Log in to your harness - The Modern Software Delivery Platform® account to give feedback

Feature Requests

Anonymous

Feature Requests for Harness. Select 'Category' based on the module you are requesting the feature for.
BuildAndPushECR on Harness Cloud — cannot pass Docker BuildKit named build contexts
What works elsewhere: Local Docker Compose: additional_ contexts.aws : ~/.aws works as expected. GitHub Actions: docker/build-push-action@v6 with build-contexts: aws=backend/python/docker/ci-aws works as expected. What fails on Harness Cloud: Failure mode 1 — caching: false (plain docker build) With caching: false, build logs show plain docker build (no buildx, no --build-context). BuildKit then resolves from=aws as a Docker Hub image: #6 [internal] load metadata for docker.io/library/aws:latest #6 ERROR: pull access denied, repository does not exist or may require authorization Base image stages without from=aws succeed; service image stages that use the named context fail. Failure mode 2 — caching: true + PLUGIN_BUILDX_OPTIONS Per your docs, caching: true enables buildx, and named contexts should be passed via PLUGIN_BUILDX_OPTIONS. We configured: caching: true envVariables: PLUGIN_BUILDX_OPTIONS: "--build-context aws=/harness/backend/python/docker/ci-aws" Build fails immediately with: unknown flag: --build-context aws Usage: docker buildx build [OPTIONS] PATH | URL | - It appears Harness splits PLUGIN_BUILDX_OPTIONS on =, so --build-context aws=/harness/... becomes an invalid flag --build-context aws (path dropped). A prepare step runs before the build and writes credentials to /harness/backend/python/docker/ci-aws/ (verified present on the VM). Failure mode 3 — buildAdditionalContext YAML field We also tried (not in your published BuildAndPushECR docs): caching: true buildAdditionalContext: aws: backend/python/docker/ci-aws Same docker.io/library/aws:latest error as failure mode 1 — suggests the field is ignored or not wired to the drone-docker/buildx plugin on Harness Cloud. Questions for Harness: What is the supported, documented way to pass Docker BuildKit named build contexts (--build-context name=path) from a BuildAndPushECR step on Harness Cloud? Is buildAdditionalContext a valid field for BuildAndPushECR? If yes, what is the correct schema, and which build infrastructures/plugin versions support it? Is the PLUGIN_BUILDX_OPTIONS = splitting behavior a known bug? Is there a workaround (e.g. PLUGIN_BUILDX_OPTIONS_SEMICOLON, stage variables, or another env var) to pass --build-context aws=/harness/... intact? Does PLUGIN_BUILDX_OPTIONS_SEMICOLON work on Harness Cloud for this use case, or is it only for comma-containing values like --output=type=tar,dest=...? Are named build contexts supported only on Kubernetes build infra (e.g. with CI_USE_BUILDX_ON_K8), and not on Harness Cloud?
0
·
Continuous Integration
Runtime-Generated Short-Lived Harness API Tokens for CI Pipelines
Summary Harness currently lacks a native mechanism to generate ephemeral, short-lived API tokens at pipeline runtime — comparable to GitHub Actions' GITHUB_TOKEN or the OIDC-based tokens available for GCP and Azure in Harness CI. Reviewed Documentation & Why It Is Insufficient API Keys & Token Expiry https://developer.harness.io/docs/platform/automation/api/add-and-manage-api-keys https://developer.harness.io/docs/platform/automation/api/add-and-manage-api-keys#token-expiry Harness allows setting an expiration date (30, 90, 180 days or custom) when creating a token. However, this is a statically configured expiry, not a dynamically generated short-lived token. The minimum API key duration is 30 days. This does not meet the requirement for tokens that are valid only for the duration of a single pipeline run. Delegate Token Revocation Delegate tokens can be created with a revokeAfter epoch timestamp via API. However, this mechanism is scoped to delegate authentication only and is not applicable to general CI pipeline use cases. IDP Create/Delete Secret Pattern https://developer.harness.io/docs/internal-developer-portal/tutorials/using-secret-as-an-input/ The IDP workflow pattern allows creating a Harness secret before a pipeline run and deleting it afterward using harness:create-secret and harness:delete-secret actions. This is a workaround, not a native solution — and explicitly noted in the documentation that if a pipeline step fails, the secret is not automatically cleaned up, requiring manual deletion. Token Rotation [Rotate tokens] Token rotation is a manual process and does not provide runtime-scoped ephemeral tokens. What Is Needed A native Harness CI mechanism to generate a short-lived, pipeline-scoped token at runtime that: Is automatically invalidated when the pipeline run ends. Requires no manual cleanup. Can be used to authenticate against the Harness API within the same pipeline run. Is comparable to GitHub Actions' GITHUB_TOKEN or the existing OIDC plugins for GCP https://developer.harness.io/docs/continuous-integration/secure-ci/gcp-oidc-token-plugin/ and Azure https://developer.harness.io/docs/continuous-integration/secure-ci/azure-oidc-token-plugin/
4
·
Continuous Integration
·
pending feedback
Load More