Infisical is designed to provide comprehensive, centralized, and efficient management of secrets, certificates, and encryption keys within organizations. Below is an overview of Infisical’s structured components, which developers and administrators can leverage for optimal project management and security posture.

1. Projects

  • Definition and Role: Projects are the highest-level construct within an organization in Infisical. They serve as the primary container for all functionalities.
  • Correspondence to Code Repositories: Projects typically align with specific code repositories.
  • Functional Capabilities: Each project encompasses features for managing secrets, certificates, and encryption keys, serving as the central hub for these resources.

2. Environments

  • Purpose: Environments are designed for organizing and compartmentalizing secrets within projects.
  • Customization Options: Environments can be tailored to align with existing infrastructure setups of any project. Default options include Development, Staging, and Production.
  • Structure: Each environment inherently has a root level for storing secrets, but additional sub-organizations can be created through folders for better secret management.

3. Folders

  • Use Case: Folders are available for more advanced organizational needs, allowing logical separation of secrets.
  • Typical Structure: Folders can correspond to specific logical units, such as microservices or different layers of an application, providing refined control over secrets.

4. Imports

  • Purpose and Benefits: To promote reusability and avoid redundancy, Infisical supports the use of imports. This allows secrets, folders, or entire environments to be referenced across multiple projects as needed.
  • Best Practice: Utilizing secret imports or references ensures consistency and minimizes manual overhead.
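To make the project → environment → folder hierarchy and the import mechanism from sections 1–4 concrete, here is a small in-memory model written for this page. It is an added illustration, not Infisical's own code or API: the `Workspace`, `Folder` and `Location` names are invented, and the rule that a folder's own secrets override the ones it imports (and that circular imports are an error) is an assumption made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# A folder is addressed by (project, environment, folder path). Constructed for this example.
Location = tuple[str, str, str]


@dataclass
class Folder:
    secrets: dict[str, str] = field(default_factory=dict)
    children: dict[str, Folder] = field(default_factory=dict)
    imports: list[Location] = field(default_factory=list)  # folders whose secrets are pulled in


class Workspace:
    """Projects -> environments -> folder tree, mirroring the hierarchy described above."""

    def __init__(self) -> None:
        self.projects: dict[str, dict[str, Folder]] = {}

    def add_project(self, name: str, envs=("dev", "staging", "prod")) -> None:
        # Every environment starts with a root folder for secrets.
        self.projects[name] = {env: Folder() for env in envs}

    @staticmethod
    def _normalize(path: str) -> str:
        return "/" + "/".join(filter(None, path.split("/")))

    def folder(self, project: str, env: str, path: str, create: bool = False) -> Folder:
        node = self.projects[project][env]
        for part in filter(None, path.split("/")):
            if part not in node.children:
                if not create:
                    raise KeyError(f"{project}/{env}{self._normalize(path)} does not exist")
                node.children[part] = Folder()
            node = node.children[part]
        return node

    def set_secret(self, project: str, env: str, path: str, key: str, value: str) -> None:
        self.folder(project, env, path, create=True).secrets[key] = value

    def add_import(self, dest: Location, src: Location) -> None:
        self.folder(*src)  # fail early if the imported folder does not exist
        self.folder(*dest, create=True).imports.append(src)

    def resolve(self, project: str, env: str, path: str, _chain: tuple = ()) -> dict[str, str]:
        """Secrets visible at a folder: imported ones first, then local ones on top (assumption)."""
        loc = (project, env, self._normalize(path))
        if loc in _chain:
            trail = " -> ".join("/".join(l) for l in _chain + (loc,))
            raise ValueError(f"import cycle: {trail}")
        node = self.folder(project, env, path)
        merged: dict[str, str] = {}
        for src in node.imports:
            merged.update(self.resolve(*src, _chain=_chain + (loc,)))
        merged.update(node.secrets)  # local secrets win over imported ones
        return merged


if __name__ == "__main__":
    # Constructed sample: a shared "platform" project whose database settings are
    # imported into the "api" project, which overrides one value locally.
    ws = Workspace()
    ws.add_project("platform")
    ws.add_project("api")
    ws.set_secret("platform", "prod", "/db", "DB_HOST", "db.internal")
    ws.set_secret("platform", "prod", "/db", "DB_PORT", "5432")
    ws.set_secret("api", "prod", "/api", "DB_PORT", "6543")
    ws.add_import(("api", "prod", "/api"), ("platform", "prod", "/db"))
    print(ws.resolve("api", "prod", "/api"))
```

The cycle check matters in practice: once imports may cross project boundaries, two folders can reference each other, and a resolver without the `_chain` guard would recurse forever.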

5. Approval Workflows

  • Importance: Implementing approval workflows is recommended for organizations aiming to enhance efficiency and strengthen their security posture.
  • Types of Workflows:
    • Access Requests: This workflow allows developers to request access to sensitive resources. Such access can be configured for temporary use, a practice known as “just-in-time” access.
    • Change Requests: Facilitates reviews and approvals when changes are proposed for sensitive environments or specific folders, ensuring proper oversight.

6. Access Controls

Infisical’s access control framework is unified for both human users and machine identities, ensuring consistent management across the board.

6.1 Roles

  • Two Role Types:
    • Organization-Level Roles: Provide broad access across the organization (e.g., ability to manage billing, configure settings, etc.).
    • Project-Level Roles: Essential for configuring access to specific secrets and other sensitive assets within a project.
  • Granular Permissions: While default roles are available, custom roles can be created for more tailored access controls.
  • Admin Considerations: Note that admin users are able to access all projects. This role should be assigned judiciously to prevent unintended overreach.

Project access is defined not via an organization-level role, but rather through specific project memberships of both human and machine identities. Admin roles bypass this by default.

6.2 Additional Privileges

Additional privileges can be assigned to users and machines on an ad-hoc basis for specific scenarios where roles alone are insufficient. If you find yourself assigning additional privileges frequently, it is recommended to create custom roles instead. Additional privileges can be temporary or permanent.

6.3 Attribute-Based Access Control (ABAC)

Attribute-based Access Controls allow restrictions based on tags or attributes linked to secrets. These can be integrated with SAML assertions and other security frameworks for dynamic access management.

6.4 User Groups

  • Application: Organizations should use user groups when many developers need the same level of access (e.g., separated by team, department, seniority, etc.).
  • Synchronization: User groups can be synced with an identity provider to maintain consistency and reduce manual management.
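The access-control rules stated in section 6 (project access through membership rather than organization role, admin bypass, temporary additional privileges, and attribute-based restrictions on tagged secrets) can be captured as a single authorization function. The following is an added example written for this page, not Infisical's implementation: the `Identity`, `Grant` and `Decision` types, the `ROLES` table and the `"action:resource"` permission strings are invented, and the ABAC rule used here (every tag on a secret must equal the identity's attribute of the same name) is an assumption chosen to illustrate the idea.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed project-level roles mapped to permission strings (assumption for this example).
ROLES: dict[str, set[str]] = {
    "viewer": {"read:secrets"},
    "developer": {"read:secrets", "write:secrets"},
}


@dataclass
class Grant:
    """A role (in memberships) or a single permission (in privileges), optionally time-boxed."""
    name: str
    expires_at: datetime | None = None

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Identity:
    name: str
    org_role: str = "member"                                   # organization-level role
    attributes: dict[str, str] = field(default_factory=dict)   # e.g. claims from a SAML assertion
    memberships: dict[str, list[Grant]] = field(default_factory=dict)  # project -> role grants
    privileges: dict[str, list[Grant]] = field(default_factory=dict)   # project -> extra permissions


@dataclass
class Decision:
    allowed: bool
    reason: str   # kept for audit logs, so every deny/allow is explainable


def authorize(identity: Identity, project: str, action: str,
              secret_tags: dict[str, str] | None = None,
              now: datetime | None = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    secret_tags = secret_tags or {}

    # 1. Organization admins bypass project membership (the default noted above).
    if identity.org_role == "admin":
        return Decision(True, "organization admin bypasses project membership")

    # 2. Everyone else needs an explicit project membership.
    if project not in identity.memberships:
        return Decision(False, f"{identity.name} is not a member of project {project}")

    # 3. Effective permissions = active role grants + active additional privileges.
    perms: set[str] = set()
    for grant in identity.memberships[project]:
        if grant.active(now):
            perms |= ROLES.get(grant.name, set())
    for grant in identity.privileges.get(project, []):
        if grant.active(now):
            perms.add(grant.name)
    if action not in perms:
        return Decision(False, f"no active grant for {action} in {project}")

    # 4. ABAC: tagged secrets are only visible when the identity's attributes match.
    for tag, required in secret_tags.items():
        actual = identity.attributes.get(tag)
        if actual != required:
            return Decision(False, f"attribute {tag}={actual!r} does not match secret tag {required!r}")
    return Decision(True, "granted")


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    dev = Identity("alice", attributes={"team": "payments"},
                   memberships={"api": [Grant("viewer")]},
                   privileges={"api": [Grant("write:secrets", now + timedelta(hours=1))]})
    print(authorize(dev, "api", "write:secrets", now=now))                      # allowed (JIT privilege)
    print(authorize(dev, "api", "write:secrets", now=now + timedelta(hours=2))) # denied (expired)
```

Note that the function returns a reason alongside the boolean: when access requests and temporary privileges are in use, being able to say why a secret was readable at a given time is what makes the audit trail useful.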

Implementation Note

For larger-scale organizations, automating configurations through Terraform or other infrastructure-as-code (IaC) tools is advisable. Manual configurations may lead to errors, so leveraging IaC enhances reliability and consistency in managing Infisical’s robust capabilities.

This structured approach ensures that Infisical’s functionalities are fully leveraged, providing both flexibility and rigorous control over an organization’s sensitive information and access needs.