Skip to main content
  • Start relay
  • Start relay as background daemon (Linux only)
infisical relay start --host=<host> --name=<name> --auth-method=<auth-method>

Description

Relay-related commands for Infisical that provide identity-aware relay infrastructure for routing encrypted traffic. Relays are organization-deployed servers that route encrypted traffic between Infisical and your gateways.

Subcommands & flags

infisical relay start

Run the Infisical relay component. The relay handles network traffic routing between Infisical and your gateways.
infisical relay start --host=<host> --name=<name> --auth-method=<auth-method>

Flags

The host (IP address or hostname) of the instance where the relay is deployed. This must be a static public IP or resolvable hostname that gateways can reach.
# Example with IP address
infisical relay start --host=203.0.113.100 --name=my-relay

# Example with hostname
infisical relay start --host=relay.example.com --name=my-relay
The name of the relay. This is an arbitrary identifier for your relay instance.
# Example
infisical relay start --name=my-relay --host=192.168.1.100

Authentication

Relays support all standard Infisical authentication methods. Choose the authentication method that best fits your environment and set the corresponding flags when starting the relay.
# Example with Universal Auth
infisical relay start --host=192.168.1.100 --name=my-relay --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret>

Available Authentication Methods

The Infisical CLI supports multiple authentication methods for relays. Below are the available authentication methods, with their respective flags.
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
  infisical relay start --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret> --host=<host> --name=<name>
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
  infisical relay start --auth-method=kubernetes --machine-identity-id=<machine-identity-id> --host=<host> --name=<name>
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
  infisical relay start --auth-method=azure --machine-identity-id=<machine-identity-id> --host=<host> --name=<name>
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
  infisical relay start --auth-method=gcp-id-token --machine-identity-id=<machine-identity-id> --host=<host> --name=<name>
The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
Flags
  infisical relay start --auth-method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path> --host=<host> --name=<name>
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
  infisical relay start --auth-method=aws-iam --machine-identity-id=<machine-identity-id> --host=<host> --name=<name>
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
Flags
  infisical relay start --auth-method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt> --host=<host> --name=<name>
The JWT Auth method is used to authenticate with Infisical via a JWT token.
Flags
  infisical relay start --auth-method=jwt-auth --jwt=<jwt> --machine-identity-id=<machine-identity-id> --host=<host> --name=<name>
You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.
Flags
  infisical relay start --token=<token> --host=<host> --name=<name>
Manage systemd service for Infisical relay. This allows you to install and run the relay as a systemd service on Linux systems.

Requirements

  • Operating System: Linux only (systemd is not supported on other operating systems)
  • Privileges: Root/sudo privileges required for both install and uninstall operations
  • Systemd: The system must be running systemd as the init system
infisical relay systemd <subcommand>

Subcommands

Install and enable systemd service for the relay. Must be run with sudo on Linux systems.
sudo infisical relay systemd install --host=<host> --name=<name> --token=<token> [flags]

Flags

The host (IP address or hostname) of the instance where the relay is deployed. This must be a static public IP or resolvable hostname that gateways can reach.
# Example with IP address
sudo infisical relay systemd install --host=203.0.113.100 --name=my-relay --token=<token>

# Example with hostname
sudo infisical relay systemd install --host=relay.example.com --name=my-relay --token=<token>
The name of the relay.
# Example
sudo infisical relay systemd install --name=my-relay --host=192.168.1.100 --token=<token>
Connect with Infisical using machine identity access token.
# Example
sudo infisical relay systemd install --token=<machine-identity-token> --host=<host> --name=<name>
Domain of your self-hosted Infisical instance. Optional flag for specifying a custom domain.
# Example
sudo infisical relay systemd install --domain=http://localhost:8080 --token=<token> --host=<host> --name=<name>

Examples

# Install relay with token authentication
sudo infisical relay systemd install --host=192.168.1.100 --name=my-relay --token=<machine-identity-token>

# Install with custom domain
sudo infisical relay systemd install --domain=http://localhost:8080 --token=<token> --host=<host> --name=<name>

Post-installation

After successful installation, the service will be enabled but not started. To start the service:
sudo systemctl start infisical-relay
To check the service status:
sudo systemctl status infisical-relay
To view service logs:
sudo journalctl -u infisical-relay -f
Uninstall and remove systemd service for the relay. Must be run with sudo on Linux systems.
sudo infisical relay systemd uninstall

Examples

# Uninstall the relay systemd service
sudo infisical relay systemd uninstall

What it does

  • Stops the infisical-relay systemd service if it’s running
  • Disables the service from starting on boot
  • Removes the systemd service file
  • Cleans up the service configuration