> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# infisical pam

> Securely access your infrastructure through Infisical's Privileged Access Management

```bash theme={"dark"}
infisical pam access <path> [flags]
```

## Description

The `infisical pam` command provides brokered, credential-less access to your PAM-managed resources — databases, servers, and cloud accounts — through Infisical's Gateway.

All PAM commands require the user to be logged in via `infisical login`.

### Command Structure

```
infisical pam
└── access <path>     # unified, path-based access to all PAM resources
```

## infisical pam access

Access your PAM-managed resources. This unified command handles every account type — the CLI adapts its behavior to whichever type the account's template defines (see [Account Types and Behavior](#account-types-and-behavior) below).

```bash theme={"dark"}
infisical pam access <path> [flags]
```

### Arguments

| Argument | Description                                                           |
| -------- | --------------------------------------------------------------------- |
| `<path>` | **Required.** Path to the PAM account in format `folder/account-name` |

### Flags

<Accordion title="--duration">
  Session duration. Supports Go duration format (e.g., `1h`, `30m`, `2h30m`).

  Default value: `1h`

  ```bash theme={"dark"}
  # Example
  infisical pam access production/postgres-main --duration 4h
  ```
</Accordion>

<Accordion title="--reason">
  Audit reason for access. Required by some policies; prompts interactively if TTY available.

  ```bash theme={"dark"}
  # Example
  infisical pam access production/database --reason "Investigating incident INC-1234"
  ```
</Accordion>

<Accordion title="--port">
  Local proxy port. Use `0` for auto-assign.

  Default value: `0`

  ```bash theme={"dark"}
  # Example
  infisical pam access staging/mysql-replica --port 3306
  ```
</Accordion>

<Accordion title="--target">
  Target host for multi-host accounts (e.g., Windows AD environments).

  ```bash theme={"dark"}
  # Example
  infisical pam access windows/domain-admin --target dc01.corp.local
  ```
</Accordion>

<Accordion title="--domain">
  Domain of your self-hosted Infisical instance. If not specified, defaults to Infisical Cloud.

  ```bash theme={"dark"}
  # Example
  infisical pam access production/database --domain https://your-infisical-instance.com
  ```
</Accordion>

## Account Types and Behavior

Based on the account's template, the CLI starts the appropriate local proxy or credential helper.

<AccordionGroup>
  <Accordion title="Databases (PostgreSQL, MySQL, SQL Server, MongoDB)">
    Starts a local database proxy on `127.0.0.1`. Connect using standard database clients — no password required as authentication is handled by the proxy.

    ```bash theme={"dark"}
    # Example
    infisical pam access production/postgres-main --duration 2h
    ```

    The output includes connection details and CLI examples:

    | Database Type | Connection String Format                                      |
    | ------------- | ------------------------------------------------------------- |
    | PostgreSQL    | `postgres://<username>@127.0.0.1:<port>/<database>`           |
    | MySQL         | `mysql://<username>@127.0.0.1:<port>/<database>`              |
    | SQL Server    | `sqlserver://<username>@127.0.0.1:<port>?database=<database>` |
    | MongoDB       | `mongodb://127.0.0.1:<port>/<database>`                       |
  </Accordion>

  <Accordion title="SSH">
    Starts a local SSH proxy. Use standard SSH/SCP/SFTP/rsync commands to connect.

    ```bash theme={"dark"}
    # Start the proxy
    infisical pam access servers/prod-bastion
    ```

    Then connect using your SSH client:

    ```bash theme={"dark"}
    # SSH
    ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@127.0.0.1

    # SCP file transfer
    scp -P <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null file.txt user@127.0.0.1:/path/

    # rsync
    rsync -e "ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" local-dir/ user@127.0.0.1:/remote/path/
    ```
  </Accordion>

  <Accordion title="Kubernetes">
    Starts a local Kubernetes proxy and automatically configures kubectl context.

    ```bash theme={"dark"}
    # Example
    infisical pam access clusters/prod-cluster --duration 4h
    ```

    kubectl is automatically configured with a context named `infisical-k8s-pam/folder/account-name`. Use kubectl normally:

    ```bash theme={"dark"}
    kubectl get pods
    kubectl get namespaces
    ```

    The original kubeconfig context is restored when the session ends.
  </Accordion>

  <Accordion title="AWS IAM">
    Writes temporary STS credentials to your AWS credentials file (`~/.aws/credentials` or wherever `AWS_SHARED_CREDENTIALS_FILE` points).

