Concept

An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).

Each identity must authenticate with the Infisical API using a supported authentication method like Universal Auth, Kubernetes Auth, AWS Auth, Azure Auth, or GCP Auth to get back a short-lived access token to be used in subsequent requests.

Key Features:

  • Role Assignment: Identities must be assigned roles. These roles determine the scope of access to resources, either at the organization level or project level.
  • Auth/Token Configuration: Identities must be configured with corresponding authentication methods and access token properties to securely interact with the Infisical API.

Workflow

A typical workflow for using identities consists of four steps:

  1. Creating the identity with a name and role in Organization Access Control > Machine Identities. This step also involves configuring an authentication method for it.
  2. Adding the identity to the project(s) you want it to have access to.
  3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
  4. Authenticating subsequent requests with the Infisical API using the short-lived access token.

Currently, identities can only be used to make authenticated requests to the Infisical API, SDKs, Terraform, Kubernetes Operator, and Infisical Agent. They do not work with clients such as CLI, Ansible look up plugin, etc.

Machine Identity support for the rest of the clients is planned to be released in the current quarter.

Authentication Methods

To interact with various resources in Infisical, Machine Identities are able to authenticate using:

  • Universal Auth: A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
  • Kubernetes Auth: A Kubernetes-native authentication method for applications (e.g. pods) to authenticate with Infisical.
  • AWS Auth: An AWS-native authentication method for AWS services (e.g. EC2, Lambda functions, etc.) to authenticate with Infisical.
  • Azure Auth: An Azure-native authentication method for Azure resources (e.g. Azure VMs, Azure App Services, Azure Functions, Azure Kubernetes Service, etc.) to authenticate with Infisical.
  • GCP Auth: A GCP-native authentication method for GCP resources (e.g. Compute Engine, App Engine, Cloud Run, Google Kubernetes Engine, IAM service accounts, etc.) to authenticate with Infisical.

FAQ