improve docs

2026-01-09 15:38:03 -05:00 · 2025-11-21 13:38:21 -05:00
parent 6bcd9896f4
commit 221054c2df
5 changed files with 152 additions and 34 deletions
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -833,7 +833,8 @@
                      "documentation/platform/pam/getting-started/resources",
                      "documentation/platform/pam/getting-started/accounts"
                    ]
-                  }
+                  },
+                  "documentation/platform/pam/architecture"
                ]
              },
              {
--- a/docs/documentation/platform/pam/architecture.mdx
+++ b/docs/documentation/platform/pam/architecture.mdx
@@ -0,0 +1,60 @@
+---
+title: "Architecture"
+sidebarTitle: "Architecture"
+description: "Learn about the architecture, components, and security model of Infisical PAM."
+---
+
+Infisical PAM utilizes a secure, proxy-based architecture designed to provide access to private resources without exposing them directly to the internet. This system relies on a combination of the Infisical CLI, a Relay server, and a self-hosted Gateway. For more information on Gateways, refer to the [Gateway Overview](/documentation/platform/gateways/overview).
+
+## Core Components
+
+The architecture consists of four main components working in unison:
+
+<Steps>
+  <Step title="Infisical CLI">
+    The client-side interface used to initiate access requests. It creates a local listener that forwards traffic securely to the Gateway.
+  </Step>
+  <Step title="Relay Server">
+    An intermediary routing service that facilitates communication between the CLI/Platform and the Gateway. It enables connectivity without requiring direct inbound access to your network.
+  </Step>
+  <Step title="Infisical Gateway">
+    A lightweight service deployed within your private network (e.g., VPC, on-prem). It acts as a proxy, intercepting traffic to enforce policies and record sessions before forwarding requests to the target resource.
+  </Step>
+  <Step title="Target Resource">
+    The actual infrastructure being accessed, such as a PostgreSQL database, a Linux server, or a web application.
+  </Step>
+</Steps>
+
+## Access Flow
+
+When a user accesses a resource (e.g., via `infisical access`), the following workflow occurs:
+
+1. **Connection Initiation**: The Infisical CLI initiates a connection to the Relay server.
+2. **Tunnel Establishment**: The Relay facilitates an end-to-end encrypted tunnel between the CLI and the Gateway.
+3. **Proxy & Authentication**: The Gateway authenticates the request and establishes a connection to the target resource on the user's behalf.
+4. **Traffic Forwarding**: Traffic flows securely from the user's machine, through the Relay, to the Gateway, and finally to the resource.
+
+## Session Recording & Auditing
+
+A key feature of the Gateway is its ability to act as a "middleman" for all session traffic.
+
+- **Interception**: Because the Gateway sits between the secure tunnel and the target resource, it intercepts all data flowing through the connection.
+- **Logging**: This traffic is logged as part of [Session Recording](/documentation/platform/pam/product-reference/session-recording). The Gateway temporarily stores encrypted session logs locally.
+- **Upload**: Once the session concludes, the logs are securely uploaded to the Infisical platform for storage and review.
+
+## Security Architecture
+
+The PAM security model allows you to maintain a zero-trust environment while enabling convenient access.
+
+### End-to-End Encryption
+The connection between the Infisical CLI (client) and the Gateway is end-to-end encrypted. The Relay server acts solely as a router for encrypted packets and **cannot decrypt or inspect** the traffic passing through it.
+
+### Network Security
+The Gateway uses **SSH reverse tunnels** to connect to the Relay. This design offers significant security benefits:
+- **No Inbound Ports**: You do not need to open any inbound firewall ports (like 22 or 5432) to the internet.
+- **Outbound-Only**: The Gateway only requires outbound connectivity to the Relay server and Infisical API.
+
+For a deep dive into the underlying cryptography, certificate management, and isolation guarantees, refer to the [Gateway Security Architecture](/documentation/platform/gateways/security).
+
+### Deployment
+For instructions on setting up the necessary infrastructure, see the [Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment).
--- a/docs/documentation/platform/pam/getting-started/accounts.mdx
+++ b/docs/documentation/platform/pam/getting-started/accounts.mdx
@@ -4,31 +4,46 @@ sidebarTitle: "Accounts"
 description: "Learn how to create and manage accounts in PAM to control access to resources like databases and servers."
 ---

-An account represents a specific set of credentials (e.g., a username and password) used to access a [resource](/documentation/platform/pam/getting-started/resources).
+An **Account** represents a specific identity or set of credentials (username/password) used to authenticate against a [Resource](/documentation/platform/pam/getting-started/resources).
+
+## Relationship to Resources
+
+Accounts are children of Resources. A single Resource can have multiple Accounts associated with it, each with different permission levels.
+
+For example:
+- **Resource**: `Production Database` (PostgreSQL)
+    - **Account 1**: `postgres` (Superuser)
+    - **Account 2**: `app_user` (Read/Write)
+    - **Account 3**: `analytics` (Read-only)
+
+When a user requests access in PAM, they request access to a specific **Account** on a **Resource**.

