Infisical

Overview

Infisical is an open-source secrets management platform designed for teams to securely sync secrets, API keys, and configurations across environments and infrastructure. It provides enterprise-grade features like secret rotation, dynamic secrets, PKI/certificate management, audit logging, and integrations with major cloud platforms and CI/CD systems.

Installation

Docker Compose (Self-Hosted)

# Clone Infisical repository
git clone https://github.com/Infisical/infisical.git
cd infisical

# Using Docker Compose
docker-compose up -d

# Access at http://localhost:8080

Kubernetes Deployment

# Add Helm repository
helm repo add infisical https://infisical.com/helm-charts
helm repo update

# Install Infisical
helm install infisical infisical/infisical \
  --namespace infisical \
  --create-namespace \
  -f values.yaml

# Verify deployment
kubectl get pods -n infisical

Cloud-Hosted

# Sign up at https://app.infisical.com
# Create account via email or OAuth (GitHub, Google, GitLab)
# No installation required

CLI Setup and Authentication

Install Infisical CLI

# macOS (Homebrew)
brew install infisical

# Linux
curl -1sLf 'https://dl.infisical.com/install.sh' | sudo -E bash
sudo apt-get update && sudo apt-get install infisical

# Windows (Scoop)
scoop install infisical

# Verify installation
infisical --version

Authentication

# Login to Infisical
infisical login

# Follow browser prompt to authorize
# Token stored in ~/.infisical/credentials

# Login with service token (CI/CD)
infisical login --service-token <SERVICE_TOKEN>

# Check authentication status
infisical status

Project and Environment Management

Project Operations

# List projects
infisical projects list

# Create project
infisical projects create --name "my-project"

# Switch project context
infisical projects use <PROJECT_ID>

# Get project details
infisical projects get

# Delete project
infisical projects delete <PROJECT_ID>

Environment Management

# List environments
infisical env list

# Create environment
infisical env create --name "staging"

# Rename environment
infisical env rename --name "staging" --new-name "stage"

# Delete environment
infisical env delete --name "staging"

# Set working environment
infisical env use "production"

Secret Creation and Management

Basic Secret Operations

# Create secret
infisical secrets create \
  --path "/api" \
  --key "DATABASE_URL" \
  --value "postgres://user:pass@localhost:5432/db"

# List secrets
infisical secrets list --path "/api"

# Get secret value
infisical secrets get --key "DATABASE_URL"

# Update secret
infisical secrets update \
  --key "API_KEY" \
  --value "new-api-key-value"

# Delete secret
infisical secrets delete --key "OLD_SECRET"

# Retrieve in JSON format
infisical secrets list --json

Secret Paths and Organization

# Create secrets in specific paths
infisical secrets create \
  --path "/database" \
  --key "USERNAME" \
  --value "admin"

# List secrets by path
infisical secrets list --path "/database"

# List all secrets recursively
infisical secrets list --recursive

# Create secrets with tags
infisical secrets create \
  --key "SECRET" \
  --value "value" \
  --tags "production,critical"

Bulk Operations

# Pull all secrets to .env file
infisical secrets pull --outFile .env

# Export to JSON
infisical secrets pull --outFile secrets.json --jsonFormat

# Push secrets from file
infisical secrets push --envFile .env

Secret Rotation

Automatic Secret Rotation

# Enable secret rotation
infisical secret-rotation create \
  --secret-key "DATABASE_PASSWORD" \
  --rotation-interval "30 days"

# List active rotations
infisical secret-rotation list

# Manually trigger rotation
infisical secret-rotation trigger \
  --rotation-id "<ROTATION_ID>"

# Update rotation policy
infisical secret-rotation update \
  --rotation-id "<ROTATION_ID>" \
  --rotation-interval "7 days"

# Disable rotation
infisical secret-rotation disable \
  --rotation-id "<ROTATION_ID>"

Database Credential Rotation

# Rotate PostgreSQL credentials
infisical secret-rotation create \
  --type "postgres" \
  --host "db.example.com" \
  --port "5432" \
  --username "admin" \
  --rotation-interval "30 days"

