Install Infisical CLI
Official documentation: https://infisical.com/docs/integrations/platforms/infisical-agent
Debian/Ubuntu
Add Infisical repository
curl -1sLf \
'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
Install CLI
sudo apt-get update && sudo apt-get install -y infisical
Quick start Infisical Agent
Create Infisical dir and files
mkdir -p /opt/infisical
touch /opt/infisical/token
touch /opt/infisical/.clientid
touch /opt/infisical/.clientsecret
- Insert the machine client id in /opt/infisical/.clientid
- Insert the client secret in /opt/infisical/.clientsecret
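Create config file
Save the following as /opt/infisical/config.yaml, the path passed to the agent in the final step. The credential and token paths are absolute so that they resolve to the files created above regardless of the directory the agent is started from.
infisical:
  address: "https://secrets.example.com"
auth:
  type: "universal-auth"
  config:
    client-id: "/opt/infisical/.clientid"
    client-secret: "/opt/infisical/.clientsecret"
    remove_client_secret_on_read: false
sinks:
  - type: "file"
    config:
      path: "/opt/infisical/token"
templates:
  - source-path: my-dot-ev-secret-template
    destination-path: /some/path/.env
    config:
      polling-interval: 60s
Create template file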
The template file defines what the output file will look like. The following example creates a .env-style file with key=value pairs.
The name you give this file must match templates.source-path in the config file. The generated file is written to templates.destination-path.
Retrieve all secrets in a project in the production environment
{{- with listSecrets "[secret UUID]" "[environment slug]" "[path]" }}
{{- range . }}
{{ .Key }}={{ .Value }}
{{- end }}
{{- end }}
- [secret UUID] = the UUID of the project that holds the secret (the Project ID). This can be obtained from the URL bar of the project or through the GUI in the Project Settings of the project under Project Overview. Click the “Copy Project ID” button.
- [environment slug] = The environment slug to use. This can be found in the Project Settings under Environments.
- [path] = The path of the secret. If you do not have any folders in the project, the path would be /. If you have secrets in folders, then the path would be /folder/.
Example: This will list all secrets in the base folder of the production environment for the project.
{{ with listSecrets "d821f21d-aa90-453b-8448-8c78c1160a0e" "prod" "/" -}}
{{ range . -}}
{{ .Key }}={{ .Value }}
{{ end -}}
{{ end -}}
Retrieve a single secret in a project in the production environment
{{ with getSecretByName "[secret UUID]" "[environment slug]" "[path]" "[SECRET_NAME]" -}}
{{ if .Value -}}
password = "{{ .Value }}"
{{ end -}}
{{ end -}}
- [secret UUID] = the UUID of the project that holds the secret (the Project ID). This can be obtained from the URL bar of the project or through the GUI in the Project Settings of the project under Project Overview. Click the “Copy Project ID” button.
- [environment slug] = The environment slug to use. This can be found in the Project Settings under Environments.
- [path] = The path of the secret. If you do not have any folders in the project, the path would be /. If you have secrets in folders, then the path would be /folder/.
- [SECRET_NAME] = The name of the secret.
Example:
This will obtain the secret POSTHOG_HOST in the base folder of the production environment for the project.
{{ with getSecretByName "d821f21d-aa90-453b-8448-8c78c1160a0e" "prod" "/" "SECRET" -}}
{{ if .Value -}}
password = "{{ .Value }}"
{{ end -}}
{{ end -}}
If you need to grab multiple secrets, you can just repeat the above code and change the necessary info:
{{ with getSecretByName "d821f21d-aa90-453b-8448-8c78c1160a0e" "prod" "/" "SECRET" -}}
{{ if .Value -}}
password = "{{ .Value }}"
{{ end -}}
{{ end -}}
{{ with getSecretByName "d821f21d-aa90-453b-8448-8c78c1160a0e" "prod" "/" "ANOTHER_SECRET" -}}
{{ if .Value -}}
password = "{{ .Value }}"
{{ end -}}
{{ end -}}
Run the CLI to generate files
infisical agent --config /opt/infisical/config.yaml
This will run the agent and generate the files. After the files have been created, press CTRL+C to close the agent. You could create a service so that the files would be updated automatically.
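The touch commands in "Create Infisical dir and files" create the credential files with whatever the default umask allows, and the agent then writes an access token and rendered secrets to disk. The following is an added example, not from the original page or from Infisical: it creates those files owner-only and audits them, plus any rendered output files passed as extra arguments. The function names are hypothetical, and it assumes GNU stat as found on Debian/Ubuntu.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page. Function names are
# hypothetical; paths default to the /opt/infisical layout used above.

# Create the directory and empty credential files as owner-only.
# Existing files are kept (not truncated) and only have their mode tightened.
infisical_init_dir() {
    local dir="${1:-/opt/infisical}"
    (
        umask 077                      # subshell: caller's umask is untouched
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        for f in token .clientid .clientsecret; do
            [ -e "$dir/$f" ] || : > "$dir/$f"
            chmod 600 "$dir/$f" || exit 1
        done
    )
}

# Report every secret-bearing file that group or other can access.
# Usage: infisical_audit_perms [dir] [extra files, e.g. the rendered .env]
# Returns 0 when every existing file is owner-only, 1 otherwise.
infisical_audit_perms() {
    local dir="${1:-/opt/infisical}" rc=0 f mode
    if [ $# -gt 0 ]; then shift; fi
    for f in "$dir/token" "$dir/.clientid" "$dir/.clientsecret" "$@"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")      # octal mode, e.g. 600 or 644
        case "$mode" in
            *00|0) ;;                  # group and other digits are both 0
            *) echo "too permissive ($mode): $f"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

After the agent has generated its files, call infisical_audit_perms /opt/infisical followed by each templates.destination-path from the config file.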