 ## Creating an Account

 <Info>
-    Before you can create an account, you must first [Create a Resource](/documentation/platform/pam/getting-started/resources#creating-a-resource).
+    **Prerequisite**: You must have at least one [Resource](/documentation/platform/pam/getting-started/resources) created before adding accounts.
 </Info>

 To add an account, navigate to the **Accounts** tab in your PAM project and click **Add Account**.

 ![Add Account Button](/images/pam/getting-started/accounts/add-account-button.png)

-Next, select the resource where you want to add the account.
+Next, select the **Resource** that this account belongs to.

 ![Select Resource](/images/pam/getting-started/accounts/select-resource.png)

-After selecting a resource, provide the necessary credentials. The required fields vary depending on the resource type. For example, an SSH resource needs the username and password for a Unix user.
+After selecting a resource, provide the credentials (username, password, etc.) for this account. The required fields vary depending on the resource type. For example, for a Linux server, you would enter the username and the corresponding password or SSH key.

 ![Create Account](/images/pam/getting-started/accounts/create-account.png)

-Clicking **Create Account** triggers a validation check to verify the credentials. If the validation fails, an error message is displayed to help you troubleshoot.
+Clicking **Create Account** will trigger a validation check. Infisical will attempt to connect to the resource using the provided credentials to verify they are valid.

 ## Automated Credential Rotation

-Accounts for certain resources, such as PostgreSQL, support automated credential rotation.
+Accounts for certain resources, such as PostgreSQL, support automated credential rotation. This feature automatically changes the password for the account at a set interval.
+
+**Requirements:**
+1. The parent Resource must have a [Rotation Account](/documentation/platform/pam/getting-started/resources#automated-credential-rotation) configured (a master account with permission to change other users' passwords).
+2. You must enable rotation in the Account settings.

-You can enable rotation when creating or editing an account and set a desired interval (e.g., every 30 days). This option is only available if a [rotation account is configured](/documentation/platform/pam/getting-started/resources#automated-credential-rotation) on the resource.
 ![Rotate Credentials Account](/images/pam/getting-started/resources/rotate-credentials-account.png)
--- a/docs/documentation/platform/pam/getting-started/resources.mdx
+++ b/docs/documentation/platform/pam/getting-started/resources.mdx
@@ -10,11 +10,15 @@ A resource represents a target system, such as a database, server, or applicatio
 - Linux Server
 - Web Application

-## Creating a Resource
+## Prerequisites

-<Warning>
-    Certain resources require you to have a Gateway deployed on the same network as your target resource. [Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment)
-</Warning>
+Before you can create a resource, you must have an **Infisical Gateway** deployed and running on the same network as the target resource.
+
+The Gateway acts as a secure bridge, allowing Infisical to reach your private infrastructure without exposing it to the public internet. When creating a resource, you will be asked to specify which Gateway should be used to connect to it.
+
+[Read the Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment)
+
+## Creating a Resource

 To add a resource, navigate to the **Resources** tab in your PAM project and click **Add Resource**.

@@ -24,11 +28,15 @@ Next, select the type of resource you want to add.

 ![Select Resource Type](/images/pam/getting-started/resources/select-resource-type.png)

-After selecting a resource type, provide the necessary connection details. The required fields vary depending on the resource type. In this PostgreSQL example, you need to provide details such as host, port, gateway, and database name.
+After selecting a resource type, provide the necessary connection details. The required fields vary depending on the resource type.
+
+**Important**: You must select the **Gateway** that has network access to this resource.
+
+In this PostgreSQL example, you provide details such as host, port, gateway, and database name.

 ![Create Resource](/images/pam/getting-started/resources/create-resource.png)

-Clicking **Create Resource** will run a validation to check if your resource is reachable by the platform or Gateway. If the connection fails, an error message will be displayed to help you troubleshoot.
+Clicking **Create Resource** will trigger a connection test from the selected Gateway to your target resource. If the connection fails, an error message will be displayed to help you troubleshoot (usually indicating a network firewall issue between the Gateway and the Resource).