# Rotate MySQL credentials
infisical secret-rotation create \
  --type "mysql" \
  --host "mysql.example.com" \
  --rotation-interval "14 days"

# Rotate MongoDB credentials
infisical secret-rotation create \
  --type "mongodb" \
  --connection-string "mongodb+srv://..." \
  --rotation-interval "30 days"

Dynamic Secrets

Create Dynamic Secrets

# Generate temporary AWS credentials
infisical dynamic-secrets create \
  --type "aws" \
  --name "aws-temp" \
  --aws-access-key-id "<KEY>" \
  --aws-secret-access-key "<SECRET>" \
  --ttl "1h"

# Generate temporary database credentials
infisical dynamic-secrets create \
  --type "postgres" \
  --name "db-temp" \
  --db-host "db.example.com" \
  --db-admin-user "admin" \
  --db-admin-password "password" \
  --ttl "30m"

# List dynamic secrets
infisical dynamic-secrets list

# Delete dynamic secret
infisical dynamic-secrets delete --name "aws-temp"

Consume Dynamic Secrets

# Retrieve temporary credentials
infisical dynamic-secrets get --name "aws-temp"

# Use in environment
export AWS_ACCESS_KEY_ID=$(infisical dynamic-secrets get --name "aws-temp" --key "access_key")
export AWS_SECRET_ACCESS_KEY=$(infisical dynamic-secrets get --name "aws-temp" --key "secret_key")

PKI and Certificate Management

Certificate Creation

# Create Certificate Authority (CA)
infisical pki create-ca \
  --name "my-ca" \
  --common-name "example.com" \
  --organization "My Organization"

# List CAs
infisical pki list-cas

# Get CA details
infisical pki get-ca --ca-id "<CA_ID>"

Certificate Issuance

# Issue certificate
infisical pki issue-cert \
  --ca-id "<CA_ID>" \
  --common-name "app.example.com" \
  --ttl "365 days"

# Issue certificate with alternative names
infisical pki issue-cert \
  --ca-id "<CA_ID>" \
  --common-name "app.example.com" \
  --alt-names "api.example.com,cdn.example.com" \
  --ttl "365 days"

# List issued certificates
infisical pki list-certs --ca-id "<CA_ID>"

# Revoke certificate
infisical pki revoke-cert --cert-id "<CERT_ID>"

Integrations

Kubernetes Integration

# Create Kubernetes service account
infisical integrations create \
  --type "kubernetes" \
  --name "k8s-prod" \
  --cluster-name "production"

# Deploy Infisical agent
kubectl apply -f infisical-agent.yaml

# Mount secrets as environment variables
spec:
  containers:
  - name: app
    env:
    - name: DATABASE_URL
      valueFrom:
        secretKeyRef:
          name: infisical-secrets
          key: database-url

Docker Integration

# Create Docker integration
infisical integrations create \
  --type "docker" \
  --registry "myregistry.azurecr.io" \
  --username "registryuser"

# Run container with secrets
docker run \
  -e INFISICAL_TOKEN="<SERVICE_TOKEN>" \
  -e INFISICAL_PROJECT_ID="<PROJECT_ID>" \
  myapp:latest

AWS Integration

# Create AWS Secrets Manager integration
infisical integrations create \
  --type "aws-secrets-manager" \
  --name "aws-prod" \
  --access-key-id "<KEY>" \
  --secret-access-key "<SECRET>" \
  --region "us-east-1"

# Sync secrets to AWS
infisical integrations sync --integration-id "<INTEGRATION_ID>"

# List AWS integrations
infisical integrations list --type "aws"

GCP Integration

# Create Google Cloud Secret Manager integration
infisical integrations create \
  --type "gcp-secret-manager" \
  --name "gcp-prod" \
  --project-id "<PROJECT_ID>" \
  --service-account-json '<SERVICE_ACCOUNT_JSON>'

# Enable automatic sync
infisical integrations update \
  --integration-id "<INTEGRATION_ID>" \
  --auto-sync true

GitHub Actions Integration

# .github/workflows/deploy.yml
name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Fetch secrets from Infisical
        uses: infisical/inject-secrets-action@v1
        with:
          client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
          client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
          project-id: ${{ secrets.INFISICAL_PROJECT_ID }}
          path: /
          expand: true
      
