Infisical CLI
The Infisical CLI provides direct access to secrets management from the command line. Use it for local development, CI/CD pipelines, and injecting secrets into processes.
Installation
```bash
# Debian/Ubuntu (apt)
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
sudo apt-get update && sudo apt-get install -y infisical

# macOS (Homebrew)
brew install infisical/get-cli/infisical

# npm
npm install -g @infisical/cli
```
Authentication
Interactive Login (Development)
```bash
# Opens browser for authentication
infisical login

# CLI prompts for credentials
infisical login --interactive

# Direct login
# (a password passed as an argument is visible in shell history and the process list)
infisical login --email you@company.com --password=yourpass --organization-id=org-id
```
Machine Identity (Production/CI)
```bash
# Universal Auth (recommended)
infisical login --method=universal-auth \
  --client-id=<client-id> \
  --client-secret=<client-secret>

# AWS IAM
infisical login --method=aws-iam --machine-identity-id=<id>

# Kubernetes
infisical login --method=kubernetes --machine-identity-id=<id>
```
Get Token for Scripts
```bash
export INFISICAL_TOKEN=$(infisical login \
  --email x@y.com \
  --password=pwd \
  --organization-id=org \
  --plain --silent)
```
Core Commands
Inject Secrets into Process
Run any command with secrets as environment variables:
```bash
# Basic usage
infisical run -- npm run dev

# With environment
infisical run --env=prod -- python app.py

# With secret path
infisical run --path=/myservice -- ./start.sh

# Watch for changes (auto-restart on secret update)
infisical run --watch -- node server.js

# Chained commands
infisical run --command "npm install && npm run build && npm start"
```
List Secrets
```bash
# All secrets in project
infisical secrets

# From specific environment
infisical secrets --env=prod

# From specific path
infisical secrets --path=/myservice
```
Get Specific Secrets
```bash
# Get and display
infisical secrets get API_KEY DATABASE_URL

# Get plain value for scripts
API_KEY=$(infisical secrets get API_KEY --plain --silent)
```
Set Secrets
```bash
# Set one or more
infisical secrets set API_KEY=value DATABASE_URL=postgres://...

# Set from file (certificates, keys)
infisical secrets set CERTIFICATE=@/path/to/cert.pem

# Bulk import from .env
infisical secrets set --file=./.env
```
Delete Secrets
```bash
infisical secrets delete API_KEY OLD_SECRET
```
Folder Management
```bash
# List folders
infisical secrets folders get --path=/

# Create folder
infisical secrets folders create --path=/ --name=myservice

# Delete folder
infisical secrets folders delete --path=/ --name=old-service
```
Export Secrets
Export secrets to various formats:
```bash
# .env format (default)
infisical export > .env

# With export keyword
infisical export --format=dotenv-export > .env

# JSON
infisical export --format=json > secrets.json

# YAML
infisical export --format=yaml > secrets.yaml

# Direct to file
infisical export --output-file=./.env
```
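Exported files contain plaintext secrets. A plain `> .env` redirect creates the file with the default umask and truncates any existing file before the export runs, so a failed export leaves an empty `.env`. The helper below is an added example, not part of the Infisical CLI or its documentation; `write_secret_file` is a hypothetical name, and it works with any of the `infisical export` forms shown on this page.

```shell
# usage: write_secret_file <target> <command> [args...]
# Writes the command's stdout to <target> with mode 600, atomically.
write_secret_file() {
  local target="$1"; shift
  local dir base tmp rc
  dir=$(dirname -- "$target")
  base=$(basename -- "$target")

  # Inside a git work tree, refuse unless the target is ignored
  # (git check-ignore exits 1 when no ignore rule matches the path).
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    rc=0
    git -C "$dir" check-ignore -q -- "$base" || rc=$?
    if [ "$rc" -eq 1 ]; then
      echo "$target is not git-ignored; refusing to write secrets" >&2
      return 1
    fi
  fi

  # Temp file in the same directory so the final mv is an atomic rename.
  # The subshell keeps umask 077 from leaking into the caller.
  tmp=$( umask 077; mktemp "$dir/.secrets.XXXXXX" ) || return 1

  # Run the producer; on failure any existing target stays untouched.
  if ! "$@" > "$tmp"; then
    rm -f -- "$tmp"
    echo "export command failed; $target not modified" >&2
    return 1
  fi

  # Do not replace a working file with an empty export.
  if [ ! -s "$tmp" ]; then
    rm -f -- "$tmp"
    echo "export produced no output; $target not modified" >&2
    return 1
  fi

  chmod 600 -- "$tmp" && mv -f -- "$tmp" "$target"
}

# Intended call, using the export command shown above:
#   write_secret_file .env infisical export --env=dev
```
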
Common Options
| Flag | Purpose |
|---|---|
| `--env` | Environment slug: dev, staging, prod |
| `--path` | Secret path: /myservice, /shared |
| `--projectId` | Project ID (overrides .infisical.json) |
| `--token` | Auth token (or use INFISICAL_TOKEN env var) |
| `--silent` | Suppress output messages |
| `--plain` | Output only value (for scripting) |
Project Setup
Initialize a project with .infisical.json:

```bash
infisical init
```

This creates a config file that links to your Infisical project.
CI/CD Examples
GitHub Actions
```yaml
- name: Inject secrets and run tests
  env:
    INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
  run: infisical run --env=staging -- npm test
```
Docker
```dockerfile
# At runtime, not build time
CMD ["infisical", "run", "--", "python", "app.py"]
```
Local Development
```bash
# Create .env from Infisical
infisical export --env=dev > .env

# Or run directly
infisical run --env=dev -- npm run dev
```
Jetta Infrastructure
For Jetta services, secrets are organized at:
| Path | Purpose |
|---|---|
| `/jetta-tools` | MCPammer credentials |
| `/myservice` | Per-service secrets |
| `/shared` | Shared across services |
| `/infrastructure` | AWS, Coolify tokens |
Example:
```bash
# Get service secrets
infisical secrets --path=/myservice --env=dev

# Set production DB password
infisical secrets set --path=/myservice --env=prod DB_PASSWORD=new-password

# Run with service secrets
infisical run --path=/myservice --env=dev -- python app.py
```