If you’re working with Go Lang, the official Infisical Go SDK package is the easiest way to fetch and work with secrets for your application.

Basic Usage

package main

import (
  "fmt"
  "os"
  "context"
  infisical "github.com/infisical/go-sdk"
)

func main() {

	client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
    AutoTokenRefresh: true, // Wether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
	})

	_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")

	if err != nil {
		fmt.Printf("Authentication failed: %v", err)
		os.Exit(1)
	}

	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
		SecretKey:   "API_KEY",
		Environment: "dev",
		ProjectID:   "YOUR_PROJECT_ID",
		SecretPath:  "/",
	})

	if err != nil {
		fmt.Printf("Error: %v", err)
		os.Exit(1)
	}

	fmt.Printf("API Key Secret: %v", apiKeySecret)

}

This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

$ go get github.com/infisical/go-sdk

Configuration

Import the SDK and create a client instance.

client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://api.infisical.com
	})

Configuration Options

options

object

Show properties

SiteUrl

string

default:"https://app.infisical.com"

The URL of the Infisical API..

UserAgent

string

Optionally set the user agent that will be used for HTTP requests. (Not recommended)

AutoTokenRefresh

boolean

default:true

Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.

SilentMode

boolean

default:false

Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.

CacheExpiryInSeconds

number

default:0

Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.

CustomHeaders

map[string]string

Allows you to pass custom headers to the HTTP requests made by the SDK. Expected format is a map of Header1: Value1, Header2: Value 2.

Automatic token refreshing

The Infisical Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed. This behavior is enabled by default, but you can opt-out by setting AutoTokenRefresh to false in the client settings.

  client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
    AutoTokenRefresh: false, // <- Disable automatic token refreshing
  })

When using automatic token refreshing it’s important to understand how your application uses the Infiiscal client. If you are instantiating new instances of the client often, it’s important to cancel the context when the client is no longer needed to avoid the token refreshing process from running indefinitely.

  ctx, cancel := context.WithCancel(context.Background())
  defer cancel() // Cancel the context when the client is no longer needed

  client := infisical.NewInfisicalClient(ctx, infisical.Config{
    AutoTokenRefresh: true,
  })

  // Use the client

This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle. If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don’t need to worry about this.

Authentication

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.

Universal Auth

Using environment variables

Call .Auth().UniversalAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.

Using the SDK directly

_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

GCP ID Token Auth

Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.

Using environment variables

Call .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

GCP IAM Auth

Using environment variables

Call .Auth().GcpIamAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.

Using the SDK directly

_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

AWS IAM Auth

Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.

Using environment variables

Call .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Azure Auth

Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.

Using environment variables

Call .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Kubernetes Auth

Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.

Using environment variables

Call .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:

INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.

Using the SDK directly

// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Secrets

List Secrets

client.Secrets().List(options)

Retrieve all secrets within the Infisical project and environment that client is connected to.

secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
  ProjectID:          "PROJECT_ID",
  Environment:        "dev",
  SecretPath:         "/foo/bar",
  AttachToProcessEnv: false,
})

Parameters

object

Show properties

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

ProjectID

string

The project ID where the secret lives in.

SecretPath

string

The path from where secrets should be fetched from.

AttachToProcessEnv

boolean

default:"false"

Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so System.getenv("SECRET_NAME").

IncludeImports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

Recursive

boolean

default:"false"

Whether or not to fetch secrets recursively from the specified path. Please note that there’s a 20-depth limit for recursive fetching.

ExpandSecretReferences

boolean

default:"true"

Whether or not to expand secret references in the fetched secrets. Read about secret reference

Retrieve Secret

client.Secrets().Retrieve(options)

Retrieve a secret from Infisical. By default Secrets().Retrieve() fetches and returns a shared secret.

secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
  SecretKey:   "API_KEY",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
})

Parameters

object

Show properties

SecretKey

string

required

The key of the secret to retrieve.

ProjectID

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

SecretPath

string

The path from where secret should be fetched from.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Version

number

The version of the secret to retrieve.

