used to achieve the same.

echo ${secrets.getValue("test_privatekey")} > file1

sed -e 's/----- /-----/' -e 's/ -----/-----/' -e 's/-----BEGIN RSA PRIVATE KEY-----//g' -e 's/-----END RSA PRIVATE KEY-----//g' -e '1i\
' -e '$a\
' file1 > file2
rm file1 && mv file2
chmod 400 keyfile

secret=ssh -o StrictHostKeyChecking=no -n -i keyfile <SpecialUserAccount>@<hostmachine ip> Retrieve --systemName "<name>" --accountname '<TargetAccount>'

This is a simple example of an ssh command used to fetch a password, you can replace it with your own suitable command.

This can be tested out in a workflow as a normal shell script step to verify that the value is being rendered correctly.

Note : to test out in a workflow the “encrypted text“ needs to have usage scope to Applications, and once verified then scoped to account to be used in secrets manager.

  1. Add the shell script template to your “custom secret manager“ and save.