Description
Theinfisical pam command provides brokered, credential-less access to your PAM-managed resources — databases, servers, and cloud accounts — through Infisical’s Gateway.
All PAM commands require the user to be logged in via infisical login.
Command Structure
infisical pam access
Access your PAM-managed resources. This unified command handles every account type — the CLI adapts its behavior to whichever type the account’s template defines (see Account Types and Behavior below).Arguments
Flags
--duration
--duration
Session duration. Supports Go duration format (e.g.,
1h, 30m, 2h30m).Default value: 1h--reason
--reason
Audit reason for access. Required by some policies; prompts interactively if TTY available.
--port
--port
Local proxy port. Use
0 for auto-assign.Default value: 0--target
--target
Target host for multi-host accounts (e.g., Windows AD environments).
--domain
--domain
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
Account Types and Behavior
Based on the account’s template, the CLI starts the appropriate local proxy or credential helper.Databases (PostgreSQL, MySQL, SQL Server, MongoDB)
Databases (PostgreSQL, MySQL, SQL Server, MongoDB)
Starts a local database proxy on The output includes connection details and CLI examples:
127.0.0.1. Connect using standard database clients — no password required as authentication is handled by the proxy.SSH
SSH
Starts a local SSH proxy. Use standard SSH/SCP/SFTP/rsync commands to connect.Then connect using your SSH client:
Kubernetes
Kubernetes
Starts a local Kubernetes proxy and automatically configures kubectl context.kubectl is automatically configured with a context named The original kubeconfig context is restored when the session ends.
infisical-k8s-pam/folder/account-name. Use kubectl normally:AWS IAM
AWS IAM
Writes temporary STS credentials to your AWS credentials file (The credentials are written as a named profile: The session blocks until
~/.aws/credentials or wherever AWS_SHARED_CREDENTIALS_FILE points).infisical-pam/folder/account-nameUse with the AWS CLI:Ctrl+C or credential expiry. When the session ends, the profile is removed from the credentials file.GCP Service Account
GCP Service Account
Starts a local proxy on Run The session blocks until
127.0.0.1 and automatically configures gcloud to route through it (via the proxy/*, auth/access_token_file, and core/custom_ca_certs_file config properties). Requires the gcloud CLI to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered credentials before forwarding to googleapis.com.gcloud and other Google Cloud tooling as normal — no per-command configuration needed:Ctrl+C or expiry. On shutdown, your gcloud configuration is restored.Azure CLI
Azure CLI
Starts an isolated, authenticated Run Type
az shell for the session (using a temporary AZURE_CONFIG_DIR, so your own az login is untouched). Requires the Azure CLI (az) to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered token before forwarding to management.azure.com.az as normal inside the session shell:exit to end the session (or press Ctrl+C, or wait for expiry). The isolated session state is wiped on shutdown.Windows / RDP
Windows / RDP
Starts a local RDP proxy. Connect your RDP client to Connect using your preferred RDP client (e.g., Microsoft Remote Desktop, xfreerdp, Remmina).
127.0.0.1 on the assigned port.MFA Support
If your organization requires MFA for PAM access:- CLI detects
SESSION_MFA_REQUIREDresponse - Browser opens to MFA verification page
- CLI polls for up to 5 minutes for completion
- Access continues automatically after MFA verification