address reviews

This commit is contained in:
x032205
2025-11-21 17:13:19 -05:00
parent 221054c2df
commit c8add06785
7 changed files with 112 additions and 34 deletions

@@ -841,7 +841,8 @@
"group": "Product Reference",
"pages": [
"documentation/platform/pam/product-reference/auditing",
"documentation/platform/pam/product-reference/session-recording"
"documentation/platform/pam/product-reference/session-recording",
"documentation/platform/pam/product-reference/credential-rotation"
]
}
]

@@ -8,15 +8,12 @@ Infisical PAM utilizes a secure, proxy-based architecture designed to provide ac
## Core Components
The architecture consists of four main components working in unison:
The architecture consists of three main components working in unison:
<Steps>
<Step title="Infisical CLI">
The client-side interface used to initiate access requests. It creates a local listener that forwards traffic securely to the Gateway.
</Step>
<Step title="Relay Server">
An intermediary routing service that facilitates communication between the CLI/Platform and the Gateway. It enables connectivity without requiring direct inbound access to your network.
</Step>
<Step title="Infisical Gateway">
A lightweight service deployed within your private network (e.g., VPC, on-prem). It acts as a proxy, intercepting traffic to enforce policies and record sessions before forwarding requests to the target resource.
</Step>
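Review bot: the component count changes from four to three, yet the hunk still shows three `<Step>` entries (Infisical CLI, Relay Server, Infisical Gateway) and the Access Flow section in the next hunk routes every session through the Relay. Confirm that the `<Step>` entries that remain match the stated count; if the Relay Server step is what is being dropped, add a sentence to the remaining steps saying where the Relay sits in the model, since the access flow depends on it.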
@@ -27,15 +24,35 @@ The architecture consists of four main components working in unison:
## Access Flow
```mermaid
graph LR
subgraph Client ["User Environment"]
CLI["Infisical CLI"]
end
Relay["Relay Server"]
subgraph Network ["Private Network (VPC)"]
Gateway["Infisical Gateway"]
DB[("Target Resource (Database/Server)")]
end
CLI <-->|Encrypted Tunnel| Relay
Relay <-->|Reverse Tunnel| Gateway
Gateway <-->|Native Protocol| DB
```
When a user accesses a resource (e.g., via `infisical access`), the following workflow occurs:
1. **Connection Initiation**: The Infisical CLI initiates a connection to the Relay server.
2. **Tunnel Establishment**: The Relay facilitates an end-to-end encrypted tunnel between the CLI and the Gateway.
3. **Proxy & Authentication**: The Gateway authenticates the request and establishes a connection to the target resource on the user's behalf.
3. **Proxy & Credential Injection**: The Gateway authenticates the request and connects to the target resource on the user's behalf. It automatically injects the necessary credentials (e.g., database passwords, SSH keys), ensuring the user never directly handles sensitive secrets.
4. **Traffic Forwarding**: Traffic flows securely from the user's machine, through the Relay, to the Gateway, and finally to the resource.
## Session Recording & Auditing
![Session Logging](/images/pam/architecture/session-logging.png)
A key feature of the Gateway is its ability to act as a "middleman" for all session traffic.
- **Interception**: Because the Gateway sits between the secure tunnel and the target resource, it intercepts all data flowing through the connection.
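Review bot: step 2 describes an "end-to-end encrypted tunnel between the CLI and the Gateway", while the diagram labels the two legs "Encrypted Tunnel" (CLI to Relay) and "Reverse Tunnel" (Relay to Gateway), which reads as two separate hops. State explicitly whether the Relay only forwards ciphertext or can observe session plaintext; that is the property a reader needs to judge how much trust is placed in the Relay. The new step 3 also makes the central claim of the model ("ensuring the user never directly handles sensitive secrets"); a sentence on where the Gateway obtains the injected credentials and how it is authorized to do so would make that claim verifiable from the docs.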

@@ -4,13 +4,15 @@ sidebarTitle: "Accounts"
description: "Learn how to create and manage accounts in PAM to control access to resources like databases and servers."
---
An **Account** represents a specific identity or set of credentials (username/password) used to authenticate against a [Resource](/documentation/platform/pam/getting-started/resources).
An **Account** contains the credentials (such as a username and password) used to connect to a [Resource](/documentation/platform/pam/getting-started/resources).
## Relationship to Resources
Accounts are children of Resources. A single Resource can have multiple Accounts associated with it, each with different permission levels.
Accounts belong to Resources. A single Resource can have multiple Accounts associated with it, each with different permission levels.
For example:
For example, your database would normally have multiple accounts. You might have a superuser account for admins, a standard read/write account for applications, and a read-only account for reporting.
In PAM, these are represented as:
- **Resource**: `Production Database` (PostgreSQL)
- **Account 1**: `postgres` (Superuser)
- **Account 2**: `app_user` (Read/Write)
@@ -40,10 +42,6 @@ Clicking **Create Account** will trigger a validation check. Infisical will atte
## Automated Credential Rotation
Accounts for certain resources, such as PostgreSQL, support automated credential rotation. This feature automatically changes the password for the account at a set interval.
Infisical supports automated credential rotation for some accounts on select resources, allowing you to automatically change passwords at set intervals to enhance security.
**Requirements:**
1. The parent Resource must have a [Rotation Account](/documentation/platform/pam/getting-started/resources#automated-credential-rotation) configured (a master account with permission to change other users' passwords).
2. You must enable rotation in the Account settings.
![Rotate Credentials Account](/images/pam/getting-started/resources/rotate-credentials-account.png)
To learn more about how to configure this, please refer to the [Credential Rotation guide](/documentation/platform/pam/product-reference/credential-rotation).
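Review bot: with the Requirements list removed, this section no longer states that rotation needs a Rotation Account on the parent Resource; the remaining text only links out to the guide. Keep a one-line prerequisite here, e.g. "Rotation can only be enabled when the parent Resource has a Rotation Account configured", so a reader on the Accounts page understands why the toggle may be unavailable.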

@@ -12,7 +12,7 @@ A resource represents a target system, such as a database, server, or applicatio
## Prerequisites
Before you can create a resource, you must have an **Infisical Gateway** deployed and running on the same network as the target resource.
Before you can create a resource, you must have an **Infisical Gateway** deployed that is able to reach the target resource over the network.
The Gateway acts as a secure bridge, allowing Infisical to reach your private infrastructure without exposing it to the public internet. When creating a resource, you will be asked to specify which Gateway should be used to connect to it.
@@ -40,15 +40,6 @@ Clicking **Create Resource** will trigger a connection test from the selected Ga
## Automated Credential Rotation
Some resources, such as PostgreSQL, support automated credential rotation to enhance your security posture. This requires configuration on both the resource and the accounts that use it.
Some resources, such as PostgreSQL, support automated credential rotation to enhance your security posture. This feature requires configuring a privileged "Rotation Account" on the resource.
<Steps>
<Step title="Configure Rotation Account on Resource">
When creating or editing a resource, configure a "rotation account." This is a master or privileged account that has the necessary permissions to change the passwords of other accounts on that same resource.
![Credential Rotation Account](/images/pam/getting-started/resources/credential-rotation-account.png)
</Step>
<Step title="Enable Rotation on Account">
For each individual account you want to rotate, enable rotation in the account's settings and set a desired interval (e.g., every 30 days). This option is only available if the account's resource has a rotation account configured.
![Rotate Credentials Account](/images/pam/getting-started/resources/rotate-credentials-account.png)
</Step>
</Steps>
To learn more about how to configure this, please refer to the [Credential Rotation guide](/documentation/platform/pam/product-reference/credential-rotation).
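Review bot: the removed `<Steps>` block carried the constraint "This option is only available if the account's resource has a rotation account configured" and the example interval; the credential-rotation guide's second step only partly restates this ("Once the resource has a rotation account configured"). Make sure the guide carries the constraint explicitly, since this page now defers to it entirely.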

@@ -6,6 +6,17 @@ description: "Manage and secure access to critical infrastructure like databases
Infisical Privileged Access Management (PAM) provides a centralized way to manage and secure access to your critical infrastructure. It allows you to enforce fine-grained, policy-based controls over resources like databases, servers, and more, ensuring that only authorized users can access sensitive systems, and only when they need to.
## The PAM Workflow
At its core, Infisical PAM is designed to decouple **user identity** from **infrastructure credentials**. Instead of sharing static passwords or SSH keys, users authenticate with their SSO identity, and Infisical handles the rest.
Here is how a typical access lifecycle looks:
1. **Discovery**: A user logs into Infisical and sees a catalog of resources (databases, servers) and accounts they are allowed to access.
2. **Connection**: The user selects a resource and an account (e.g., "Production DB" as `read_only`). They initiate the connection via the Infisical CLI.
3. **Credential Injection**: Infisical validates the request. If allowed, it establishes a secure tunnel and automatically injects the credentials for the target account. **The user never sees the underlying password or key.**
4. **Monitoring**: The session is established. All traffic is intercepted, logged, and recorded for audit purposes.
## Core Concepts
To successfully implement Infisical PAM, it is essential to understand the relationship between the following components:
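Review bot: step 4 states "All traffic is intercepted, logged, and recorded for audit purposes", which is a strong promise for an overview; link it to the Session Recording page and qualify it by the resource types that support recording so the overview does not claim more than the product reference. Step 3's "The user never sees the underlying password or key" is accurate for injection, but it is worth adding that the user still receives whatever access the chosen Account grants, which is why the `read_only` example in step 2 matters as the actual control.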
@@ -15,10 +26,10 @@ To successfully implement Infisical PAM, it is essential to understand the relat
A lightweight service deployed in your network that acts as a secure bridge to your private infrastructure.
</Card>
<Card title="Resource" icon="database">
The specific target you are protecting (e.g., a PostgreSQL database or an Ubuntu server) that resides behind a Gateway.
The specific target you are protecting (e.g., a PostgreSQL database or an Ubuntu server).
</Card>
<Card title="Account" icon="user-lock">
Specific credentials (username/password) used to authenticate against a Resource. One Resource can have multiple Accounts.
The specific identity on the Resource that the user is trying to access. One Resource can have multiple Accounts.
</Card>
</CardGroup>
@@ -26,13 +37,26 @@ To successfully implement Infisical PAM, it is essential to understand the relat
The hierarchy is structured as follows:
```mermaid
graph TD
GW[Gateway] --> |Provides Access| DB[Resource: Production DB]
GW[Gateway] --> |Provides Access| SRV[Resource: Linux Server]
DB --> A1[Account: admin]
DB --> A2[Account: readonly]
SRV --> A3[Account: ubuntu]
```
1. **Gateway**: Deployed once per network/VPC. It provides connectivity to all resources in that environment.
2. **Resource**: Configured within Infisical. It points to a specific IP/Host accessible by the Gateway.
3. **Account**: Defined under a Resource. Users request access to a specific *Account* on a *Resource*.
## How it Works
## Network Architecture
Infisical PAM uses a proxy-based architecture. When a user accesses a resource, their connection is routed securely through a Relay to your self-hosted Gateway, which then connects to the target resource. This ensures zero-trust access without exposing your infrastructure to the public internet.
Infisical PAM uses a secure proxy-based architecture to connect users to resources without direct network exposure.
When a user accesses a resource, their connection is routed securely through a Relay to your self-hosted Gateway, which then connects to the target resource. This ensures zero-trust access without exposing your infrastructure to the public internet.
For a deep dive into the technical architecture and security model, see [Architecture](/documentation/platform/pam/architecture).
@@ -52,8 +76,8 @@ Follow this sequence to get up and running with PAM:
[Learn about Resources](/documentation/platform/pam/getting-started/resources)
</Step>
<Step title="Add Accounts">
Add **Accounts** to your Resource (e.g., `postgres` or `read_only_user`). These are the actual credentials Infisical will inject when a user connects.
Add **Accounts** to your Resource (e.g., `postgres` or `read_only_user`). These represent the actual PAM users or privileged identities that are utilized when a user connects.
[Learn about Accounts](/documentation/platform/pam/getting-started/accounts)
</Step>
<Step title="Connect">
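Review bot: "the actual PAM users or privileged identities" is ambiguous, since "PAM users" reads as the Infisical users requesting access rather than the identities on the Resource, and the Accounts page in this same commit defines an Account as the credentials used to connect to a Resource. Suggest "These are the privileged identities on the Resource that Infisical connects as when a user is granted access."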
@@ -65,4 +89,4 @@ Follow this sequence to get up and running with PAM:
- **[Auditing](/documentation/platform/pam/product-reference/auditing)**: Track and review a comprehensive log of all user actions and system events.
- **[Session Recording](/documentation/platform/pam/product-reference/session-recording)**: Record and playback user sessions for security reviews, compliance, and troubleshooting.
- **[Automated Credential Rotation](/documentation/platform/pam/getting-started/resources#automated-credential-rotation)**: Automatically rotate credentials for supported resources to minimize the risk of compromised credentials.
- **[Automated Credential Rotation](/documentation/platform/pam/product-reference/credential-rotation)**: Automatically rotate credentials for supported resources to minimize the risk of compromised credentials.

@@ -0,0 +1,47 @@
---
title: "Credential Rotation"
sidebarTitle: "Credential Rotation"
description: "Learn how to automate credential rotation for your PAM resources."
---
Automated Credential Rotation enhances your security posture by automatically changing the passwords of your accounts at set intervals. This minimizes the risk of compromised credentials by ensuring that even if a password is leaked, it remains valid only for a short period.
## How it Works
When rotation is enabled, Infisical's Gateway connects to the target resource using a privileged "Rotation Account". It then executes the necessary commands to change the password for the target user account to a new, cryptographically secure random value.
## Configuration
Setting up automated rotation requires a two-step configuration: first at the Resource level, and then at the individual Account level.
<Steps>
<Step title="Configure Rotation Account on Resource">
A **Rotation Account** is a master or privileged account that has the necessary permissions to change the passwords of other users on the target system.
When creating or editing a [Resource](/documentation/platform/pam/getting-started/resources), you must provide the credentials for this privileged account.
*Example: For a PostgreSQL database, this would typically be the `postgres` superuser or another role with `ALTER ROLE` privileges.*
![Credential Rotation Account](/images/pam/getting-started/resources/credential-rotation-account.png)
</Step>
<Step title="Enable Rotation on Account">
Once the resource has a rotation account configured, you can enable rotation for individual [Accounts](/documentation/platform/pam/getting-started/accounts) that belong to that resource.
In the account settings:
1. Toggle **Enable Rotation**.
2. Set the **Rotation Interval** (e.g., every 7 days, 30 days).
![Rotate Credentials Account](/images/pam/getting-started/resources/rotate-credentials-account.png)
</Step>
</Steps>
## Supported Resources
Automated rotation is currently supported for the following resource types:
- **PostgreSQL**: Requires a user with `ALTER ROLE` permissions.
<Note>
We are constantly adding support for more resource types.
</Note>
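Review bot: the PostgreSQL example leads with the `postgres` superuser, and the Supported Resources entry says only "Requires a user with `ALTER ROLE` permissions"; since the Rotation Account is the most privileged credential Infisical holds for the resource, document the least-privilege option first (a dedicated role with just enough privilege to alter the rotated roles) and state that the Rotation Account should not itself be one of the rotated accounts. The page also does not say what happens to sessions that are open at rotation time, or how a failed rotation is surfaced to administrators; both belong in "How it Works" or in a `<Note>`.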

Binary file not shown.