Login into Infisical from the CLI
user
, an access token will be printed to the console upon successful login. This token can be used to authenticate with the Infisical API and the CLI by passing it in the --token
flag when applicable.Use flag --plain
along with --silent
to print only the token in plain text when using a machine identity auth method.Universal Auth
Create a universal auth machine identity
Obtain an access token
login
command with the following flags to obtain an access token:Native Kubernetes
Create a Kubernetes machine identity
Obtain access an token
login
command with the following flags to obtain an access token:Native Azure
Create an Azure machine identity
Obtain an access token
login
command with the following flags to obtain an access token:Native GCP ID Token
Create a GCP machine identity
Obtain an access token
login
command with the following flags to obtain an access token:GCP IAM
Native AWS IAM
Create an AWS machine identity
Obtain an access token
login
command with the following flags to obtain an access token:OIDC Auth
Create an OIDC machine identity
Obtain an access token
login
command with the following flags to obtain an access token:JWT Auth
Obtain an access token
login
command with the following flags to obtain an access token:--method
method
flag are:user
: Login using email and password. (default)universal-auth
: Login using a universal auth client ID and client secret.kubernetes
: Login using a Kubernetes native auth.azure
: Login using an Azure native auth.gcp-id-token
: Login using a GCP ID token native auth.gcp-iam
: Login using a GCP IAM.aws-iam
: Login using an AWS IAM native auth.oidc-auth
: Login using oidc auth.--client-id
--method
flag is set to universal-auth
.client-id
flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_ID
environment variable.--client-secret
--method
flag is set to universal-auth
.client-secret
flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
environment variable.--machine-identity-id
--method
flag is set to kubernetes
, azure
, gcp-id-token
, gcp-iam
, or aws-iam
.machine-identity-id
flag can be substituted with the INFISICAL_MACHINE_IDENTITY_ID
environment variable.--service-account-token-path
/var/run/secrets/kubernetes.io/serviceaccount/token
.service-account-token-path
flag can be substituted with the INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH
environment variable.--service-account-key-file-path
--method
flag is set to gcp-iam
.service-account-key-path
flag can be substituted with the INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH
environment variable.--oidc-jwt
oidc-jwt
flag can be substituted with the INFISICAL_OIDC_AUTH_JWT
environment variable.universal-auth
method to login to obtain an Infisical access token, which we will then use to fetch secrets with.
Obtain an access token
INFISICAL_TOKEN
environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the INFISICAL_TOKEN
environment variable and use it for authentication.Alternatively, if you would rather use the --token
flag to pass the token directly, you can do so by running the following command:Fetch all secrets from an evironment
dev
environment in your project, including all secrets in subfolders.--recursive
, and --env
flag is optional and will fetch all secrets in subfolders. The default environment is dev
if no --env
flag is provided.