Feature Requests

support the use of secrets from other secret managers within a custom secret manager. Currently, only secrets stored in the Harness Secret Manager can be used within a custom secret manager. Since our secret xxxxx is not stored in the Harness Secret Manager, which is causing the issue.

Request to enable the feature flag PL_ENABLE_USER_IMPERSONATION. Our vanity account is huntington.harness.io . Loren Yeung has enabled the flag for our account, so this request is just for audit purposes.

Currently, the GSM connector only supports pulling secrets from 1 project. This means that if our secrets are spread across 100 projects, we need to create 100 connectors. Just how multi-project OIDC support for GKE + Cloud Run was released, please add this feature to Google Secret Manager plugin too. GKE : https://developer.harness.io/docs/continuous-delivery/deploy-srv-diff-platforms/kubernetes/define-your-kubernetes-target-infrastructure/#enable-cross-project-access Google Cloud Run: https://developer.harness.io/docs/continuous-delivery/deploy-srv-diff-platforms/google-cloud-functions/google-cloud-run/#enable-cross-project-access

Harness uses "Environments" to define the environment to which a pipeline deploys, and uses "Connectors" to integrate with external secrets managers (like HashiCorp Vault). The connector is essentially the "identity" that interacts with the external secrets manager, and can be configured at the account, organization, or project level. Enterprise organizations require the isolation of environments, like keeping production isolated from integration or development environments, including secrets. Therefore, secrets managers require the ability to ensure access to production secrets are only provided to production workloads/pipelines. However, connectors cannot be tied to environments and the environment cannot be exposed to the secrets manager. For example, let's review a JWT integration with HashiCorp Vault. The connector can be configured at the account, organization, or project level, with the number of JWT claims and detail increasing at each level. This is an example JWT of a connector created at the project level: { "sub": "account/ABC123DEF456:org/MyAppOrg:project/MyAppProject", "iss": " https://app.harness.io/ng/api/oidc/account/ABC123DEF456 ", "aud": "harness", "exp": 1749488567, "iat": 1749484967, "account_id": "ABC123DEF456", "organization_id": "MyAppOrg", "project_id": "MyAppProject", "connector_id": "project_hashi_connector", "connector_name": "project_hashi_connector", "context": "CONNECTOR" } This JWT is all the secrets manager, HashiCorp Vault in this example, receives to identify/authenticate the connection looking to retrieve secrets. The same account/org/project is used to deploy to production, integration testing, and development. Therefore, the sub, account_id, organization_id, and project_id claims cannot be used to determine whether the requestor should be provided production, integration testing, or development secrets. Please provide a way to expose the environment to an external secrets manager so that proper secrets governance/controls can be applied by the secrets manager.

The banner on harness UI comes by default with dismissible option. Since one of our banner is highly important. There shouldn't be any way that it can get dismissed by user

Currently delegate streams logs directly to the google stackdriver. This request is to have the streaming of logs through harness.io instead of directly streaming to google stack driver over http://logging.googleapis.com/ as there could be restrictions to stream the logs directly to stackdriver.

I would like to have the ability to impersonate a user based on their role. Currently, the role assigned to a user is automatically used during impersonation, and there is no option to change it. It would be beneficial to have a feature that allows selecting a specific role for impersonation to facilitate testing and management.

When using the impersonation feature, an email notification is sent to the user being impersonated. This can be annoying for users who are approving pipelines. It would be helpful to have an option to disable this email notification to streamline the approval process.

I want to create a local admin account that can bypass Azure authentication, especially useful if Azure is down. This account should not require an email, similar to a service account, to avoid the need for monitoring or logging into an email. It would be beneficial to have this feature to ensure access even when Azure is unavailable.