infisical pam <resource-type> <subcommand> [flags]

Description

The infisical pam command provides privileged access management capabilities for securely accessing databases, SSH servers, Kubernetes clusters, and Redis instances through Infisical’s Gateway. All PAM commands require the user to be logged in via infisical login.

Command Structure

infisical pam
├── db
│   └── access       (start local database proxy)
├── ssh
│   ├── access       (start interactive SSH session)
│   ├── exec         (execute single command over SSH)
│   └── proxy        (start SSH proxy for SCP/SFTP/rsync)
├── kubernetes       (alias: k8s)
│   └── access       (start local Kubernetes proxy)
└── redis
    └── access       (start local Redis proxy)

Subcommands & flags

infisical pam db

Access PAM database accounts. Starts a local database proxy server that you can use to connect to databases directly (PostgreSQL, MySQL, MS SQL Server).
$ infisical pam db access --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam db access --resource infisical-shared-cloud-instances --account infisical --project-id <project-uuid> --duration 4h

Flags

--resource
Name of the PAM resource to access.
# Example
infisical pam db access --resource=my-database-resource --account=admin

--account
Name of the account within the resource.
# Example
infisical pam db access --resource=my-database-resource --account=admin

--project-id
Project ID of the account to access. If not provided, uses the project from .infisical.json (run infisical init to configure).
# Example
infisical pam db access --resource=my-database-resource --account=admin --project-id=<project-uuid>

--duration
Duration for the database access session. Supports Go duration format (e.g., 1h, 30m, 2h30m).
Default value: 1h
# Example
infisical pam db access --resource=my-database-resource --account=admin --duration=4h

--port
Port for the local database proxy server. Use 0 for auto-assign.
Default value: 0
# Example
infisical pam db access --resource=my-database-resource --account=admin --port=5432

--domain
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
# Example
infisical pam db access --resource=my-database-resource --account=admin --domain=https://your-infisical-instance.com

Output

The command displays a connection string based on the database type:
Database Type    Connection String Format
PostgreSQL       postgres://<username>@localhost:<port>/<database>
MySQL            mysql://<username>@localhost:<port>/<database>
MS SQL Server    sqlserver://<username>@localhost:<port>?database=<database>&encrypt=false&trustServerCertificate=true

infisical pam ssh

Access PAM SSH accounts. Provides interactive sessions, single command execution, and proxy mode for file transfers.
$ infisical pam ssh <subcommand> --resource <resource-name> --account <account-name> [flags]

Subcommands

infisical pam ssh access

Start an interactive SSH session to a PAM-managed SSH account. This command automatically launches an SSH client connected through the Infisical Gateway.
$ infisical pam ssh access --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam ssh access --resource prod-servers --account root --project-id <project-uuid> --duration 1h

infisical pam ssh exec

Execute a single command on a PAM-managed SSH account and return the output. This is useful for CI/CD pipelines and scripting where interactive sessions are not needed.
$ infisical pam ssh exec "<command>" --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam ssh exec "ls -la /var/log" --resource prod-servers --account root --project-id <project-uuid>

# Use in a script to capture output
$ OUTPUT=$(infisical pam ssh exec "cat /etc/hostname" --resource prod-servers --account root --project-id <project-uuid>)
The exit code from the remote command is propagated to the CLI exit code, making this suitable for scripts that check command success.
Argument    Description
command     The command to execute on the remote server (passed as first argument)
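
A fail-closed wrapper for the exit-code behaviour described above, as an added example that is not part of the Infisical documentation or CLI. The function name pam_exec_checked, its argument order and the PAM_DURATION variable are hypothetical; it relies only on the exec invocation and the --duration flag documented on this page.

```bash
# Added example, not Infisical's own code.
# usage: pam_exec_checked <resource> <account> <command>
# The project comes from .infisical.json, as the docs describe for a missing
# --project-id.
pam_exec_checked() {
    _rc=0
    # Plain assignment keeps the remote exit status. Writing
    # `local out=$(...)` or `export out=$(...)` instead would report the
    # builtin's own status (0) and hide a remote failure. The `|| _rc=$?`
    # form also stops `set -e` from aborting before the status is recorded.
    # A short session (hypothetical default 5m) limits how long the access
    # stays open for a one-shot CI command.
    _out=$(infisical pam ssh exec "$3" --resource "$1" --account "$2" \
        --duration "${PAM_DURATION:-5m}") || _rc=$?
    if [ "$_rc" -ne 0 ]; then
        # Fail closed: never pass partial output on to later pipeline steps.
        echo "pam ssh exec failed with exit code $_rc" >&2
        return "$_rc"
    fi
    printf '%s\n' "$_out"
}

# Typical CI use: stop the job unless the remote check succeeded.
#   host=$(pam_exec_checked prod-servers root "cat /etc/hostname") || exit $?
```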

infisical pam ssh proxy

Start an SSH proxy without launching an interactive session. This is useful for file transfers using SCP, SFTP, rsync, or other SSH-based tools. The proxy prints connection details and waits until terminated with Ctrl+C.
$ infisical pam ssh proxy --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam ssh proxy --resource prod-servers --account root --project-id <project-uuid>
# Output:
# SSH proxy listening on 127.0.0.1:53619
# Username: root
# Session expires: 2026-04-02T09:25:08+08:00
#
# Use this proxy with SSH, SCP, SFTP, or rsync:
#   ssh -p 53619 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@127.0.0.1
#   scp -P 53619 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null <local-file> root@127.0.0.1:<remote-path>
#
# Press Ctrl+C to stop the proxy.

Using the Proxy

In another terminal, use the proxy for file transfers:
# SCP file transfer
scp -P <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null local-file.txt root@127.0.0.1:/remote/path/

# rsync
rsync -e "ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" local-dir/ root@127.0.0.1:/remote/path/

# SFTP
sftp -P <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@127.0.0.1
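
The commands above switch off host key checking with -o flags typed on every invocation. The following added example (not from the Infisical documentation) parses the proxy banner and prints an ssh_config entry that confines those options to the loopback proxy. The function name, the pam-proxy alias and the assumption that the banner matches the sample output shown above are all assumptions of this example.

```bash
# Added example, not Infisical's own code. Reads the banner printed by
# `infisical pam ssh proxy` on stdin and prints an ssh_config Host block.
# Assumes the banner lines match the sample output shown above.
pam_proxy_ssh_config() {
    _alias=${1:-pam-proxy}          # hypothetical Host alias
    _addr='' _user='' _expires=''
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line#"# "}         # tolerate the "# " prefix used in the docs
        case $_line in
            "SSH proxy listening on "*) _addr=${_line#"SSH proxy listening on "} ;;
            "Username: "*)              _user=${_line#"Username: "} ;;
            "Session expires: "*)       _expires=${_line#"Session expires: "} ;;
        esac
    done
    _host=${_addr%:*}
    _port=${_addr##*:}
    # Fail closed: the relaxed host-key options are only written for a listener
    # on the loopback address with a numeric port and a plain user name.
    if [ "$_host" != "127.0.0.1" ]; then
        echo "refusing: proxy address '$_host' is not 127.0.0.1" >&2
        return 1
    fi
    case $_port in ''|*[!0-9]*) echo "refusing: bad port '$_port'" >&2; return 1 ;; esac
    case $_user in ''|*[!A-Za-z0-9._-]*) echo "refusing: bad user name" >&2; return 1 ;; esac
    printf '# session expires: %s\n' "${_expires:-unknown}"
    printf 'Host %s\n' "$_alias"
    printf '    HostName %s\n    Port %s\n    User %s\n' "$_host" "$_port" "$_user"
    printf '    StrictHostKeyChecking no\n    UserKnownHostsFile /dev/null\n'
}

# Constructed sample banner in the format shown above.
sample_banner='SSH proxy listening on 127.0.0.1:53619
Username: root
Session expires: 2026-04-02T09:25:08+08:00'
printf '%s\n' "$sample_banner" | pam_proxy_ssh_config pam-proxy
```

Write the output to a file and pass it with ssh -F <file> pam-proxy, scp -F <file>, sftp -F <file>, or rsync -e "ssh -F <file>", so the relaxed host-key options never apply to any other host.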

Flags

All SSH subcommands share the following flags:
--resource
Name of the PAM resource to access.
# Example
infisical pam ssh access --resource=prod-servers --account=root

--account
Name of the account within the resource.
# Example
infisical pam ssh access --resource=prod-servers --account=root

--project-id
Project ID of the account to access. If not provided, uses the project from .infisical.json.
# Example
infisical pam ssh access --resource=prod-servers --account=root --project-id=<project-uuid>

--duration
Duration for the SSH access session. Supports Go duration format (e.g., 1h, 30m, 2h30m).
Default value: 1h
# Example
infisical pam ssh access --resource=prod-servers --account=root --duration=2h

--port
Port for the local SSH proxy server (only applies to the proxy subcommand). Use 0 for auto-assign.
Default value: 0
# Example
infisical pam ssh proxy --resource=prod-servers --account=root --port=2222

--domain
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
# Example
infisical pam ssh access --resource=prod-servers --account=root --domain=https://your-infisical-instance.com

infisical pam kubernetes

Access Kubernetes via a PAM-managed Kubernetes account. This command automatically launches a proxy connected to your Kubernetes cluster through the Infisical Gateway.
Alias: infisical pam k8s
$ infisical pam kubernetes access --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam kubernetes access --resource prod-cluster --account developer --project-id <project-uuid> --duration 4h

# Using the alias
$ infisical pam k8s access --resource prod-cluster --account developer --project-id <project-uuid>

Flags

--resource
Name of the PAM resource to access.
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer

--account
Name of the account within the resource.
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer

--project-id
Project ID of the account to access. If not provided, uses the project from .infisical.json.
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer --project-id=<project-uuid>

--duration
Duration for the Kubernetes access session. Supports Go duration format (e.g., 1h, 30m, 2h30m).
Default value: 1h
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer --duration=4h

--port
Port for the local Kubernetes proxy server. Use 0 for auto-assign.
Default value: 0
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer --port=8080

--domain
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
# Example
infisical pam kubernetes access --resource=prod-cluster --account=developer --domain=https://your-infisical-instance.com

infisical pam redis

Access PAM Redis accounts. Starts a local Redis proxy server that you can use to connect to Redis directly.
$ infisical pam redis access --resource <resource-name> --account <account-name> [flags]

# Example
$ infisical pam redis access --resource my-redis-resource --account redis-admin --duration 4h --port 6379 --project-id <project-uuid>

Flags

--resource
Name of the PAM resource to access.
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin

--account
Name of the account within the resource.
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin

--project-id
Project ID of the account to access. If not provided, uses the project from .infisical.json.
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin --project-id=<project-uuid>

--duration
Duration for the Redis access session. Supports Go duration format (e.g., 1h, 30m, 2h30m).
Default value: 1h
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin --duration=4h

--port
Port for the local Redis proxy server. Use 0 for auto-assign.
Default value: 0
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin --port=6379

--domain
Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.
# Example
infisical pam redis access --resource=my-redis-resource --account=redis-admin --domain=https://your-infisical-instance.com