Docker Entrypoint

This approach allows you to inject secrets from Infisical directly into your application. This is achieved by installing the Infisical CLI into your docker image and modifying your start command to execute with Infisical.

Add the Infisical CLI to your Dockerfile

RUN apk add --no-cache bash curl && curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
&& apk add infisical

RUN apk add --no-cache bash curl && curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
&& apk add infisical

RUN curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sh \ 
&& yum install -y infisical

RUN apt-get update && apt-get install -y bash curl && curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y infisical

We recommend you to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. View versions

Modify the start command in your Dockerfile

Starting your service with the Infisical CLI pulls your secrets from Infisical and injects them into your service.

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "[your service start command]"]

# example with single single command

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "npm", "run", "start"]

# example with multiple commands

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm run start && ..."]

Generate a machine identity

Generate a machine identity for your project by following the steps in the Machine Identity guide. The machine identity will allow you to authenticate and fetch secrets from Infisical.

Obtain an access token for the machine identity

Obtain an access token for the machine identity by running the following command:

export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --plain --silent)

Please note that the access token has a limited lifespan. The infisical token renew command can be used to renew the token if needed.

Feed the access token to the docker container

The last step is to give the Infisical CLI installed in your Docker container access to the access token. This will allow the CLI to fetch and inject the secrets into your application.

To feed the access token to the container, use the INFISICAL_TOKEN environment variable as shown below.

docker run --env INFISICAL_TOKEN=$INFISICAL_TOKEN [DOCKER-IMAGE]...

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "[your service start command]"]

# example with single single command

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "npm", "run", "start"]

# example with multiple commands

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm run start && ..."]

Generate a machine identity

Generate a machine identity for your project by following the steps in the Machine Identity guide. The machine identity will allow you to authenticate and fetch secrets from Infisical.

Obtain an access token for the machine identity

Obtain an access token for the machine identity by running the following command:

export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --plain --silent)

Please note that the access token has a limited lifespan. The infisical token renew command can be used to renew the token if needed.

Feed the access token to the docker container

The last step is to give the Infisical CLI installed in your Docker container access to the access token. This will allow the CLI to fetch and inject the secrets into your application.

To feed the access token to the container, use the INFISICAL_TOKEN environment variable as shown below.

docker run --env INFISICAL_TOKEN=$INFISICAL_TOKEN [DOCKER-IMAGE]...

Service tokens are being deprecated in favor of machine identities.

They will be removed in the future in accordance with the deprecation notice and timeline stated here.

CMD ["infisical", "run", "--", "[your service start command]"]

# example with single single command
CMD ["infisical", "run", "--", "npm", "run", "start"]

# example with multiple commands
CMD ["infisical", "run", "--command", "npm run start && ..."]

Generate a service token

Head to your project settings in the Infisical dashboard to generate an service token. This service token will allow you to authenticate and fetch secrets from Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI installed in your docker container.

Feed service token to docker container

The last step is to give the Infisical CLI installed in your Docker container access to the service token. This will allow the CLI to fetch and inject the secrets into your application.

To feed the service token to the container, use the INFISICAL_TOKEN environment variable as shown below.

docker run --env INFISICAL_TOKEN=[token] [DOCKER-IMAGE]...

Infrastructure Integrations

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Add the Infisical CLI to your Dockerfile

Modify the start command in your Dockerfile

Infrastructure Integrations

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

​Add the Infisical CLI to your Dockerfile

​

​Modify the start command in your Dockerfile

Add the Infisical CLI to your Dockerfile

Modify the start command in your Dockerfile