If you’re working with Go Lang, the official Infisical Go SDK package is the easiest way to fetch and work with secrets for your application.

Basic Usage

package main

import (
  "fmt"
  "os"
  "context"
  infisical "github.com/infisical/go-sdk"
)

func main() {

	client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
    AutoTokenRefresh: true, // Wether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
	})

	_, err = client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")

	if err != nil {
		fmt.Printf("Authentication failed: %v", err)
		os.Exit(1)
	}

	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
		SecretKey:   "API_KEY",
		Environment: "dev",
		ProjectID:   "YOUR_PROJECT_ID",
		SecretPath:  "/",
	})

	if err != nil {
		fmt.Printf("Error: %v", err)
		os.Exit(1)
	}

	fmt.Printf("API Key Secret: %v", apiKeySecret)

}

This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

$ go get github.com/infisical/go-sdk

Configuration

Import the SDK and create a client instance.

client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://api.infisical.com
	})

Configuration Options

options
object

Automatic token refreshing

The Infisical Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed. This behavior is enabled by default, but you can opt-out by setting AutoTokenRefresh to false in the client settings.

  client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
    AutoTokenRefresh: false, // <- Disable automatic token refreshing
  })

When using automatic token refreshing it’s important to understand how your application uses the Infiiscal client. If you are instantiating new instances of the client often, it’s important to cancel the context when the client is no longer needed to avoid the token refreshing process from running indefinitely.

  ctx, cancel := context.WithCancel(context.Background())
  defer cancel() // Cancel the context when the client is no longer needed

  client := infisical.NewInfisicalClient(ctx, infisical.Config{
    AutoTokenRefresh: true,
  })

  // Use the client

This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle. If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don’t need to worry about this.

Authentication

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.

Universal Auth

Using environment variables

Call .Auth().UniversalAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.

Using the SDK directly

_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

GCP ID Token Auth

Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.

Using environment variables

Call .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

GCP IAM Auth

Using environment variables

Call .Auth().GcpIamAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.

Using the SDK directly

_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

AWS IAM Auth

Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.

Using environment variables

Call .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Azure Auth

Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.

Using environment variables

Call .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Kubernetes Auth

Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.

Using environment variables

Call .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:

  • INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.

Using the SDK directly

// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}

Working With Secrets

List Secrets

client.Secrets().List(options)

Retrieve all secrets within the Infisical project and environment that client is connected to.

secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
  ProjectID:          "PROJECT_ID",
  Environment:        "dev",
  SecretPath:         "/foo/bar",
  AttachToProcessEnv: false,
})

Parameters

Parameters
object

Retrieve Secret

client.Secrets().Retrieve(options)

Retrieve a secret from Infisical. By default Secrets().Retrieve() fetches and returns a shared secret.

secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
  SecretKey:   "API_KEY",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
})

Parameters

Parameters
object

Create Secret

client.Secrets().Create(options)

Create a new secret in Infisical.

secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",

  SecretKey:     "NEW_SECRET_KEY",
  SecretValue:   "NEW_SECRET_VALUE",
  SecretComment: "This is a new secret",
})

Parameters

Parameters
object

Update Secret

client.Secrets().Update(options)

Update an existing secret in Infisical.

secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
  ProjectID:                "PROJECT_ID",
  Environment:              "dev",
  SecretKey:                "NEW_SECRET_KEY",
  NewSecretValue:           "NEW_SECRET_VALUE",
  NewSkipMultilineEncoding: false,
})

Parameters

Parameters
object

Delete Secret

client.Secrets().Delete(options)

Delete a secret in Infisical.

secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  SecretKey:   "SECRET_KEY",
})

Parameters

Parameters
object

Working With folders

List Folders

client.Folders().List(options)

Retrieve all within the Infisical project and environment that client is connected to.

folders, err := client.Folders().List(infisical.ListFoldersOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Create Folder

client.Folders().Create(options)

Create a new folder in Infisical.

folder, err := client.Folders().Create(infisical.CreateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Name:        "new=folder-name",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Update Folder

client.Folders().Update(options)

Update an existing folder in Infisical.

folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
  FolderID:    "FOLDER_ID_TO_UPDATE",
  NewName:     "new-folder-name",
})

Parameters

Parameters
object

Delete Folder

client.Folders().Delete(options)

Delete a folder in Infisical.

deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
  // Either folder ID or folder name is required.
  FolderName:  "name-of-folder-to-delete",
  FolderID:    "folder-id-to-delete",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Was this page helpful?

JavaRuby