Create Secret

client.Secrets().Create(options)

Create a new secret in Infisical.

secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",

  SecretKey:     "NEW_SECRET_KEY",
  SecretValue:   "NEW_SECRET_VALUE",
  SecretComment: "This is a new secret",
})

Parameters

object

Show properties

SecretKey

string

required

The key of the secret to create.

SecretValue

string

required

The value of the secret.

SecretComment

string

A comment for the secret.

ProjectID

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

SecretPath

string

The path from where secret should be created.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Update Secret

client.Secrets().Update(options)

Update an existing secret in Infisical.

secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
  ProjectID:                "PROJECT_ID",
  Environment:              "dev",
  SecretKey:                "NEW_SECRET_KEY",
  NewSecretValue:           "NEW_SECRET_VALUE",
  NewSkipMultilineEncoding: false,
})

Parameters

object

Show properties

SecretKey

string

required

The key of the secret to update.

NewSecretValue

string

required

The new value of the secret.

NewSkipMultilineEncoding

boolean

default:"false"

Whether or not to skip multiline encoding for the new secret value.

ProjectID

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

SecretPath

string

The path from where secret should be updated.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Delete Secret

client.Secrets().Delete(options)

Delete a secret in Infisical.

secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  SecretKey:   "SECRET_KEY",
})

Parameters

object

Show properties

SecretKey

string

The key of the secret to update.

ProjectID

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

SecretPath

string

The path from where secret should be deleted.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Batch Create Secrets

client.Secrets().Batch().Create(options)

Create multiple secrets in Infisical.

	createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
		Environment: "<environment-slug>",
		SecretPath:  "<secret-path>",
		ProjectID:   "<project-id>",
		Secrets: []infisical.BatchCreateSecret{
			{
				SecretKey:   "SECRET-1",
				SecretValue: "test-value-1",
			},
			{
				SecretKey:   "SECRET-2",
				SecretValue: "test-value-2",
			},
		},
	})

Parameters

object

Show properties

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

ProjectID

string

required

The project ID where the secret lives in.

SecretPath

string

The path from where secret should be created.

Secrets

array

required

Show child attributes

SecretKey

string

required

The key of the secret to create.

SecretValue

string

required

The value of the secret.

SecretComment

string

The comment to add to the secret.

SkipMultiLineEncoding

boolean

Whether or not to skip multiline encoding for the secret value.

TagIDs

string[]

The tag IDs to associate with the secret.

SecretMetadata

object

Show child attributes

Key

string

required

The key of the metadata.

Value

string

required

The value of the metadata.

Folders

List Folders

client.Folders().List(options)

Retrieve all within the Infisical project and environment that client is connected to.

folders, err := client.Folders().List(infisical.ListFoldersOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

object

Show properties

Environment

string

required

The slug name (dev, prod, etc) of the environment from where folders should be fetched from.

ProjectID

string

The project ID where the folder lives in.

Path

string

The path from where folders should be fetched from.

Create Folder

client.Folders().Create(options)

Create a new folder in Infisical.

folder, err := client.Folders().Create(infisical.CreateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Name:        "new=folder-name",
  Environment: "dev",
  Path:        "/",
})

Parameters

object

Show properties

ProjectID

string

required

The ID of the project where the folder will be created.

Environment

string

required

The slug name (dev, prod, etc) of the environment where the folder will be created.

Path

string

The path to create the folder in. The root path is /.

Name

string

The name of the folder to create.

Update Folder

client.Folders().Update(options)

Update an existing folder in Infisical.

folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
  FolderID:    "FOLDER_ID_TO_UPDATE",
  NewName:     "new-folder-name",
})

Parameters

object

Show properties

ProjectID

string

required

The ID of the project where the folder will be updated.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where the folder lives in.

Path

string

The path from where the folder should be updated.

FolderID

string

required

The ID of the folder to update.

NewName

string

required

The new name of the folder.

Delete Folder

client.Folders().Delete(options)

Delete a folder in Infisical.

deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
  // Either folder ID or folder name is required.
  FolderName:  "name-of-folder-to-delete",
  FolderID:    "folder-id-to-delete",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

object

Show properties

FolderName

string

The name of the folder to delete. Note that either FolderName or FolderID is required.

