Description
The CLI uses authentication to verify your identity. When you enter the correct email and password for your account, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI. To change where the login credentials are stored, visit the vaults command. If you have added multiple users, you can switch between the users by using the user command.When you authenticate with any other method than
user, an access token will be printed to the console upon successful login. This token can be used to authenticate with the Infisical API and the CLI by passing it in the --token flag when applicable.Use flag --plain along with --silent to print only the token in plain text when using a machine identity auth method.Authentication Methods
The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.Universal Auth
Universal Auth
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
1
Create a universal auth machine identity
To create a universal auth machine identity, follow the step by step guide outlined here.
2
Obtain an access token
Run the
login command with the following flags to obtain an access token:Native Kubernetes
Native Kubernetes
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
1
Create a Kubernetes machine identity
To create a Kubernetes machine identity, follow the step by step guide outlined here.
2
Obtain access an token
Run the
login command with the following flags to obtain an access token:Native Azure
Native Azure
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
1
Create an Azure machine identity
To create an Azure machine identity, follow the step by step guide outlined here.
2
Obtain an access token
Run the
login command with the following flags to obtain an access token:Native GCP ID Token
Native GCP ID Token
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
1
Create a GCP machine identity
To create a GCP machine identity, follow the step by step guide outlined here.
2
Obtain an access token
Run the
login command with the following flags to obtain an access token:GCP IAM
GCP IAM
Native AWS IAM
Native AWS IAM
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
1
Create an AWS machine identity
To create an AWS machine identity, follow the step by step guide outlined here.
2
Obtain an access token
Run the
login command with the following flags to obtain an access token:OIDC Auth
OIDC Auth
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
Flags
1
Create an OIDC machine identity
To create an OIDC machine identity, follow the step by step guide outlined here.
2
Obtain an access token
Run the
login command with the following flags to obtain an access token:JWT Auth
JWT Auth
The JWT Auth method is used to authenticate with Infisical via a JWT token.
Flags
1
Obtain an access token
Run the
login command with the following flags to obtain an access token:Flags
The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.--method
--method
Valid values for the method flag are:
user: Login using email and password. (default)universal-auth: Login using a universal auth client ID and client secret.kubernetes: Login using a Kubernetes native auth.azure: Login using an Azure native auth.gcp-id-token: Login using a GCP ID token native auth.gcp-iam: Login using a GCP IAM.aws-iam: Login using an AWS IAM native auth.oidc-auth: Login using oidc auth.
--client-id
--client-id
Description
The client ID of the universal auth machine identity. This is required if the--method flag is set to universal-auth.The
client-id flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_ID environment variable.--client-secret
--client-secret
Description
The client secret of the universal auth machine identity. This is required if the--method flag is set to universal-auth.The
client-secret flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable.--machine-identity-id
--machine-identity-id
Description
The ID of the machine identity. This is required if the--method flag is set to kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.The
machine-identity-id flag can be substituted with the INFISICAL_MACHINE_IDENTITY_ID environment variable.--service-account-token-path
--service-account-token-path
Description
The path to the Kubernetes service account token to use for authentication. This is optional and will default to/var/run/secrets/kubernetes.io/serviceaccount/token.The
service-account-token-path flag can be substituted with the INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH environment variable.--service-account-key-file-path
--service-account-key-file-path
Description
The path to your GCP service account key file. This is required if the--method flag is set to gcp-iam.The
service-account-key-path flag can be substituted with the INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH environment variable.--oidc-jwt
--oidc-jwt
Description
The JWT provided by an identity provider for OIDC authentication.The
oidc-jwt flag can be substituted with the INFISICAL_OIDC_AUTH_JWT environment variable.Machine Identity Authentication Quick Start
In this example we’ll be using theuniversal-auth method to login to obtain an Infisical access token, which we will then use to fetch secrets with.
1
Obtain an access token
INFISICAL_TOKEN environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the INFISICAL_TOKEN environment variable and use it for authentication.Alternatively, if you would rather use the --token flag to pass the token directly, you can do so by running the following command:2
Fetch all secrets from an evironment
dev environment in your project, including all secrets in subfolders.The
--recursive, and --env flag is optional and will fetch all secrets in subfolders. The default environment is dev if no --env flag is provided.