Infisical SSH
Learn how to organize SSH hosts into groups and manage access policies at scale.
Concept
Infisical SSH lets you configure host groups to organize and manage multiple SSH hosts with shared access configuration.
These host groups can be created based on environments (development, staging, production), geographical regions (us-east, eu-west, ap-northeast), or functions (web-servers, database-servers, worker-nodes) to streamline access management across your infrastructure.
Using a host group, you can define login mappings at the group level and have them applied to all hosts assigned to that group. For example, you can specify that [email protected] can log in as ubuntu on all hosts assigned to the production host group.
Workflow
The typical workflow for using Infisical SSH with host groups consists of the following steps:
- The administrator creates host groups based on logical groupings (environments, regions, functions, etc.).
- The administrator configures login mappings at the host group level to define access policies.
- The administrator registers remote hosts with Infisical using the Infisical CLI via the infisical ssh add-host command and assigns them to appropriate host groups, either using the --host-group flag or by adding them to the host group via the UI.
- User(s) access the remote hosts using the Infisical CLI via the infisical ssh connect command, with access determined by the login mappings defined at both host and host group levels.
Admin Guide for Configuring Host Groups
In the following steps, we’ll walk through how to create and configure Host Groups in Infisical SSH, and how to add hosts to these groups.
Create a host group
1.1. Navigate to your Infisical SSH project and select the Hosts tab.
1.2. Click Add Group in the Host Groups section to create a new group.
Enter a name (e.g., production-servers or tokyo-region) and login mapping(s) for the host group.
A login mapping for a host group applies to all hosts assigned to the group. It dictates which user(s) are allowed to access the remote hosts in that group, and under which login user(s). In the allowed principals, select the user(s) in the Infisical SSH project who will be allowed to log in to the remote host as the login user.
For instance, if you add a mapping to a host group from the login user ec2-user to the users John and Alice in Infisical, then they will be allowed to log in to any remote host that is part of the group as ec2-user, a system user that exists on the remote host(s).
1.3. Click Add to create the host group.
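To review what a set of group-level and host-level login mappings actually grants, the following added example (not Infisical's code or API) computes the effective access per host and flags privileged login users. It assumes the two levels combine additively; the data layout, the host names, the user bob and the root mapping are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The dictionary layout is an assumption for this
# sketch, not an Infisical export format.
GROUP_MAPPINGS = {  # host group -> {login user: allowed principals}
    "production-servers": {"ec2-user": {"john", "alice"}},
    "tokyo-region": {"ubuntu": {"alice"}},
}
HOST_GROUPS = {  # host -> assigned host group (None = ungrouped)
    "web-1": "production-servers",
    "web-2": "production-servers",
    "db-tokyo": "tokyo-region",
    "bastion": None,
}
HOST_MAPPINGS = {  # mappings defined directly on a host
    "web-1": {"root": {"john"}},
    "bastion": {"ubuntu": {"bob"}},
}

def effective_access(host):
    """Return {login user: principals} for one host.

    Assumption: group-level and host-level mappings are merged as a union.
    """
    merged = defaultdict(set)
    group = HOST_GROUPS.get(host)
    for source in (GROUP_MAPPINGS.get(group, {}), HOST_MAPPINGS.get(host, {})):
        for login_user, principals in source.items():
            merged[login_user] |= principals
    return dict(merged)

def hosts_reachable_by(principal):
    """List (host, login user) pairs one principal can use, sorted for review."""
    return sorted(
        (host, login_user)
        for host in HOST_GROUPS
        for login_user, principals in effective_access(host).items()
        if principal in principals
    )

def review_findings(privileged=("root",)):
    """Flag privileged login users and record which level grants them."""
    findings = []
    for host in sorted(HOST_GROUPS):
        group = HOST_GROUPS[host]
        for login_user in privileged:
            if login_user in GROUP_MAPPINGS.get(group, {}):
                findings.append((host, login_user, f"group:{group}"))
            if login_user in HOST_MAPPINGS.get(host, {}):
                findings.append((host, login_user, "host"))
    return findings
```

A group-level finding matters more than a host-level one because it applies to every host later assigned to that group.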
Add host(s) to the host group
After creating the host group, you can assign a host to it from inside the host group page in the SSH Hosts section. Generally, this is where you’ll manage the hosts in a group.