github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-09 23:48:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

improvements: address feedback

Browse Source
This commit is contained in:
Scott Wilson
2025-04-14 13:22:25 -07:00
parent 8bfbae1037
commit 25d3fb6a8c
9 changed files with 10 additions and 935 deletions
Download Patch File Download Diff File Expand all files Collapse all files

197
docs/integrations/cloud/aws-parameter-store.mdx
View File

@@ -5,199 +5,4 @@ description: "Learn how to sync secrets from Infisical to AWS Parameter Store."
<Note> <Note>
The AWS Parameter Store Native Integration will be deprecated in 2026. Please migrate to our new [AWS Parameter Store Sync](../secret-syncs/aws-parameter-store). The AWS Parameter Store Native Integration will be deprecated in 2026. Please migrate to our new [AWS Parameter Store Sync](../secret-syncs/aws-parameter-store).
</Note> </Note>
<Tabs>
<Tab title="Assume Role (Recommended)">
Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Accordion title="Self-Hosted Users">
To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration.
If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
The following steps are for instances not deployed on AWS
<Steps>
<Step title="Create an IAM User">
Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
</Step>
<Step title="Create an Inline Policy">
Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeAnyRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
```
</Step>
<Step title="Obtain the IAM User Credentials">
Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
</Step>
<Step title="Set Up Integration Keys">
1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**.
2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**.
</Step>
</Steps>
</Accordion>
<Steps>
<Step title="Create the Managing User IAM Role for AWS Parameter Store">
1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png)
2. Select **AWS Account** as the **Trusted Entity Type**.
3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security.
</Step>
<Step title="Add Required Permissions for the IAM Role">
![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png)
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSMAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters",
"ssm:DeleteParameters",
"ssm:AddTagsToResource", // if you need to add tags to secrets
"kms:ListKeys", // if you need to specify the KMS key
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
</Step>
<Step title="Copy the AWS IAM Role ARN">
![Copy IAM Role ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png)
</Step>
<Step title="Authorize Infisical for AWS Parameter Store">
1. Navigate to your project's integrations tab in Infisical.
2. Click on the **AWS Parameter Store** tile.
![Select AWS Parameter Store](../../images/integrations.png)
3. Select the **AWS Assume Role** option.
![Select Assume Role](../../images/integrations/aws/integration-aws-parameter-store-iam-assume-select.png)
4. Provide the **AWS IAM Role ARN** obtained from the previous step and press connect.
</Step>
<Step title="Start integration">
Select which Infisical environment secrets you want to sync to which AWS Parameter Store region and indicate the path for your secrets. Then, press create integration to start syncing secrets to AWS Parameter Store.
![integration create](../../images/integrations/aws/integrations-aws-parameter-store-create.png)
<Tip>
Infisical requires you to add a path for your secrets to be stored in AWS
Parameter Store and recommends setting the path structure to
`/[project_name]/[environment]/` according to best practices. This enables a
secret like `TEST` to be stored as `/[project_name]/[environment]/TEST` in AWS
Parameter Store.
</Tip>
</Step>
</Steps>
</Tab>
<Tab title="Access Key">
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Steps>
<Step title="Grant the IAM user permissions to access AWS Parameter Store">
Navigate to your IAM user permissions and add a permission policy to grant access to AWS Parameter Store.
![integration IAM 1](../../images/integrations/aws/integrations-aws-iam-1.png)
![integration IAM 2](../../images/integrations/aws/integrations-aws-parameter-store-iam-2.png)
![integrations IAM 3](../../images/integrations/aws/integrations-aws-parameter-store-iam-3.png)
For enhanced security, here's a custom policy containing the minimum permissions required by Infisical to sync secrets to AWS Parameter Store for the IAM user that you can use:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSMAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters",
"ssm:DeleteParameters",
"ssm:AddTagsToResource", // if you need to add tags to secrets
"kms:ListKeys", // if you need to specify the KMS key
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
</Step>
<Step title="Authorize Infisical for AWS Parameter store">
Obtain a AWS access key ID and secret access key for your IAM user in IAM > Users > User > Security credentials > Access keys
![access key 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
![access key 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
![access key 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the AWS Parameter Store tile and select Access Key as the authentication mode. Input your AWS access key ID and secret access key from the previous step.
![integration auth](../../images/integrations/aws/integrations-aws-parameter-store-auth.png)
</Step>
<Step title="Start integration">
Select which Infisical environment secrets you want to sync to which AWS Parameter Store region and indicate the path for your secrets. Then, press create integration to start syncing secrets to AWS Parameter Store.
![integration create](../../images/integrations/aws/integrations-aws-parameter-store-create.png)
<Tip>
Infisical requires you to add a path for your secrets to be stored in AWS
Parameter Store and recommends setting the path structure to
`/[project_name]/[environment]/` according to best practices. This enables a
secret like `TEST` to be stored as `/[project_name]/[environment]/TEST` in AWS
Parameter Store.
</Tip>
</Step>
</Steps>
</Tab>
</Tabs>

269
docs/integrations/cloud/aws-secret-manager.mdx
View File

@@ -5,271 +5,4 @@ description: "Learn how to sync secrets from Infisical to AWS Secrets Manager."
<Note> <Note>
The AWS Secrets Manager Native Integration will be deprecated in 2026. Please migrate to our new [AWS Secrets Manager Sync](../secret-syncs/aws-secrets-manager). The AWS Secrets Manager Native Integration will be deprecated in 2026. Please migrate to our new [AWS Secrets Manager Sync](../secret-syncs/aws-secrets-manager).
</Note> </Note>
<Tabs>
<Tab title="Assume Role (Recommended)">
Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Accordion title="Self-Hosted Users">
To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration.
If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
The following steps are for instances not deployed on AWS
<Steps>
<Step title="Create an IAM User">
Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
</Step>
<Step title="Create an Inline Policy">
Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeAnyRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
```
</Step>
<Step title="Obtain the IAM User Credentials">
Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.
![Access Key Step 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
![Access Key Step 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
![Access Key Step 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
</Step>
<Step title="Set Up Integration Keys">
1. Set the access key as **CLIENT_ID_AWS_INTEGRATION**.
2. Set the secret key as **CLIENT_SECRET_AWS_INTEGRATION**.
</Step>
</Steps>
</Accordion>
<Steps>
<Step title="Create the Managing User IAM Role for AWS Secrets Manager">
1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png)
2. Select **AWS Account** as the **Trusted Entity Type**.
3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
4. Optionally, enable **Require external ID** and enter your **project ID** to further enhance security.
</Step>
<Step title="Add Required Permissions for the IAM Role">
![IAM Role Permissions](../../images/integrations/aws/integration-aws-iam-assume-permission.png)
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"kms:ListKeys",
"kms:ListAliases",
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
```
</Step>
<Step title="Copy the AWS IAM Role ARN">
![Copy IAM Role
ARN](../../images/integrations/aws/integration-aws-iam-assume-arn.png)
</Step>
<Step title="Authorize Infisical for AWS Secrets Manager">
1. Navigate to your project's integrations tab in Infisical.
2. Click on the **AWS Secrets Manager** tile.
![Select AWS Secrets Manager](../../images/integrations.png)
3. Select the **AWS Assume Role** option.
![Select Assume Role](../../images/integrations/aws/integration-aws-iam-assume-select.png)
4. Provide the **AWS IAM Role ARN** obtained from the previous step.
</Step> <Step title="Start integration">
Select how you want to integration to work by specifying a number of parameters:
<ParamField path="Project Environment" type="string" required>
The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.
</ParamField>
<ParamField path="Secrets Path" type="string" required>
The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager.
</ParamField>
<ParamField path="AWS Region" type="string" required>
The region that you want to integrate with in AWS Secrets Manager.
</ParamField>
<ParamField path="Mapping Behavior" type="string" required>
How you want the integration to map the secrets. The selected value could be either one to one or one to many.
</ParamField>
<ParamField path="AWS SM Secret Name" type="string" required>
The secret name/path in AWS into which you want to sync the secrets from Infisical.
</ParamField>
![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png)
Optionally, you can add tags or specify the encryption key of all the secrets created via this integration:
<ParamField path="Tag Sync Mode" type="string" optional>
The sync mode for AWS tags. The supported options are `Secret Metadata` and `Custom`. If `Secret Metadata` is selected,
the metadata of the Infisical secrets are used as tags in AWS. If custom is selected, then the key/value of the **Secret Tag** field is used. `Secret Metadata` mode
is only supported for one-to-one integrations.
</ParamField>
<ParamField path="Secret Tag" type="string" optional>
The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API.
</ParamField>
<ParamField path="Encryption Key" type="string" optional>
The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it.
</ParamField>
![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png)
Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager.
<Info>
Infisical currently syncs environment variables to AWS Secrets Manager as
key-value pairs under one secret. We're actively exploring ways to help users
group environment variable key-pairs under multiple secrets for greater
control.
</Info>
<Info>
Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.
</Info>
</Step>
</Steps>
</Tab>
<Tab title="Access Key">
Infisical will access your account using the provided AWS access key and secret key.
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
- Set up AWS and have/create an IAM user
<Steps>
<Step title="Grant the IAM user permissions to access AWS Secrets Manager">
Navigate to your IAM user permissions and add a permission policy to grant access to AWS Secrets Manager.
![integration IAM 1](../../images/integrations/aws/integrations-aws-iam-1.png)
![integration IAM 2](../../images/integrations/aws/integrations-aws-secret-manager-iam-2.png)
![integrations IAM 3](../../images/integrations/aws/integrations-aws-secret-manager-iam-3.png)
For better security, here's a custom policy containing the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager for the IAM user that you can use:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret", // if you need to add tags to secrets
"secretsmanager:TagResource", // if you need to add tags to secrets
"secretsmanager:UntagResource", // if you need to add tags to secrets
"kms:ListKeys", // if you need to specify the KMS key
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
</Step>
<Step title="Authorize Infisical for AWS Secrets Manager">
Obtain a AWS access key ID and secret access key for your IAM user in IAM > Users > User > Security credentials > Access keys
![access key 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
![access key 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
![access key 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
1. Navigate to your project's integrations tab in Infisical.
2. Click on the **AWS Secrets Manager** tile.
![Select AWS Secrets Manager](../../images/integrations.png)
3. Select the **Access Key** option for Authentication Mode.
![Select Access Key](../../images/integrations/aws/integrations-aws-secret-manager-auth.png)
4. Provide the **access key** and **secret key** for the AWS Iam User.
</Step>
<Step title="Start integration">
Select how you want to integration to work by specifying a number of parameters:
<ParamField path="Project Environment" type="string" required>
The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.
</ParamField>
<ParamField path="Secrets Path" type="string" required>
The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager.
</ParamField>
<ParamField path="AWS Region" type="string" required>
The region that you want to integrate with in AWS Secrets Manager.
</ParamField>
<ParamField path="Mapping Behavior" type="string" required>
How you want the integration to map the secrets. The selected value could be either one to one or one to many.
</ParamField>
<ParamField path="AWS SM Secret Name" type="string" required>
The secret name/path in AWS into which you want to sync the secrets from Infisical.
</ParamField>
![integration create](../../images/integrations/aws/integrations-aws-secret-manager-create.png)
Optionally, you can add tags or specify the encryption key of all the secrets created via this integration:
<ParamField path="Secret Tag" type="string" optional>
The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API.
</ParamField>
<ParamField path="Encryption Key" type="string" optional>
The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it.
</ParamField>
![integration options](../../images/integrations/aws/integrations-aws-secret-manager-options.png)
Then, press `Create Integration` to start syncing secrets to AWS Secrets Manager.
<Info>
Infisical currently syncs environment variables to AWS Secrets Manager as
key-value pairs under one secret. We're actively exploring ways to help users
group environment variable key-pairs under multiple secrets for greater
control.
</Info>
<Info>
Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.
</Info>
</Step>
</Steps>
</Tab>
</Tabs>

110
docs/integrations/cloud/azure-app-configuration.mdx
View File

@@ -5,112 +5,4 @@ description: "How to sync secrets from Infisical to Azure App Configuration"
<Note> <Note>
The Azure App Configuration Native Integration will be deprecated in 2026. Please migrate to our new [Azure App Configuration Sync](../secret-syncs/azure-app-configuration). The Azure App Configuration Native Integration will be deprecated in 2026. Please migrate to our new [Azure App Configuration Sync](../secret-syncs/azure-app-configuration).
</Note> </Note>
<Tabs>
<Tab title="Usage">
**Prerequisites:**
- Set up and add envars to [Infisical Cloud](https://app.infisical.com).
- Set up Azure and have an existing App Configuration instance.
- User setting up the integration on Infisical must have the `App Configuration Data Owner` role for the intended Azure App Configuration instance.
- Azure App Configuration instance must be reachable by Infisical.
<Steps>
<Step title="Authorize Infisical for Azure App Configuration">
Navigate to your project's integrations tab
![integrations](../../images/integrations/azure-app-configuration/new-infisical-integration.png)
Press on the Azure App Configuration tile and grant Infisical access to App Configuration.
</Step>
<Step title="Start integration">
Obtain the Azure App Configuration endpoint from the overview tab.
![integrations](../../images/integrations/azure-app-configuration/azure-app-config-endpoint.png)
Select which Infisical environment secrets you want to sync to your Azure App Configuration. Then, input your App Configuration instance endpoint. Optionally, you can define a prefix for your secrets which will be appended to the keys upon syncing.
![integrations](../../images/integrations/azure-app-configuration/create-integration-form.png)
Press create integration to start syncing secrets to Azure App Configuration.
<Warning>
The Azure App Configuration integration requires the following permissions to be set on the user / service principal
for Infisical to sync secrets to Azure App Configuration: `Read Key-Value`, `Write Key-Value`, `Delete Key-Value`.
Any role with these permissions would work such as the **App Configuration Data Owner** role. Alternatively, you can use the
**App Configuration Data Reader** role for read-only access or **App Configuration Data Contributor** role for read/write access.
</Warning>
</Step>
<Step title="Additional Configuration">
#### Azure references
When adding secrets in Infisical that reference Azure Key Vault secrets, Infisical will automatically sets the content type to `application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8` in Azure App Configuration.
The following reference formats are automatically detected when added on Infisical's side:
- `{ "uri": "https://my-key-vault.vault.azure.net/secrets/my-secret" }`
- `https://my-key-vault.vault.azure.net/secrets/my-secret`
#### Azure Labels
You can sync secrets from Infisical to Azure with custom labels by enabling the `Use Labels` option during setup:
**When enabled**: Secrets will be pushed to Azure with your specified label
**When disabled**: Secrets will be pushed with an empty (null) label
<Info>
If you have set the initial sync to `import` have behavior, the label selection affects which secrets are imported from Azure:
- With `Use Labels` disabled: Only secrets with empty labels are imported on initial sync
- With `Use Labels` enabled: Only secrets matching your specified label are imported on initial sync
</Info>
</Step>
</Steps>
</Tab>
<Tab title="Self-Hosted Setup">
Using the Azure App Configuration integration on a self-hosted instance of Infisical requires configuring an application in Azure
and registering your instance with it.
**Prerequisites:**
- Set up Azure and have an existing App Configuration instance.
<Steps>
<Step title="Create an application in Azure">
Navigate to Azure Active Directory > App registrations to create a new application.
<Info>
Azure Active Directory is now Microsoft Entra ID.
</Info>
![integrations Azure app config](../../images/integrations/azure-app-configuration/config-aad.png)
![integrations Azure app config](../../images/integrations/azure-app-configuration/config-new-app.png)
Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/integrations/azure-app-configuration/oauth2/callback`.
<Tip>
The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
</Tip>
![integrations Azure app config](../../images/integrations/azure-app-configuration/app-registration-redirect.png)
After registration, set the API permissions of the app to include the following Azure App Configuration permissions: KeyValue.Delete, KeyValue.Read, and KeyValue.Write.
![integrations Azure app config](../../images/integrations/azure-app-configuration/app-api-permissions.png)
</Step>
<Step title="Add your application credentials to Infisical">
Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-1.png)
![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-2.png)
![integrations Azure app config](../../images/integrations/azure-app-configuration/config-credentials-3.png)
Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.
- `CLIENT_ID_AZURE`: The **Application (Client) ID** of your Azure application.
- `CLIENT_SECRET_AZURE`: The **Client Secret** of your Azure application.
Once added, restart your Infisical instance and use the Azure App Configuration integration.
</Step>
</Steps>
</Tab>
</Tabs>

79
docs/integrations/cloud/azure-key-vault.mdx
View File

@@ -5,81 +5,4 @@ description: "How to sync secrets from Infisical to Azure Key Vault"
<Note> <Note>
The Azure Key Vault Native Integration will be deprecated in 2026. Please migrate to our new [Azure Key Vault Sync](../secret-syncs/azure-key-vault). The Azure Key Vault Native Integration will be deprecated in 2026. Please migrate to our new [Azure Key Vault Sync](../secret-syncs/azure-key-vault).
</Note> </Note>
<Tabs>
<Tab title="Usage">
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
- Set up Azure and have an existing key vault
<Steps>
<Step title="Authorize Infisical for Azure Key Vault">
Navigate to your project's integrations tab
![integrations](../../images/integrations.png)
Press on the Azure Key Vault tile and grant Infisical access to Azure Key Vault.
You can optionally authenticate against a specific tenant by providing the Azure tenant or directory ID.
![integrations](/images/integrations/azure-key-vault/integrations-azure-key-vault-tenant-select.png)
</Step>
<Step title="Start integration">
Obtain the Vault URI of your key vault in the Overview tab.
![integrations](../../images/integrations/azure-key-vault/integrations-azure-key-vault-vault-uri.png)
Select which Infisical environment secrets you want to sync to your key vault. Then, input your Vault URI from the previous step. Finally, press create integration to start syncing secrets to Azure Key Vault.
![integrations](../../images/integrations/azure-key-vault/integrations-azure-key-vault-create.png)
![integrations](../../images/integrations/azure-key-vault/integrations-azure-key-vault.png)
<Note>
The Azure Key Vault integration requires the following secrets permissions to be set on the user / service principal
for Infisical to sync secrets to Azure Key Vault: `secrets/list`, `secrets/get`, `secrets/set`, `secrets/recover`.
Any role with these permissions would work such as the **Key Vault Secrets Officer** role.
</Note>
</Step>
</Steps>
</Tab>
<Tab title="Self-Hosted Setup">
Using the Azure KV integration on a self-hosted instance of Infisical requires configuring an application in Azure
and registering your instance with it.
<Steps>
<Step title="Create an application in Azure">
Navigate to Azure Active Directory > App registrations to create a new application.
<Info>
Azure Active Directory is now Microsoft Entra ID.
</Info>
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-aad.png)
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-new-app.png)
Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/integrations/azure-key-vault/oauth2/callback`.
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-new-app-form.png)
</Step>
<Step title="Add your application credentials to Infisical">
Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-credentials-1.png)
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-credentials-2.png)
![integrations Azure KV config](../../images/integrations/azure-key-vault/integrations-azure-key-vault-config-credentials-3.png)
Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.
- `CLIENT_ID_AZURE`: The **Application (Client) ID** of your Azure application.
- `CLIENT_SECRET_AZURE`: The **Client Secret** of your Azure application.
Once added, restart your Infisical instance and use the Azure KV integration.
</Step>
</Steps>
</Tab>
</Tabs>

35
docs/integrations/cloud/databricks.mdx
View File

@@ -5,37 +5,4 @@ description: "Learn how to sync secrets from Infisical to Databricks."
<Note> <Note>
The Databricks Native Integration will be deprecated in 2026. Please migrate to our new [Databricks Sync](../secret-syncs/databricks). The Databricks Native Integration will be deprecated in 2026. Please migrate to our new [Databricks Sync](../secret-syncs/databricks).
</Note> </Note>
Prerequisites:
- Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
<Note>
When integrating with Databricks, Infisical is intended to be the source of truth for the secrets in the configured Databricks scope.
Any secrets not present in Infisical will be removed from the specified scope. To prevent removal of secrets not managed by Infisical, Infisical recommends creating a designated secret scope for your integration.
</Note>
<Steps>
<Step title="Authorize Infisical for Databricks">
Obtain a Personal Access Token in **User Settings** > **Developer** > **Access Tokens**.
![integrations databricks token](../../images/integrations/databricks/pat-token.png)
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the Databricks tile and enter your Databricks instance URL in the following format: `https://xxx.cloud.databricks.com`. Then, input your Databricks Access Token to grant Infisical the necessary permissions in your Databricks account.
![integrations databricks authorization](../../images/integrations/databricks/integrations-databricks-auth.png)
</Step>
<Step title="Start integration">
Select which Infisical environment and secret path you want to sync to which Databricks scope. Then, press create integration to start syncing secrets to Databricks.
![create integration Databricks](../../images/integrations/databricks/integrations-databricks-create.png)
![integrations Databricks](../../images/integrations/databricks/integrations-databricks.png)
</Step>
</Steps>

138
docs/integrations/cloud/gcp-secret-manager.mdx
View File

@@ -5,140 +5,4 @@ description: "How to sync secrets from Infisical to GCP Secret Manager"
<Note> <Note>
The GCP Secret Manager Native Integration will be deprecated in 2026. Please migrate to our new [GCP Secret Manager Sync](../secret-syncs/gcp-secret-manager). The GCP Secret Manager Native Integration will be deprecated in 2026. Please migrate to our new [GCP Secret Manager Sync](../secret-syncs/gcp-secret-manager).
</Note> </Note>
<Tabs>
<Tab title="Usage">
<AccordionGroup>
<Accordion title="Connect with OAuth2">
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Steps>
<Step title="Authorize Infisical for GCP">
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the GCP Secret Manager tile and select **Continue with OAuth**
![integrations GCP authorization options](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-auth-options.png)
Grant Infisical access to GCP.
![integrations GCP authorization](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-auth.png)
</Step>
<Step title="Start integration">
In the **Connection** tab, select which Infisical environment secrets you want to sync to which GCP secret manager project. Lastly, press create integration to start syncing secrets to GCP secret manager.
![integrations GCP secret manager](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-create.png)
Note that the GCP Secret Manager integration supports a few options in the **Options** tab:
- Secret Prefix: If inputted, the prefix is appended to the front of every secret name prior to being synced.
- Secret Suffix: If inputted, the suffix to appended to the back of every name of every secret prior to being synced.
- Label in GCP Secret Manager: If selected, every secret will be labeled in GCP Secret Manager (e.g. as `managed-by:infisical`); labels can be customized.
Setting a secret prefix, suffix, or enabling the labeling option ensures that existing secrets in GCP Secret Manager are not overwritten during the sync. As part of this process, Infisical abstains from mutating any secrets in GCP Secret Manager without the specified prefix, suffix, or attached label.
![integrations GCP secret manager options](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-create-options.png)
![integrations GCP secret manager](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager.png)
<Warning>
Using Infisical to sync secrets to GCP Secret Manager requires that you enable
the Service Usage API and Cloud Resource Manager API in the Google Cloud project you want to sync secrets to. More on that [here](https://cloud.google.com/service-usage/docs/set-up-development-environment).
Additionally, ensure that your GCP account has sufficient permission to manage secret and service resources (you can assign Secret Manager Admin and Service Usage Admin roles for testing purposes)
</Warning>
</Step>
</Steps>
</Accordion>
<Accordion title="Connect with Service Account JSON">
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
- Have a GCP project and have/create a [service account](https://cloud.google.com/iam/docs/service-account-overview) in it
<Steps>
<Step title="Authorize Infisical for GCP">
Navigate to **IAM & Admin** page in GCP and add the **Secret Manager Admin** and **Service Usage Admin** roles to the service account.
![integrations GCP secret manager IAM](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-iam.png)
<Info>
For enhanced security, you may want to assign more granular permissions to the service account. At minimum,
the service account should be able to read/write secrets from/to GCP Secret Manager (e.g. **Secret Manager Admin** role)
and list which GCP services are enabled/disabled (e.g. **Service Usage Admin** role).
</Info>
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the GCP Secret Manager tile and paste in your **GCP Service Account JSON** (you can create and download the JSON for your
service account in IAM & Admin > Service Accounts > Service Account > Keys).
![integrations GCP authorization IAM key](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-iam-key.png)
![integrations GCP authorization options](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-auth-options.png)
</Step>
<Step title="Start integration">
In the **Connection** tab, select which Infisical environment secrets you want to sync to the GCP secret manager project. Lastly, press create integration to start syncing secrets to GCP secret manager.
![integrations GCP secret manager](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-create.png)
Note that the GCP Secret Manager integration supports a few options in the **Options** tab:
- Secret Prefix: If inputted, the prefix is appended to the front of every secret name prior to being synced.
- Secret Suffix: If inputted, the suffix to appended to the back of every name of every secret prior to being synced.
- Label in GCP Secret Manager: If selected, every secret will be labeled in GCP Secret Manager (e.g. as `managed-by:infisical`); labels can be customized.
Setting a secret prefix, suffix, or enabling the labeling option ensures that existing secrets in GCP Secret Manager are not overwritten during the sync. As part of this process, Infisical abstains from mutating any secrets in GCP Secret Manager without the specified prefix, suffix, or attached label.
![integrations GCP secret manager options](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-create-options.png)
![integrations GCP secret manager](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager.png)
<Warning>
Using Infisical to sync secrets to GCP Secret Manager requires that you enable
the Service Usage API and Cloud Resource Manager API in the Google Cloud project you want to sync secrets to. More on that [here](https://cloud.google.com/service-usage/docs/set-up-development-environment).
</Warning>
</Step>
</Steps>
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="Self-Hosted Setup">
Using the GCP Secret Manager integration (via the OAuth2 method) on a self-hosted instance of Infisical requires configuring an OAuth2 application in GCP
and registering your instance with it.
<Steps>
<Step title="Create an OAuth2 application in GCP">
Navigate to your project API & Services > Credentials to create a new OAuth2 application.
![integrations GCP secret manager config](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-config-api-services.png)
![integrations GCP secret manager config](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-config-new-app.png)
Create the application. As part of the form, add to **Authorized redirect URIs**: `https://your-domain.com/integrations/gcp-secret-manager/oauth2/callback`.
![integrations GCP secret manager config](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-config-new-app-form.png)
</Step>
<Step title="Add your OAuth2 application credentials to Infisical">
Obtain the **Client ID** and **Client Secret** for your GCP OAuth2 application.
![integrations GCP secret manager config](../../images/integrations/gcp-secret-manager/integrations-gcp-secret-manager-config-credentials.png)
Back in your Infisical instance, add two new environment variables for the credentials of your GCP OAuth2 application:
- `CLIENT_ID_GCP_SECRET_MANAGER`: The **Client ID** of your GCP OAuth2 application.
- `CLIENT_SECRET_GCP_SECRET_MANAGER`: The **Client Secret** of your GCP OAuth2 application.
Once added, restart your Infisical instance and use the GCP Secret Manager integration.
</Step>
</Steps>
</Tab>
</Tabs>

35
docs/integrations/cloud/terraform-cloud.mdx
View File

@@ -5,37 +5,4 @@ description: "How to sync secrets from Infisical to Terraform Cloud"
<Note> <Note>
The Terraform Cloud Native Integration will be deprecated in 2026. Please migrate to our new [Terraform Cloud Sync](../secret-syncs/terraform-cloud). The Terraform Cloud Native Integration will be deprecated in 2026. Please migrate to our new [Terraform Cloud Sync](../secret-syncs/terraform-cloud).
</Note> </Note>
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Steps>
<Step title="Authorize Infisical for Terraform Cloud">
Obtain a Terraform Cloud API Token in User Settings > Tokens
![integrations terraform cloud dashboard](../../images/integrations/terraform/integrations-terraformcloud-dashboard.png)
![integrations terraform cloud tokens](../../images/integrations/terraform/integrations-terraformcloud-tokens.png)
Obtain your Terraform Cloud Workspace Id in Projects & Workspaces > Workspace > ID
![integrations terraform cloud projects & workspaces](../../images/integrations/terraform/integrations-terraformcloud-workspaces.png)
![integrations terraform cloud workspace id](../../images/integrations/terraform/integrations-terraformcloud-workspaceid.png)
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the Terraform Cloud tile and input your Terraform Cloud API Token and Workspace Id to grant Infisical access to your Terraform Cloud account.
![integrations terraform cloud authorization](../../images/integrations/terraform/integrations-terraformcloud-auth.png)
</Step>
<Step title="Start integration">
Select which Infisical environment secrets and Terraform Cloud variable type you want to sync to which Terraform Cloud workspace/project and press create integration to start syncing secrets to Terraform Cloud.
![integrations terraform cloud](../../images/integrations/terraform/integrations-terraformcloud-create.png)
![integrations terraform cloud](../../images/integrations/terraform/integrations-terraformcloud.png)
</Step>
</Steps>

78
docs/integrations/cloud/vercel.mdx
View File

@@ -5,80 +5,4 @@ description: "How to sync secrets from Infisical to Vercel"
<Note> <Note>
The Vercel Native Integration will be deprecated in 2026. Please migrate to our new [Vercel Sync](../secret-syncs/vercel). The Vercel Native Integration will be deprecated in 2026. Please migrate to our new [Vercel Sync](../secret-syncs/vercel).
</Note> </Note>
<Tabs>
<Tab title="Usage">
Prerequisites:
- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
<Steps>
<Step title="Authorize Infisical for Vercel">
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press on the Vercel tile and grant Infisical access to your Vercel account.
![integrations vercel authorization](../../images/integrations/vercel/integrations-vercel-auth.png)
</Step>
<Step title="Start integration">
Select which Infisical environment secrets you want to sync to which Vercel app and environment. Lastly, press create integration to start syncing secrets to Vercel.
![integrations vercel](../../images/integrations/vercel/integrations-vercel-create.png)
![integrations vercel](../../images/integrations/vercel/integrations-vercel.png)
<Info>
Infisical syncs every envar to Vercel with type `encrypted` unless an existing
envar with the same name in Vercel exists with a different type. Note that
Infisical will not be able to update Vercel envars with type `sensitive` since
they can only be decrypted and modified by Vercel's deployment systems.
</Info>
<Warning>
The following environment variable names are reserved by Vercel and cannot be
synced: `AWS_SECRET_KEY`, `AWS_EXECUTION_ENV`, `AWS_LAMBDA_LOG_GROUP_NAME`,
`AWS_LAMBDA_LOG_STREAM_NAME`, `AWS_LAMBDA_FUNCTION_NAME`,
`AWS_LAMBDA_FUNCTION_MEMORY_SIZE`, `AWS_LAMBDA_FUNCTION_VERSION`,
`NOW_REGION`, `TZ`, `LAMBDA_TASK_ROOT`, `LAMBDA_RUNTIME_DIR`,
`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`,
`AWS_REGION`, and `AWS_DEFAULT_REGION`.
</Warning>
</Step>
</Steps>
</Tab>
<Tab title="Self-Hosted Setup">
Using the Vercel integration on a self-hosted instance of Infisical requires configuring an integration in Vercel.
and registering your instance with it.
<Steps>
<Step title="Create an integration in Vercel">
Navigate to Integrations > Integration Console to create a new integration.
![integrations Vercel config](../../images/integrations/vercel/integrations-vercel-config-integrations-console.png)
![integrations Vercel config](../../images/integrations/vercel/integrations-vercel-config-new-app.png)
Create the application. As part of the form, set a **URL Slug** to a unique slug like `infisical-your-domain` and keep it handy. Also, set **Redirect URL** to `https://your-domain.com/integrations/vercel/oauth2/callback`. Lastly,
be sure to set the API Scopes according to the second screenshot below.
![integrations Vercel config](../../images/integrations/vercel/integrations-vercel-config-new-app-form-1.png)
![integrations Vercel config](../../images/integrations/vercel/integrations-vercel-config-new-app-form-2.png)
</Step>
<Step title="Add your Vercel integration credentials and information to Infisical">
Obtain the **Client (Integration) ID** and **Client (Integration) Secret** as well as the **URL Slug** from earlier for your Vercel integration.
![integrations Vercel config](../../images/integrations/vercel/integrations-vercel-config-credentials.png)
Back in your Infisical instance, add three new environment variables for the credentials of your Vercel integration.
- `CLIENT_ID_VERCEL`: The **Client (Integration) ID** of your Vercel integration.
- `CLIENT_SECRET_VERCEL`: The **Client (Integration) Secret** of your Vercel integration.
- `CLIENT_SLUG_VERCEL`: The **URL Slug** of your Vercel integration.
Once added, restart your Infisical instance and use the Vercel integration.
</Step>
</Steps>
</Tab>
</Tabs>

4
frontend/src/pages/secret-manager/IntegrationsListPage/IntegrationsListPage.tsx
View File

@@ -87,8 +87,8 @@ export const IntegrationsListPage = () => {
Native Integrations Transitioning to Legacy Status Native Integrations Transitioning to Legacy Status
</div> </div>
<p className="mb-2 mt-1 text-sm text-bunker-300"> <p className="mb-2 mt-1 text-sm text-bunker-300">
Native integrations are now a legacy feature and will begin deprecation in 2026. Native integrations are now a legacy feature and we will begin a phased
We recommend migrating to our new{" "} deprecation in 2026. We recommend migrating to our new{" "}
<a <a
className="text-bunker-200 underline decoration-primary-700 underline-offset-4 duration-200 hover:text-mineshaft-100 hover:decoration-primary-600" className="text-bunker-200 underline decoration-primary-700 underline-offset-4 duration-200 hover:text-mineshaft-100 hover:decoration-primary-600"
href="https://infisical.com/docs/integrations/secret-syncs/overview" href="https://infisical.com/docs/integrations/secret-syncs/overview"