      - run: npm install && npm run build

Vercel Integration

# Create Vercel integration
infisical integrations create \
  --type "vercel" \
  --name "vercel-prod" \
  --access-token "<VERCEL_TOKEN>" \
  --project-id "<VERCEL_PROJECT_ID>"

# Auto-sync to Vercel environment
infisical integrations update \
  --integration-id "<INTEGRATION_ID>" \
  --auto-sync true

Netlify Integration

# Create Netlify integration
infisical integrations create \
  --type "netlify" \
  --name "netlify-prod" \
  --access-token "<NETLIFY_TOKEN>" \
  --site-id "<NETLIFY_SITE_ID>"

Access Control and RBAC

User Management

# Invite user to project
infisical access-control invite-user \
  --email "dev@example.com" \
  --project-id "<PROJECT_ID>" \
  --role "developer"

# List project members
infisical access-control list-members

# Update user role
infisical access-control update-member \
  --member-id "<MEMBER_ID>" \
  --role "admin"

# Remove user
infisical access-control remove-member \
  --member-id "<MEMBER_ID>"

Role Management

# Available roles: admin, member, developer, viewer
# admin: Full project access
# member: Can read/write secrets
# developer: Can read secrets
# viewer: Read-only access

# Create custom role
infisical rbac create-role \
  --name "senior-developer" \
  --permissions "secrets:read,secrets:write,audit:read"

# List roles
infisical rbac list-roles

# Assign custom role
infisical rbac assign-role \
  --user-id "<USER_ID>" \
  --role-id "<ROLE_ID>"

Environment-Level Access

# Restrict access to specific environments
infisical access-control set-env-permission \
  --member-id "<MEMBER_ID>" \
  --environment "production" \
  --permission "read-only"

# Grant write access to staging
infisical access-control set-env-permission \
  --member-id "<MEMBER_ID>" \
  --environment "staging" \
  --permission "read-write"

Audit Logging

View Audit Logs

# List audit logs
infisical audit logs list

# Filter by action
infisical audit logs list --action "secret-read"

# Filter by user
infisical audit logs list --user-id "<USER_ID>"

# Filter by time range
infisical audit logs list \
  --start-date "2026-04-01" \
  --end-date "2026-04-25"

# Export audit logs
infisical audit logs export --format "csv" --outFile audit.csv

Audit Log Events

# Track secret operations
# - secret-created
# - secret-updated
# - secret-deleted
# - secret-read

# Track user actions
# - user-invited
# - user-removed
# - member-role-updated
# - member-access-changed

# Track integrations
# - integration-created
# - integration-synced
# - integration-deleted

SDK Usage

Node.js

# Install SDK
npm install @infisical/sdk

// Import and initialize
const { InfisicalClient } = require("@infisical/sdk");

const client = new InfisicalClient({
  clientId: process.env.INFISICAL_CLIENT_ID,
  clientSecret: process.env.INFISICAL_CLIENT_SECRET,
});

// Get secret
const secret = await client.getSecret({
  secretName: "DATABASE_URL",
  projectId: process.env.INFISICAL_PROJECT_ID,
  environment: "production",
});

console.log(secret.value);

// Get all secrets
const secrets = await client.getAllSecrets({
  projectId: process.env.INFISICAL_PROJECT_ID,
  environment: "production",
});

secrets.forEach(secret => {
  console.log(`${secret.key}: ${secret.value}`);
});

// Create secret
await client.createSecret({
  secretName: "NEW_API_KEY",
  secretValue: "secret-value",
  projectId: process.env.INFISICAL_PROJECT_ID,
  environment: "staging",
});

Python

# Install SDK
pip install infisical

from infisical import InfisicalClient

# Initialize client
client = InfisicalClient(
    client_id=os.getenv("INFISICAL_CLIENT_ID"),
    client_secret=os.getenv("INFISICAL_CLIENT_SECRET"),
)

# Get secret
secret = client.get_secret(
    secret_name="DATABASE_URL",
    project_id=os.getenv("INFISICAL_PROJECT_ID"),
    environment="production",
)
print(secret.value)

