Hanzo KMS Go SDK
If you're working with Go, the official Hanzo KMS Go SDK package is the easiest way to fetch and work with secrets for your application.
Basic Usage
package main
"fmt"
"os"
"context"
kms "github.com/kms/go-sdk"
)
func main() {
client := kms.NewHanzo KMSClient(context.Background(), kms.Config{
SiteUrl: "https://app.kms.hanzo.ai", // Optional, default is https://app.kms.hanzo.ai
AutoTokenRefresh: true, // Wether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
})
_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
if err != nil {
fmt.Printf("Authentication failed: %v", err)
os.Exit(1)
}
apiKeySecret, err := client.Secrets().Retrieve(kms.RetrieveSecretOptions{
SecretKey: "API_KEY",
Environment: "dev",
ProjectID: "YOUR_PROJECT_ID",
SecretPath: "/",
})
if err != nil {
fmt.Printf("Error: %v", err)
os.Exit(1)
}
fmt.Printf("API Key Secret: %v", apiKeySecret)
}This example demonstrates how to use the Hanzo KMS Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.
We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.
Installation
$ go get github.com/kms/go-sdkConfiguration
Import the SDK and create a client instance.
client := kms.NewHanzo KMSClient(context.Background(), kms.Config{
SiteUrl: "https://app.kms.hanzo.ai", // Optional, default is https://api.kms.hanzo.ai
})Configuration Options
The URL of the Hanzo KMS API..
Optionally set the user agent that will be used for HTTP requests. (Not recommended)
Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.
Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
Allows you to pass custom headers to the HTTP requests made by the SDK. Expected format is a map of Header1: Value1, Header2: Value 2.
Automatic token refreshing
The Hanzo KMS Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed.
This behavior is enabled by default, but you can opt-out by setting AutoTokenRefresh to false in the client settings.
client := kms.NewHanzo KMSClient(context.Background(), kms.Config{
AutoTokenRefresh: false, // <- Disable automatic token refreshing
})When using automatic token refreshing it's important to understand how your application uses the Infiiscal client. If you are instantiating new instances of the client often, it's important to cancel the context when the client is no longer needed to avoid the token refreshing process from running indefinitely.
ctx, cancel := context.WithCancel(context.Background())
defer cancel() // Cancel the context when the client is no longer needed
client := kms.NewHanzo KMSClient(ctx, kms.Config{
AutoTokenRefresh: true,
})
// Use the clientThis is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle. If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don't need to worry about this.
Authentication
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Universal Auth
Using environment variables
Call .Auth().UniversalAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_UNIVERSAL_AUTH_CLIENT_ID- Your machine identity client ID.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET- Your machine identity client secret.
Using the SDK directly
_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
fmt.Println(err)
os.Exit(1)
}GCP ID Token Auth
Please note that this authentication method will only work if you're running your application on Google Cloud Platform. Please read more about this authentication method.
Using environment variables
Call .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_GCP_AUTH_IDENTITY_ID- Your Hanzo KMS Machine Identity ID.
Using the SDK directly
_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}GCP IAM Auth
Using environment variables
Call .Auth().GcpIamAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_GCP_IAM_AUTH_IDENTITY_ID- Your Hanzo KMS Machine Identity ID.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH- The path to your GCP service account key file.
Using the SDK directly
_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}AWS IAM Auth
Please note that this authentication method will only work if you're running your application on AWS. Please read more about this authentication method.
Using environment variables
Call .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AWS_IAM_AUTH_IDENTITY_ID- Your Hanzo KMS Machine Identity ID.
Using the SDK directly
_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}Azure Auth
Please note that this authentication method will only work if you're running your application on Azure. Please read more about this authentication method.
Using environment variables
Call .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AZURE_AUTH_IDENTITY_ID- Your Hanzo KMS Machine Identity ID.
Using the SDK directly
_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}Kubernetes Auth
Please note that this authentication method will only work if you're running your application on Kubernetes. Please read more about this authentication method.
Using environment variables
Call .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_KUBERNETES_IDENTITY_ID- Your Hanzo KMS Machine Identity ID.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME- The environment variable name that contains the path to the service account token. This is optional and will default to/var/run/secrets/kubernetes.io/serviceaccount/token.
Using the SDK directly
// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}JWT Auth
Please note that this authentication method requires a valid JWT token from your JWT issuer. Please read more about this authentication method.
