Hanzo
PlatformHanzo KMSSDKsLanguages

Hanzo KMS Ruby SDK

If you're working with Ruby, the official Hanzo KMS Ruby SDK package is the easiest way to fetch and work with secrets for your application.

Deprecation Notice

All versions prior to 2.3.9 should be considered deprecated and are no longer supported by Hanzo KMS. Please update to version 2.3.9 or newer. All changes are fully backwards compatible with older versions.

Basic Usage

require 'kms-sdk'

# 1. Create the Hanzo KMS client
kms = Hanzo KMSSDK::Hanzo KMSClient.new('https://app.kms.hanzo.ai')

kms.auth.universal_auth(client_id: 'YOUR_CLIENT_ID', client_secret: 'YOUR_CLIENT_SECRET')

test_secret = kms.secrets.get(
  secret_name: 'API_KEY',
  project_id: 'project-id',
  environment: 'dev'
)
puts "Secret: #{single_test_secret}"

This example demonstrates how to use the Hanzo KMS Ruby SDK in a simple Ruby application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

$ gem install kms-sdk

Configuration

Import the SDK and create a client instance.

kms = Hanzo KMSSDK::Hanzo KMSClient.new('https://app.kms.hanzo.ai') # Optional parameter, default is https://api.kms.hanzo.ai

Client parameters

The URL of the Hanzo KMS API. Default is https://api.kms.hanzo.ai.

How long the client should cache secrets for. Default is 5 minutes. Disable by setting to 0.

Authentication

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.

Universal Auth

Using environment variables

Call auth.universal_auth() with empty arguments to use the following environment variables:

  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.

Using the SDK directly

kms.auth.universal_auth(client_id: 'your-client-id', client_secret: 'your-client-secret')

GCP ID Token Auth

Please note that this authentication method will only work if you're running your application on Google Cloud Platform. Please read more about this authentication method.

Using environment variables

Call .auth.gcp_id_token_auth() with empty arguments to use the following environment variables:

  • INFISICAL_GCP_AUTH_IDENTITY_ID - Your Hanzo KMS Machine Identity ID.

Using the SDK directly

kms.auth.gcp_id_token_auth(identity_id: 'MACHINE_IDENTITY_ID')

GCP IAM Auth

Using environment variables

Call .auth.gcp_iam_auth() with empty arguments to use the following environment variables:

  • INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Hanzo KMS Machine Identity ID.
  • INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.

Using the SDK directly

kms.auth.gcp_iam_auth(identity_id: 'MACHINE_IDENTITY_ID', service_account_key_file_path: 'SERVICE_ACCOUNT_KEY_FILE_PATH')

AWS IAM Auth

Please note that this authentication method will only work if you're running your application on AWS. Please read more about this authentication method.

Using environment variables

Call .auth.aws_iam_auth() with empty arguments to use the following environment variables:

  • INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Hanzo KMS Machine Identity ID.

Using the SDK directly

kms.auth.aws_iam_auth(identity_id: 'MACHINE_IDENTITY_ID')

Azure Auth

Please note that this authentication method will only work if you're running your application on Azure. Please read more about this authentication method.

Using environment variables

Call .auth.azure_auth() with empty arguments to use the following environment variables:

  • INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Hanzo KMS Machine Identity ID.

Using the SDK directly

kms.auth.azure_auth(identity_id: 'MACHINE_IDENTITY_ID')

Kubernetes Auth

Please note that this authentication method will only work if you're running your application on Kubernetes. Please read more about this authentication method.

Using environment variables

Call .auth.kubernetes_auth() with empty arguments to use the following environment variables:

  • INFISICAL_KUBERNETES_IDENTITY_ID - Your Hanzo KMS Machine Identity ID.
  • INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.

