Machine identities

​ Many clients use machine identities (MIs) to authenticate and read/write secrets from/to Hanzo KMS; they can be created in your organization settings.

On this page, we discuss MIs, the new and improved authentication method.

A MI in Hanzo KMS comes with a JWT-based refresh token authentication credential. The refresh token can be exchanged for an access token with a time-to-live (TTL) to access the Hanzo KMS API.

The storage backend model for a MI contains the following notable data:

Separately, another model stores the mapping of a MI and the organization or project-role it is bound to. ​

You should consider the principle of least privilege(PoLP) when creating and assigning roles to MIs.

For example, if an MI only requires read access to the secrets in the /config path of the staging environment, then you should scope the role of the MI to the /config path of that environment only with read permission.

We recommend considering whether or not a MI should be able to access secrets indefinitely or within a finite lifetime such as until 6 months or 1 year from now

We recommend configuring the IP allowlist configuration of each MI to restrict its usage to specific IP addresses or CIDR-notated range of addresses.

Since MIs grant access to your secrets, we recommend storing the refresh token credential securely across your development cycle whether it be in a .env file in local development or as an environment variable of your deployment platform.

We recommend periodically rotating the MI refresh token, even in the absence of compromise. If using the KMS Agent, we recommend enabling the Refresh Token Rotation option on your MI; this will issue a new refresh token and invalidate the old one upon a refresh token exchange operation — In doing so, the refresh token is kept as a moving target and secret zero risk is mitigated.