Infisical Python SDK
If you’re working with Python, the official infisical-python package is the easiest way to fetch and work with secrets for your application.
Basic Usage
from flask import Flask
from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions, AuthenticationOptions, UniversalAuthMethod
app = Flask(__name__)
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
universal_auth=UniversalAuthMethod(
client_id="CLIENT_ID",
client_secret="CLIENT_SECRET",
)
)
))
@app.route("/")
def hello_world():
# access value
name = client.getSecret(options=GetSecretOptions(
environment="dev",
project_id="PROJECT_ID",
secret_name="NAME"
))
return f"Hello! My name is: {name.secret_value}"
This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named “NAME” and responds to requests with a greeting that includes the secret value.
We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.
Installation
Run pip to add infisical-python to your project
$ pip install infisical-python
Note: You need Python 3.7+.
Configuration
Import the SDK and create a client instance with your Machine Identity.
from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
universal_auth=UniversalAuthMethod(
client_id="CLIENT_ID",
client_secret="CLIENT_SECRET",
)
)
))
Parameters
Authentication
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Universal Auth
Using environment variables
INFISICAL_UNIVERSAL_AUTH_CLIENT_ID- Your machine identity client ID.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET- Your machine identity client secret.
Using the SDK directly
from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, UniversalAuthMethod
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
universal_auth=UniversalAuthMethod(
client_id="CLIENT_ID",
client_secret="CLIENT_SECRET",
)
)
))
GCP ID Token Auth
Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.
Using environment variables
INFISICAL_GCP_AUTH_IDENTITY_ID- Your Infisical Machine Identity ID.
Using the SDK directly
from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIDTokenAuthMethod
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
gcp_id_token=GCPIDTokenAuthMethod(
identity_id="MACHINE_IDENTITY_ID",
)
)
))
GCP IAM Auth
Using environment variables
INFISICAL_GCP_IAM_AUTH_IDENTITY_ID- Your Infisical Machine Identity ID.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH- The path to your GCP service account key file.
Using the SDK directly
from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, GCPIamAuthMethod
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
gcp_iam=GCPIamAuthMethod(
identity_id="MACHINE_IDENTITY_ID",
service_account_key_file_path="./path/to/service_account_key.json"
)
)
))
AWS IAM Auth
Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.
Using environment variables
INFISICAL_AWS_IAM_AUTH_IDENTITY_ID- Your Infisical Machine Identity ID.
Using the SDK directly
from infisical_client import ClientSettings, InfisicalClient, AuthenticationOptions, AWSIamAuthMethod
client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
aws_iam=AWSIamAuthMethod(identity_id="MACHINE_IDENTITY_ID")
)
))
Azure Auth
Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.
Using environment variables
INFISICAL_AZURE_AUTH_IDENTITY_ID- Your Infisical Machine Identity ID.
Using the SDK directly
from infisical_client import InfisicalClient, ClientSettings, AuthenticationOptions, AzureAuthMethod
kubernetes_client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
azure=AzureAuthMethod(
identity_id="YOUR_IDENTITY_ID",
)
)
))
Kubernetes Auth
Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.
Using environment variables
INFISICAL_KUBERNETES_IDENTITY_ID- Your Infisical Machine Identity ID.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME- The environment variable name that contains the path to the service account token. This is optional and will default to/var/run/secrets/kubernetes.io/serviceaccount/token.
Using the SDK directly
from infisical_client import InfisicalClient, ClientSettings, AuthenticationOptions, KubernetesAuthMethod
kubernetes_client = InfisicalClient(ClientSettings(
auth=AuthenticationOptions(
kubernetes=KubernetesAuthMethod(
identity_id="YOUR_IDENTITY_ID",
service_account_token_path="/var/run/secrets/kubernetes.io/serviceaccount/token" # Optional
)
)
))
Caching
To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cache_ttl” option when creating the client.
Working with Secrets
client.listSecrets(options)
client.listSecrets(options=ListSecretsOptions(
environment="dev",
project_id="PROJECT_ID"
))
Retrieve all secrets within the Infisical project and environment that client is connected to
Parameters
client.getSecret(options)
secret = client.getSecret(options=GetSecretOptions(
environment="dev",
project_id="PROJECT_ID",
secret_name="API_KEY"
))
value = secret.secret_value # get its value
By default, getSecret() fetches and returns a shared secret. If not found, it returns a personal secret.
Parameters
client.createSecret(options)
api_key = client.createSecret(options=CreateSecretOptions(
secret_name="API_KEY",
secret_value="Some API Key",
environment="dev",
project_id="PROJECT_ID"
))
Create a new secret in Infisical.
Parameters
client.updateSecret(options)
client.updateSecret(options=UpdateSecretOptions(
secret_name="API_KEY",
secret_value="NEW_VALUE",
environment="dev",
project_id="PROJECT_ID"
))
Update an existing secret in Infisical.
Parameters
client.deleteSecret(options)
client.deleteSecret(options=DeleteSecretOptions(
environment="dev",
project_id="PROJECT_ID",
secret_name="API_KEY"
))
Delete a secret in Infisical.
Parameters
Cryptography
Create a symmetric key
Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.
key = client.createSymmetricKey()
Returns (string)
key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.
Encrypt symmetric
encryptOptions = EncryptSymmetricOptions(
key=key,
plaintext="Infisical is awesome!"
)
encryptedData = client.encryptSymmetric(encryptOptions)
Parameters
Returns (object)
tag (string): A base64-encoded, 128-bit authentication tag. iv (string): A base64-encoded, 96-bit initialization vector. ciphertext (string): A base64-encoded, encrypted ciphertext.
Decrypt symmetric
decryptOptions = DecryptSymmetricOptions(
ciphertext=encryptedData.ciphertext,
iv=encryptedData.iv,
tag=encryptedData.tag,
key=key
)
decryptedString = client.decryptSymmetric(decryptOptions)
Parameters
Returns (string)
plaintext (string): The decrypted plaintext.