 ## Automated Credential Rotation

--- a/docs/documentation/platform/pam/overview.mdx
+++ b/docs/documentation/platform/pam/overview.mdx
@@ -6,29 +6,63 @@ description: "Manage and secure access to critical infrastructure like databases

 Infisical Privileged Access Management (PAM) provides a centralized way to manage and secure access to your critical infrastructure. It allows you to enforce fine-grained, policy-based controls over resources like databases, servers, and more, ensuring that only authorized users can access sensitive systems, and only when they need to.

-Infisical PAM organizes access around your resources (e.g., databases, servers, web apps). This resource-centric approach makes it intuitive to manage permissions and scale your security policies as your infrastructure grows.
+## Core Concepts
+
+To successfully implement Infisical PAM, it is essential to understand the relationship between the following components:
+
+<CardGroup cols={3}>
+  <Card title="Gateway" icon="server">
+    A lightweight service deployed in your network that acts as a secure bridge to your private infrastructure.
+  </Card>
+  <Card title="Resource" icon="database">
+    The specific target you are protecting (e.g., a PostgreSQL database or an Ubuntu server) that resides behind a Gateway.
+  </Card>
+  <Card title="Account" icon="user-lock">
+    Specific credentials (username/password) used to authenticate against a Resource. One Resource can have multiple Accounts.
+  </Card>
+</CardGroup>
+
+### Relationship Model
+
+The hierarchy is structured as follows:
+
+1.  **Gateway**: Deployed once per network/VPC. It provides connectivity to all resources in that environment.
+2.  **Resource**: Configured within Infisical. It points to a specific IP/Host accessible by the Gateway.
+3.  **Account**: Defined under a Resource. Users request access to a specific *Account* on a *Resource*.
+
+## How it Works
+
+Infisical PAM uses a proxy-based architecture. When a user accesses a resource, their connection is routed securely through a Relay to your self-hosted Gateway, which then connects to the target resource. This ensures zero-trust access without exposing your infrastructure to the public internet.
+
+For a deep dive into the technical architecture and security model, see [Architecture](/documentation/platform/pam/architecture).
+
+## Setup Workflow
+
+Follow this sequence to get up and running with PAM:
+
+<Steps>
+  <Step title="Deploy a Gateway">
+    Before you can manage any resources, you must deploy an **Infisical Gateway** within your infrastructure. This component is responsible for brokering connections to your private resources.
+    
+    [Read the Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment)
+  </Step>
+  <Step title="Create a Resource">
+    Once the Gateway is active, define a **Resource** in Infisical (e.g., "Production Database"). You will link this resource to your deployed Gateway so Infisical knows how to reach it.
+    
+    [Learn about Resources](/documentation/platform/pam/getting-started/resources)
+  </Step>
+  <Step title="Add Accounts">
+    Add **Accounts** to your Resource (e.g., `postgres` or `read_only_user`). These are the actual credentials Infisical will inject when a user connects.
+    
+    [Learn about Accounts](/documentation/platform/pam/getting-started/accounts)
+  </Step>
+  <Step title="Connect">
+    Users can now use the Infisical CLI to securely connect to the resource using the defined accounts, with full auditing and session recording enabled.
+  </Step>
+</Steps>

 ## Core Capabilities

 - **[Auditing](/documentation/platform/pam/product-reference/auditing)**: Track and review a comprehensive log of all user actions and system events.
 - **[Session Recording](/documentation/platform/pam/product-reference/session-recording)**: Record and playback user sessions for security reviews, compliance, and troubleshooting.
 - **[Automated Credential Rotation](/documentation/platform/pam/getting-started/resources#automated-credential-rotation)**: Automatically rotate credentials for supported resources to minimize the risk of compromised credentials.
-
-## Getting Started
-
-<Columns cols="2">
-    <Card
-        icon="box"
-        title="Creating a Resource"
-        href="/documentation/platform/pam/getting-started/resources#creating-a-resource"
-    >
-        Add and configure the databases, servers, and other infrastructure you want to protect.
-    </Card>
-    <Card
-        icon="user"
-        title="Creating an Account"
-        href="/documentation/platform/pam/getting-started/accounts#creating-an-account"
-    >
-        Create accounts that users will use to access your protected resources.
-    </Card>
-</Columns>