Description
The Infisical gateway provides secure access to private resources using a modern TCP-based SSH tunnel architecture with enhanced security and flexible deployment options. The gateway system uses SSH reverse tunnels over TCP, eliminating firewall complexity and providing excellent performance for enterprise environments.

Deprecation and Migration Notice: The legacy infisical gateway command (v1) will be removed in a future release. Please migrate to infisical gateway start (Gateway v2).

If you are moving from Gateway v1 to Gateway v2, this is NOT a drop-in switch. Gateway v2 creates new gateway instances with new gateway IDs. You must update any existing resources that reference gateway IDs (for example: dynamic secret configs, app connections, or other gateway-bound resources) to point to the new Gateway v2 gateway ID. Until you update those references, traffic will continue to target the old v1 gateway.

Subcommands & flags
infisical gateway start
Run the Infisical gateway component within your VPC. The gateway establishes an SSH reverse tunnel to the specified relay server and provides secure access to private resources.

The gateway component:
- Establishes outbound SSH reverse tunnels to relay servers (no inbound firewall rules needed)
- Authenticates using SSH certificates issued by Infisical
- Automatically reconnects if the connection is lost
- Provides access to private resources within your network
Authentication
The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.

Universal Auth
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
Native Kubernetes
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
Native Azure
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
Native GCP ID Token
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
GCP IAM
Native AWS IAM
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
OIDC Auth
JWT Auth
Token Auth
You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.

Flags
Other Flags
--relay
The name of the relay that this gateway should connect to. The relay must be running and registered before starting the gateway.

Note: If using organization relays or self-hosted instance relays, you must first start a relay server using infisical relay start before connecting gateways to it. For Infisical Cloud users using instance relays, the relay infrastructure is already running and managed by Infisical.

--name
The name of the gateway instance.
--domain
Domain of your self-hosted Infisical instance.
infisical gateway systemd install
Install and enable the gateway as a systemd service. This command must be run with sudo on Linux.
Requirements
- Must be run on Linux
- Must be run with root/sudo privileges
- Requires systemd
Flags
--token
The machine identity access token to authenticate with Infisical.

You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the install command.

--domain
Domain of your self-hosted Infisical instance.
--name
The name of the gateway instance.
--relay
The name of the relay that this gateway should connect to.
Service Details
The systemd service is installed with secure defaults:
- Service file: /etc/systemd/system/infisical-gateway.service
- Config file: /etc/infisical/gateway.conf
- Runs with restricted privileges:
  - InaccessibleDirectories=/home
  - PrivateTmp=yes
- Resource limits configured for stability
- Automatically restarts on failure
- Enabled to start on boot
- Maintains persistent SSH reverse tunnel connections to the specified relay
- Handles certificate rotation and connection recovery automatically
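As an added example (not part of the Infisical docs or CLI), a POSIX shell audit that checks an installed unit for the hardening directives listed above and that the config file, assumed here to hold the machine identity token, is not readable by other local users. The unit contents, the ExecStart path and the config key name are constructed placeholders.

```shell
# Added example: audit an installed infisical-gateway unit for the hardening
# directives listed under "Service Details". All file contents below are
# constructed for this example; they are not what the CLI writes.
# Expected [Service] directives. The docs name no Restart= value, so only
# the key is checked for that one.
EXPECTED_DIRECTIVES="InaccessibleDirectories=/home PrivateTmp=yes Restart="

# Print every expected directive missing from the unit; return 1 if any.
check_gateway_unit() {
    unit="$1"
    rc=0
    for d in $EXPECTED_DIRECTIVES; do
        if ! grep -q "^$d" "$unit"; then
            echo "missing directive: $d"
            rc=1
        fi
    done
    return $rc
}

# The config file is assumed to carry the machine identity token, so it
# should not be group- or world-readable. Return 1 if it is.
check_conf_mode() {
    conf="$1"
    # GNU stat first, BSD stat as fallback; both yield octal such as 600
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        *00) return 0 ;;
        *) echo "$conf has mode $mode; expected owner-only access"; return 1 ;;
    esac
}
# Constructed sample files in a scratch directory (real paths are
# /etc/systemd/system/infisical-gateway.service and /etc/infisical/gateway.conf).
WORK=$(mktemp -d)
GOOD_UNIT="$WORK/infisical-gateway.service"
cat > "$GOOD_UNIT" <<'EOF'
[Service]
ExecStart=/usr/local/bin/infisical gateway start
InaccessibleDirectories=/home
PrivateTmp=yes
Restart=on-failure
EOF
# Same unit with PrivateTmp dropped, to show a failing check
WEAK_UNIT="$WORK/weak.service"
grep -v '^PrivateTmp=' "$GOOD_UNIT" > "$WEAK_UNIT"
CONF="$WORK/gateway.conf"
printf 'token=PLACEHOLDER_TOKEN\n' > "$CONF"
chmod 600 "$CONF"
check_gateway_unit "$GOOD_UNIT" && check_conf_mode "$CONF" && echo "gateway hardening OK"
```

Point the two functions at the real unit and config paths on a host where the service was installed to re-run the audit after upgrades.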
Legacy Gateway Commands (Deprecated)
infisical gateway (deprecated)
This command is deprecated and will be removed in a future release. Please migrate to infisical gateway start for the new TCP-based SSH tunnel architecture.

Migration required: If you are currently using Gateway v1 (via infisical gateway), moving to Gateway v2 is not in-place. Gateway v2 provisions new gateway instances with new gateway IDs. Update any resources that reference a gateway ID (for example: dynamic secret configs, app connections, or other gateway-bound resources) to use the new Gateway v2 gateway ID. Until you update those references, traffic will continue to target the old v1 gateway.

Authentication
The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.

Universal Auth
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
Native Kubernetes
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
Native Azure
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
Native GCP ID Token
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
GCP IAM
Native AWS IAM
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
OIDC Auth
JWT Auth
Token Auth
You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.

Flags
Other Flags
--domain
Domain of your self-hosted Infisical instance.
infisical gateway install (deprecated)
This command is deprecated and will be removed in a future release. Please migrate to infisical gateway systemd install for the new TCP-based SSH tunnel architecture with enhanced security and better performance.

Migration required: If you previously installed Gateway v1 via infisical gateway install, moving to Gateway v2 is not in-place. Gateway v2 provisions new gateway instances with new gateway IDs. Update any resources that reference a gateway ID (for example: dynamic secret configs, app connections, or other gateway-bound resources) to use the new Gateway v2 gateway ID. Until you update those references, traffic will continue to target the old v1 gateway.

Requirements
- Must be run on Linux
- Must be run with root/sudo privileges
- Requires systemd
Flags
--token
The machine identity access token to authenticate with Infisical.

You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the install command.

--domain
Domain of your self-hosted Infisical instance.
Service Details
The systemd service is installed with secure defaults:
- Service file: /etc/systemd/system/infisical-gateway.service
- Config file: /etc/infisical/gateway.conf
- Runs with restricted privileges:
  - InaccessibleDirectories=/home
  - PrivateTmp=yes
- Resource limits configured for stability
- Automatically restarts on failure
- Enabled to start on boot