Using the SDK
credential, err := client.Auth().JwtAuthLogin("MACHINE_IDENTITY_ID", "JWT_TOKEN")
if err != nil {
fmt.Println(err)
os.Exit(1)
}LDAP Auth
Please note that this authentication method requires LDAP credentials. Please read more about this authentication method.
Using environment variables
You can set the INFISICAL_LDAP_AUTH_IDENTITY_ID environment variable and pass empty string for the identity ID:
credential, err := client.Auth().LdapAuthLogin("", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}Using the SDK directly
credential, err := client.Auth().LdapAuthLogin("MACHINE_IDENTITY_ID", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}OCI Auth
Please note that this authentication method will only work if you're running your application on Oracle Cloud Infrastructure. Please read more about this authentication method.
Using environment variables
You can set the INFISICAL_OCI_AUTH_IDENTITY_ID environment variable and omit the IdentityID field:
credential, err := client.Auth().OciAuthLogin(kms.OciAuthLoginOptions{
UserID: "USER_OCID",
TenancyID: "TENANCY_OCID",
Fingerprint: "FINGERPRINT",
PrivateKey: "PRIVATE_KEY",
Region: "REGION",
})
if err != nil {
fmt.Println(err)
os.Exit(1)
}Using the SDK directly
credential, err := client.Auth().OciAuthLogin(kms.OciAuthLoginOptions{
IdentityID: "MACHINE_IDENTITY_ID",
UserID: "USER_OCID",
TenancyID: "TENANCY_OCID",
Fingerprint: "FINGERPRINT",
PrivateKey: "PRIVATE_KEY",
Region: "REGION",
Passphrase: nil, // Optional: pointer to string if your private key has a passphrase
})
if err != nil {
fmt.Println(err)
os.Exit(1)
}OciAuthLoginOptions fields:
IdentityID(string) - Your Hanzo KMS Machine Identity ID. Can be set viaINFISICAL_OCI_AUTH_IDENTITY_IDenvironment variable.UserID(string) - Your OCI user OCID.TenancyID(string) - Your OCI tenancy OCID.Fingerprint(string) - Your OCI API key fingerprint.PrivateKey(string) - Your OCI private key (PEM format).Region(string) - Your OCI region (e.g.,us-ashburn-1).Passphrase(*string) - Optional: pointer to passphrase string if your private key is encrypted.
Organization Authentication
All SDK authentication methods support logging into a sub-organization that your machine identity has access to. This is optional and only necessary when attempting to authenticate into a sub-organization using an identity created at the root organization.
Use the .Auth().WithOrganizationSlug("<organization-slug>") method to specify which organization to authenticate against:
_, err := client.Auth().WithOrganizationSlug("ORGANIZATION_SLUG").UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
fmt.Println(err)
os.Exit(1)
}If no organization slug is provided, the authentication session defaults to the organization where the machine identity was originally created.
Secrets
List Secrets
client.Secrets().List(options)
Retrieve all secrets within the Hanzo KMS project and environment that client is connected to.
secrets, err := client.Secrets().List(kms.ListSecretsOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretPath: "/foo/bar",
AttachToProcessEnv: false,
})Parameters
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The project ID where the secret lives in.
The path from where secrets should be fetched from.
Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so System.getenv("SECRET_NAME").
Whether or not to include imported secrets from the current path. Read about secret import
Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
Whether or not to expand secret references in the fetched secrets. Read about secret reference
Retrieve Secret
client.Secrets().Retrieve(options)
Retrieve a secret from Hanzo KMS. By default Secrets().Retrieve() fetches and returns a shared secret.
secret, err := client.Secrets().Retrieve(kms.RetrieveSecretOptions{
SecretKey: "API_KEY",
ProjectID: "PROJECT_ID",
Environment: "dev",
})Parameters
The key of the secret to retrieve.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be fetched from.
The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
The version of the secret to retrieve.
Create Secret
client.Secrets().Create(options)
Create a new secret in Hanzo KMS.
secret, err := client.Secrets().Create(kms.CreateSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "NEW_SECRET_KEY",
SecretValue: "NEW_SECRET_VALUE",
SecretComment: "This is a new secret",
})Parameters
The key of the secret to create.
The value of the secret.
A comment for the secret.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be created.
