diff --git a/docs/documentation/platform/gateways/overview.mdx b/docs/documentation/platform/gateways/overview.mdx index a64575d56d..1b0de1b194 100644 --- a/docs/documentation/platform/gateways/overview.mdx +++ b/docs/documentation/platform/gateways/overview.mdx 
@@ -1,99 +1,80 @@ --- title: "Gateway" sidebarTitle: "Overview" -description: "Learn how to provide access on private resources to Infisical." +description: "How to provide access to your private resources from Infisical" --- +The Infisical Gateway provides secure access to private resources within your network without needing direct inbound connections to your environment. +This method keeps your resources fully protected from external access while enabling Infisical to securely interact with resources like databases. +Common use cases include generating dynamic credentials or rotating credentials for private databases. + - Note that Gateway is a paid feature. - - If you're using Infisical Cloud, then it is available under the **Enterprise Tier** - If you're self-hosting Infisical, then you should contact sales@infisical.com to purchase an enterprise license to use it. - + **Note:** Gateway is a paid feature. + + - **Infisical Cloud users:** Gateway is available under the **Enterprise Tier**. + - **Self-Hosted Infisical:** Please contact [sales@infisical.com](mailto:sales@infisical.com) to purchase an enterprise license. -## Introduction - -Gateway is Infisical's solution for providing secure access to your private resources without exposing them to the internet. - -By "without exposing," we mean that your resources remain completely closed to inbound connections - no SSH ports, no TCP ports are open. -This level of security ensures that even port scanning cannot detect your resources. - ## How It Works -A gateway is a simple server that acts as a bridge for direct communication between the Infisical server and your private, closed resources (such as databases). +The Gateway serves as a secure intermediary that facilitates direct communication between the Infisical server and your private network. +It’s a lightweight daemon packaged within the Infisical CLI, making it easy to deploy and manage. 
Once set up, the Gateway establishes a connection with a relay server, ensuring that all communication between Infisical and your Gateway is fully end-to-end encrypted. +This setup guarantees that only the platform and your Gateway can decrypt the transmitted information, keeping communication with your resources secure, private and isolated. -When deployed, the gateway establishes a connection with the relay server. Infisical then communicates with your gateway through these relays. -All communication between Infisical and the gateway is end-to-end encrypted, ensuring that only the platform and your gateway can decrypt the transmitted information. ## Deployment +The Infisical Gateway is seamlessly integrated into the Infisical CLI under the `gateway` command, making it simple to deploy and manage. +You can install the Gateway in all the same ways you install the Infisical CLI—whether via npm, Docker, or a binary. +For detailed installation instructions, refer to the Infisical [CLI Installation instructions](/cli/overview). -You can easily deploy a gateway using the Infisical CLI by following these steps: +To function, the Gateway must authenticate with Infisical. This requires a machine identity configured with the appropriate permissions to create and manage a Gateway. +Once authenticated, the Gateway establishes a secure connection with Infisical to allow your private resources to be reachable. +### Deployment process - 1. Navigate to your **Organization Access Control**. - 2. Create a dedicated identity for the gateway. - 3. Best practice: Use one unique identity per gateway. - ![create-gateway](../../../images/platform/gateways/create-identity-for-gateway.png) + 1. Navigate to **Organization Access Control** in your Infisical dashboard. + 2. Create a dedicated machine identity for your Gateway. + 3. **Best Practice:** Assign a unique identity to each Gateway for better security and management. 
+ ![Create Gateway Identity](../../../images/platform/gateways/create-identity-for-gateway.png) - Set up authentication by following the [Identity Auth Method Configuration](../identities/universal-auth) guide. + You'll need to choose an authentication method to initiate communication with Infisical. View the available machine identity authentication methods [here](/documentation/platform/identities/machine-identities). - 1. Deploy the gateway using Infisical CLI with this command: + Use the Infisical CLI to deploy the Gateway. You can log in with your machine identity and start the Gateway in one command: ```bash - INFISICAL_TOKEN=$(infisical login ...) infisical gateway + infisical gateway --token $(infisical login --method=universal-auth --client-id=<> --client-secret=<> --plain) ``` - - Verify that the deployed gateway has access to your private resources - - + Alternatively, if you already have the token, use it directly with the `--token` flag: + ```bash + infisical gateway --token + ``` + Or set it as an environment variable: + ```bash + export INFISICAL_TOKEN= + infisical gateway + ``` + + Ensure the deployed Gateway has network access to the private resources you intend to connect with Infisical. + - - 1. Check gateway deployment status: - - Look for the message "**Gateway started successfully**" in the gateway logs - - This confirms your gateway is running correctly - 2. Verify gateway registration: - - Open your Infisical dashboard - - Navigate to **Organization Access Control** - - Select the **Gateways** tab - - Your newly deployed gateway should appear in the list - ![Gateway list in Organization Access Control](../../../images/platform/gateways/gateway-list.png) - + + To confirm your Gateway is working, check the deployment status by looking for the message **"Gateway started successfully"** in the Gateway logs. This indicates the Gateway is running properly. 
Next, verify its registration by opening your Infisical dashboard, navigating to **Organization Access Control**, and selecting the **Gateways** tab. Your newly deployed Gateway should appear in the list. + ![Gateway List](../../../images/platform/gateways/gateway-list.png) + + - 1. Access gateway settings: - - Find your gateway in the list - - Click the options menu (⋮) - - Select **Edit Details** - ![Edit gateway option](../../../images/platform/gateways/edit-gateway.png) - - 2. Configure project access: - - In the edit modal, you'll see a list of available projects - - Select the projects you want to grant gateway access to - - Click Save to apply your changes - ![Project assignment modal](../../../images/platform/gateways/assign-project.png) - - - -## Using Your Gateway - -### Configuring Dynamic Secrets - -To use your gateway with dynamic secrets: - -1. Navigate to your dynamic secret provider settings -2. Under **Gateway** options, switch from **Internet Gateway** to your deployed gateway - ![dynamic-secret-gateway](../../../images/platform/gateways/dynamic-secret.png) - -### Supported Providers - -Currently, gateways are supported for the following dynamic secret providers: - -- SQL Database Providers (MySQL, PostgreSQL, etc.) - -Additional provider support will be added in future updates. + To enable Infisical features like dynamic secrets or secret rotation to access private resources through the Gateway, you need to link the Gateway to the relevant projects. + + Start by accessing the **Gateway settings** then locate the Gateway in the list, click the options menu (**:**), and select **Edit Details**. + ![Edit Gateway Option](../../../images/platform/gateways/edit-gateway.png) + In the edit modal that appears, choose the projects you want the Gateway to access and click **Save** to confirm your selections. 
+ ![Project Assignment Modal](../../../images/platform/gateways/assign-project.png) + Once added to a project, the Gateway becomes available for use by any feature that supports Gateways within that project. + + \ No newline at end of file
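Review bot: The new one-line deploy command in the "Deployment process" steps puts both the machine identity's client secret and the resulting access token on the command line (`infisical gateway --token $(infisical login --method=universal-auth --client-id=<> --client-secret=<> --plain)`), where they can end up in shell history and are visible in the process list for as long as the gateway daemon runs. The line this replaces passed the token through `INFISICAL_TOKEN` instead. I would make the `export INFISICAL_TOKEN=` variant the primary example, show `--token` as the alternative, and quote the command substitution if the one-liner stays. Two smaller points in the same hunk. The sentence "This requires a machine identity configured with the appropriate permissions to create and manage a Gateway" does not name those permissions, so a reader aiming for least privilege has nothing to go on; please list them or link to where they are defined. The options-menu glyph changed from (⋮) to (**:**) in the project-linking step, which looks unintended. Finally, the "Using Your Gateway" and "Supported Providers" sections are removed without a replacement, so the page no longer says where in the dynamic secret provider settings the Gateway is selected or which providers support it; keep a short version of both or link to the page that now carries them.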