Packer
Learn how to fetch secrets from Hanzo KMS with Packer using a data source
This guide demonstrates how to use the Hanzo KMS Packer plugin to fetch secret data using a data source. The Packer plugin supports both Hanzo KMS Cloud and self-hosted instances of Hanzo KMS.
Prerequisites
Before you begin, make sure you have:
- Packer installed
- A Hanzo KMS account with access to a project
- Basic understanding of Packer
Project Setup
Configure Provider
First, specify the Hanzo KMS provider in your Packer configuration:

packer {
  required_plugins {
    kms = {
      source  = "github.com/hanzoai/kms"
      version = ">=0.0.1"
    }
  }
}

Authentication
Using a Machine Identity, you can authenticate with Universal Auth.

data "kms-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev" # The environment to list secrets from (e.g. dev, staging, prod)
  project_id  = "00000000-0000-0000-0000-000000000000"
  host        = "https://app.kms.hanzo.ai" # Optional for cloud, required for self-hosted
  universal_auth {
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "..." # Optional if using INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET env variable
  }
}

Learn more about machine identities.
Using Secrets in Packer
You can fetch secrets from Hanzo KMS using the kms-secrets data source:

# Fetch all secrets from a folder
data "kms-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev"
  project_id  = "00000000-0000-0000-0000-000000000000"
  universal_auth {
    ...
  }
}

locals {
  secrets = data.kms-secrets.dev-secrets.secrets
}

source "null" "basic-example" {
  communicator = "none"
}

build {
  sources = [
    "source.null.basic-example"
  ]
  provisioner "shell-local" {
    inline = [
      "echo secret_key: ${local.secrets["SECRET_KEY"].secret_value}",
    ]
  }
}

The local.secrets object maps secret keys to secret objects.
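
An added example (not from the original guide or the plugin's own documentation) that consumes the fetched secret without echoing it into the build log: the value is wrapped in a Packer local block marked sensitive and handed to the provisioner through environment_vars. The secret name SECRET_KEY and the all-zero IDs are the page's placeholders, and the client secret is assumed to be set in the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable.

```hcl
packer {
  required_plugins {
    kms = {
      source  = "github.com/hanzoai/kms"
      version = ">=0.0.1"
    }
  }
}

data "kms-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev"
  project_id  = "00000000-0000-0000-0000-000000000000" # placeholder
  universal_auth {
    client_id = "00000000-0000-0000-0000-000000000000" # placeholder
    # client_secret is omitted on purpose: it is assumed to come from
    # INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET, so it never lives in the template.
  }
}

# A single-value local marked sensitive: Packer redacts this value
# wherever it would otherwise appear in build output.
local "secret_key" {
  expression = data.kms-secrets.dev-secrets.secrets["SECRET_KEY"].secret_value
  sensitive  = true
}

source "null" "basic-example" {
  communicator = "none"
}

build {
  sources = ["source.null.basic-example"]

  provisioner "shell-local" {
    # Pass the value as an environment variable instead of
    # interpolating it into the command text.
    environment_vars = ["SECRET_KEY=${local.secret_key}"]
    inline = [
      # Confirm the variable is present without printing its value.
      "test -n \"$SECRET_KEY\" && echo 'SECRET_KEY is available to the script'",
    ]
  }
}
```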