The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
Update Secret
client.Secrets().Update(options)
Update an existing secret in Hanzo KMS.
secret, err := client.Secrets().Update(kms.UpdateSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "NEW_SECRET_KEY",
NewSecretValue: "NEW_SECRET_VALUE",
NewSkipMultilineEncoding: false,
})Parameters
The key of the secret to update.
The new value of the secret.
Whether or not to skip multiline encoding for the new secret value.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be updated.
The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
Delete Secret
client.Secrets().Delete(options)
Delete a secret in Hanzo KMS.
secret, err := client.Secrets().Delete(kms.DeleteSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "SECRET_KEY",
})Parameters
The key of the secret to update.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be deleted.
The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
Batch Create Secrets
client.Secrets().Batch().Create(options)
Create multiple secrets in Hanzo KMS.
createdSecrets, err := client.Secrets().Batch().Create(kms.BatchCreateSecretsOptions{
Environment: "<environment-slug>",
SecretPath: "<secret-path>",
ProjectID: "<project-id>",
Secrets: []kms.BatchCreateSecret{
{
SecretKey: "SECRET-1",
SecretValue: "test-value-1",
},
{
SecretKey: "SECRET-2",
SecretValue: "test-value-2",
},
},
})Parameters
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The project ID where the secret lives in.
The path from where secret should be created.
The key of the secret to create.
The value of the secret.
The comment to add to the secret.
Whether or not to skip multiline encoding for the secret value.
The tag IDs to associate with the secret.
The key of the metadata.
The value of the metadata.
Folders
List Folders
client.Folders().List(options)
Retrieve all within the Hanzo KMS project and environment that client is connected to.
folders, err := client.Folders().List(kms.ListFoldersOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
})Parameters
The slug name (dev, prod, etc) of the environment from where folders should be fetched from.
The project ID where the folder lives in.
The path from where folders should be fetched from.
Create Folder
client.Folders().Create(options)
Create a new folder in Hanzo KMS.
folder, err := client.Folders().Create(kms.CreateFolderOptions{
ProjectID: "PROJECT_ID",
Name: "new=folder-name",
Environment: "dev",
Path: "/",
})Parameters
The ID of the project where the folder will be created.
The slug name (dev, prod, etc) of the environment where the folder will be created.
The path to create the folder in. The root path is /.
The name of the folder to create.
Update Folder
client.Folders().Update(options)
Update an existing folder in Hanzo KMS.
folder, err := client.Folders().Update(kms.UpdateFolderOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
FolderID: "FOLDER_ID_TO_UPDATE",
NewName: "new-folder-name",
})Parameters
The ID of the project where the folder will be updated.
The slug name (dev, prod, etc) of the environment from where the folder lives in.
The path from where the folder should be updated.
The ID of the folder to update.
The new name of the folder.
Delete Folder
client.Folders().Delete(options)
Delete a folder in Hanzo KMS.
deletedFolder, err := client.Folders().Delete(kms.DeleteFolderOptions{
// Either folder ID or folder name is required.
FolderName: "name-of-folder-to-delete",
FolderID: "folder-id-to-delete",
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
})Parameters
The name of the folder to delete. Note that either FolderName or FolderID is required.
The ID of the folder to delete. Note that either FolderName or FolderID is required.
The ID of the project where the folder lives in.
The slug name (dev, prod, etc) of the environment from where the folder lives in.
The path from where the folder should be deleted.
KMS
Create Key
client.Kms().Keys().Create(options)
Create a new key in Hanzo KMS.
newKey, err := client.Kms().Keys().Create(kms.KmsCreateKeyOptions{
KeyUsage: "<sign-verify>|<encrypt-decrypt>",
Description: "<key-description>",
Name: "<key-name>",
EncryptionAlgorithm: "<rsa-4096>|<ecc-nist-p256>|<aes-256-gcm>|<aes-128-gcm>",
ProjectId: "<project-id>",
})Parameters
The usage of the key. Valid options are sign-verify or encrypt-decrypt.
The usage dictates what the key can be used for.
The description of the key.
The name of the key.
The encryption algorithm of the key.
Valid options for Signing/Verifying keys are:
rsa-4096ecc-nist-p256
Valid options for Encryption/Decryption keys are:
aes-256-gcmaes-128-gcm
The ID of the project where the key will be created.
Return (object)
The ID of the key that was created.
