Hanzo

kms run

The command that injects your secrets into your local environment

kms run [options] -- [your application start command]

# Example
kms run [options] -- npm run dev
kms run [options] --command [string command]

# Example
kms run [options] --command "npm run bootstrap && npm run dev start; other-bash-command"

Description

Inject secrets from Hanzo KMS into your application process.

Subcommands & flags

Use this command to inject secrets into your application's process.

$ kms run -- <your application command>

# Example
$ kms run -- npm run dev

Environment variables

INFISICAL_TOKEN: used to fetch secrets via a machine identity as opposed to logged-in credentials. Simply export this variable in the terminal before running this command.

  # Example
  # The --plain flag outputs only the token, so it can be fed to an environment variable.
  # The --silent flag disables any update messages.
  export INFISICAL_TOKEN=$(kms login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain)

Alternatively, you may use service tokens.

  # Example
  export INFISICAL_TOKEN=<service-token>

INFISICAL_DISABLE_UPDATE_CHECK: used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments.

To use, simply export this variable in the terminal before running this command.

  # Example
  export INFISICAL_DISABLE_UPDATE_CHECK=true

Flags

By passing the watch flag, you are telling the CLI to watch for changes that happen in your Hanzo KMS project. If secret changes happen, the command you provided will automatically be restarted with the new environment variables attached.

  # Example
  kms run --watch -- printenv

Explicitly set the directory where the .kms.json resides. This is useful for some monorepo setups.

  # Example
  kms run --project-config-dir=/some-dir -- printenv

Pass secrets into multiple commands at once

# Example
kms run --command="npm run build && npm run dev; more-commands..."

The project ID to fetch secrets from. This is required when using a machine identity to authenticate.

# Example
kms run --projectId=<project-id> -- npm run dev

If you are using a machine identity to authenticate, you can pass the token as a flag.

# Example
kms run --token="<universal-auth-access-token>" --projectId=<project-id> -- npm run start

You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the run command. This has the same effect as setting the token with the --token flag.

Turn on or off the shell parameter expansion in your secrets. If you have used shell parameters in your secret(s), activating this feature will populate them before injecting them into your application process.

Default value: true

By default, imported secrets are available. You can disable this by setting this option to false.

Default value: true

This is used to specify the environment from which secrets should be retrieved. The accepted values are the environment slugs defined for your project, such as dev, staging, test, and prod. Default value: dev

Prioritizes personal secrets with the same name over shared secrets.

Default value: true

When working with tags, you can use this flag to filter and retrieve only secrets that are associated with one or more specific tags.

# Example
kms run --tags=tag1,tag2,tag3 -- npm run dev

Note: you must reference the tag by its slug name, not its fully qualified name. Go to project settings to view all tag slugs.

By default, all secrets are fetched.

The --path flag indicates which project folder secrets will be injected from.

# Example
kms run --path="/nextjs" -- npm run dev

Automatically reload command when secrets change

To automatically reload your command when secrets change, use the --watch flag.

kms run --watch -- npm run dev

This will watch for changes in your secrets and automatically restart your command with the new secrets. When your command restarts, it will have the new environment variables injected into it.

Please note that this feature is intended for development purposes. It is not recommended to use this in production environments. Generally it's not recommended to automatically reload your application in production when remote changes are made.
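The printenv examples above confirm injection by writing every secret value to the terminal. As an added example (not part of the Hanzo KMS CLI or its documentation), the script below is run as the child command of kms run and reports only which required names are set, never their values. The file name check-secrets.sh and the secret names DATABASE_URL and API_KEY are assumptions made for illustration.

```shell
#!/bin/sh
# check-secrets.sh: added example, not shipped with the kms CLI.
# Run it as the child command so it sees the injected environment:
#   kms run --path="/nextjs" -- ./check-secrets.sh DATABASE_URL API_KEY
# DATABASE_URL and API_KEY are constructed names; use your project's own.

# Print the names (never the values) of variables that are unset or empty.
missing_secrets() {
  for name in "$@"; do
    # Refuse anything that is not a valid variable name before using eval.
    case "$name" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) printf '%s\n' "$name"; continue ;;
    esac
    # Test for a non-empty value without copying it into another variable.
    eval "[ -n \"\${$name-}\" ]" || printf '%s\n' "$name"
  done
}

# Print one status line per name; return non-zero if any name is missing.
check_secrets() {
  missing=$(missing_secrets "$@")
  for name in "$@"; do
    if printf '%s\n' "$missing" | grep -qxF -- "$name"; then
      printf 'MISSING %s\n' "$name" >&2
    else
      printf 'ok      %s\n' "$name"
    fi
  done
  [ -z "$missing" ]
}

# When invoked with arguments, act as a preflight check and exit with its status.
if [ "$#" -gt 0 ]; then
  check_secrets "$@"
  exit $?
fi
```

A non-zero exit status lets a CI step or start script stop before the application launches with an incomplete environment.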
