Infisical
Overview
Sezione intitolata “Overview”Infisical is an open-source secrets management platform designed for teams to securely sync secrets, API keys, and configurations across environments and infrastructure. It provides enterprise-grade features like secret rotation, dynamic secrets, PKI/certificate management, audit logging, and integrations with major cloud platforms and CI/CD systems.
Installation
Sezione intitolata “Installation”Docker Compose (Self-Hosted)
Sezione intitolata “Docker Compose (Self-Hosted)”# Clone Infisical repository
git clone https://github.com/Infisical/infisical.git
cd infisical
# Using Docker Compose
docker-compose up -d
# Access at http://localhost:8080Kubernetes Deployment
Sezione intitolata “Kubernetes Deployment”# Add Helm repository
helm repo add infisical https://infisical.com/helm-charts
helm repo update
# Install Infisical
helm install infisical infisical/infisical \
--namespace infisical \
--create-namespace \
-f values.yaml
# Verify deployment
kubectl get pods -n infisicalCloud-Hosted
Sezione intitolata “Cloud-Hosted”# Sign up at https://app.infisical.com
# Create account via email or OAuth (GitHub, Google, GitLab)
# No installation requiredCLI Setup and Authentication
Sezione intitolata “CLI Setup and Authentication”Install Infisical CLI
Sezione intitolata “Install Infisical CLI”# macOS (Homebrew)
brew install infisical
# Linux
curl -1sLf 'https://dl.infisical.com/install.sh' | sudo -E bash
sudo apt-get update && sudo apt-get install infisical
# Windows (Scoop)
scoop install infisical
# Verify installation
infisical --versionAuthentication
Sezione intitolata “Authentication”# Login to Infisical
infisical login
# Follow browser prompt to authorize
# Token stored in ~/.infisical/credentials
# Login with service token (CI/CD)
infisical login --service-token <SERVICE_TOKEN>
# Check authentication status
infisical statusProject and Environment Management
Sezione intitolata “Project and Environment Management”Project Operations
Sezione intitolata “Project Operations”# List projects
infisical projects list
# Create project
infisical projects create --name "my-project"
# Switch project context
infisical projects use <PROJECT_ID>
# Get project details
infisical projects get
# Delete project
infisical projects delete <PROJECT_ID>Environment Management
Sezione intitolata “Environment Management”# List environments
infisical env list
# Create environment
infisical env create --name "staging"
# Rename environment
infisical env rename --name "staging" --new-name "stage"
# Delete environment
infisical env delete --name "staging"
# Set working environment
infisical env use "production"Secret Creation and Management
Sezione intitolata “Secret Creation and Management”Basic Secret Operations
Sezione intitolata “Basic Secret Operations”# Create secret
infisical secrets create \
--path "/api" \
--key "DATABASE_URL" \
--value "postgres://user:pass@localhost:5432/db"
# List secrets
infisical secrets list --path "/api"
# Get secret value
infisical secrets get --key "DATABASE_URL"
# Update secret
infisical secrets update \
--key "API_KEY" \
--value "new-api-key-value"
# Delete secret
infisical secrets delete --key "OLD_SECRET"
# Retrieve in JSON format
infisical secrets list --jsonSecret Paths and Organization
Sezione intitolata “Secret Paths and Organization”# Create secrets in specific paths
infisical secrets create \
--path "/database" \
--key "USERNAME" \
--value "admin"
# List secrets by path
infisical secrets list --path "/database"
# List all secrets recursively
infisical secrets list --recursive
# Create secrets with tags
infisical secrets create \
--key "SECRET" \
--value "value" \
--tags "production,critical"Bulk Operations
Sezione intitolata “Bulk Operations”# Pull all secrets to .env file
infisical secrets pull --outFile .env
# Export to JSON
infisical secrets pull --outFile secrets.json --jsonFormat
# Push secrets from file
infisical secrets push --envFile .envSecret Rotation
Sezione intitolata “Secret Rotation”Automatic Secret Rotation
Sezione intitolata “Automatic Secret Rotation”# Enable secret rotation
infisical secret-rotation create \
--secret-key "DATABASE_PASSWORD" \
--rotation-interval "30 days"
# List active rotations
infisical secret-rotation list
