The Infisical CSI provider allows you to use Infisical with the Secrets Store CSI driver to inject secrets directly into your Kubernetes pods through a volume mount.
In contrast to the Infisical Kubernetes Operator, the Infisical CSI provider will allow you to sync Infisical secrets directly to pods as files, removing the need for Kubernetes secret resources.
tokenRequests[0].audience=infisical: Sets the audience value for service account token authentication (recommended for environments that support custom audiences)
enableSecretRotation=true: Enables automatic secret updates from Infisical
rotationPollInterval=2m: Checks for secret updates every 2 minutes
syncSecret.enabled=true: Enables syncing secrets to Kubernetes secrets
If you do not wish to use the auto-syncing feature of the secrets store CSI
driver, you can omit the enableSecretRotation and the rotationPollInterval
flags. Do note that by default, secrets from Infisical are only fetched and
mounted during pod creation. If there are any changes made to the secrets in
Infisical, they will not propagate to the pods unless auto-syncing is enabled
for the CSI driver.
Installation for Environments Without Custom Audience Support
Some Kubernetes environments (such as AWS EKS) don’t support custom audiences and will reject tokens with non-default audiences. For these environments, use this installation instead:
Environments without custom audience support: Do not set a custom audience
when installing the CSI driver in environments that reject custom audiences.
Instead, use the installation above and set useDefaultAudience: "true" in
your SecretProviderClass configuration.
In order for the Infisical CSI provider to pull secrets from your Infisical project, you will have to configure
a machine identity with Kubernetes authentication configured with your cluster.
You can refer to the documentation for setting it up here.
Important: The “Allowed Audience” field in your machine identity’s
Kubernetes authentication settings must match your CSI driver installation. If
you used the standard installation with tokenRequests[0].audience=infisical,
set the “Allowed Audience” field to infisical. If you used the installation
for environments without custom audience support, leave the “Allowed Audience”
field empty.
With the Secrets Store CSI driver and the Infisical CSI provider installed, create a Kubernetes SecretProviderClass resource to establish
the connection between the CSI driver and the Infisical CSI provider for secret retrieval. You can create as many Secret Provider Classes as needed for your cluster.
Key difference: The only change from the standard configuration is the
addition of useDefaultAudience: "true". This parameter tells the CSI
provider to use the default Kubernetes audience instead of a custom
“infisical” audience, which is required for environments that reject custom
audiences.
The SecretProviderClass should be provisioned in the same namespace as the pod
you intend to mount secrets to.
The base URL of your Infisical instance. If you’re using Infisical Cloud US,
this should be set to https://app.infisical.com. If you’re using Infisical
Cloud EU, then this should be set to https://eu.infisical.com.
caCertificate
The CA certificate of the Infisical instance in order to establish SSL/TLS
when the instance uses a private or self-signed certificate. Unless necessary,
this should be omitted.
authMethod
The auth method to use for authenticating the Infisical CSI provider with
Infisical. For now, the only supported method is kubernetes.
identityId
The ID of the machine identity to use for authenticating the Infisical CSI
provider with your Infisical organization. This should be the machine identity
configured with Kubernetes authentication.
projectId
The project ID of the Infisical project to pull secrets from.
envSlug
The slug of the project environment to pull secrets from.
secrets
An array that defines which secrets to retrieve and how to mount them. Each
entry requires three properties: secretPath and secretKey work together to
identify the source secret to fetch, while fileName specifies the path where
the secret’s value will be mounted within the pod’s filesystem.
audience
The custom audience value configured for the CSI driver. This defaults to
infisical.
useDefaultAudience
When set to "true", the Infisical CSI provider will use the default
Kubernetes audience instead of a custom audience. This is required for
environments that don’t support custom audiences (such as AWS EKS), which
reject tokens with non-default audiences. When using this option, do not set a
custom audience in the CSI driver installation. This defaults to false.
When enabled, the CSI provider will dynamically create service account
tokens on-demand using the default Kubernetes audience, rather than using
pre-existing tokens from the CSI driver.
To troubleshoot issues with the Infisical CSI provider, refer to the logs of the Infisical CSI provider running on the same node as your pod.
Copy
Ask AI
kubectl logs infisical-csi-provider-7x44t
You can also refer to the logs of the secrets store CSI driver. Modify the command below with the appropriate pod and namespace of your secrets store CSI driver installation.
Mismatch in the audience value of the CSI driver with the machine identity’s Kubernetes auth configuration
SecretProviderClass in the wrong namespace
Invalid machine identity configuration
Incorrect secret paths or keys
Issues in environments without custom audience support:
Token authentication failed with custom audience: If you’re seeing authentication errors in environments that don’t support custom audiences (such as AWS EKS), ensure you’re using the installation without custom audience and have set useDefaultAudience: "true" in your SecretProviderClass
Audience not allowed errors: Make sure the “Allowed Audience” field is left empty in your machine identity’s Kubernetes authentication configuration when using environments that don’t support custom audiences
Is it possible to sync Infisical secrets as environment variables?
Yes, but it requires an indirect approach:
First enable syncing to Kubernetes secrets by setting syncSecret.enabled=true in the CSI driver installation
Configure the Secret Provider Class to sync specific secrets to Kubernetes secrets
Use the resulting Kubernetes secrets in your pod’s environment variables
This means secrets are first synced to Kubernetes secrets before they can be used as environment variables. You can find detailed examples in the Secrets Store CSI driver documentation.
Do I have to list out every Infisical single secret that I want to sync?
Yes, you will need to explicitly list each secret you want to sync in the
Secret Provider Class configuration. This is a common requirement across all
CSI providers as the Secrets Store CSI Driver architecture requires specific
mapping of secrets to their mounted file locations.