
kms secrets

Perform CRUD operations with Hanzo KMS secrets

kms secrets

Description

This command enables you to perform CRUD (create, read, update, delete) operations on secrets within your Hanzo KMS project. With it, you can view, create, update, and delete secrets in your environment.

Sub-commands

Use this command to print out all of the secrets in your project

$ kms secrets

Environment variables

Used to fetch secrets via a machine identity as opposed to logged-in credentials. Simply export this variable in the terminal before running this command.

# Example
export INFISICAL_TOKEN=$(kms login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.

Alternatively, you may use service tokens.

# Example
export INFISICAL_TOKEN=<service-token>

Used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments.

To use, simply export this variable in the terminal before running this command.

# Example
export INFISICAL_DISABLE_UPDATE_CHECK=true

Flags

Parse shell parameter expansions in your secrets

Default value: true

The project ID to fetch secrets from. This is required when using a machine identity to authenticate.

# Example
kms secrets --projectId=<project-id>

Used to select the name of the environment on which actions should be taken.

Default value: dev

The --path flag indicates which project folder secrets will be injected from.

# Example
kms secrets --path="/" --env=dev

The --plain flag will output all your secret values without formatting, one per line.

# Example
kms secrets --plain --silent

The --silent flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.

# Example
kms secrets --silent

Can be used inline to replace INFISICAL_DISABLE_UPDATE_CHECK

This command allows you to selectively print the requested secrets by name.

$ kms secrets get <secret-name-a> <secret-name-b> ...

# Example
$ kms secrets get DOMAIN
$ kms secrets get DOMAIN PORT

Flags

Used to select the name of the environment on which actions should be taken.

Default value: dev

The --plain flag will output all your requested secret values without formatting, one per line.

Default value: false

# Example
kms secrets get FOO --plain
kms secrets get FOO BAR --plain

# Fetch a single value and assign it to a variable
API_KEY=$(kms secrets get FOO --plain --silent)

When running in CI/CD environments or in a script, set INFISICAL_DISABLE_UPDATE_CHECK=true or add the --silent flag. This will help hide any CLI info/debug output and only show the secret value.

The --silent flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.

# Example
kms secrets get FOO --plain --silent

Can be used inline to replace INFISICAL_DISABLE_UPDATE_CHECK

Use --plain instead, as it supports single and multiple secrets.

Used to print the plain value of a single requested secret without any table style.

Default value: false

Example: kms secrets get DOMAIN --raw-value

When running in CI/CD environments or in a script, set INFISICAL_DISABLE_UPDATE_CHECK=true or add the --silent flag. This will help hide any CLI info/debug output and only show the secret value.
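
The scripting advice above (`--plain`, `--silent`, `INFISICAL_DISABLE_UPDATE_CHECK`) can be wrapped so that a CI job fails closed instead of continuing with a blank credential. This is an added example, not part of the Hanzo KMS documentation: `load_secret` and its `_ls_*` variables are hypothetical names, and it assumes a `kms` CLI on PATH that is already authenticated.

```shell
#!/bin/sh
# Added example (not from the Hanzo KMS docs): fail-closed secret loading for CI.
# Assumes `kms` is on PATH and authenticated, e.g. via INFISICAL_TOKEN.

# load_secret VAR SECRET_NAME [ENV]
# Exports VAR with the secret's value. Returns non-zero when the CLI fails or
# the value is empty, so the job stops rather than running without a credential.
load_secret() {
  _ls_var=$1 _ls_name=$2 _ls_env=${3:-dev} _ls_rc=0 _ls_trace=0
  # VAR ends up in an assignment and SECRET_NAME in a CLI argument:
  # accept plain identifiers only.
  for _ls_id in "$_ls_var" "$_ls_name"; do
    case $_ls_id in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "load_secret: invalid identifier" >&2; return 2 ;;
    esac
  done
  # Pause xtrace while the value is handled so `set -x` in a pipeline
  # does not copy it into the build log.
  case $- in *x*) _ls_trace=1; set +x ;; esac
  _ls_val=$(INFISICAL_DISABLE_UPDATE_CHECK=true \
      kms secrets get "$_ls_name" --env="$_ls_env" --plain --silent) || _ls_rc=$?
  if [ "$_ls_rc" -ne 0 ]; then
    echo "load_secret: kms exited with status $_ls_rc for $_ls_name" >&2
  elif [ -z "$_ls_val" ]; then
    echo "load_secret: $_ls_name is empty or missing" >&2
    _ls_rc=1
  else
    export "$_ls_var=$_ls_val"
  fi
  _ls_val=
  if [ "$_ls_trace" -eq 1 ]; then set -x; fi
  return "$_ls_rc"
}
```

Assigning inside the function matters: with `set -x` active, `API_KEY=$(...)` in the calling script would be traced with the expanded value.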

This command allows you to set or update secrets in your environment. If the secret key provided already exists, its value will be updated with the new value. If the secret key does not exist, a new secret will be created using both the key and value provided.

$ kms secrets set <key1=value1> <key2=value2> <key3=@/path/to/file>...

## Example
$ kms secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jebhfbwe SECRET_PEM_KEY=@secret.pem

When setting secret values:

  • Use secretName=@path/to/file to load the secret value from a file
  • Use secretName=\@value if you need the literal '@' character at the beginning of your value

Example:

# Set a secret with the value loaded from a certificate file
$ kms secrets set CERTIFICATE=@/path/to/certificate.pem

# Set a secret with the literal value "@example.com"
$ kms secrets set email="\@example.com"
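
Loading the value with the `@file` form keeps it out of the command line, where it would otherwise be recorded in shell history and visible in the process list. The following is an added example, not from the Hanzo KMS documentation: `set_secret_from_stdin` is a hypothetical helper, and it assumes `mktemp` is available and `kms` is on PATH and authenticated.

```shell
#!/bin/sh
# Added example (not from the Hanzo KMS docs): set a secret without putting
# its value in argv, using the documented NAME=@/path/to/file form.

# set_secret_from_stdin NAME [ENV]
# Reads the value from stdin, stages it in a private temp file, passes only
# the file path to the CLI, then removes the file.
set_secret_from_stdin() {
  _ss_name=$1 _ss_env=${2:-dev} _ss_rc=0
  case $_ss_name in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "set_secret_from_stdin: invalid secret name" >&2; return 2 ;;
  esac
  # mktemp creates the file readable and writable by the current user only.
  _ss_tmp=$(mktemp) || return 1
  # stdin is written to the file unchanged; feed it with printf '%s' if a
  # trailing newline must not become part of the stored value.
  cat > "$_ss_tmp"
  if [ -s "$_ss_tmp" ]; then
    kms secrets set "$_ss_name=@$_ss_tmp" --env="$_ss_env" || _ss_rc=$?
  else
    echo "set_secret_from_stdin: refusing to set an empty value" >&2
    _ss_rc=1
  fi
  rm -f "$_ss_tmp"
  return "$_ss_rc"
}
```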

Flags

Used to select the name of the environment on which actions should be taken.

Default value: dev

Used to select the project folder in which the secrets will be set. This is useful when creating new secrets under a particular path.

# Example
kms secrets set DOMAIN=example.com --path="common/backend"

Used to select the type of secret to create. This can be either personal or shared (defaults to shared).

# Example
kms secrets set DOMAIN=example.com --type=personal

Used to set secrets from a file, supporting both .env and YAML formats. The file path can be either absolute or relative to the current working directory.

The file should contain secrets in the following formats:

  • key=value for .env files
  • key: value for YAML files

Comments can be written using # comment or // comment. Empty lines will be ignored during processing.

# Example
kms secrets set --file="./.env"

This command allows you to delete secrets by their name(s).

$ kms secrets delete <keyName1> <keyName2>...

## Example
$ kms secrets delete STRIPE_API_KEY DOMAIN HASH

Flags

Used to select the name of the environment on which actions should be taken.

Default value: dev

The --path flag indicates which project folder secrets will be deleted from.

# Example
kms secrets delete <keyName1> <keyName2>... --path="/"

This command allows you to fetch, create, and delete folders within a path in a given project.

$ kms secrets folders

Sub-commands

Used to fetch all folders within a path in a given project

kms secrets folders get --path=/some/path/to/folder 

Flags

The path from which folders should be fetched

Default value: /

Fetch folders using a machine identity access token.

Default value: ``

Used to create a folder by name within a path.

kms secrets folders create --path=/some/path/to/folder --name=folder-name

Flags

Path to where the folder should be created

Default value: /

Name of the folder to be created in selected --path

Default value: ``

Used to delete a folder by name within a path.

kms secrets folders delete --path=/some/path/to/folder --name=folder-name

Flags

Path in which the folder to be deleted is located

Default value: /

Name of the folder to be deleted within selected --path

Default value: ``

This command allows you to generate an example .env file from your secrets, along with their associated comments and tags. This is useful when you want others who work on the project but do not use Hanzo KMS to be aware of the required environment variables and their intended values.

To place default values in your example .env file, you can simply include the syntax DEFAULT:<value> within your secret's comment in Hanzo KMS. This will result in the specified value being extracted and utilized as the default.

$ kms secrets generate-example-env

## Example
$ kms secrets generate-example-env > .example-env

Flags

Used to select the name of the environment on which actions should be taken.

Default value: dev
