Keeper Secrets Manager integration for Harness CI. It securely retrieves secrets from your Keeper Vault, and later pipeline steps can read them. It uses a zero-knowledge model: secrets are fetched directly from Keeper at runtime and never pass through Harness in decrypted form. The Docker image supports multiple platforms (e.g. linux/amd64, linux/arm64); set platform on the pipeline or step as needed.
Example
kind: pipeline
name: default
# Multi-platform: use linux/amd64, linux/arm64, or linux/arm as needed
platform:
  os: linux
  arch: amd64
steps:
- name: fetch_keeper_secrets
  image: keeper/harness-plugin:latest
  settings:
    ksm_config:
      from_secret: keeper_base64_secret
    secrets: |
      RECORD_UID/field/password > PASSWORD
      RECORD_UID/field/login > USERNAME
Properties
secrets
string, required
Keeper Notation: one line per secret. Format is RECORD_UID/selector/field_name > destination_name. Use selector field for standard fields (e.g. login, password), custom_field for custom fields, or file for attachments. Secrets are written to /harness/secrets/ with the destination name as the filename. Replace RECORD_UID with the actual Record UID from your Keeper Vault (Record details → Record UID).
Default: none
ksm_config
string, required
Keeper Secrets Manager authentication (mapped to PLUGIN_KSM_CONFIG). Supported values: one-time access token (US:...), Base64-encoded token, or JSON config. In Harness CI: create a secret under Project → Project Setup → Secrets (e.g. Text secret keeper_base64_secret or keeper_otat_secret, or File secret keeper_ksm_config_file for JSON). Use the settings block with ksm_config (e.g. ksm_config: from_secret: keeper_base64_secret) so the platform passes it as PLUGIN_KSM_CONFIG.
Default: none
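A pre-flight check for the secrets setting, as an added example that is not part of the plugin: it validates each line against the RECORD_UID/selector/field_name > destination_name format and rejects destinations that are not a plain filename, since the destination becomes a file under /harness/secrets/. The function name lint_secrets and the sample UIDs are constructed for illustration; treating a repeated destination as an error is an assumption (two lines would target the same file).

```python
# Selectors named on this page for the `secrets` setting.
SELECTORS = {"field", "custom_field", "file"}


def lint_secrets(block: str) -> list[str]:
    """Return the problems found in a `secrets` block (empty list = clean)."""
    problems, seen = [], {}
    for n, raw in enumerate(block.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the last '>' so a '>' inside a field name is not taken
        # for the separator (assumption: destinations never contain '>').
        source, sep, dest = (p.strip() for p in line.rpartition(">"))
        if not sep or not source or not dest:
            problems.append(f"line {n}: expected 'RECORD_UID/selector/field_name > destination_name'")
            continue
        parts = source.split("/", 2)
        if len(parts) != 3 or not all(parts):
            problems.append(f"line {n}: source must be RECORD_UID/selector/field_name")
            continue
        uid, selector, _field = parts
        if uid == "RECORD_UID":
            problems.append(f"line {n}: placeholder RECORD_UID not replaced")
        if selector not in SELECTORS:
            problems.append(f"line {n}: unknown selector {selector!r}")
        # The destination is used as a filename under /harness/secrets/,
        # so it must be a single path component.
        if "/" in dest or "\\" in dest or dest in (".", ".."):
            problems.append(f"line {n}: destination {dest!r} is not a plain filename")
        elif dest in seen:
            problems.append(f"line {n}: destination {dest!r} already used on line {seen[dest]}")
        else:
            seen[dest] = n
    return problems


# Constructed sample input; the UIDs are made-up placeholders.
SAMPLE = """\
EXAMPLEUID0000000000001/field/password > PASSWORD
EXAMPLEUID0000000000001/field/login > USERNAME
EXAMPLEUID0000000000002/file/cert.pem > ../../etc/cert.pem
EXAMPLEUID0000000000002/attachment/key.pem > KEY
RECORD_UID/custom_field/api_key > PASSWORD
"""

if __name__ == "__main__":
    for problem in lint_secrets(SAMPLE):
        print(problem)
```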