
Docker

The KMS CLI can be added to Dockerfiles to fetch secrets from Hanzo KMS and make them available as environment variables within containers at runtime.

Prerequisites:

  • Have a project with secrets ready in Hanzo KMS Cloud.
  • Create a KMS Token scoped to an environment in your project in Hanzo KMS.

Dockerfile Modification

Follow the instructions for your specific Linux distribution to add the KMS CLI to your Dockerfile.

Alpine (apk):

RUN apk add --no-cache bash sudo wget && wget -qO- \
'https://artifacts-cli.kms.hanzo.ai/setup.apk.sh' | sh \
&& apk add kms

RPM-based distributions (yum):

RUN curl -1sLf \
'https://artifacts-cli.kms.hanzo.ai/setup.rpm.sh' | sh \
&& yum install -y kms

Debian/Ubuntu (apt-get):

RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
'https://artifacts-cli.kms.hanzo.ai/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y kms

Next, modify the start command of your Dockerfile:

CMD ["kms", "run", "--", "[your service start command]"]

Launch

Spin up your container with the docker run command and feed in your KMS Token.

docker run --env INFISICAL_TOKEN=<your_kms_token> <DOCKER-IMAGE>

Your containerized application should now be up and running with secrets from Hanzo KMS exposed as environment variables within your application's process.

Example Dockerfile

# Select your base image (based on your Linux distribution, e.g., Alpine, Debian, Ubuntu, etc.)
FROM alpine

# Add the KMS CLI to your Dockerfile (choose the appropriate block based on your base image)
RUN apk add --no-cache bash sudo wget && wget -qO- \
    'https://artifacts-cli.kms.hanzo.ai/setup.apk.sh' | sh \
    && apk add kms

# Install any additional dependencies or packages your service requires
# RUN <additional commands for your service>

# Copy your service files to the container
COPY . /app

# Set the working directory
WORKDIR /app

# Modify the start command of your Dockerfile
# (exec form: each argument of the start command is its own array element)
CMD ["kms", "run", "--", "npm", "run", "start"]

Dockerfile Modifications

Follow the instructions for your specific Linux distributions to add the KMS CLI to your Dockerfiles.

Alpine (apk):

RUN apk add --no-cache bash sudo wget && wget -qO- \
'https://artifacts-cli.kms.hanzo.ai/setup.apk.sh' | sh \
&& apk add kms

RPM-based distributions (yum):

RUN curl -1sLf \
'https://artifacts-cli.kms.hanzo.ai/setup.rpm.sh' | sh \
&& yum install -y kms

Debian/Ubuntu (apt-get):

RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
'https://artifacts-cli.kms.hanzo.ai/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y kms

Next, modify the start commands of your Dockerfiles:

CMD ["kms", "run", "--", "[your service start command]"]

Example Dockerfile

# Select your base image (based on your Linux distribution, e.g., Alpine, Debian, Ubuntu, etc.)
FROM alpine

# Add the KMS CLI to your Dockerfile (choose the appropriate block based on your base image)
RUN apk add --no-cache bash sudo wget && wget -qO- \
    'https://artifacts-cli.kms.hanzo.ai/setup.apk.sh' | sh \
    && apk add kms

# Install any additional dependencies or packages your service requires
# RUN <additional commands for your service>

# Copy your service files to the container
COPY . /app

# Set the working directory
WORKDIR /app

# Modify the start command of your Dockerfile
CMD ["kms", "run", "--", "[your service start command]"]

Docker Compose File Modification

For each service you want to inject secrets into, set an environment variable called INFISICAL_TOKEN to a uniquely named shell variable that will hold that service's KMS Token. For example:

services:
    api:
        build: .
        image: example-service-2
        environment:
        - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_API}
...

Export shell variables

Next, set the shell variables you defined in your compose file. Continuing from the previous example:

export INFISICAL_TOKEN_FOR_API=<your_kms_token>

Launch

Spin up your containers with the docker-compose up command.

docker-compose up

Your containers should now be running with the secrets from Hanzo KMS available inside as environment variables.
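
The steps above keep the KMS Token out of the image and the Compose file by supplying it at run time (docker run --env, or a ${...} reference resolved from the shell). The check below is an added example, not part of the Hanzo KMS documentation; the function names, sample files and token value are constructed for illustration. It flags Dockerfiles and Compose files in which a literal INFISICAL_TOKEN value has been written instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the Hanzo KMS docs. Flags Dockerfiles and Compose
# files that embed a literal INFISICAL_TOKEN instead of receiving it at run time.

# Variable name followed by "=" (Dockerfile ENV/ARG, Compose list form)
# or ":" (Compose map form).
ASSIGN='INFISICAL_TOKEN[[:space:]]*[=:][[:space:]]*'

# find_hardcoded_tokens FILE...
# Prints "FILE:LINE:TEXT" per literal assignment; exit status 0 if all files
# are clean, 1 if a literal value was found or a file could not be read.
find_hardcoded_tokens() (
    status=0
    for file in "$@"; do
        if [ ! -r "$file" ]; then
            printf 'cannot read %s\n' "$file" >&2
            status=1
            continue
        fi
        # Keep lines that assign a value, then drop those whose value is a
        # variable reference such as ${INFISICAL_TOKEN_FOR_API}.
        hits=$(grep -nE "${ASSIGN}[^[:space:]]" "$file" \
               | grep -vE "${ASSIGN}[\"']?[\$]" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$file" "$line"
            done
            status=1
        fi
    done
    [ "$status" -eq 0 ]
)

# Constructed sample input: a Compose file as in this guide, and a Dockerfile
# with a made-up token baked into an image layer.
write_samples() {
    printf '%s\n' 'services:' '    api:' '        environment:' \
        '        - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_API}' > "$1/compose.yml"
    printf '%s\n' 'FROM alpine' \
        'ENV INFISICAL_TOKEN=st.constructed.not-a-real-token' \
        'CMD ["kms", "run", "--", "npm", "run", "start"]' > "$1/Dockerfile.bad"
}

# When invoked with file arguments, scan them.
if [ "$#" -gt 0 ]; then find_hardcoded_tokens "$@"; fi
```

Run it against the Dockerfile and Compose file in a repository before building; a non-zero exit status means a token value would end up in an image layer or in version control.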
