This guide demonstrates how to use the Infisical Packer plugin to fetch secret data using a data source. The Packer plugin supports both Infisical Cloud and self-hosted instances of Infisical.

Prerequisites

Before you begin, make sure you have:

  • Packer installed
  • An Infisical account with access to a project
  • Basic understanding of Packer

Project Setup

Configure Provider

First, declare the Infisical plugin in the required_plugins block of your Packer configuration:

packer {
  required_plugins {
    infisical = {
      source  = "github.com/infisical/infisical"
      version = ">=0.0.1"
    }
  }
}

Authentication

Authenticate with a Machine Identity using Universal Auth. The client secret can be left out of the template and supplied through the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable instead, as the comment below notes:

data "infisical-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev" # The environment to list secrets from (e.g. dev, staging, prod)
  project_id  = "00000000-0000-0000-0000-000000000000"
  host        = "https://app.infisical.com" # Optional for cloud, required for self-hosted

  universal_auth {
    client_id = "00000000-0000-0000-0000-000000000000"
    client_secret = "..." # Optional if using INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET env variable
  }
}

Learn more about machine identities.

Using Secrets in Packer

Fetch secrets from Infisical with the infisical-secrets data source:

# Fetch all secrets from a folder
data "infisical-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev"
  project_id  = "00000000-0000-0000-0000-000000000000"

  universal_auth {
    ...
  }
}

locals {
  secrets = data.infisical-secrets.dev-secrets.secrets
}

source "null" "basic-example" {
  communicator = "none"
}

build {
  sources = [
    "source.null.basic-example"
  ]

  provisioner "shell-local" {
    inline = [
      "echo secret_key: ${local.secrets["SECRET_KEY"].secret_value}",
    ]
  }
}

local.secrets is a map from secret key to secret object; a secret's value is read from its secret_value attribute, as in local.secrets["SECRET_KEY"].secret_value above. Note that echoing a value, as that example does, writes it to the Packer build output.
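As an added example (not taken from the Infisical documentation or the plugin's own code), the template below ties the pieces above together for a self-hosted instance while keeping the fetched value out of the build log: the client secret comes from the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable rather than the file, the secret is held in a Packer local marked sensitive so Packer redacts it in its output, and it reaches the provisioner through environment_vars instead of being interpolated into an echo command. The host URL, project id, client id and the secret name DB_PASSWORD are placeholders.

```hcl
packer {
  required_plugins {
    infisical = {
      source  = "github.com/infisical/infisical"
      version = ">=0.0.1"
    }
  }
}

# Placeholder values: replace the self-hosted URL and identifiers with your own.
data "infisical-secrets" "dev-secrets" {
  folder_path = "/"
  env_slug    = "dev"
  project_id  = "00000000-0000-0000-0000-000000000000"
  host        = "https://infisical.example.internal" # self-hosted instance

  universal_auth {
    client_id = "00000000-0000-0000-0000-000000000000"
    # client_secret deliberately omitted: the plugin reads it from the
    # INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable, so the
    # credential is never committed together with the template.
  }
}

# A local marked sensitive is redacted when Packer prints it in build output.
local "db_password" {
  expression = data.infisical-secrets.dev-secrets.secrets["DB_PASSWORD"].secret_value
  sensitive  = true
}

source "null" "basic-example" {
  communicator = "none"
}

build {
  sources = ["source.null.basic-example"]

  provisioner "shell-local" {
    # Hand the value to the script as an environment variable instead of
    # interpolating it into the command line, so it is not part of the
    # logged command.
    environment_vars = ["DB_PASSWORD=${local.db_password}"]
    inline = [
      "test -n \"$DB_PASSWORD\" || { echo 'DB_PASSWORD not set' >&2; exit 1; }",
      "echo 'DB_PASSWORD received (value not printed)'",
    ]
  }
}
```

Run it with the client secret exported in the shell that invokes packer build (for example INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="..." packer build .), so neither the identity credential nor the fetched secret appears in the template or in the build log.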

See also: