We operate in a strictly controlled environment with clear separation between production and non-production systems, and require RBAC controls aligned to that model.
Current limitation:
Secrets are not scoped by environment
Access control cannot enforce separation such as:
Only SRE managing production secrets
Developers limited to non-production
Current workaround:
Policy enforcement based on naming conventions and static allowlists
👉 This approach is not ideal:
Relies on conventions instead of native controls
Adds operational complexity
Does not fully meet governance expectations
What we need:
Environment-scoped secrets (prod vs non-prod)
RBAC controls aligned to environment boundaries
Clear enforcement at creation, update, and runtime usage
Impact:
Without this, it is difficult to enforce proper separation of duties and meet enterprise security standards
Created by diego.pereira@harness.io