Using the SDK directly

# Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
kms.auth.kubernetes_auth(identity_id: 'MACHINE_IDENTITY_ID', service_account_token_path: nil)

Working with Secrets

client.secrets.list(options)

secrets = kms.secrets.list(
  project_id: 'PROJECT_ID',
  environment: 'dev',
  path: '/foo/bar',
)

Retrieve all secrets within the Hanzo KMS project and environment that client is connected to

Parameters

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

The project ID where the secret lives in.

The path from where secrets should be fetched from.

Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so System.getenv("SECRET_NAME").

Whether or not to include imported secrets from the current path. Read about secret import

Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.

Whether or not to expand secret references in the fetched secrets. Read about secret reference

client.secrets.get(options)

secret = kms.secrets.get(
  secret_name: 'API_KEY',
  project_id: project_id,
  environment: env_slug
)

Retrieve a secret from Hanzo KMS.

By default, Secrets().Retrieve() fetches and returns a shared secret.

Parameters

The key of the secret to retrieve.

The project ID where the secret lives in.

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

The path from where secret should be fetched from.

The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

client.secrets.create(options)

new_secret = kms.secrets.create(
  secret_name: 'NEW_SECRET',
  secret_value: 'SECRET_VALUE',
  project_id: 'PROJECT_ID',
  environment: 'dev',
)

Create a new secret in Hanzo KMS.

Parameters

The key of the secret to create.

The value of the secret.

A comment for the secret.

The project ID where the secret lives in.

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

The path from where secret should be created.

The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

client.secrets.update(options)

updated_secret = kms.secrets.update(
  secret_name: 'SECRET_KEY_TO_UPDATE',
  secret_value: 'NEW_SECRET_VALUE',
  project_id: 'PROJECT_ID',
  environment: 'dev',
)

Update an existing secret in Hanzo KMS.

Parameters

The key of the secret to update.

The new value of the secret.

Whether or not to skip multiline encoding for the new secret value.

The project ID where the secret lives in.

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

The path from where secret should be updated.

The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

client.secrets.delete(options)

deleted_secret = kms.secrets.delete(
  secret_name: 'SECRET_TO_DELETE',
  project_id: 'PROJECT_ID',
  environment: 'dev',
)

Delete a secret in Hanzo KMS.

Parameters

The key of the secret to update.

The project ID where the secret lives in.

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

The path from where secret should be deleted.

The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

Cryptography

Create a symmetric key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

key = kms.cryptography.create_symmetric_key

Returns (string)

key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

Encrypt symmetric

encrypted_data = kms.cryptography.encrypt_symmetric(data: "Hello World!", key: key)

Parameters

The plaintext you want to encrypt.

The symmetric key to use for encryption.

Returns (object)

tag (string): A base64-encoded, 128-bit authentication tag. iv (string): A base64-encoded, 96-bit initialization vector. ciphertext (string): A base64-encoded, encrypted ciphertext.

Decrypt symmetric

decrypted_data = kms.cryptography.decrypt_symmetric(
  ciphertext: encrypted_data['ciphertext'],
  iv: encrypted_data['iv'],
  tag: encrypted_data['tag'],
  key: key
)

Parameters

The ciphertext you want to decrypt.

The symmetric key to use for encryption.

The initialization vector to use for decryption.

The authentication tag to use for decryption.

Returns (string)

Plaintext (string): The decrypted plaintext.

How is this guide?

Last updated on

Hanzo KMS Java SDK

Hanzo KMS .NET SDK

On this page

Basic Usage
Installation
Configuration
Client parameters
Authentication
Universal Auth
GCP ID Token Auth
GCP IAM Auth
AWS IAM Auth
Azure Auth
Kubernetes Auth
Working with Secrets
client.secrets.list(options)
Parameters
client.secrets.get(options)
Parameters
client.secrets.create(options)
Parameters
client.secrets.update(options)
Parameters
client.secrets.delete(options)
Parameters
Cryptography
Create a symmetric key
Returns (string)
Encrypt symmetric
Parameters
Returns (object)
Decrypt symmetric
Parameters
Returns (string)