infisical gateway
Run the Infisical gateway or manage its systemd service
infisical gateway --token=<token>
sudo infisical gateway install --token=<token> --domain=<domain>
Description
Run the Infisical gateway in the foreground or manage its systemd service installation. The gateway allows secure communication between your self-hosted Infisical instance and client applications.
Subcommands & flags
Run the Infisical gateway in the foreground. The gateway will connect to the relay service and maintain a persistent connection.
infisical gateway --domain=<domain> --auth-method=<auth-method>
Authentication
The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
infisical gateway --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret>
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Your machine identity ID.
Path to the Kubernetes service account token to use. Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
The authentication method to use. Must be kubernetes when using Native Kubernetes.
infisical gateway --auth-method=kubernetes --machine-identity-id=<machine-identity-id>
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
infisical gateway --auth-method=azure --machine-identity-id=<machine-identity-id>
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
infisical gateway --auth-method=gcp-id-token --machine-identity-id=<machine-identity-id>
The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
infisical gateway --auth-method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path>
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
infisical gateway --auth-method=aws-iam --machine-identity-id=<machine-identity-id>
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
infisical gateway --auth-method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt>
The JWT Auth method is used to authenticate with Infisical via a JWT token.
infisical gateway --auth-method=jwt-auth --jwt=<jwt> --machine-identity-id=<machine-identity-id>
Other Flags
Domain of your self-hosted Infisical instance.
# Example
infisical gateway --domain=https://app.your-domain.com
Install and enable the gateway as a systemd service. This command must be run with sudo on Linux.
sudo infisical gateway install --token=<token> --domain=<domain>
Requirements
- Must be run on Linux
- Must be run with root/sudo privileges
- Requires systemd
Flags
The machine identity access token to authenticate with Infisical.
# Example
sudo infisical gateway install --token=<token>
You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the install command.
Domain of your self-hosted Infisical instance.
# Example
sudo infisical gateway install --domain=https://app.your-domain.com
Service Details
The systemd service is installed with secure defaults:
- Service file: /etc/systemd/system/infisical-gateway.service
- Config file: /etc/infisical/gateway.conf
- Runs with restricted privileges:
  - InaccessibleDirectories=/home
  - PrivateTmp=yes
- Resource limits configured for stability
- Automatically restarts on failure
- Enabled to start on boot
After installation, manage the service with standard systemd commands:
sudo systemctl start infisical-gateway # Start the service
sudo systemctl stop infisical-gateway # Stop the service
sudo systemctl status infisical-gateway # Check service status
sudo systemctl disable infisical-gateway # Disable auto-start on boot
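
An added example, not part of the Infisical documentation or CLI: a shell check that the installed unit still carries the two hardening directives listed under Service Details and that the config file is not accessible to group or other users. The helper names unit_values and audit_gateway are hypothetical, and the assumption that /etc/infisical/gateway.conf holds credentials is not stated on this page.

```shell
#!/bin/sh
# Added example, not Infisical's code. Default paths are the ones listed on this page.

# unit_values FILE KEY: print the values assigned to KEY, one per line.
# An empty assignment (KEY=) resets the list, as systemd does for list settings.
unit_values() {
    awk -v key="$2" '
        $0 ~ "^[ \t]*" key "[ \t]*=" {
            val = $0
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "", val)
            if (val == "") { n = 0; next }
            cnt = split(val, parts, /[ \t]+/)
            for (i = 1; i <= cnt; i++) if (parts[i] != "") vals[++n] = parts[i]
        }
        END { for (i = 1; i <= n; i++) print vals[i] }
    ' "$1"
}

# audit_gateway [UNIT_FILE] [CONF_FILE]: print findings, return the failure count.
audit_gateway() {
    unit=${1:-/etc/systemd/system/infisical-gateway.service}
    conf=${2:-/etc/infisical/gateway.conf}
    fails=0
    # For a boolean setting the last assignment wins; systemd accepts several spellings.
    case "$(unit_values "$unit" PrivateTmp | tail -n 1)" in
        yes|true|on|1) ;;
        *) echo "FAIL: PrivateTmp is not enabled in $unit"; fails=$((fails + 1)) ;;
    esac
    unit_values "$unit" InaccessibleDirectories | grep -qx '/home' ||
        { echo "FAIL: /home is not in InaccessibleDirectories in $unit"; fails=$((fails + 1)); }
    # Assumption: the config file holds gateway credentials, so group/other get no access.
    [ "$(ls -ld "$conf" 2>/dev/null | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $conf is missing or accessible to group/other"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files so the check can be tried without a real installation.
demo=$(mktemp -d)
printf '[Service]\nPrivateTmp=yes\nInaccessibleDirectories=/home\n' > "$demo/ok.service"
printf 'sample=constructed\n' > "$demo/gateway.conf"
chmod 600 "$demo/gateway.conf"
audit_gateway "$demo/ok.service" "$demo/gateway.conf" && echo "sample unit passes"
rm -rf "$demo"
```

Call audit_gateway with no arguments on a gateway host to check the installed paths. It reads only the main unit file, so settings changed through systemd drop-in overrides are not reflected.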