Hanzo
PlatformHanzo KMSIntegrationsPlatforms

KMS Agent

This page describes how to manage secrets using KMS Agent.

KMS Agent is a client daemon that simplifies the adoption of Hanzo KMS by providing a more scalable and user-friendly approach for applications to interact with Hanzo KMS. It eliminates the need to modify application logic by enabling clients to decide how they want their secrets rendered through the use of templates.

agent diagram

Key Features

  • Token lifecycle management: Automatically authenticates with Hanzo KMS and deposits renewed access tokens at specified path for applications to consume
  • Templating: Renders secrets and dynamic secret leases via user provided templates to desired formats for applications to consume

Token Renewal

The Hanzo KMS agent can help manage the life cycle of access tokens. The token renewal process is split into two main components: a Method, which is the authentication process suitable for your current setup, and Sinks, which are the places where the agent deposits the new access token whenever it receives updates.

When the KMS Agent is started, it will attempt to obtain a valid access token using the authentication method you have configured. If the agent is unable to fetch a valid token, the agent will keep trying, increasing the time between each attempt.

Once a access token is successfully fetched, the agent will make sure the access token stays valid, continuing to renew it before it expires.

Every time the agent successfully retrieves a new access token, it writes the new token to the Sinks you've configured.

Access tokens can be utilized with Hanzo KMS SDKs or directly in API requests to retrieve secrets from Hanzo KMS

Templating

The Hanzo KMS agent can help deliver formatted secrets to your application in a variety of environments. To achieve this, the agent will retrieve secrets from Hanzo KMS, format them using a specified template, and then save these formatted secrets to a designated file path.

Templating process is done through the use of Go language's text/template feature.You can refer to the available secret template functions here. Multiple template definitions can be set in the agent configuration file to generate a variety of formatted secret files.

When the agent is started and templates are defined in the agent configuration file, the agent will attempt to acquire a valid access token using the set authentication method outlined in the agent's configuration. If this initial attempt is unsuccessful, the agent will momentarily pauses before continuing to make more attempts.

Once the agent successfully obtains a valid access token, the agent proceeds to fetch the secrets from Hanzo KMS using it. It then formats these secrets using the user provided templates and writes the formatted data to configured file paths.

Available secret template functions

The secret template functions is what you will use to fetch resources such as static secrets and dynamic secret leases from Hanzo KMS. Below is a list of the available secret template functions that you can use in your templates.

  secret "<project-id>" "environment-slug" "<secret-path>" "<optional-modifier>"
{{- with secret "6553ccb2b7da580d7f6e7260" "dev" "/" `{"recursive": false, "expandSecretReferences": true}` }}
{{- range . }}
{{ .Key }}={{ .Value }}
{{- end }}
{{- end }}
{{- with secret "da8056c8-01e2-4d24-b39f-cb4e004b8d44" "staging" "/" `{"recursive": true, "expandSecretReferences": true}` }}
{{- range . }}
{{- if eq .SecretPath "/"}}
{{ .Key }}={{ .Value }}
{{- else}}
{{ .SecretPath }}/{{ .Key }}={{ .Value }}
{{- end}}
{{- end }}
{{- end }}

Function name: secret

Description: This function can be used to render the full list of secrets within a given project, environment and secret path.

An optional JSON argument is also available. It includes the properties recursive, which defaults to false, and expandSecretReferences, which defaults to true and expands the returned secrets.

Returns: A single secret object with the following keys Key, WorkspaceId, Value, SecretPath, Type, ID, and Comment

getSecretByName "<project-id>" "<environment-slug>" "<secret-path>" "<secret-name>"
{{ with getSecretByName "d821f21d-aa90-453b-8448-8c78c1160a0e" "dev" "/" "POSTHOG_HOST"}}
{{ if .Value }}
password = "{{ .Value }}"
{{ end }}
{{ end }}

Function name: getSecretByName

Description: This function can be used to render a single secret by it's name.

Returns: A list of secret objects with the following keys Key, WorkspaceId, Value, Type, ID, and Comment

dynamic_secret "<project-slug>" "<environment-slug>" "<secret-path>" "<dynamic-secret-name>" "<lease-ttl>"
  {{ with dynamic_secret "aaa-o7en-s5qm" "dev" "/" "redis" "1m" }}
  {{ .DB_USERNAME }}={{ .DB_PASSWORD }}
  {{- end }}

Function Name: dynamic_secret

Description: This function can be used to render a dynamic secret lease credentials. The credentials are automatically renewed before they expire, ensuring that the rendered credentials are always up-to-date.

Returns: An object with keys corresponding to the dynamic secret lease credentials.

Note that if you have multiple dynamic secret templates with identical configurations, only one lease will be created in Hanzo KMS for those templates, and the same lease will be written to your specified destination paths.

Caching

The KMS Agent supports clientside caching of Dynamic Secret leases. If the cache is enabled, the agent will persist the dynamic secret leases to the cache across restarts of the agent.