# Manually trigger rotation
infisical secret-rotation trigger \
--rotation-id "<ROTATION_ID>"
# Update rotation policy
infisical secret-rotation update \
--rotation-id "<ROTATION_ID>" \
--rotation-interval "7 days"
# Disable rotation
infisical secret-rotation disable \
--rotation-id "<ROTATION_ID>"Database Credential Rotation
Sezione intitolata “Database Credential Rotation”# Rotate PostgreSQL credentials
infisical secret-rotation create \
--type "postgres" \
--host "db.example.com" \
--port "5432" \
--username "admin" \
--rotation-interval "30 days"
# Rotate MySQL credentials
infisical secret-rotation create \
--type "mysql" \
--host "mysql.example.com" \
--rotation-interval "14 days"
# Rotate MongoDB credentials
infisical secret-rotation create \
--type "mongodb" \
--connection-string "mongodb+srv://..." \
--rotation-interval "30 days"Dynamic Secrets
Sezione intitolata “Dynamic Secrets”Create Dynamic Secrets
Sezione intitolata “Create Dynamic Secrets”# Generate temporary AWS credentials
infisical dynamic-secrets create \
--type "aws" \
--name "aws-temp" \
--aws-access-key-id "<KEY>" \
--aws-secret-access-key "<SECRET>" \
--ttl "1h"
# Generate temporary database credentials
infisical dynamic-secrets create \
--type "postgres" \
--name "db-temp" \
--db-host "db.example.com" \
--db-admin-user "admin" \
--db-admin-password "password" \
--ttl "30m"
# List dynamic secrets
infisical dynamic-secrets list
# Delete dynamic secret
infisical dynamic-secrets delete --name "aws-temp"Consume Dynamic Secrets
Sezione intitolata “Consume Dynamic Secrets”# Retrieve temporary credentials
infisical dynamic-secrets get --name "aws-temp"
# Use in environment
export AWS_ACCESS_KEY_ID=$(infisical dynamic-secrets get --name "aws-temp" --key "access_key")
export AWS_SECRET_ACCESS_KEY=$(infisical dynamic-secrets get --name "aws-temp" --key "secret_key")PKI and Certificate Management
Sezione intitolata “PKI and Certificate Management”Certificate Creation
Sezione intitolata “Certificate Creation”# Create Certificate Authority (CA)
infisical pki create-ca \
--name "my-ca" \
--common-name "example.com" \
--organization "My Organization"
# List CAs
infisical pki list-cas
# Get CA details
infisical pki get-ca --ca-id "<CA_ID>"Certificate Issuance
Sezione intitolata “Certificate Issuance”# Issue certificate
infisical pki issue-cert \
--ca-id "<CA_ID>" \
--common-name "app.example.com" \
--ttl "365 days"
# Issue certificate with alternative names
infisical pki issue-cert \
--ca-id "<CA_ID>" \
--common-name "app.example.com" \
--alt-names "api.example.com,cdn.example.com" \
--ttl "365 days"
# List issued certificates
infisical pki list-certs --ca-id "<CA_ID>"
# Revoke certificate
infisical pki revoke-cert --cert-id "<CERT_ID>"Integrations
Sezione intitolata “Integrations”Kubernetes Integration
Sezione intitolata “Kubernetes Integration”# Create Kubernetes service account
infisical integrations create \
--type "kubernetes" \
--name "k8s-prod" \
--cluster-name "production"
# Deploy Infisical agent
kubectl apply -f infisical-agent.yaml
# Mount secrets as environment variables
spec:
containers:
- name: app
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: infisical-secrets
key: database-urlDocker Integration
Sezione intitolata “Docker Integration”# Create Docker integration
infisical integrations create \
--type "docker" \
--registry "myregistry.azurecr.io" \
--username "registryuser"
# Run container with secrets
docker run \
-e INFISICAL_TOKEN="<SERVICE_TOKEN>" \
-e INFISICAL_PROJECT_ID="<PROJECT_ID>" \
myapp:latestAWS Integration
Sezione intitolata “AWS Integration”# Create AWS Secrets Manager integration
infisical integrations create \
--type "aws-secrets-manager" \
--name "aws-prod" \
--access-key-id "<KEY>" \
--secret-access-key "<SECRET>" \
--region "us-east-1"
# Sync secrets to AWS
infisical integrations sync --integration-id "<INTEGRATION_ID>"
# List AWS integrations
infisical integrations list --type "aws"GCP Integration
Sezione intitolata “GCP Integration”# Create Google Cloud Secret Manager integration
infisical integrations create \
--type "gcp-secret-manager" \
--name "gcp-prod" \
--project-id "<PROJECT_ID>" \
--service-account-json '<SERVICE_ACCOUNT_JSON>'
# Enable automatic sync
infisical integrations update \
--integration-id "<INTEGRATION_ID>" \
--auto-sync trueGitHub Actions Integration
Sezione intitolata “GitHub Actions Integration”# .github/workflows/deploy.yml
name: Deploy
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Fetch secrets from Infisical
uses: infisical/inject-secrets-action@v1
with:
client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
project-id: ${{ secrets.INFISICAL_PROJECT_ID }}
path: /
expand: true
- run: npm install && npm run buildVercel Integration
Sezione intitolata “Vercel Integration”# Create Vercel integration
infisical integrations create \
--type "vercel" \
--name "vercel-prod" \
--access-token "<VERCEL_TOKEN>" \
--project-id "<VERCEL_PROJECT_ID>"
# Auto-sync to Vercel environment
infisical integrations update \
--integration-id "<INTEGRATION_ID>" \
--auto-sync trueNetlify Integration
Sezione intitolata “Netlify Integration”# Create Netlify integration
infisical integrations create \
--type "netlify" \
--name "netlify-prod" \
--access-token "<NETLIFY_TOKEN>" \
--site-id "<NETLIFY_SITE_ID>"Access Control and RBAC
Sezione intitolata “Access Control and RBAC”User Management
Sezione intitolata “User Management”# Invite user to project
infisical access-control invite-user \
--email "dev@example.com" \
--project-id "<PROJECT_ID>" \
--role "developer"
# List project members
infisical access-control list-members
# Update user role
infisical access-control update-member \
--member-id "<MEMBER_ID>" \
--role "admin"
# Remove user
infisical access-control remove-member \
--member-id "<MEMBER_ID>"Role Management
Sezione intitolata “Role Management”# Available roles: admin, member, developer, viewer
# admin: Full project access
# member: Can read/write secrets
# developer: Can read secrets
# viewer: Read-only access
# Create custom role
infisical rbac create-role \
--name "senior-developer" \
--permissions "secrets:read,secrets:write,audit:read"
# List roles
infisical rbac list-roles
# Assign custom role
infisical rbac assign-role \
--user-id "<USER_ID>" \
--role-id "<ROLE_ID>"Environment-Level Access
Sezione intitolata “Environment-Level Access”# Restrict access to specific environments
infisical access-control set-env-permission \
--member-id "<MEMBER_ID>" \
--environment "production" \
--permission "read-only"
# Grant write access to staging
infisical access-control set-env-permission \
--member-id "<MEMBER_ID>" \
--environment "staging" \
--permission "read-write"Audit Logging
Sezione intitolata “Audit Logging”View Audit Logs
Sezione intitolata “View Audit Logs”# List audit logs
infisical audit logs list
# Filter by action
infisical audit logs list --action "secret-read"
# Filter by user
infisical audit logs list --user-id "<USER_ID>"
# Filter by time range
infisical audit logs list \
--start-date "2026-04-01" \
--end-date "2026-04-25"
# Export audit logs
infisical audit logs export --format "csv" --outFile audit.csvAudit Log Events
Sezione intitolata “Audit Log Events”# Track secret operations
# - secret-created
# - secret-updated
# - secret-deleted
# - secret-read
# Track user actions
# - user-invited
# - user-removed
# - member-role-updated
# - member-access-changed
# Track integrations
# - integration-created
# - integration-synced
# - integration-deletedSDK Usage
Sezione intitolata “SDK Usage”Node.js
Sezione intitolata “Node.js”# Install SDK
npm install @infisical/sdk// Import and initialize
const { InfisicalClient } = require("@infisical/sdk");
const client = new InfisicalClient({
clientId: process.env.INFISICAL_CLIENT_ID,
clientSecret: process.env.INFISICAL_CLIENT_SECRET,
});
// Get secret
const secret = await client.getSecret({
secretName: "DATABASE_URL",
projectId: process.env.INFISICAL_PROJECT_ID,
environment: "production",
});
console.log(secret.value);
// Get all secrets
const secrets = await client.getAllSecrets({
projectId: process.env.INFISICAL_PROJECT_ID,
environment: "production",
});
secrets.forEach(secret => {
console.log(`${secret.key}: ${secret.value}`);
});
// Create secret
await client.createSecret({
secretName: "NEW_API_KEY",
secretValue: "secret-value",
projectId: process.env.INFISICAL_PROJECT_ID,
environment: "staging",
});# Install SDK
pip install infisicalfrom infisical import InfisicalClient
# Initialize client
client = InfisicalClient(
client_id=os.getenv("INFISICAL_CLIENT_ID"),
client_secret=os.getenv("INFISICAL_CLIENT_SECRET"),