    ```bash theme={"dark"}
    # Example
    infisical pam access aws/production-role
    ```

    The credentials are written as a named profile: `infisical-pam/folder/account-name`

    Use with the AWS CLI:

    ```bash theme={"dark"}
    # Use --profile flag
    aws s3 ls --profile "infisical-pam/aws/production-role"

    # Or export the profile
    export AWS_PROFILE="infisical-pam/aws/production-role"
    aws s3 ls
    ```

    The session blocks until `Ctrl+C` or credential expiry. When the session ends, the profile is removed from the credentials file.
  </Accordion>

  <Accordion title="GCP Service Account">
    Starts a local proxy on `127.0.0.1` and automatically configures `gcloud` to route through it (via the `proxy/*`, `auth/access_token_file`, and `core/custom_ca_certs_file` config properties). Requires the [`gcloud` CLI](https://cloud.google.com/sdk/docs/install) to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered credentials before forwarding to `googleapis.com`.

    ```bash theme={"dark"}
    # Example
    infisical pam access gcp/prod-deployer
    ```

    Run `gcloud` and other Google Cloud tooling as normal — no per-command configuration needed:

    ```bash theme={"dark"}
    gcloud compute instances list
    gcloud storage ls
    ```

    The session blocks until `Ctrl+C` or expiry. On shutdown, your `gcloud` configuration is restored.
  </Accordion>

  <Accordion title="Azure CLI">
    Starts an isolated, authenticated `az` shell for the session (using a temporary `AZURE_CONFIG_DIR`, so your own `az` login is untouched). Requires the [Azure CLI (`az`)](https://learn.microsoft.com/cli/azure/install-azure-cli) to be installed. All traffic is proxied through the Infisical Gateway, which injects the brokered token before forwarding to `management.azure.com`.

    ```bash theme={"dark"}
    # Example
    infisical pam access azure/prod-reader
    ```

    Run `az` as normal inside the session shell:

    ```bash theme={"dark"}
    az account show
    az group list
    ```

    Type `exit` to end the session (or press `Ctrl+C`, or wait for expiry). The isolated session state is wiped on shutdown.
  </Accordion>

  <Accordion title="Windows / RDP">
    Starts a local RDP proxy. Connect your RDP client to `127.0.0.1` on the assigned port.

    ```bash theme={"dark"}
    # Single-server Windows account
    infisical pam access windows/admin-server

    # Windows AD with multiple targets
    infisical pam access windows/domain-admin --target dc01.corp.local
    ```

    Connect using your preferred RDP client (e.g., Microsoft Remote Desktop, xfreerdp, Remmina).
  </Accordion>
</AccordionGroup>

## MFA Support

If your organization requires MFA for PAM access:

1. CLI detects `SESSION_MFA_REQUIRED` response
2. Browser opens to MFA verification page
3. CLI polls for up to 5 minutes for completion
4. Access continues automatically after MFA verification

## Reason Prompting

Some PAM policies require an audit reason. Behavior:

| Scenario                   | Behavior                                             |
| -------------------------- | ---------------------------------------------------- |
| With `--reason` flag       | Uses provided reason                                 |
| Interactive terminal (TTY) | Prompts for reason if required                       |
| Non-interactive (CI/CD)    | Fails with error if reason required but not provided |

```bash theme={"dark"}
# Provide reason via flag
infisical pam access production/database --reason "Investigating incident INC-1234"
```

## Error Messages

| Error                                            | Cause                          | Solution                              |
| ------------------------------------------------ | ------------------------------ | ------------------------------------- |
| `Invalid duration format`                        | Malformed `--duration` value   | Use formats like `1h`, `30m`, `2h30m` |
| `a reason is required to access this account`    | Policy requires reason, no TTY | Pass `--reason` flag                  |
| `Gateway does not support '{type}' PAM accounts` | Gateway version too old        | Upgrade Infisical Gateway             |
| `PAM response metadata is missing`               | API response incomplete        | Contact support                       |