FolderID

string

The ID of the folder to delete. Note that either FolderName or FolderID is required.

ProjectID

string

required

The ID of the project where the folder lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where the folder lives in.

Path

string

The path from where the folder should be deleted.

KMS

Create Key

client.Kms().Keys().Create(options)

Create a new key in Infisical.

	newKey, err := client.Kms().Keys().Create(infisical.KmsCreateKeyOptions{
		KeyUsage:            "<sign-verify>|<encrypt-decrypt>",
		Description:         "<key-description>",
		Name:                "<key-name>",
		EncryptionAlgorithm: "<rsa-4096>|<ecc-nist-p256>|<aes-256-gcm>|<aes-128-gcm>",
		ProjectId:           "<project-id>",
	})

Parameters

object

Show properties

KeyUsage

string

required

The usage of the key. Valid options are sign-verify or encrypt-decrypt. The usage dictates what the key can be used for.

Description

string

The description of the key.

Name

string

required

The name of the key.

EncryptionAlgorithm

string

required

The encryption algorithm of the key.

Valid options for Signing/Verifying keys are:

rsa-4096
ecc-nist-p256

Valid options for Encryption/Decryption keys are:

aes-256-gcm
aes-128-gcm

ProjectId

string

required

The ID of the project where the key will be created.

Return (object)

Return

object

Show properties

KeyId

string

required

The ID of the key that was created.

Name

string

required

The name of the key that was created.

Description

string

required

The description of the key that was created.

IsDisabled

boolean

required

Whether or not the key is disabled.

OrgId

string

required

The ID of the organization that the key belongs to.

ProjectId

string

required

The ID of the project that the key belongs to.

KeyUsage

string

required

The intended usage of the key that was created.

EncryptionAlgorithm

string

required

The encryption algorithm of the key that was created.

Version

string

required

The version of the key that was created.

Delete Key

client.Kms().Keys().Delete(options)

Delete a key in Infisical.

deletedKey, err = client.Kms().Keys().Delete(infisical.KmsDeleteKeyOptions{
		KeyId: "<key-id>",
	})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to delete.

Return (object)

Return

object

Show properties

KeyId

string

required

The ID of the key that was deleted

Name

string

required

The name of the key that was deleted.

Description

string

required

The description of the key that was deleted.

IsDisabled

boolean

required

Whether or not the key is disabled.

OrgId

string

required

The ID of the organization that the key belonged to.

ProjectId

string

required

The ID of the project that the key belonged to.

KeyUsage

string

required

The intended usage of the key that was deleted.

EncryptionAlgorithm

string

required

The encryption algorithm of the key that was deleted.

Version

string

required

The version of the key that was deleted.

Signing Data

client.Kms().Signing().Sign(options) Sign data in Infisical.

res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
  KeyId:            "<key-id>",
  Data:             "<data-to-sign>", // Must be a base64 encoded string.
  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to sign the data with.

Data

string

required

The data to sign. Must be a base64 encoded string.

IsDigest

boolean

Whether the data is already digested or not.

SigningAlgorithm

string

required

The signing algorithm to use. You must use a signing algorithm that matches the key usage.

If you are unsure about which signing algorithms are available for your key, you can use the client.Kms().Signing().ListSigningAlgorithms() method. It will return an array of signing algorithms that are available for your key.

Valid options for RSA 4096 keys are:

RSASSA_PSS_SHA_512
RSASSA_PSS_SHA_384
RSASSA_PSS_SHA_256
RSASSA_PKCS1_V1_5_SHA_512
RSASSA_PKCS1_V1_5_SHA_384
RSASSA_PKCS1_V1_5_SHA_256

Valid options for ECC NIST P256 keys are:

ECDSA_SHA_512
ECDSA_SHA_384
ECDSA_SHA_256

Return ([]byte)

Return

[]byte

The signature of the data that was signed.

Verifying Data

client.Kms().Signing().Verify(options) Verify data in Infisical.

res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
  KeyId:            "<key-id>",
  Data:             "<data-to-verify>", // Must be a base64 encoded string.
  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to verify the data with.

Data

string

required

The data to verify. Must be a base64 encoded string.