)
# Get secret
secret = client.get_secret(
secret_name="DATABASE_URL",
project_id=os.getenv("INFISICAL_PROJECT_ID"),
environment="production",
)
print(secret.value)
# Get all secrets
secrets = client.get_all_secrets(
project_id=os.getenv("INFISICAL_PROJECT_ID"),
environment="production",
)
for secret in secrets:
print(f"{secret.key}: {secret.value}")
# Update secret
client.update_secret(
secret_name="API_KEY",
secret_value="updated-value",
project_id=os.getenv("INFISICAL_PROJECT_ID"),
environment="staging",
)# Install SDK
go get -u github.com/infisical/go-sdkpackage main
import (
"fmt"
"os"
"github.com/infisical/go-sdk/client"
)
func main() {
// Initialize client
infisicalClient := client.NewInfisicalClient(
os.Getenv("INFISICAL_CLIENT_ID"),
os.Getenv("INFISICAL_CLIENT_SECRET"),
)
// Get secret
secret, err := infisicalClient.GetSecret(
client.GetSecretOptions{
SecretName: "DATABASE_URL",
ProjectID: os.Getenv("INFISICAL_PROJECT_ID"),
Environment: "production",
},
)
if err != nil {
panic(err)
}
fmt.Println(secret.Value)
// Get all secrets
secrets, err := infisicalClient.GetAllSecrets(
client.GetAllSecretsOptions{
ProjectID: os.Getenv("INFISICAL_PROJECT_ID"),
Environment: "production",
},
)
if err != nil {
panic(err)
}
for _, secret := range secrets {
fmt.Printf("%s: %s\n", secret.Key, secret.Value)
}
}Secret Referencing and Overrides
Sezione intitolata “Secret Referencing and Overrides”Secret Variables
Sezione intitolata “Secret Variables”# Create interpolated secret
infisical secrets create \
--key "DATABASE_CONNECTION" \
--value "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:5432/db"
# Reference secrets in other secrets
infisical secrets create \
--key "APP_URL" \
--value "https://${DOMAIN}/app"Environment-Specific Overrides
Sezione intitolata “Environment-Specific Overrides”# Base secret in shared path
infisical secrets create \
--path "/shared" \
--key "LOG_LEVEL" \
--value "info"
# Override in development
infisical secrets create \
--path "/development" \
--key "LOG_LEVEL" \
--value "debug"
# Override in production
infisical secrets create \
--path "/production" \
--key "LOG_LEVEL" \
--value "error"Secret Inheritance
Sezione intitolata “Secret Inheritance”# List with inheritance
infisical secrets list --show-overrides
# Pull with resolved values
infisical secrets pull --outFile .env.productionWebhooks and Event Triggers
Sezione intitolata “Webhooks and Event Triggers”Create Webhooks
Sezione intitolata “Create Webhooks”# Create webhook for secret changes
infisical webhooks create \
--name "slack-notification" \
--url "https://hooks.slack.com/services/YOUR/WEBHOOK/URL" \
--events "secret-created,secret-updated" \
--active true
# List webhooks
infisical webhooks list
# Update webhook
infisical webhooks update \
--webhook-id "<WEBHOOK_ID>" \
--events "secret-deleted" \
--active false
# Delete webhook
infisical webhooks delete --webhook-id "<WEBHOOK_ID>"Event Types
Sezione intitolata “Event Types”Available events:
- secret-created
- secret-updated
- secret-deleted
- integration-synced
- user-invited
- user-removed
- certificate-issued
- certificate-revokedWebhook Payload
Sezione intitolata “Webhook Payload”{
"event": "secret-updated",
"timestamp": "2026-04-25T10:30:00Z",
"projectId": "proj_123",
"environment": "production",
"secretKey": "API_KEY",
"user": {
"id": "user_456",
"email": "dev@example.com"
}
}Best Practices
Sezione intitolata “Best Practices”| Practice | Description |
|---|---|
| Service Tokens | Use for CI/CD and server-to-server auth, never embed personal tokens |
| Secret Rotation | Enable automatic rotation for credentials; set appropriate intervals |
| Audit Logs | Regularly review logs for unauthorized access or suspicious activity |
| RBAC | Follow principle of least privilege; assign minimal required permissions |
| Path Organization | Use consistent path structure (e.g., /database, /api, /external-services) |
| Environment Separation | Keep secrets isolated by environment; use overrides for environment-specific values |
| Backup | Regularly backup encryption keys and certificates for disaster recovery |
| Monitoring | Set up webhooks to monitor secret creation, updates, and deletions |
| Documentation | Document secret naming conventions and rotation policies for team consistency |