
infisical network gateway --token=<token>

Description

Network-related commands for Infisical that provide secure access to private resources:
  • Gateway: Lightweight agent deployed within your VPCs to provide access to private resources
  • Proxy: Identity-aware relay infrastructure that routes encrypted traffic (can be instance-wide or organization-specific)
The gateway system uses SSH reverse tunnels over TCP, eliminating firewall complexity and providing excellent performance for enterprise environments.

Subcommands & flags

infisical network gateway

Run the Infisical gateway component within your VPC. The gateway establishes an SSH reverse tunnel to the specified proxy server and provides secure access to private resources.
infisical network gateway --proxy-name=<proxy-name> --name=<name> --auth-method=<auth-method>
The gateway component:
  • Establishes outbound SSH reverse tunnels to proxy servers (no inbound firewall rules needed)
  • Authenticates using SSH certificates issued by Infisical
  • Automatically reconnects if the connection is lost
  • Provides access to private resources within your network

Authentication

The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
  infisical network gateway --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret> --proxy-name=<proxy-name> --name=<name>
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
  infisical network gateway --auth-method=kubernetes --machine-identity-id=<machine-identity-id> --proxy-name=<proxy-name> --name=<name>
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
  infisical network gateway --auth-method=azure --machine-identity-id=<machine-identity-id> --proxy-name=<proxy-name> --name=<name>
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
  infisical network gateway --auth-method=gcp-id-token --machine-identity-id=<machine-identity-id> --proxy-name=<proxy-name> --name=<name>
The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
Flags
  infisical network gateway --auth-method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path> --proxy-name=<proxy-name> --name=<name>
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
  infisical network gateway --auth-method=aws-iam --machine-identity-id=<machine-identity-id> --proxy-name=<proxy-name> --name=<name>
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
Flags
  infisical network gateway --auth-method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt> --proxy-name=<proxy-name> --name=<name>
The JWT Auth method is used to authenticate with Infisical via a JWT token.
Flags
  infisical network gateway --auth-method=jwt-auth --jwt=<jwt> --machine-identity-id=<machine-identity-id> --proxy-name=<proxy-name> --name=<name>
You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.
Flags
  infisical network gateway --token=<token> --proxy-name=<proxy-name> --name=<name>

Other Flags

--proxy-name
The name of the proxy that this gateway should connect to. The proxy must be running and registered before starting the gateway.
# Example
infisical network gateway --proxy-name=my-proxy --name=my-gateway --token=<token>
Note: If using organization proxies or self-hosted instance proxies, you must first start a proxy server using infisical network proxy before connecting gateways to it. For Infisical Cloud users using instance proxies, the proxy infrastructure is already running and managed by Infisical.
--name
The name of the gateway instance.
# Example
infisical network gateway --name=my-gateway --proxy-name=my-proxy --token=<token>
--domain
Domain of your self-hosted Infisical instance.
# Example
infisical network gateway --domain=https://app.your-domain.com --proxy-name=<proxy-name> --name=<name>
infisical network gateway install

Install and enable the gateway as a systemd service. This command must be run with sudo on Linux.
sudo infisical network gateway install --token=<token> --domain=<domain> --name=<name> --proxy-name=<proxy-name>

Requirements

  • Must be run on Linux
  • Must be run with root/sudo privileges
  • Requires systemd

Flags

--token
The machine identity access token to authenticate with Infisical.
# Example
sudo infisical network gateway install --token=<token> --name=<name> --proxy-name=<proxy-name>
You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the install command.
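A token passed as a --token argument is visible to every local user in process listings and is recorded in shell history, which is why the docs point to the INFISICAL_TOKEN environment variable instead. The shell script below is an added example, not part of the Infisical documentation or CLI: it loads the token from a permission-checked file into INFISICAL_TOKEN before running the install subcommand. The token file path /etc/infisical/gateway.token is a hypothetical location, and the domain, gateway name and proxy name are placeholder arguments; the same loader also serves the INFISICAL_PROXY_AUTH_SECRET variable that instance proxies read.

```shell
#!/bin/sh
# Added example (not from the Infisical docs or CLI): load a machine identity
# token from a permission-checked file into INFISICAL_TOKEN so the token is
# never passed as a --token argument. The same function works for the
# INFISICAL_PROXY_AUTH_SECRET variable used by instance proxies.

# Return 0 if FILE is a regular file (not a symlink) with no group/other
# permission bits, i.e. mode 0600 or stricter; return 1 otherwise.
secret_file_is_private() {
    f="$1"
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    # Columns 2-10 of `ls -ld` are the nine rwx bits; portable across GNU/BSD.
    perms=$(ls -ld "$f" | cut -c2-10)
    case "$perms" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Export VAR with the first line of FILE as its value. Fails closed when the
# file is missing, readable by group/other, or empty.
load_secret_from_file() {
    var="$1"; f="$2"
    secret_file_is_private "$f" || {
        echo "refusing to load $var: $f must be a regular file with mode 0600" >&2
        return 1
    }
    val=$(head -n 1 "$f" | tr -d '\r\n')
    [ -n "$val" ] || { echo "refusing to load $var: $f is empty" >&2; return 1; }
    export "$var=$val"
}

# Install the gateway service with the token taken from the environment.
# Must run as root, because the token file is root-only and the install
# subcommand itself needs root. TOKEN_FILE and the default path are
# hypothetical; --domain, --name and --proxy-name come from the arguments.
run_gateway_install() {
    # $1 = domain, $2 = gateway name, $3 = proxy name
    [ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; return 1; }
    load_secret_from_file INFISICAL_TOKEN "${TOKEN_FILE:-/etc/infisical/gateway.token}" || return 1
    infisical network gateway install --domain="$1" --name="$2" --proxy-name="$3"
}

# Usage, run as root so the 0600 token file is readable:
#   sudo sh install-gateway.sh
#   run_gateway_install https://app.your-domain.com my-gateway my-proxy
```

Run the whole script under sudo rather than exporting INFISICAL_TOKEN in an unprivileged shell and then calling `sudo infisical ...`: sudo resets the environment by default, so the variable would not reach the CLI unless you pass `sudo --preserve-env=INFISICAL_TOKEN`.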
--domain
Domain of your self-hosted Infisical instance.
# Example
sudo infisical network gateway install --domain=https://app.your-domain.com --name=<name> --proxy-name=<proxy-name>
--name
The name of the gateway instance.
# Example
sudo infisical network gateway install --name=my-gateway --token=<token> --proxy-name=<proxy-name>
--proxy-name
The name of the proxy that this gateway should connect to.
# Example
sudo infisical network gateway install --proxy-name=my-proxy --token=<token> --name=<name>

Service Details

The systemd service is installed with secure defaults:
  • Service file: /etc/systemd/system/infisical-gateway.service
  • Config file: /etc/infisical/gateway.conf
  • Runs with restricted privileges:
    • InaccessibleDirectories=/home
    • PrivateTmp=yes
    • Resource limits configured for stability
  • Automatically restarts on failure
  • Enabled to start on boot
  • Maintains persistent SSH reverse tunnel connections to the specified proxy
  • Handles certificate rotation and connection recovery automatically
After installation, manage the service with standard systemd commands:
sudo systemctl start infisical-gateway    # Start the service
sudo systemctl stop infisical-gateway     # Stop the service
sudo systemctl status infisical-gateway   # Check service status
sudo systemctl disable infisical-gateway  # Disable auto-start on boot
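The hardening listed under Service Details is worth verifying after installation rather than assumed. The shell script below is an added example, not part of the Infisical documentation or installer: it reads a unit file and checks that the directives the page names (InaccessibleDirectories=/home, PrivateTmp=yes, and a Restart= policy that restarts on failure) are present with the expected values. The sample unit text it writes is constructed for the demo and is not the file the installer generates; on a real host, point audit_gateway_unit at /etc/systemd/system/infisical-gateway.service.

```shell
#!/bin/sh
# Added example (not from the Infisical docs or installer): audit a systemd
# unit file for the hardening directives the Service Details section lists.

# Print the last value of KEY=... found in UNIT (systemd lets later
# assignments override earlier ones). Leading whitespace is tolerated.
unit_get() {
    # $1 = unit file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 if every expected directive is present with the expected value;
# report each mismatch on stderr and return 1 otherwise.
audit_gateway_unit() {
    unit="$1"; rc=0
    [ -f "$unit" ] || { echo "no such unit file: $unit" >&2; return 1; }
    for pair in "InaccessibleDirectories=/home" "PrivateTmp=yes"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(unit_get "$unit" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISSING: $key=$want (found: ${got:-nothing})" >&2
            rc=1
        fi
    done
    # "Automatically restarts on failure" needs a Restart= policy that does so.
    case "$(unit_get "$unit" Restart)" in
        on-failure|always) ;;
        *) echo "MISSING: Restart=on-failure (or always)" >&2; rc=1 ;;
    esac
    return $rc
}

# Write a constructed sample unit to PATH. HARDENED is "yes" or "no".
# This is demo data, not the unit the Infisical installer produces; the
# ExecStart path is a placeholder.
write_sample_unit() {
    if [ "$2" = yes ]; then
        cat >"$1" <<'EOF'
[Unit]
Description=constructed sample gateway unit

[Service]
ExecStart=/usr/local/bin/infisical network gateway
Restart=on-failure
PrivateTmp=yes
InaccessibleDirectories=/home
EOF
    else
        cat >"$1" <<'EOF'
[Service]
ExecStart=/usr/local/bin/infisical network gateway
Restart=no
PrivateTmp=no
EOF
    fi
}

# Demo: audit a hardened and a weak constructed unit.
demo=$(mktemp)
write_sample_unit "$demo" yes
audit_gateway_unit "$demo" && echo "hardened sample: OK"
write_sample_unit "$demo" no
audit_gateway_unit "$demo" || echo "weak sample: FAIL (as expected)"
rm -f "$demo"
```

The check reads the unit file directly, so it also catches a drop-in override that disables a directive only if you run it against the merged output of `systemctl cat infisical-gateway` saved to a file, not just the base unit.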
infisical network proxy

Run the Infisical proxy component. The proxy handles network traffic routing and can operate in different modes.
infisical network proxy --type=<type> --ip=<ip> --name=<name> --auth-method=<auth-method>

Flags

--type
The type of proxy to run. Must be either 'instance' or 'org'.
  • instance: Shared proxy server that can be used by all organizations on your Infisical instance. Set up by the instance administrator. Uses INFISICAL_PROXY_AUTH_SECRET environment variable for authentication, which must be configured by the instance admin.
  • org: Dedicated proxy server that individual organizations deploy and manage in their own infrastructure. Provides enhanced security, custom geographic placement, and compliance benefits. Uses standard Infisical authentication methods.
# Organization proxy (customer-deployed)
infisical network proxy --type=org --ip=192.168.1.100 --name=my-org-proxy

# Instance proxy (configured by instance admin)
INFISICAL_PROXY_AUTH_SECRET=<secret> infisical network proxy --type=instance --ip=10.0.1.50 --name=shared-proxy
--ip
The public IP address of the instance where the proxy is deployed. This must be a static public IP that gateways can reach.
# Example
infisical network proxy --ip=203.0.113.100 --type=org --name=my-proxy
--name
The name of the proxy.
# Example
infisical network proxy --name=my-proxy --type=org --ip=192.168.1.100

Authentication

Organization Proxies (--type=org): Deploy your own proxy server in your infrastructure for enhanced security and reduced latency. Supports all standard Infisical authentication methods documented above in the gateway section.

Instance Proxies (--type=instance): Shared proxy servers that serve all organizations on your Infisical instance. For Infisical Cloud, these are already running and ready to use. For self-hosted deployments, they're set up by the instance administrator. Authentication is handled via the INFISICAL_PROXY_AUTH_SECRET environment variable.
# Organization proxy with Universal Auth (customer-deployed)
infisical network proxy --type=org --ip=192.168.1.100 --name=my-org-proxy --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret>

# Instance proxy (configured by instance admin)
INFISICAL_PROXY_AUTH_SECRET=<secret> infisical network proxy --type=instance --ip=10.0.1.50 --name=shared-proxy

Deployment Considerations

When to use Instance Proxies (--type=instance):
  • You want to get started quickly without setting up your own proxy infrastructure
  • You’re using Infisical Cloud and want to leverage the existing proxy infrastructure
  • You’re on a self-hosted instance where the admin has already set up shared proxies
  • You don’t need custom geographic placement of proxy servers
  • You don’t have specific compliance requirements that require dedicated infrastructure
  • You want to minimize operational overhead by using shared infrastructure
When to use Organization Proxies (--type=org):
  • You need lower latency by deploying proxy servers closer to your resources
  • You have security requirements that mandate running infrastructure in your own environment
  • You have compliance requirements such as data sovereignty or air-gapped environments
  • You need custom network policies or specific networking configurations
  • You have high-scale performance requirements that shared infrastructure can’t meet
  • You want full control over your proxy infrastructure and its configuration