Programmatic Provisioning
Learn how to provision and configure Infisical instances programmatically without UI interaction
Infisical’s Automated Bootstrapping feature enables you to provision and configure an Infisical instance without using the UI, allowing for complete automation through static configuration files, API calls, or CLI commands. This is especially valuable for enterprise environments where automated deployment and infrastructure-as-code practices are essential.
The bootstrapping workflow automates creating an admin user account, initializing an organization for the entire instance, establishing an instance admin machine identity with full administrative permissions, and returning the machine identity credentials for further automation.
Prerequisites
- An Infisical instance launched with all required configuration variables
- Access to the Infisical CLI or the ability to make API calls to the instance
- Network connectivity to the Infisical instance
Key Concepts
- Instance Initialization: Infisical requires configuration variables to be set during launch, after which the bootstrap process can be triggered.
- Instance Admin Machine Identity: The bootstrapping process creates a machine identity with instance-level admin privileges, which can be used to programmatically manage all aspects of the Infisical instance.
- Token Auth: The instance admin machine identity uses Token Auth, providing a JWT token that can be used directly to make authenticated requests to the Infisical API.
Bootstrap Methods
You can bootstrap an Infisical instance using the API, CLI, or Helm chart.
Make a POST request to the bootstrap endpoint:
Example using curl:
API Response Structure
The bootstrap process returns a JSON response with details about the created user, organization, and machine identity:
Make a POST request to the bootstrap endpoint:
Example using curl:
API Response Structure
The bootstrap process returns a JSON response with details about the created user, organization, and machine identity:
Use the Infisical CLI to bootstrap the instance and extract the token for immediate use in automation:
This example command pipes the output through jq to extract only the machine identity token, making it easy to capture and use directly in automation scripts or export as an environment variable for tools like Terraform.
API Response Structure
The bootstrap process returns a JSON response with details about the created user, organization, and machine identity:
When deploying Infisical using the official Helm chart, you can enable automatic bootstrapping that runs as part of the deployment process. This eliminates the need to manually bootstrap the instance after deployment.
The bootstrapping process automatically generates a Kubernetes secret containing the instance admin token, which can then be referenced by Crossplane providers, Terraform operators, or other automation systems for further infrastructure provisioning and configuration.
Configuration
Enable auto bootstrapping in your Helm values by setting autoBootstrap.enabled: true and providing the necessary configuration:
You’ll also need to create a secret containing the bootstrap credentials before deployment. The secret must contain INFISICAL_ADMIN_EMAIL and INFISICAL_ADMIN_PASSWORD keys:
How It Works
The Helm chart auto bootstrap feature:
- Post-Install Hook: Runs automatically after the main Infisical deployment is complete
- Readiness Check: Uses an init container with curl to wait for Infisical to be ready by polling the
/api/statusendpoint - Bootstrap Execution: Uses the Infisical CLI to bootstrap the instance
- Kubernetes Secret Creation: Creates a Kubernetes secret directly via the Kubernetes API using the rendered template
- RBAC: Automatically configures the necessary permissions (
get,create,updateon secrets) for the bootstrap job
Template System
The secretTemplate field allows you to customize the data section of the created Kubernetes secret. The template has access to the full bootstrap response with the following available data fields:
{{ .Identity.Credentials.Token }}: The admin machine identity token{{ .Identity.ID }}: The identity ID{{ .Identity.Name }}: The identity name{{ .Organization.ID }}: The organization ID{{ .Organization.Name }}: The organization name{{ .Organization.Slug }}: The organization slug{{ .User.Email }}: The admin user email{{ .User.ID }}: The admin user ID{{ .User.FirstName }}: The admin user first name{{ .User.LastName }}: The admin user last name
The template also supports the encodeBase64 function for base64 encoding values.
Example template for storing multiple values:
Benefits
- Zero-Touch Deployment: Complete Infisical setup without manual intervention
- Infrastructure as Code: Bootstrap configuration is versioned with your Helm values
- Secure Token Storage: Admin identity credentials are immediately stored in Kubernetes secrets
- Integration Ready: The created secret can be referenced by other applications or automation tools
Security Considerations
- The bootstrap job requires permissions to create secrets in the specified namespace
- Bootstrap credentials should be stored securely and rotated regularly
- The generated admin token has full instance privileges and should be protected accordingly
- Consider using Kubernetes RBAC to restrict access to the generated secret
Using the Instance Admin Machine Identity Token
The bootstrap process automatically creates a machine identity with Token Auth configured. The returned token has instance-level admin privileges (the highest level of access) and should be treated with the same security considerations as a root credential.
The token enables full programmatic control of your Infisical instance and can be used in the following ways:
1. Infrastructure Automation
Store the token securely for use with infrastructure automation tools. Due to the sensitive nature of this token, ensure it’s protected using appropriate secret management practices:
Kubernetes Secret (with appropriate RBAC restrictions)
Environment Variable for Terraform
2. Programmatic Resource Management
Use the token to authenticate API calls for creating and managing Infisical resources. The token works exactly like any other Token Auth access token in the Infisical API:
Important Notes
- Security Warning: The instance admin machine identity has the highest level of privileges in your Infisical deployment. The token should be treated with the utmost security and handled like a root credential. Unauthorized access to this token could compromise your entire Infisical instance.
- Security controls prevent privilege escalation: instance admin identities cannot be managed by non-instance admin users and identities
- The instance admin permission of the generated identity can be revoked later in the server admin panel if needed
- The generated admin user account can still be used for UI access if needed, or can be removed if you prefer to manage everything through the machine identity
- This process is designed to work with future Crossplane providers and the existing Terraform provider for full infrastructure-as-code capabilities
- All necessary configuration variables should be set during the initial launch of the Infisical instance