redo gateway docs

Maidul Islam
2025-02-23 14:55:40 +09:00
committed by =
parent 19d66abc38
commit 38a6fd140c

@@ -1,99 +1,80 @@
---
title: "Gateway"
sidebarTitle: "Overview"
description: "Learn how to provide access on private resources to Infisical."
description: "How to provide access to your private resources from Infisical"
---
The Infisical Gateway provides secure access to private resources within your network without needing direct inbound connections to your environment.
This method keeps your resources fully protected from external access while enabling Infisical to securely interact with resources like databases.
Common use cases include generating dynamic credentials or rotating credentials for private databases.
<Info>
Note that Gateway is a paid feature.
If you're using Infisical Cloud, then it is available under the **Enterprise Tier**
If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it.
**Note:** Gateway is a paid feature.
- **Infisical Cloud users:** Gateway is available under the **Enterprise Tier**.
- **Self-Hosted Infisical:** Please contact [sales@infisical.com](mailto:sales@infisical.com) to purchase an enterprise license.
</Info>
## Introduction
Gateway is Infisical's solution for providing secure access to your private resources without exposing them to the internet.
By "without exposing," we mean that your resources remain completely closed to inbound connections - no SSH ports, no TCP ports are open.
This level of security ensures that even port scanning cannot detect your resources.
## How It Works
A gateway is a simple server that acts as a bridge for direct communication between the Infisical server and your private, closed resources (such as databases).
The Gateway serves as a secure intermediary that facilitates direct communication between the Infisical server and your private network.
Its a lightweight daemon packaged within the Infisical CLI, making it easy to deploy and manage. Once set up, the Gateway establishes a connection with a relay server, ensuring that all communication between Infisical and your Gateway is fully end-to-end encrypted.
This setup guarantees that only the platform and your Gateway can decrypt the transmitted information, keeping communication with your resources secure, private and isolated.
When deployed, the gateway establishes a connection with the relay server. Infisical then communicates with your gateway through these relays.
All communication between Infisical and the gateway is end-to-end encrypted, ensuring that only the platform and your gateway can decrypt the transmitted information.
## Deployment
The Infisical Gateway is seamlessly integrated into the Infisical CLI under the `gateway` command, making it simple to deploy and manage.
You can install the Gateway in all the same ways you install the Infisical CLI—whether via npm, Docker, or a binary.
For detailed installation instructions, refer to the Infisical [CLI Installation instructions](/cli/overview).
You can easily deploy a gateway using the Infisical CLI by following these steps:
To function, the Gateway must authenticate with Infisical. This requires a machine identity configured with the appropriate permissions to create and manage a Gateway.
Once authenticated, the Gateway establishes a secure connection with Infisical to allow your private resources to be reachable.
### Deployment process
<Steps>
<Step title="Create a Gateway Identity">
1. Navigate to your **Organization Access Control**.
2. Create a dedicated identity for the gateway.
3. Best practice: Use one unique identity per gateway.
![create-gateway](../../../images/platform/gateways/create-identity-for-gateway.png)
1. Navigate to **Organization Access Control** in your Infisical dashboard.
2. Create a dedicated machine identity for your Gateway.
3. **Best Practice:** Assign a unique identity to each Gateway for better security and management.
![Create Gateway Identity](../../../images/platform/gateways/create-identity-for-gateway.png)
</Step>
<Step title="Configure Authentication Method">
Set up authentication by following the [Identity Auth Method Configuration](../identities/universal-auth) guide.
You'll need to choose an authentication method to initiate communication with Infisical. View the available machine identity authentication methods [here](/documentation/platform/identities/machine-identities).
</Step>
<Step title="Deploy the Gateway">
1. Deploy the gateway using Infisical CLI with this command:
Use the Infisical CLI to deploy the Gateway. You can log in with your machine identity and start the Gateway in one command:
```bash
INFISICAL_TOKEN=$(infisical login ...) infisical gateway
infisical gateway --token $(infisical login --method=universal-auth --client-id=<> --client-secret=<> --plain)
```
<Note>
Verify that the deployed gateway has access to your private resources
</Note>
Alternatively, if you already have the token, use it directly with the `--token` flag:
```bash
infisical gateway --token <your-machine-identity-token>
```
Or set it as an environment variable:
```bash
export INFISICAL_TOKEN=<your-machine-identity-token>
infisical gateway
```
<Note>
Ensure the deployed Gateway has network access to the private resources you intend to connect with Infisical.
</Note>
</Step>
<Step title="Verify Gateway Deployment">
1. Check gateway deployment status:
- Look for the message "**Gateway started successfully**" in the gateway logs
- This confirms your gateway is running correctly
2. Verify gateway registration:
- Open your Infisical dashboard
- Navigate to **Organization Access Control**
- Select the **Gateways** tab
- Your newly deployed gateway should appear in the list
![Gateway list in Organization Access Control](../../../images/platform/gateways/gateway-list.png)
</Step>
<Step title="Verify Gateway Deployment">
To confirm your Gateway is working, check the deployment status by looking for the message **"Gateway started successfully"** in the Gateway logs. This indicates the Gateway is running properly. Next, verify its registration by opening your Infisical dashboard, navigating to **Organization Access Control**, and selecting the **Gateways** tab. Your newly deployed Gateway should appear in the list.
![Gateway List](../../../images/platform/gateways/gateway-list.png)
</Step>
<Step title="Link Gateway to Projects">
1. Access gateway settings:
- Find your gateway in the list
- Click the options menu (⋮)
- Select **Edit Details**
![Edit gateway option](../../../images/platform/gateways/edit-gateway.png)
2. Configure project access:
- In the edit modal, you'll see a list of available projects
- Select the projects you want to grant gateway access to
- Click Save to apply your changes
![Project assignment modal](../../../images/platform/gateways/assign-project.png)
</Step>
</Steps>
## Using Your Gateway
### Configuring Dynamic Secrets
To use your gateway with dynamic secrets:
1. Navigate to your dynamic secret provider settings
2. Under **Gateway** options, switch from **Internet Gateway** to your deployed gateway
![dynamic-secret-gateway](../../../images/platform/gateways/dynamic-secret.png)
### Supported Providers
Currently, gateways are supported for the following dynamic secret providers:
- SQL Database Providers (MySQL, PostgreSQL, etc.)
<Note>Additional provider support will be added in future updates.</Note>
To enable Infisical features like dynamic secrets or secret rotation to access private resources through the Gateway, you need to link the Gateway to the relevant projects.
Start by accessing the **Gateway settings** then locate the Gateway in the list, click the options menu (**:**), and select **Edit Details**.
![Edit Gateway Option](../../../images/platform/gateways/edit-gateway.png)
In the edit modal that appears, choose the projects you want the Gateway to access and click **Save** to confirm your selections.
![Project Assignment Modal](../../../images/platform/gateways/assign-project.png)
Once added to a project, the Gateway becomes available for use by any feature that supports Gateways within that project.
</Step>
</Steps>
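Review bot: In the "Deploy the Gateway" step, the one-command example `infisical gateway --token $(infisical login --method=universal-auth --client-id=<> --client-secret=<> --plain)` puts both the client secret and the resulting token in argv, where they end up in shell history and are readable from the process list by other local users. Since the same step already documents `export INFISICAL_TOKEN=<your-machine-identity-token>` followed by `infisical gateway`, I would lead with that form and present `--token` as the fallback. If the one-liner stays, quote the command substitution and replace the empty `<>` placeholders with named ones, matching `<your-machine-identity-token>` used a few lines below. Two smaller points in the same hunk: "Its a lightweight daemon" in "How It Works" should read "It's", and the options menu in "Link Gateway to Projects" is written as `(**:**)` where the other version of that instruction uses `(⋮)`, which matches what the UI shows. The "Supported Providers" list (SQL database providers) has no counterpart in the rewritten text, which only says "any feature that supports Gateways"; if the list is being dropped, a link to where supported features are documented would keep readers from guessing.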