Gateway - Infisical

The Infisical Gateway provides secure access to private resources within your network without needing direct inbound connections to your environment. This method keeps your resources fully protected from external access while enabling Infisical to securely interact with resources like databases. Common use cases include generating dynamic credentials or rotating credentials for private databases.

Gateway is a paid feature available under the Enterprise Tier for Infisical Cloud users. Self-hosted Infisical users can contact sales@infisical.com to purchase an enterprise license.

How It Works

The Gateway serves as a secure intermediary that facilitates direct communication between the Infisical server and your private network. It’s a lightweight daemon packaged within the Infisical CLI, making it easy to deploy and manage. Once set up, the Gateway establishes a connection with a relay server, ensuring that all communication between Infisical and your Gateway is fully end-to-end encrypted. This setup guarantees that only the platform and your Gateway can decrypt the transmitted information, keeping communication with your resources secure, private and isolated.

Deployment

The Infisical Gateway is seamlessly integrated into the Infisical CLI under the gateway command, making it simple to deploy and manage. You can install the Gateway in all the same ways you install the Infisical CLI—whether via npm, Docker, or a binary. For detailed installation instructions, refer to the Infisical CLI Installation instructions. To function, the Gateway must authenticate with Infisical. This requires a machine identity configured with the appropriate permissions to create and manage a Gateway. Once authenticated, the Gateway establishes a secure connection with Infisical to allow your private resources to be reachable.

Get started

Create a Gateway Identity

Navigate to Organization Access Control in your Infisical dashboard.
Create a dedicated machine identity for your Gateway.
Best Practice: Assign a unique identity to each Gateway for better security and management.

Configure Authentication Method

You’ll need to choose an authentication method to initiate communication with Infisical. View the available machine identity authentication methods here.

Deploy the Gateway

Use the Infisical CLI to deploy the Gateway. You can run it directly or install it as a systemd service for production:

Production (systemd)
Production (Helm)
Local Installation (testing)

For production deployments on Linux, install the Gateway as a systemd service:

sudo infisical gateway install --token <your-machine-identity-token> --domain <your-infisical-domain>
sudo systemctl start infisical-gateway

This will install and start the Gateway as a secure systemd service that:

Runs with restricted privileges:
- Runs as root user (required for secure token management)
- Restricted access to home directories
- Private temporary directory
Automatically restarts on failure
Starts on system boot
Manages token and domain configuration securely in /etc/infisical/gateway.conf

The install command requires:

Linux operating system
Root/sudo privileges
Systemd

The Gateway can be installed via Helm. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.For production deployments on Kubernetes, install the Gateway using the Infisical Helm chart:

Install the latest Helm Chart repository

helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'

Update the Helm Chart repository

helm repo update

Create a Kubernetes Secret containing gateway environment variables

The gateway supports all identity authentication methods through the use of environment variables. The environment variables must be set in the infisical-gateway-environment Kubernetes secret.

Supported authentication methods

Universal Auth

The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.

Environment Variables

Show properties

INFISICAL_UNIVERSAL_AUTH_CLIENT_ID

string

required

Your machine identity client ID.

INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET

string

required

Your machine identity client secret.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be universal-auth when using Universal Auth.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=universal-auth --from-literal=INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<client-id> --from-literal=INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<client-secret>

Native Kubernetes

The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH

string

Path to the Kubernetes service account token to use. Default: /var/run/secrets/kubernetes.io/serviceaccount/token.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be kubernetes when using Native Kubernetes.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=kubernetes --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Native Azure

The Native Azure method is used to authenticate with Infisical when running in an Azure environment.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be azure when using Native Azure.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=azure --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Native GCP ID Token

The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be gcp-id-token when using Native GCP ID Token.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=gcp-id-token --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

GCP IAM

The GCP IAM method is used to authenticate with Infisical with a GCP service account key.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_GCP_SERVICE_ACCOUNT_KEY_FILE_PATH

string

required

Path to your GCP service account key file (Must be in JSON format!)

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be gcp-iam when using GCP IAM.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=gcp-iam --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id> --from-literal=INFISICAL_GCP_SERVICE_ACCOUNT_KEY_FILE_PATH=<service-account-key-file-path>

Native AWS IAM

The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be aws-iam when using Native AWS IAM.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=aws-iam --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

OIDC Auth

The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.

Environment Variables

Show properties

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_JWT

string

required

The OIDC JWT from the identity provider.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be oidc-auth when using OIDC Auth.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=oidc-auth --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id> --from-literal=INFISICAL_JWT=<oidc-jwt>

JWT Auth

The JWT Auth method is used to authenticate with Infisical via a JWT token.

Environment Variables

Show properties

INFISICAL_JWT

string

required

The JWT token to use for authentication.

INFISICAL_MACHINE_IDENTITY_ID

string

required

Your machine identity ID.

INFISICAL_AUTH_METHOD

string

required

The authentication method to use. Must be jwt-auth when using JWT Auth.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_AUTH_METHOD=jwt-auth --from-literal=INFISICAL_JWT=<jwt> --from-literal=INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Token Auth

You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.

Environment Variables

Show properties

INFISICAL_TOKEN

string

required

The machine identity access token to use for authentication.

  kubectl create secret generic infisical-gateway-environment --from-literal=INFISICAL_TOKEN=<token>

Other environment variables

INFISICAL_API_URL

The API URL to use for the gateway. By default, INFISICAL_API_URL is set to https://app.infisical.com.

Install the Infisical Gateway Helm Chart

helm install infisical-gateway infisical-helm-charts/infisical-gateway

Check the gateway logs

After installing the gateway, you can check the logs to ensure it’s running as expected.

kubectl logs deployment/infisical-gateway

You should see the following output which indicates the gateway is running as expected.

$ kubectl logs deployment/infisical-gateway
INF Provided relay port 5349. Using TLS
INF Connected with relay
INF 10.0.101.112:56735
INF Starting relay connection health check
INF Gateway started successfully
INF New connection from: 10.0.1.8:34051
INF Gateway is reachable by Infisical

For development or testing, you can run the Gateway directly. Log in with your machine identity and start the Gateway in one command:

infisical gateway --token $(infisical login --method=universal-auth --client-id=<> --client-secret=<> --plain)

Alternatively, if you already have the token, use it directly with the --token flag:

infisical gateway --token <your-machine-identity-token>

Or set it as an environment variable:

export INFISICAL_TOKEN=<your-machine-identity-token>
infisical gateway

For detailed information about the gateway command and its options, see the gateway command documentation.

Ensure the deployed Gateway has network access to the private resources you intend to connect with Infisical.

Verify Gateway Deployment

To confirm your Gateway is working, check the deployment status by looking for the message “Gateway started successfully” in the Gateway logs. This indicates the Gateway is running properly. Next, verify its registration by opening your Infisical dashboard, navigating to Organization Access Control, and selecting the Gateways tab. Your newly deployed Gateway should appear in the list.

Documentation Index

​How It Works

​Deployment

​Get started

​Install the latest Helm Chart repository

​Update the Helm Chart repository

​Create a Kubernetes Secret containing gateway environment variables

​Supported authentication methods

​Other environment variables

​Install the Infisical Gateway Helm Chart

​Check the gateway logs

How It Works

Deployment

Get started

Install the latest Helm Chart repository

Update the Helm Chart repository

Create a Kubernetes Secret containing gateway environment variables

Supported authentication methods

Other environment variables

Install the Infisical Gateway Helm Chart

Check the gateway logs