Skip to main content

Description

The infisical pam command provides brokered, credential-less access to your PAM-managed resources — databases, servers, and cloud accounts — through Infisical’s Gateway. All PAM commands require the user to be logged in via infisical login.

Command Structure

infisical pam access

Access your PAM-managed resources. This unified command handles every account type — the CLI adapts its behavior to whichever type the account’s template defines (see Account Types and Behavior below).

Arguments

Flags

Session duration. Supports Go duration format (e.g., 1h, 30m, 2h30m).Default value: 1h
Audit reason for access. Required by some policies; prompts interactively if TTY available.
Local proxy port. Use 0 for auto-assign.Default value: 0
Target host for multi-host accounts (e.g., Windows AD environments).
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.

Account Types and Behavior

Based on the account’s template, the CLI starts the appropriate local proxy or credential helper.
Starts a local database proxy on 127.0.0.1. Connect using standard database clients — no password required as authentication is handled by the proxy.
The output includes connection details and CLI examples:
Starts a local SSH proxy. Use standard SSH/SCP/SFTP/rsync commands to connect.
Then connect using your SSH client:
Starts a local Kubernetes proxy and automatically configures kubectl context.
kubectl is automatically configured with a context named infisical-k8s-pam/folder/account-name. Use kubectl normally:
The original kubeconfig context is restored when the session ends.
Writes temporary STS credentials to your AWS credentials file (~/.aws/credentials or wherever AWS_SHARED_CREDENTIALS_FILE points).
The credentials are written as a named profile: infisical-pam/folder/account-nameUse with the AWS CLI:
The session blocks until Ctrl+C or credential expiry. When the session ends, the profile is removed from the credentials file.
Starts a local proxy on 127.0.0.1 and automatically configures gcloud to route through it (via the proxy/*, auth/access_token_file, and core/custom_ca_certs_file config properties). Requires the gcloud CLI to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered credentials before forwarding to googleapis.com.
Run gcloud and other Google Cloud tooling as normal — no per-command configuration needed:
The session blocks until Ctrl+C or expiry. On shutdown, your gcloud configuration is restored.
Starts an isolated, authenticated az shell for the session (using a temporary AZURE_CONFIG_DIR, so your own az login is untouched). Requires the Azure CLI (az) to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered token before forwarding to management.azure.com.
Run az as normal inside the session shell:
Type exit to end the session (or press Ctrl+C, or wait for expiry). The isolated session state is wiped on shutdown.
Starts a local RDP proxy. Connect your RDP client to 127.0.0.1 on the assigned port.
Connect using your preferred RDP client (e.g., Microsoft Remote Desktop, xfreerdp, Remmina).

MFA Support

If your organization requires MFA for PAM access:
  1. CLI detects SESSION_MFA_REQUIRED response
  2. Browser opens to MFA verification page
  3. CLI polls for up to 5 minutes for completion
  4. Access continues automatically after MFA verification

Reason Prompting

Some PAM policies require an audit reason. Behavior:

Error Messages