Skip to content
Latchkey

Harness "Secret ... could not be resolved" in CI

Harness resolves secret references through a secret manager (built-in, Vault, AWS/GCP) via a delegate at runtime. "Could not be resolved" means the reference did not return a value: the key is missing, the manager is unreachable, or the delegate is not authorized.

What this error means

A step fails with "Secret 'my-secret' could not be resolved" or "Failed to decrypt", often on a connector credential or an environment variable that pulls from the secret manager.

Harness
Failed to resolve secret: 'account.dockerPassword'
Secret Manager: HashiCorp Vault
Error: permission denied reading secret/data/harness/docker

Common causes

The secret key or path does not exist

The referenced secret identifier or Vault path is wrong or was deleted, so no value comes back.

The delegate lacks access to the secret manager

The delegate cannot authenticate to Vault/cloud secret manager, or its policy denies the path, so resolution fails.

How to fix it

Verify the secret reference and manager

  1. Confirm the secret identifier/path exists in the configured manager.
  2. Ensure the delegate can authenticate to the secret manager.
  3. Grant the delegate read permission on the secret path, then re-run.

Fix the secret manager auth/policy

For Vault, confirm the auth method and policy grant read on the referenced path; for cloud managers, confirm the delegate IAM role allows GetSecretValue.

How to prevent it

  • Keep secret references pointing at existing keys/paths.
  • Grant the delegate least-privilege read on required secrets.
  • Test secret resolution after any secret manager change.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →