Concept

Infisical SSH lets you configure host groups to organize and manage multiple SSH hosts with shared access configuration. These host groups can be created based on environments (development, staging, production), geographical regions (us-east, eu-west, ap-northeast), or functions (web-servers, database-servers, worker-nodes) to streamline access management across your infrastructure.

Using a host group, you can define login mappings at the group level and have them be applied to all hosts assigned to that group. For example, you can specify that [email protected] can login as ubuntu on all hosts assigned to the production host group.

Workflow

The typical workflow for using Infisical SSH with host groups consists of the following steps:

  1. The administrator creates host groups based on logical groupings (environments, regions, functions, etc.).
  2. The administrator configures login mappings at the host group level to define access policies.
  3. The administrator registers remote hosts with Infisical using the Infisical CLI via the infisical ssh add-host command and assigns them to appropriate host groups either using the --host-group flag or by adding them to the host group via UI.
  4. User(s) access the remote hosts using the Infisical CLI via the infisical ssh connect command, with access determined by the login mappings defined at both host and host group levels.

Admin Guide for Configuring Host Groups

In the following steps, we’ll walk through how to create and configure Host Groups in Infisical SSH, and how to add hosts to these groups.

1

Create a host group

1.1. Navigate to your Infisical SSH project and select the Hosts tab.

1.2. Click Add Group in the Host Groups section to create a new group.

Enter a name (e.g., production-servers or tokyo-region) and login mapping(s) for the host group.

A login mapping for a host group applies to all hosts assigned to the group and dictates what user(s) will be allowed access to the remote hosts in that group under specific login user(s); in the allowed principals, you should select user(s) part of the Infisical SSH project that will be allowed to login to the remote host as the login user.

For instance, if you add a mapping to a host group with the login user ec2-user to some users John and Alice in Infisical, then they will be allowed to login to any remote host that is part of the group as ec2-user which is a system user that exists on the remote host(s).

1.3. Click Add to create the host group.

2

Add host(s) to the host group

After creating the host group, you can assign a host to it from inside the host group page in the SSH Hosts section. Generally, this is where you’ll manage the hosts in a group.