Persistent Caching

The Agent currently only supports persistent caching. To utilize persistent caching, you must be within a Kubernetes environment. We recommend using the KMS Agent Injector to inject the agent into pods within your Kubernetes cluster on demand.

Cache eviction

Cache eviction is the process of removing cached data from the cache. The Agent will automatically evict cached data when the cache is full during a garbage collection cycle which is triggered every 10 minutes.

The cache will also automatically evict cached data that has gone stale or is about to go stale. For dynamic resources (such as dynamic secret leases), there's a TTL (Time-to-Live) associated with each lease which is used to determine if the lease is stale or about to go stale. If a stale dynamic secret lease is detected, it will be automatically evicted from the cache and replaced with a new up-to-date lease.

Cache Configuration

Configuring the cache is done through the agent configuration file. The following fields are available to configure the cache:

The type of persistent caching to use. Currently only kubernetes is available, and will only work within Kubernetes environments.

The path to where your persistent cache will be stored.

Persistent caching is only supported within kubernetes environments at the moment. Please refer to the KMS Agent Injector documentation for more information on how to use persistent caching within Kubernetes environments.

cache:
persistent:
  type: "kubernetes"
  path: "/home/kms/cache"
  service-account-token-path: "/var/run/secrets/kubernetes.io/serviceaccount/token"

Retrying mechanism

The agent will automatically attempt to retry failed API requests such as authentication, secrets retrieval, dynamic secret lease provisioning, etc. By default, the agent will retry up to 3 times with a base delay of 200ms and a maximum delay of 5s.

You can configure the retrying mechanism through the agent configuration file. The following fields are available to configure the retrying mechanism:

How many times to retry failed API requests such as authentication, secret retrieval, etc. Defaults to 3 retries.

The maximum delay between retries. Defaults to 5s (5 seconds).

The base delay between retries. Defaults to 200ms (200 milliseconds).

kms:
  address: "https://app.kms.hanzo.ai"
  retry-strategy:
    max-retries: 3
    max-delay: "5s"
    base-delay: "200ms"

# ... rest of the agent configuration file

Agent configuration file

To set up the authentication method for token renewal and to define secret templates, the Hanzo KMS agent requires a YAML configuration file containing properties defined below. While specifying an authentication method is mandatory to start the agent, configuring sinks and secret templates are optional.

FieldDescription
kms.addressThe URL of the Hanzo KMS service. Default: "https://app.kms.hanzo.ai".
kms.exit-after-authWhether to exit the agent after authentication and first secret render. Default: "false".
kms.revoke-credentials-on-shutdownWhether to revoke all managed dynamic secret leases and identity access tokens on shutdown. Default: "false".
kms.retry-strategy.max-retriesHow many times to retry failed API requests such as authentication, secret retrieval, etc. Defaults to 3 retries.
kms.retry-strategy.max-delayThe maximum delay between retries. Defaults to 5s (5 seconds).
kms.retry-strategy.base-delayThe base delay between retries. Defaults to 200ms (200 milliseconds).
auth.typeThe type of authentication method used. Available options: universal-auth, kubernetes, azure, gcp-id-token, gcp-iam, aws-iam
auth.config.identity-idThe file path where the machine identity id is stored

This field is required when using any of the following auth types: kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.
auth.config.service-account-tokenPath to the Kubernetes service account token to use (optional)

Default: /var/run/secrets/kubernetes.io/serviceaccount/token
auth.config.service-account-keyPath to your GCP service account key file. This field is required when using gcp-iam auth type.

Please note that the file should be in JSON format.
auth.config.client-idThe file path where the universal-auth client id is stored.
auth.config.client-secretThe file path where the universal-auth client secret is stored.
auth.config.remove_client_secret_on_readThis will instruct the agent to remove the client secret from disk.
sinks[].typeThe type of sink in a list of sinks. Each item specifies a sink type. Currently, only "file" type is available.
sinks[].config.pathThe file path where the access token should be stored for each sink in the list.
cache.persistent.typeThe type of persistent caching to use. Currently only kubernetes is available, and will only work within Kubernetes environments.
cache.persistent.pathThe path to where your persistent cache will be stored.
cache.persistent.service-account-token-pathThe path to the Kubernetes service account token to use for encrypting the persistent cache. Required when using kubernetes cache type. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token
templates[].source-pathThe path to the template file that should be used to render secrets.
templates[].template-contentThe inline secret template to be used for rendering the secrets.
templates[].destination-pathThe path where the rendered secrets from the source template will be saved to.
templates[].config.polling-intervalHow frequently to check for secret changes. Default: 5m (5 minutes) (optional)
templates[].config.execute.commandThe command to execute when secret change is detected (optional)
templates[].config.execute.timeoutHow long in seconds to wait for command to execute before timing out (optional)

Authentication

The Hanzo KMS agent supports multiple authentication methods. Below are the available authentication methods, with their respective configurations.

