Docker Run
Learn how to pass secrets to your docker container at run time.
This method feeds secrets from Hanzo KMS into your container through the --env-file flag of the docker run command.
Rather than giving the flag the path of an env file on disk, you use bash process substitution so that the output of the KMS CLI appears to docker as a file path. The secrets travel through a pipe and are never written to disk.
For this to work, you need a bash shell (for process substitution) and the KMS CLI installed in the environment where you run the docker run command.
Authentication
If you are already logged in via the CLI you can skip this step. Otherwise, head to your organization settings in Hanzo KMS Cloud to create a Machine Identity. The machine identity allows you to authenticate and fetch secrets from Hanzo KMS. Once you have created a machine identity with the required permissions, you need to feed its token to the CLI.
Please note that we highly recommend using kms login for local development.
Pass as flag
You may use the --token flag to set the token:
kms export --token=<>
Pass via shell environment variable
The CLI is configured to look for an environment variable named INFISICAL_TOKEN. If set, it'll attempt to use it for authentication.
export INFISICAL_TOKEN=<>
You can use the kms login --method=universal-auth command to obtain a universal auth access token directly and set it as an environment variable:
export INFISICAL_TOKEN=$(kms login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)
In production scenarios, avoid the interactive kms login command and instead authenticate with a machine identity.
Run your docker command with Hanzo KMS
Next, use the --env-file flag of the docker run command together with the KMS CLI to point docker at your secrets.
Under the hood, this command fetches the secrets from Hanzo KMS and serves them to the --env-file flag as a file.
# In this example, executing a docker run command starts an empty Alpine container and prints the environment variables passed to it by Hanzo KMS.
docker run --rm --env-file <(kms export --format=dotenv) alpine printenv
To view all options of the export command, refer to the export command reference.
When using the --env-file option, Docker cannot handle secrets that span multiple lines. Docker's env-file parser takes each line literally as NAME=VALUE (a bare NAME copies that variable from the host); it does not interpret quotes, escape sequences or line continuations, so a value containing a newline cannot be represented and its remaining lines will be misread as separate entries.
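The following script is an added example and is not part of the Hanzo KMS documentation. It wraps the procedure above: it fetches the export once, checks that every line is a single-line NAME=VALUE pair that Docker's --env-file parser will read as intended (catching the multi-line case described above, and bare names that would silently inherit a host variable), and only then starts the container, feeding the secrets through process substitution so nothing is written to disk. The checker prints variable names only, never values, so a failed check does not leak secrets into CI logs. The sample variable names and values at the bottom are constructed for illustration; the kms export and docker invocations are the ones shown on this page.

```bash
#!/usr/bin/env bash
# Added example: validate `kms export --format=dotenv` output before passing
# it to `docker run --env-file` via bash process substitution.
# Sample names/values below are constructed, not real secrets.
set -euo pipefail

# Reads a dotenv stream on stdin. Returns 1 if any line would be mis-parsed
# by Docker's --env-file reader: a bare NAME (Docker copies it from the host)
# or a line that is not NAME=VALUE at all (typically the tail of a multi-line
# secret). Quoted values are only warned about: Docker keeps the quotes as
# part of the value. Only variable names are printed, never values.
check_docker_env_file() {
    local line value n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Docker ignores blank lines and comments.
        case "$line" in ''|'#'*) continue ;; esac
        if [[ $line =~ ^([A-Za-z_][A-Za-z0-9_]*)= ]]; then
            value=${line#*=}
            if [[ $value == \"*\" || $value == \'*\' ]]; then
                printf 'line %d: %s is quoted; docker keeps the quotes in the value\n' \
                    "$n" "${BASH_REMATCH[1]}" >&2
            fi
        elif [[ $line =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
            printf 'line %d: bare variable %s would be copied from the host\n' \
                "$n" "$line" >&2
            bad=1
        else
            printf 'line %d: not a NAME=VALUE pair (continuation of a multi-line value?)\n' \
                "$n" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Fetch once, validate, then run. The export is held in a shell variable and
# handed to docker through process substitution (/dev/fd), so it never
# touches disk. Usage: run_with_kms <docker run args>, e.g.
#   run_with_kms alpine printenv
run_with_kms() {
    local dotenv
    dotenv="$(kms export --format=dotenv)"
    printf '%s\n' "$dotenv" | check_docker_env_file || {
        echo "refusing to start container: env file would be mis-parsed" >&2
        return 1
    }
    docker run --rm --env-file <(printf '%s\n' "$dotenv") "$@"
}

# Constructed samples (fake values) illustrating what the check catches.
SAMPLE_OK='DB_HOST=db.internal
DB_PASSWORD=example-not-a-real-secret'
SAMPLE_MULTILINE='TLS_KEY=-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBg...constructed...
-----END PRIVATE KEY-----'

# `./script.sh alpine printenv` runs the container; `./script.sh --check-stdin`
# only validates a dotenv stream piped in. With no arguments it defines the
# functions and exits, so it can be sourced.
if [ "${1:-}" = "--check-stdin" ]; then
    check_docker_env_file
elif [ $# -gt 0 ]; then
    run_with_kms "$@"
fi
```

The check runs before docker starts, so a misformatted multi-line secret fails fast with the offending variable name instead of a container that silently sees a truncated value.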