Keeper Secrets Manager integration for Harness CI. Securely retrieves secrets from your Keeper Vault and later pipeline steps can read them. Uses a zero-knowledge model: secrets are fetched directly from Keeper at runtime and never pass through Harness in decrypted form.
Example
kind: pipeline
name: default
steps:
- name: fetch_keeper_secrets
image: keeper/harness-plugin
settings:
secrets: |
RECORD_UID/field/password > PASSWORD
RECORD_UID/field/login > USERNAME
ksm_config:
from_secret: keeper_base64_secret
Properties
secrets
stringrequiredKeeper Notation: one line per secret. Format is RECORD_UID/selector/field_name > destination_name. Use selector field for standard fields (e.g. login, password), custom_field for custom fields, or file for attachments. Secrets are written to /harness/secrets/ with the destination name as the filename. Replace RECORD_UID with the actual Record UID from your Keeper Vault (Record details → Record UID).
Default: none
ksm_config
stringrequiredKeeper Secrets Manager authentication. Supported values: one-time access token (US:...), Base64-encoded token, or JSON config. In Harness CI: create a secret first under Project → Project Setup → Secrets (e.g. Text secret keeper_base64_secret or keeper_otat_secret, or File secret keeper_ksm_config_file for JSON). Then in the Plugin step set envVariables.KSM_CONFIG to <+secrets.getValue("your_secret_identifier_name")> using the exact secret name you created.
Default: none