{"id":"721ec804-7f66-4bca-9087-63c8bc0a0524","shortId":"GbRjn8","kind":"skill","title":"create-secret","tagline":">-","description":"# Create Secret Skill\n\nGenerate Harness Secret definitions and manage secrets via MCP v2 tools.\n\n## MCP v2 Tools Used\n\n| Tool | Resource Type | Purpose |\n|------|--------------|---------|\n| `harness_list` | `secret` | List existing secrets |\n| `harness_get` | `secret` | Get secret metadata (not the value) |\n| `harness_create` | `secret` | Create a new secret |\n| `harness_update` | `secret` | Update secret metadata or value |\n| `harness_delete` | `secret` | Delete a secret |\n| `harness_describe` | `secret` | Discover secret resource schema |\n\n## Secret Types\n\n### SecretText\n\nStores text-based secrets: passwords, API tokens, connection strings.\n\n```yaml\nsecret:\n  identifier: my_api_key\n  name: My API Key\n  description: API key for external service\n  type: SecretText\n  spec:\n    secretManagerIdentifier: harnessSecretManager\n    valueType: Inline\n    value: <secret_value>\n```\n\nFor other secret types (SecretFile, SSHKey with KeyReference/KeyPath/Password, WinRmCredentials with NTLM/Kerberos) and secret manager configuration, consult references/secret-types.md.\n\n## Secret Scopes\n\n| Scope | Visibility | MCP Parameters |\n|-------|-----------|----------------|\n| Project | Only within the project | `org_id` + `project_id` |\n| Organization | All projects in the org | `org_id` only |\n| Account | All orgs and projects | Neither org_id nor project_id |\n\n## Instructions\n\n### Step 1: Determine Requirements\n\n- Secret type: SecretText, SecretFile, SSHKey, or WinRmCredentials\n- Secret manager: Harness built-in or external\n- Scope: project, org, or account\n- Tags and description for organization\n\n### Step 2: Check for Existing Secrets\n\n```\nharness_list(\n  resource_type=\"secret\",\n  org_id=\"<org>\",\n  project_id=\"<project>\",\n  search_term=\"<keyword>\"\n)\n```\n\n### Step 3: Create the 
Secret\n\n```\nharness_create(\n  resource_type=\"secret\",\n  org_id=\"<org>\",\n  project_id=\"<project>\",\n  body={\n    \"secret\": {\n      \"identifier\": \"my_api_key\",\n      \"name\": \"My API Key\",\n      \"type\": \"SecretText\",\n      \"spec\": {\n        \"secret_manager_identifier\": \"harnessSecretManager\",\n        \"value_type\": \"Inline\",\n        \"value\": \"<value>\"\n      }\n    }\n  }\n)\n```\n\n### Step 4: Verify Creation\n\n```\nharness_get(\n  resource_type=\"secret\",\n  resource_id=\"my_api_key\",\n  org_id=\"<org>\",\n  project_id=\"<project>\"\n)\n```\n\n## Referencing Secrets in Pipelines\n\n```yaml\n# Project-level secret\n<+secrets.getValue(\"my_api_key\")>\n\n# Org-level secret\n<+secrets.getValue(\"org.my_api_key\")>\n\n# Account-level secret\n<+secrets.getValue(\"account.my_api_key\")>\n```\n\nIn connector configuration:\n\n```yaml\nconnector:\n  spec:\n    authentication:\n      spec:\n        tokenRef: github_pat   # secret identifier\n```\n\nIn service variables:\n\n```yaml\nvariables:\n  - name: DB_PASSWORD\n    type: Secret\n    value: <+secrets.getValue(\"db_password\")>\n```\n\n## Naming Conventions\n\n| Secret Type | Pattern | Example |\n|-------------|---------|---------|\n| API Keys | `{service}_api_key` | `github_api_key` |\n| Passwords | `{system}_password` | `prod_db_password` |\n| Tokens | `{provider}_token` | `slack_token` |\n| SSH Keys | `ssh_{purpose}` | `ssh_deploy_key` |\n| Certificates | `{service}_cert` | `ssl_prod_cert` |\n\nIdentifier must match: `^[a-zA-Z_][0-9a-zA-Z_]{0,127}$`\n\n## Examples\n\n### Create a GitHub PAT secret\n\n```\n/create-secret\nCreate a SecretText for a GitHub personal access token at the project level\nusing the Harness built-in secret manager\n```\n\n### Create SSH credentials\n\n```\n/create-secret\nCreate an SSH key secret for deploying to production servers as the \"deploy\" user\n```\n\n### Create a Vault-referenced secret\n\n```\n/create-secret\nCreate a secret that 
references the database password stored in HashiCorp Vault\nat secret/data/production/database#password\n```\n\n### List secrets\n\n```\n/create-secret\nShow me all secrets in the payments project\n```\n\n### Create WinRM credentials\n\n```\n/create-secret\nCreate WinRM NTLM credentials for the Windows deployment servers\n```\n\n## Error Handling\n\n| Error | Cause | Solution |\n|-------|-------|----------|\n| Duplicate identifier | Secret with same ID exists | Use unique identifier or update existing |\n| Secret manager not found | Invalid `secretManagerIdentifier` | Verify the secret manager connector exists |\n| Encryption failed | Secret manager connectivity issue | Check delegate connectivity to secret manager |\n| Invalid secret type | Unsupported type string | Use `SecretText`, `SecretFile`, `SSHKey`, or `WinRmCredentials` |\n| Invalid valueType | Case mismatch | Use `Inline` or `Reference` (case-sensitive) |\n\n## Performance Notes\n\n- Never include actual secret values in generated YAML. Use placeholder references only.\n- Verify the correct scope (account, org, project) before creating — secrets at the wrong scope will not be accessible.\n- Confirm the secret manager exists and is accessible before creating secrets.\n\n## Troubleshooting\n\n### Secret Not Accessible in Pipeline\n\n1. Check scope -- project secrets need no prefix, org secrets need `org.` prefix, account secrets need `account.` prefix\n2. Verify the pipeline's project has access to the secret's scope\n3. Confirm the user/service account running the pipeline has `core_secret_view` permission\n\n### External Secret Manager Errors\n\n1. Verify the secret manager connector is healthy (`harness_get` on the connector)\n2. For Vault: check the path format includes `#key` suffix for specific keys\n3. For AWS SM: ensure IAM permissions allow `secretsmanager:GetSecretValue`\n4. Delegate must have network access to the external secret manager\n\n### SSH Key Connection Failures\n\n1. 
Verify the private key is in PEM format\n2. Check that the target server accepts key-based authentication\n3. If using KeyPath, confirm the key file exists on the delegate host\n4. Test with `credentialType: Password` first to isolate key-specific issues\n\n## Security Best Practices\n\n- Use external secret managers (Vault, AWS SM) for production secrets\n- Scope secrets as narrowly as possible -- prefer project over account\n- Never output secret values in pipeline logs\n- Rotate secrets regularly and update references\n- Audit secret access via the `/audit-report` skill","tags":["create","secret","harness","skills","agent-skills","agents"],"capabilities":["skill","source-harness","skill-create-secret","topic-agent-skills","topic-agents"],"categories":["harness-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/harness/harness-skills/create-secret","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add harness/harness-skills","source_repo":"https://github.com/harness/harness-skills","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 15 github stars · SKILL.md body (6,133 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:06:29.646Z","embedding":null,"createdAt":"2026-05-09T01:05:28.311Z","updatedAt":"2026-05-18T19:06:29.646Z","lastSeenAt":"2026-05-18T19:06:29.646Z","prices":[{"id":"0a5fc316-1897-4218-8164-01d521c56ee0","listingId":"721ec804-7f66-4bca-9087-63c8bc0a0524","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"harness","category":"harness-skills","install_from":"skills.sh"},"createdAt":"2026-05-09T01:05:28.311Z"}],"sources":[{"listingId":"721ec804-7f66-4bca-9087-63c8bc0a0524","source":"github","sourceId":"harness/harness-skills/create-secret","sourceUrl":"https://github.com/harness/harness-skills/tree/main/skills/create-secret","isPrimary":false,"firstSeenAt":"2026-05-09T01:05:28.311Z","lastSeenAt":"2026-05-18T19:06:29.646Z"}],"details":{"listingId":"721ec804-7f66-4bca-9087-63c8bc0a0524","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"harness","slug":"create-secret","github":{"repo":"harness/harness-skills","stars":15,"topics":["agent-skills","agents"],"license":"apache-2.0","html_url":"https://github.com/harness/harness-skills","pushed_at":"2026-05-13T01:28:28Z","description":"A collection of structured AI agent skills that   enable Claude Code, Cursor, GitHub Copilot, and   other AI coding assistants to create, operate,   debug, and govern Harness CI/CD workflows through   natural 
language.","skill_md_sha":"b39277f2f0ea9aeac17831a70d7dafa13b51996e","skill_md_path":"skills/create-secret/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/harness/harness-skills/tree/main/skills/create-secret"},"layout":"multi","source":"github","category":"harness-skills","frontmatter":{"name":"create-secret","license":"Apache-2.0","description":">-","compatibility":"Requires Harness MCP v2 server (harness-mcp-v2)"},"skills_sh_url":"https://skills.sh/harness/harness-skills/create-secret"},"updatedAt":"2026-05-18T19:06:29.646Z"}}