# Get all secrets
secrets = client.get_all_secrets(
    project_id=os.getenv("INFISICAL_PROJECT_ID"),
    environment="production",
)
for secret in secrets:
    print(f"{secret.key}: {secret.value}")

# Update secret
client.update_secret(
    secret_name="API_KEY",
    secret_value="updated-value",
    project_id=os.getenv("INFISICAL_PROJECT_ID"),
    environment="staging",
)

Go

# Install SDK
go get -u github.com/infisical/go-sdk

package main

import (
  "fmt"
  "os"
  "github.com/infisical/go-sdk/client"
)

func main() {
  // Initialize client
  infisicalClient := client.NewInfisicalClient(
    os.Getenv("INFISICAL_CLIENT_ID"),
    os.Getenv("INFISICAL_CLIENT_SECRET"),
  )

  // Get secret
  secret, err := infisicalClient.GetSecret(
    client.GetSecretOptions{
      SecretName: "DATABASE_URL",
      ProjectID: os.Getenv("INFISICAL_PROJECT_ID"),
      Environment: "production",
    },
  )
  if err != nil {
    panic(err)
  }
  fmt.Println(secret.Value)

  // Get all secrets
  secrets, err := infisicalClient.GetAllSecrets(
    client.GetAllSecretsOptions{
      ProjectID: os.Getenv("INFISICAL_PROJECT_ID"),
      Environment: "production",
    },
  )
  if err != nil {
    panic(err)
  }
  for _, secret := range secrets {
    fmt.Printf("%s: %s\n", secret.Key, secret.Value)
  }
}

Secret Referencing and Overrides

Secret Variables

# Create interpolated secret
infisical secrets create \
  --key "DATABASE_CONNECTION" \
  --value "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:5432/db"

# Reference secrets in other secrets
infisical secrets create \
  --key "APP_URL" \
  --value "https://${DOMAIN}/app"

Environment-Specific Overrides

# Base secret in shared path
infisical secrets create \
  --path "/shared" \
  --key "LOG_LEVEL" \
  --value "info"

# Override in development
infisical secrets create \
  --path "/development" \
  --key "LOG_LEVEL" \
  --value "debug"

# Override in production
infisical secrets create \
  --path "/production" \
  --key "LOG_LEVEL" \
  --value "error"

Secret Inheritance

# List with inheritance
infisical secrets list --show-overrides

# Pull with resolved values
infisical secrets pull --outFile .env.production

Webhooks and Event Triggers

Create Webhooks

# Create webhook for secret changes
infisical webhooks create \
  --name "slack-notification" \
  --url "https://hooks.slack.com/services/YOUR/WEBHOOK/URL" \
  --events "secret-created,secret-updated" \
  --active true

# List webhooks
infisical webhooks list

# Update webhook
infisical webhooks update \
  --webhook-id "<WEBHOOK_ID>" \
  --events "secret-deleted" \
  --active false

# Delete webhook
infisical webhooks delete --webhook-id "<WEBHOOK_ID>"

Event Types

Available events:
- secret-created
- secret-updated
- secret-deleted
- integration-synced
- user-invited
- user-removed
- certificate-issued
- certificate-revoked

Webhook Payload

{
  "event": "secret-updated",
  "timestamp": "2026-04-25T10:30:00Z",
  "projectId": "proj_123",
  "environment": "production",
  "secretKey": "API_KEY",
  "user": {
    "id": "user_456",
    "email": "dev@example.com"
  }
}

Best Practices

Practice	Description
Service Tokens	Use for CI/CD and server-to-server auth, never embed personal tokens
Secret Rotation	Enable automatic rotation for credentials; set appropriate intervals
Audit Logs	Regularly review logs for unauthorized access or suspicious activity
RBAC	Follow principle of least privilege; assign minimal required permissions
Path Organization	Use consistent path structure (e.g., `/database`, `/api`, `/external-services`)
Environment Separation	Keep secrets isolated by environment; use overrides for environment-specific values
Backup	Regularly backup encryption keys and certificates for disaster recovery
Monitoring	Set up webhooks to monitor secret creation, updates, and deletions
Documentation	Document secret naming conventions and rotation policies for team consistency