IsDigest

boolean

Whether the data is already digested or not.

SigningAlgorithm

string

required

The signing algorithm that was used to sign the data.

Return (object)

Return

object

Show properties

SignatureValid

boolean

required

Whether or not the data is valid.

KeyId

string

required

The ID of the key that was used to verify the data.

SigningAlgorithm

string

required

The signing algorithm that was used to verify the data.

List Signing Algorithms

client.Kms().Signing().ListSigningAlgorithms(options) List signing algorithms in Infisical.

res, err := client.Kms().Signing().ListSigningAlgorithms(infisical.KmsListSigningAlgorithmsOptions{
  KeyId: "<key-id>",
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to list signing algorithms for.

Return ([]string)

Return

[]string

The signing algorithms that are available for the key.

Get Public Key

This method is only available for keys with key usage sign-verify. If you attempt to use this method on a key that is intended for encryption/decryption, it will return an error.

client.Kms().Signing().GetPublicKey(options) Get the public key in Infisical.

publicKey, err := client.Kms().Signing().GetPublicKey(infisical.KmsGetPublicKeyOptions{
  KeyId: "<key-id>",
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to get the public key for.

Return (string)

Return

string

The public key for the key.

Encrypt Data

client.Kms().Encryption().Encrypt(options) Encrypt data with a key in Infisical KMS.

res, err := client.Kms().EncryptData(infisical.KmsEncryptDataOptions{
  KeyId: "<key-id>",
  Plaintext: "<data-to-encrypt>",
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to encrypt the data with.

Return (string)

Return

string

The encrypted data.

Decrypt Data

client.Kms().DecryptData(options) Decrypt data with a key in Infisical KMS.

res, err := client.Kms().DecryptData(infisical.KmsDecryptDataOptions{
  KeyId: "<key-id>",
  Ciphertext: "<encrypted-data>",
})

Parameters

object

Show properties

KeyId

string

required

The ID of the key to decrypt the data with.

Ciphertext

string

required

The encrypted data to decrypt.

Return (string)

Return

string

The decrypted data.

Overview

SDK's

​Basic Usage

​Installation

​Configuration

​Configuration Options

​Automatic token refreshing

​Authentication

​Universal Auth

​GCP ID Token Auth

​GCP IAM Auth

​AWS IAM Auth

​Azure Auth

​Kubernetes Auth

​Secrets

​List Secrets

​Parameters

​Retrieve Secret

​Parameters

​Create Secret

​Parameters

​Update Secret

​Parameters

​Delete Secret

​Parameters

​Batch Create Secrets

​Parameters

​Folders

​List Folders

​Parameters

​Create Folder

​Parameters

​Update Folder

​Parameters

​Delete Folder

​Parameters

​KMS

​Create Key

​Parameters

​Return (object)

​Delete Key

​Parameters

​Return (object)

​Signing Data

​Parameters

​Return ([]byte)

​Verifying Data

​Parameters

​Return (object)

​List Signing Algorithms

​Parameters

​Return ([]string)

​Get Public Key

​Parameters

​Return (string)

​Encrypt Data

​Parameters

​Return (string)

​Decrypt Data

​Parameters

​Return (string)

Basic Usage

Installation

Configuration

Configuration Options

Automatic token refreshing

Authentication

Universal Auth

GCP ID Token Auth

GCP IAM Auth

AWS IAM Auth

Azure Auth

Kubernetes Auth

Secrets

List Secrets

Parameters

Retrieve Secret

Parameters

Create Secret

Parameters

Update Secret

Parameters

Delete Secret

Parameters

Batch Create Secrets

Parameters

Folders

List Folders

Parameters

Create Folder

Parameters

Update Folder

Parameters

Delete Folder

Parameters

KMS

Create Key

Parameters

Return (object)

Delete Key

Parameters

Return (object)

Signing Data

Parameters

Return ([]byte)

Verifying Data

Parameters

Return (object)

List Signing Algorithms

Parameters

Return ([]string)

Get Public Key

Parameters

Return (string)

Encrypt Data

Parameters

Return (string)

Decrypt Data

Parameters

Return (string)