Hanzo

kms export

Export Hanzo KMS secrets from the CLI into different file formats

kms export [options]

Description

Export environment variables from the platform into a file format. By default, output is sent to stdout (standard output), but you can use the --output-file flag to save directly to a file.

Subcommands & flags

Use this command to export environment variables from the platform into a raw file format.

$ kms export

# Export variables to a .env file
kms export > .env
kms export --output-file=./.env

# Export variables to a .env file (with export keyword)
kms export --format=dotenv-export > .env
kms export --format=dotenv-export --output-file=./.env

# Export variables to a JSON file
kms export --format=json > secrets.json
kms export --format=json --output-file=./secrets.json

# Export variables to a YAML file
kms export --format=yaml > secrets.yaml
kms export --format=yaml --output-file=./secrets.yaml

# Render secrets using a custom template file
kms export --template=<path to template>

Environment variables

INFISICAL_TOKEN is used to fetch secrets via a machine identity as opposed to logged-in credentials. Simply export this variable in the terminal before running this command.

# Example
export INFISICAL_TOKEN=$(kms login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.

Alternatively, you may use service tokens.

# Example
export INFISICAL_TOKEN=<service-token>

INFISICAL_DISABLE_UPDATE_CHECK is used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments.

To use, simply export this variable in the terminal before running this command.

# Example
export INFISICAL_DISABLE_UPDATE_CHECK=true

flags

The --output-file flag sets the path to write the output file to. It can be a full file path, a directory, or a filename.

# Export to specific file
kms export --format=json --output-file=./secrets.json

# Export to directory (uses default filename based on format)
kms export --format=yaml --output-file=./

When --output-file is specified:

  • Secrets are saved directly to the specified file
  • A success message is displayed showing the file path
  • For directories: adds default filename secrets.{format} (e.g., secrets.json, secrets.yaml)
  • For dotenv formats in directories: uses .env as the filename

When --output-file is NOT specified (default behavior):

  • Output is sent to stdout (standard output)
  • You can use shell redirection like kms export > secrets.json
  • Maintains backwards compatibility with existing scripts

If you're using shell redirection and your token expires, re-authentication will fail because the prompt can't display properly due to the redirection.
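Added example (not from the Hanzo KMS documentation): a POSIX shell helper for the redirection case above. It writes the export to a temporary file created with mode 0600 and replaces the destination only when the command succeeds and produces output, so a failed run such as the expired-token case does not leave a truncated .env behind. The function name safe_export is hypothetical, and the helper assumes a failed kms export either exits non-zero or writes nothing to stdout.

```shell
#!/bin/sh
# Added example, not part of the kms CLI.
# Usage: safe_export ./.env kms export --format=dotenv
#
# Plain `kms export > .env` truncates .env before the command runs and
# creates it with whatever mode the current umask allows. This helper
# keeps the previous file until a complete replacement exists.

safe_export() {
    dest=$1
    [ -n "$dest" ] && [ $# -ge 2 ] || {
        echo "usage: safe_export <file> <command...>" >&2
        return 2
    }
    shift

    # mktemp creates the file with mode 0600, in the same directory as
    # the destination so the final mv is a rename on one filesystem.
    tmp=$(mktemp "$(dirname "$dest")/.secrets.XXXXXX") || return 1

    # stdout goes to the temp file; stderr stays on the terminal so
    # error messages from the command remain visible.
    if ! "$@" > "$tmp"; then
        rm -f "$tmp"
        echo "safe_export: command failed, $dest left unchanged" >&2
        return 1
    fi

    # Assumption: an export that produced nothing is treated as a failure.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "safe_export: empty output, $dest left unchanged" >&2
        return 1
    fi

    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}
```

If the helper reports a failure, run kms login (or refresh INFISICAL_TOKEN) in an interactive terminal and retry; the previous file is still in place.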

The --template flag specifies the path to the Go template file used for rendering secrets. When using templates, you can omit the other format flags.

{{$secrets := secret "<kms-project-id>" "<environment-slug>" "<folder-path>"}}
{{$length := len $secrets}}
{{- "{"}}
{{- with $secrets }}
{{- range $index, $secret := . }}
"{{ $secret.Key }}": "{{ $secret.Value }}"{{if lt $index (minus $length 1)}},{{end}}
{{- end }}
{{- end }}
{{ "}" -}}

# Example
kms export --template="/path/to/template/file"

The KMS CLI templating engine also supports Sprig library templating functions to help you transform your secrets further. You can read more about the available functions here.

The --env flag sets the environment that secrets are pulled from.

# Example
kms export --env=prod

Note: this flag only accepts environment slug names, not the fully qualified name. To view the slug name of an environment, visit the project settings page.

default value: dev

By default, the project ID is retrieved from the .kms.json file located at the root of your local project. The --projectId flag allows you to override this behavior by explicitly defining the project to fetch your secrets from.

# Example

kms export --projectId=XXXXXXXXXXXXXX

Parse shell parameter expansions in your secrets (e.g., ${DOMAIN}).

Default value: true

By default, imported secrets are available; you can disable this by setting this option to false.

Default value: true

The --format flag sets the format of the output file. Accepted values: dotenv, dotenv-export, csv, json and yaml.

Default value: dotenv

Prioritizes personal secrets with the same name over shared secrets.

Default value: true

The --path flag indicates which project folder secrets will be injected from.

# Example
kms export --path="/path/to/folder" --env=dev

When working with tags, you can use the --tags flag to filter and retrieve only secrets that are associated with one or more specific tags.

# Example
kms export --tags=tag1,tag2,tag3 --env=dev

Note: you must reference the tag by its slug name, not its fully qualified name. Go to project settings to view all tag slugs.

By default, all secrets are fetched.