The Universal Auth method is a simple and secure way to authenticate with Hanzo KMS. It requires a client ID and a client secret to authenticate with Hanzo KMS.

Path to the file containing the universal auth client ID.

Path to the file containing the universal auth client secret.

Instructs the agent to remove the client secret from disk after reading it.

To create a universal auth machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method, client ID, and client secret. In the snippet below you can see a sample configuration of the auth field when using the Universal Auth method.

auth:
  type: "universal-auth"
  config:
    client-id: "./client-id" # Path to the file containing the client ID
    client-secret: "./client" # Path to the file containing the client secret
    remove_client_secret_on_read: false # Optional field, instructs the agent to remove the client secret from disk after reading it

The Native Kubernetes method is used to authenticate with Hanzo KMS when running in a Kubernetes environment. It requires a service account token to authenticate with Hanzo KMS.

Path to the file containing the machine identity ID.

Path to the Kubernetes service account token to use. Default: /var/run/secrets/kubernetes.io/serviceaccount/token.

To create a Kubernetes machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method, identity ID, and service account token. In the snippet below you can see a sample configuration of the auth field when using the Kubernetes method.

auth:
  type: "kubernetes"
  config:
    identity-id: "./identity-id" # Path to the file containing the machine identity ID
    service-account-token: "/var/run/secrets/kubernetes.io/serviceaccount/token" # Optional field, custom path to the Kubernetes service account token to use

The Native Azure method is used to authenticate with Hanzo KMS when running in an Azure environment.

Path to the file containing the machine identity ID.

To create an Azure machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the auth field when using the Azure method.

auth:
  type: "azure"
  config:
    identity-id: "./identity-id" # Path to the file containing the machine identity ID

The Native GCP ID Token method is used to authenticate with Hanzo KMS when running in a GCP environment.

Path to the file containing the machine identity ID.

To create a GCP machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the auth field when using the GCP ID Token method.

auth:
  type: "gcp-id-token"
  config:
    identity-id: "./identity-id" # Path to the file containing the machine identity ID

The GCP IAM method is used to authenticate with Hanzo KMS with a GCP service account key.

Path to the file containing the machine identity ID.

Path to your GCP service account key file.

To create a GCP machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method, identity ID, and service account key. In the snippet below you can see a sample configuration of the auth field when using the GCP IAM method.

auth:
  type: "gcp-iam"
  config:
    identity-id: "./identity-id" # Path to the file containing the machine identity ID
    service-account-key: "./service-account-key.json" # Path to your GCP service account key file

The AWS IAM method is used to authenticate with Hanzo KMS with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.

Path to the file containing the machine identity ID.

To create an AWS machine identity, follow the step by step guide outlined here.

Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the auth field when using the AWS IAM method.

auth:
  type: "aws-iam"
  config:
    identity-id: "./identity-id" # Path to the file containing the machine identity ID

Quick start KMS Agent

To install the Hanzo KMS agent, you must first install the KMS CLI in the desired environment where you'd like the agent to run. This is because the Hanzo KMS agent is a sub-command of the KMS CLI.

Once you have the CLI installed, you will need to provision programmatic access for the agent via Universal Auth. To obtain a Client ID and a Client Secret, follow the step by step guide outlined here.

Next, create agent config file as shown below. The example agent configuration file defines the token authentication method, one sink location, and a secret template.

kms:
  address: "https://app.kms.hanzo.ai"
auth:
  type: "universal-auth"
  config:
    client-id: "./client-id"
    client-secret: "./client-secret"
    remove_client_secret_on_read: false
sinks:
  - type: "file"
    config:
      path: "/some/path/to/store/access-token/file-name"
templates:
  - source-path: my-dot-ev-secret-template
    destination-path: /some/path/.env
    config:
      polling-interval: 60s
      execute:
        timeout: 30
        command: ./reload-app.sh

The secret template below will be used to render the secrets with the key and the value separated by = sign. You'll notice that a custom function named secret is used to fetch the secrets. This function takes the following arguments: secret "<project-id>" "<environment-slug>" "<secret-path>".

{{- with secret "6553ccb2b7da580d7f6e7260" "dev" "/" }}
{{- range . }}
{{ .Key }}={{ .Value }}
{{- end }}
{{- end }}

After defining the agent configuration file, run the command below pointing to the path where the agent configuration file is located.

kms agent --config example-agent-config-file.yaml

How is this guide?

Last updated on

Docker Swarm

Learn how to manage secrets in Docker Swarm services.

Hanzo KMS Proxy

Learn how to use the Hanzo KMS Proxy to proxy requests to Hanzo KMS with built-in caching for high availability.

On this page

Key Features
Token Renewal
Templating
Available secret template functions
Caching
Persistent Caching
Cache eviction
Cache Configuration
Retrying mechanism
Agent configuration file
Authentication
Quick start KMS Agent