Currently, identities can only be used to make authenticated requests to the Infisical API, SDKs, and Agent. They do not work with clients such as CLI, K8s Operator, Terraform Provider, etc.

We will be releasing compatibility with it across clients in the coming quarter.

Concept

A (machine) identity is an entity that you can create in an Infisical organization to represent a workload or application that requires access to the Infisical API. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).

Each identity must authenticate with the API using a supported authentication method like Universal Auth to get back a short-lived access token to be used in subsequent requests.

Key Features:

  • Role Assignment: Identities must be assigned roles. These roles determine the scope of access to resources, either at the organization level or project level.
  • Auth/Token Configuration: Identities must be configured with auth methods and access token properties to securely interact with the Infisical API.

Workflow

A typical workflow for using identities consists of four steps:

  1. Creating the identity with a name and role in Organization Access Control > Machine Identities. This step also involves configuring an authentication method for it such as Universal Auth.
  2. Adding the identity to the project(s) you want it to have access to.
  3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
  4. Authenticating subsequent requests with the Infisical API using the short-lived access token.

Check out the following authentication method-specific guides for step-by-step instruction on how to use identities to access Infisical:

FAQ