Quick usage - Infisical

The CLI is designed for a variety of applications, ranging from local secret management to CI/CD and production scenarios. The distinguishing factor, however, is the authentication method used.

To use the Infisical CLI in your local development environment, simply run the command below and follow the interactive guide.

infisical login

If you are in a containerized environment such as WSL 2 or Codespaces, run infisical login -i to avoid browser based login

Initialize Infisical for your project

# navigate to your project
cd /path/to/project

# initialize infisical
infisical init

This will create .infisical.json file at the location the command was executed. This file contains your local project settings. It does not contain any sensitive data.

To use the Infisical CLI in your local development environment, simply run the command below and follow the interactive guide.

infisical login

If you are in a containerized environment such as WSL 2 or Codespaces, run infisical login -i to avoid browser based login

Initialize Infisical for your project

# navigate to your project
cd /path/to/project

# initialize infisical
infisical init

This will create .infisical.json file at the location the command was executed. This file contains your local project settings. It does not contain any sensitive data.

To use Infisical for non local development scenarios, please create a service token. The service token will allow you to authenticate and interact with Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI.

Pass as flag

You may use the —token flag to set the token

infisical export --token=<>
infisical secrets --token=<>
infisical run --token=<> -- npm run dev

Pass via shell environment variable

The CLI is configured to look for an environment variable named INFISICAL_TOKEN. If set, it’ll attempt to use it for authentication.

export INFISICAL_TOKEN=<>

Inject environment variables

infisical run --env=dev --path=/apps/firefly -- [your application start command]

# example with node (nodemon)
infisical run --env=staging --path=/apps/spotify -- nodemon index.js

# example with flask
infisical run --env=prod --path=/apps/backend -- flask run

# example with spring boot - maven
infisical run --env=dev --path=/apps/ -- ./mvnw spring-boot:run --quiet

infisical run --env=dev --path=/apps/firefly -- [your application start command]

# example with node (nodemon)
infisical run --env=staging --path=/apps/spotify -- nodemon index.js

# example with flask
infisical run --env=prod --path=/apps/backend -- flask run

# example with spring boot - maven
infisical run --env=dev --path=/apps/ -- ./mvnw spring-boot:run --quiet

Custom aliases can utilize secrets from Infisical. Suppose there is a custom alias yd in custom.sh that runs yarn dev and needs the secrets provided by Infisical.

#!/bin/sh

yd() {
  yarn dev
}

To make the secrets available from Infisical to yd, you can run the following command:

infisical run --env=prod --path=/apps/reddit --command="source custom.sh && yd"

View all available options for run command here

Connect CLI to self hosted Infisical

The CLI is set to connect to Infisical Cloud by default, but if you’re running your own instance of Infisical, you can direct the CLI to it using one of the methods provided below.

Method 1: Use the updated CLI

Beginning with CLI version V0.4.0, it is now possible to choose between logging in through the Infisical cloud or your own self-hosted instance. Simply execute the infisical login command and follow the on-screen instructions.

Method 2: Export environment variable

You can point the CLI to the self hosted Infisical instance by exporting the environment variable INFISICAL_API_URL in your terminal.

# Set backend host 
export INFISICAL_API_URL="https://your-self-hosted-infisical.com/api"

# Remove backend host 
unset INFISICAL_API_URL

# Set backend host 
export INFISICAL_API_URL="https://your-self-hosted-infisical.com/api"

# Remove backend host 
unset INFISICAL_API_URL

# Set backend host 
setx INFISICAL_API_URL "https://your-self-hosted-infisical.com/api"

# Remove backend host 
setx INFISICAL_API_URL ""

# NOTE: Once set or removed, please restart powershell for the change to take effect

Method 3: Set manually on every command

Another option to point the CLI to your self hosted Infisical instance is to set it via a flag on every command you run.

# Example
infisical <any-command> --domain="https://your-self-hosted-infisical.com/api"

History

Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they’ll stay there for a while.

For security and privacy concerns, we recommend you to configure your terminal to ignore those specific Infisical commands.

$HOME/.profile is pretty common but, you could place it under $HOME/.profile.d/infisical.sh or any profile file run at login

cat <<EOF >> $HOME/.profile && source $HOME/.profile

# Ignoring specific Infisical CLI commands
DEFAULT_HISTIGNORE=$HISTIGNORE
export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
EOF

$HOME/.profile is pretty common but, you could place it under $HOME/.profile.d/infisical.sh or any profile file run at login

cat <<EOF >> $HOME/.profile && source $HOME/.profile

# Ignoring specific Infisical CLI commands
DEFAULT_HISTIGNORE=$HISTIGNORE
export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
EOF

If you’re on WSL, then you can use the Unix/Linux method.

Here’s some documentation about how to clear the terminal history, in PowerShell and CMD

Command line

​Initialize Infisical for your project

​Initialize Infisical for your project

​Pass as flag

​Pass via shell environment variable

​Inject environment variables

​Connect CLI to self hosted Infisical

​History

Initialize Infisical for your project

Initialize Infisical for your project

Pass as flag

Pass via shell environment variable

Inject environment variables

Connect CLI to self hosted Infisical

History