Hanzo
PlatformHanzo KMSGuides

Python

This guide demonstrates how to use Hanzo KMS to manage secrets for your Python stack from local development to production. It uses:

Project Setup

To begin, we need to set up a project in Hanzo KMS and add secrets to an environment in it.

Create a project

  1. Create a new project in Hanzo KMS.
  2. Add a secret to the development environment of this project so we can pull it back for local development. In the Secrets Overview page, press Explore Development and add a secret with the key NAME and value YOUR_NAME.

Create a Machine Identity

Now that we've created a project and added a secret to its development environment, we need to configure an Hanzo KMS Machine Identity that our Python application can use to access the secret.

Create a Python app

For this demonstration, we use a minimal Flask application. However, the same principles will apply to any Python application such as those built with Django.

Create a Flask app

First, create a virtual environment and activate it.

python3 -m venv env
source env/bin/activate

Install Flask and kmssdk, the client Python SDK for Hanzo KMS.

pip install flask kmssdk

Finally, create an app.py file containing the application code.

from flask import Flask
from kms_sdk import Hanzo KMSSDKClient

app = Flask(__name__)

client = Hanzo KMSSDKClient(host="https://app.kms.hanzo.ai") # host is optional, defaults to https://app.kms.hanzo.ai

client.auth.universal_auth.login(
  "<machine-identity-client-id>",
  "<machine-identity-client-secret>"
)

@app.route("/")
def hello_world():
    # access value
     name = client.secrets.get_secret_by_name(
      secret_name="NAME",
      project_id="<project-id>",
      environment_slug="dev",
      secret_path="/"
     )

    return f"Hello! My name is: {name.secretValue}"

Here, we initialized a client instance of the Hanzo KMS Python SDK with the KMS Token that we created earlier, giving access to the secrets in the development environment of the project in Hanzo KMS that we created earlier.

Finally, start the app and head to http://localhost:5000 to see the message Hello, Your Name.

flask run

The client fetched the secret with the key NAME from Hanzo KMS that we returned in the response of the endpoint.

At this stage, you know how to fetch secrets from Hanzo KMS back to your Python application. By using KMS Tokens scoped to different environments, you can easily manage secrets across various stages of your project in Hanzo KMS, from local development to production.

FAQ

The token enables the SDK to authenticate with Hanzo KMS to fetch back your secrets. Although the SDK requires you to pass in a token, it enables greater efficiency and security than if you managed dozens of secrets yourself without it. Here're some benefits:

  • You always pull in the right secrets because they're fetched on demand from a centralized source that is Hanzo KMS.
  • You can use the Hanzo KMS which comes with tons of benefits like secret versioning, access controls, audit logs, etc.
  • You now risk leaking one token that can be revoked instead of dozens of raw secrets.

And much more.

See also:

How is this guide?

Last updated on

Node

Next.js + Vercel

On this page

Project Setup
Create a project
Create a Machine Identity
Create a Python app
Create a Flask app
FAQ