The name of the key that was created.
The description of the key that was created.
Whether or not the key is disabled.
The ID of the organization that the key belongs to.
The ID of the project that the key belongs to.
The intended usage of the key that was created.
The encryption algorithm of the key that was created.
The version of the key that was created.
Delete Key
client.Kms().Keys().Delete(options)
Delete a key in Hanzo KMS.
deletedKey, err = client.Kms().Keys().Delete(kms.KmsDeleteKeyOptions{
KeyId: "<key-id>",
})Parameters
The ID of the key to delete.
Return (object)
The ID of the key that was deleted
The name of the key that was deleted.
The description of the key that was deleted.
Whether or not the key is disabled.
The ID of the organization that the key belonged to.
The ID of the project that the key belonged to.
The intended usage of the key that was deleted.
The encryption algorithm of the key that was deleted.
The version of the key that was deleted.
Signing Data
client.Kms().Signing().Sign(options)
Sign data in Hanzo KMS.
res, err := client.Kms().Signing().SignData(kms.KmsSignDataOptions{
KeyId: "<key-id>",
Data: "<data-to-sign>", // Must be a base64 encoded string.
SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
})Parameters
The ID of the key to sign the data with.
The data to sign. Must be a base64 encoded string.
Whether the data is already digested or not.
The signing algorithm to use. You must use a signing algorithm that matches the key usage.
If you are unsure about which signing algorithms are available for your key, you can use the client.Kms().Signing().ListSigningAlgorithms() method. It will return an array of signing algorithms that are available for your key.
Valid options for RSA 4096 keys are:
RSASSA_PSS_SHA_512RSASSA_PSS_SHA_384RSASSA_PSS_SHA_256RSASSA_PKCS1_V1_5_SHA_512RSASSA_PKCS1_V1_5_SHA_384RSASSA_PKCS1_V1_5_SHA_256
Valid options for ECC NIST P256 keys are:
ECDSA_SHA_512ECDSA_SHA_384ECDSA_SHA_256
Return ([]byte)
The signature of the data that was signed.
Verifying Data
client.Kms().Signing().Verify(options)
Verify data in Hanzo KMS.
res, err := client.Kms().Signing().Verify(kms.KmsVerifyDataOptions{
KeyId: "<key-id>",
Data: "<data-to-verify>", // Must be a base64 encoded string.
SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
})Parameters
The ID of the key to verify the data with.
The data to verify. Must be a base64 encoded string.
Whether the data is already digested or not.
The signing algorithm that was used to sign the data.
Return (object)
Whether or not the data is valid.
The ID of the key that was used to verify the data.
The signing algorithm that was used to verify the data.
List Signing Algorithms
client.Kms().Signing().ListSigningAlgorithms(options)
List signing algorithms in Hanzo KMS.
res, err := client.Kms().Signing().ListSigningAlgorithms(kms.KmsListSigningAlgorithmsOptions{
KeyId: "<key-id>",
})Parameters
The ID of the key to list signing algorithms for.
Return ([]string)
The signing algorithms that are available for the key.
Get Public Key
This method is only available for keys with key usage sign-verify. If you
attempt to use this method on a key that is intended for
encryption/decryption, it will return an error.
client.Kms().Signing().GetPublicKey(options)
Get the public key in Hanzo KMS.
publicKey, err := client.Kms().Signing().GetPublicKey(kms.KmsGetPublicKeyOptions{
KeyId: "<key-id>",
})Parameters
The ID of the key to get the public key for.
Return (string)
The public key for the key.
Encrypt Data
client.Kms().Encryption().Encrypt(options)
Encrypt data with a key in Hanzo KMS.
res, err := client.Kms().EncryptData(kms.KmsEncryptDataOptions{
KeyId: "<key-id>",
Plaintext: "<data-to-encrypt>",
})Parameters
The ID of the key to encrypt the data with.
Return (string)
The encrypted data.
Decrypt Data
client.Kms().DecryptData(options)
Decrypt data with a key in Hanzo KMS.
res, err := client.Kms().DecryptData(kms.KmsDecryptDataOptions{
KeyId: "<key-id>",
Ciphertext: "<encrypted-data>",
})Parameters
The ID of the key to decrypt the data with.
The encrypted data to decrypt.
Return (string)
The decrypted data.
How is this guide?
Last updated on