Node

This guide demonstrates how to use Hanzo KMS to manage secrets for your Node stack from local development to production. It uses:

Project Setup

To begin, we need to set up a project in Hanzo KMS and add secrets to an environment in it.

Create a project

  1. Create a new project in Hanzo KMS.
  2. Add a secret to the development environment of this project so we can pull it back for local development. In the Secrets Overview page, press Explore Development and add a secret with the key NAME and value YOUR_NAME.

Create a Machine Identity

Now that we've created a project and added a secret to its development environment, we need to configure a Hanzo KMS Machine Identity that our Node application can use to access the secret.

Create a Node app

For this demonstration, we use a minimal Express application. However, the same principles will apply to any Node application such as those built on Koa or Fastify.

Create an Express app

Initialize a new Node.js project with a default package.json file.

npm init -y

Install express and @kms/sdk, the client Node SDK for Hanzo KMS.

npm install express @kms/sdk

Finally, create an index.js file containing the application code.

const express = require('express');
// Class name as printed in this guide with the stray space removed;
// confirm the export name against your installed @kms/sdk version.
const { HanzoKMSSDK } = require("@kms/sdk");

const app = express();

const PORT = 3000;

let client;

// Log in once with the Machine Identity and keep the authenticated client.
const setupClient = async () => {
  if (client) {
    return;
  }

  const kmsSdk = new HanzoKMSSDK({
      siteUrl: "your-kms-instance.com" // Optional, defaults to https://app.kms.hanzo.ai
  });

  await kmsSdk.auth().universalAuth.login({
    clientId: "<machine-identity-client-id>",
    clientSecret: "<machine-identity-client-secret>"
  });

  // If authentication was successful, assign the client
  client = kmsSdk;
};

app.get("/", async (req, res) => {
    // Fetch the NAME secret from the development environment
    const name = await client.secrets().getSecret({
      environment: "dev", // dev, staging, prod, etc.
      projectId: "<project-id>",
      secretPath: "/",
      secretName: "NAME"
    });

    res.send(`Hello! My name is: ${name.secretValue}`);
});

// Authenticate with Hanzo KMS before accepting requests, so the route
// handler never runs with an undefined client.
setupClient().then(() => {
  app.listen(PORT, () => {
    console.log(`Server listening on port ${PORT}`);
  });
});

Here, we initialized a client instance of the Hanzo KMS Node SDK with the Machine Identity that we created earlier, which gives the application access to the secrets in the development environment of our Hanzo KMS project.

Finally, start the app and head to http://localhost:3000 to see the message Hello! My name is: YOUR_NAME.

node index.js

The client fetched the secret with the key NAME from Hanzo KMS, and the endpoint returned its value in the response.

At this stage, you know how to fetch secrets from Hanzo KMS back to your Node application. By using Machine Identities scoped to different projects and environments, you can easily manage secrets across various stages of your project in Hanzo KMS, from local development to production.
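
One way to keep the Machine Identity's client ID and client secret out of index.js and to make requests wait for login, as an added example that is not part of the Hanzo KMS documentation or SDK. The variable names KMS_CLIENT_ID and KMS_CLIENT_SECRET and the helpers loadIdentity, createClientProvider, readName and makeStubSdk are assumptions made for illustration; the SDK calls are the ones index.js already uses.

```javascript
// Added example, not Hanzo KMS code. KMS_CLIENT_ID and KMS_CLIENT_SECRET are
// assumed variable names; the SDK calls are the ones index.js uses above.

// Read the Machine Identity credentials from the environment, not from source.
function loadIdentity(env) {
  const missing = ["KMS_CLIENT_ID", "KMS_CLIENT_SECRET"].filter(
    (key) => !env[key] || env[key].startsWith("<") // unset or still a placeholder
  );
  if (missing.length > 0) {
    // Name the missing variables only; never echo credential values into logs.
    throw new Error(`Missing Machine Identity settings: ${missing.join(", ")}`);
  }
  return { clientId: env.KMS_CLIENT_ID, clientSecret: env.KMS_CLIENT_SECRET };
}

// Validate at startup, log in once, and share the login promise so a request
// that arrives early waits for authentication instead of using an unset client.
function createClientProvider(sdk, env) {
  const identity = loadIdentity(env); // throws before the server starts
  let ready = null;
  return function getClient() {
    if (!ready) {
      ready = sdk.auth().universalAuth.login(identity)
        .then(() => sdk)
        .catch((err) => {
          ready = null; // permit a retry after a failed login
          throw err;
        });
    }
    return ready;
  };
}

// Fetch the NAME secret the way the route handler does.
async function readName(getClient, projectId) {
  const client = await getClient();
  const name = await client.secrets().getSecret({
    environment: "dev", projectId, secretPath: "/", secretName: "NAME",
  });
  return name.secretValue;
}

// Constructed stand-in for the SDK so the example runs offline.
function makeStubSdk() {
  const calls = { logins: 0 };
  const login = async () => { calls.logins += 1; };
  const getSecret = async ({ secretName }) => ({ secretValue: `value-of-${secretName}` });
  return { calls, auth: () => ({ universalAuth: { login } }), secrets: () => ({ getSecret }) };
}
```

In index.js, pass the real SDK instance and process.env to createClientProvider before calling app.listen, and call getClient() inside the route handler in place of the module-level client variable.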

FAQ

The SDK caches every secret and falls back to the cached value if a request fails. If no cached value ever existed, the SDK falls back to whatever value is on process.env.

The token enables the SDK to authenticate with Hanzo KMS to fetch back your secrets. Although the SDK requires you to pass in a token, it enables greater efficiency and security than if you managed dozens of secrets yourself without it. Here are some benefits:

  • You always pull in the right secrets because they're fetched on demand from a centralized source, Hanzo KMS.
  • You can use Hanzo KMS, which comes with tons of benefits like secret versioning, access controls, audit logs, etc.
  • You now risk leaking one token that can be revoked instead of dozens of raw secrets.

And much more.
