Infisical Plugin
Our Infisical plugin enables secure loading of secrets from Infisical using declarative instructions within your .env files.
The plugin uses machine identities with Universal Auth for programmatic access to your Infisical secrets, making it suitable for both CI/CD and production environments.
Features
- Fetch secrets from Infisical projects and environments
- Universal Auth with Client ID and Client Secret
- Support for self-hosted Infisical instances
- Secret paths for hierarchical organization
- Multiple plugin instances for different projects/environments
- Auto-infer secret names from variable names for convenience
- Helpful error messages with resolution tips
Installation and setup
In a JS/TS project, you may install the @varlock/infisical-plugin package as a normal dependency.
Otherwise you can just load it directly from your .env.schema file, as long as you add a version specifier.
See the plugins guide for more instructions on installing plugins.
```
# 1. Load the plugin
# @plugin(@varlock/infisical-plugin)
#
# 2. Initialize the plugin - see below for more details on options
# @initInfisical(
#   projectId=your-project-id,
#   environment=dev,
#   clientId=$INFISICAL_CLIENT_ID,
#   clientSecret=$INFISICAL_CLIENT_SECRET
# )
# ---

# 3. Add machine identity credentials
# @type=infisicalClientId
INFISICAL_CLIENT_ID=

# @type=infisicalClientSecret @sensitive
INFISICAL_CLIENT_SECRET=
```
Machine identity setup
- Create a machine identity in Infisical: navigate to your Infisical project settings → Access Control → Machine Identities → click Create Identity.
- Select Universal Auth: choose Universal Auth as the authentication method.
- Save the credentials (displayed only once!): copy the Client ID and Client Secret immediately; they will only be displayed once.
- Grant access to your project and environment: ensure the machine identity has access to the specific project and environment you’ll be using.
- Wire up the credentials in your config (.env.schema):

  ```
  # @plugin(@varlock/infisical-plugin)
  # @initInfisical(
  #   projectId=your-project-id,
  #   environment=dev,
  #   clientId=$INFISICAL_CLIENT_ID,
  #   clientSecret=$INFISICAL_CLIENT_SECRET
  # )
  # ---
  # @type=infisicalClientId
  INFISICAL_CLIENT_ID=
  # @type=infisicalClientSecret @sensitive
  INFISICAL_CLIENT_SECRET=
  ```

- Set your credentials in environments: use your CI/CD system or platform’s env var management to securely inject the credential values.
For detailed instructions, see Infisical Machine Identities documentation.
Self-hosted Infisical
For self-hosted Infisical instances, specify the siteUrl:
```
# @plugin(@varlock/infisical-plugin)
# @initInfisical(
#   projectId=my-project,
#   environment=production,
#   clientId=$CLIENT_ID,
#   clientSecret=$CLIENT_SECRET,
#   siteUrl=https://infisical.mycompany.com
# )
# ---
```
Multiple instances
If you need to connect to multiple projects or environments, register multiple named instances:
```
# @initInfisical(id=dev, projectId=dev-project, environment=development, clientId=$DEV_CLIENT_ID, clientSecret=$DEV_CLIENT_SECRET)
# @initInfisical(id=prod, projectId=prod-project, environment=production, clientId=$PROD_CLIENT_ID, clientSecret=$PROD_CLIENT_SECRET)
# ---

DEV_DATABASE=infisical(dev, "DATABASE_URL")
PROD_DATABASE=infisical(prod, "DATABASE_URL")
```
Loading secrets
Once the plugin is installed and initialized, you can start adding config items that load values using the infisical() resolver function.
Basic usage
Fetch secrets from Infisical:
```
# Secret name defaults to the config item key
DATABASE_URL=infisical()
API_KEY=infisical()

# Or explicitly specify the secret name
STRIPE_SECRET=infisical("STRIPE_SECRET_KEY")
```
When called without arguments, infisical() automatically uses the config item key as the secret name in Infisical. This provides a convenient convention-over-configuration approach.
Using secret paths
Organize secrets with hierarchical paths:
```
# Default path for all secrets
# @initInfisical(projectId=my-project, environment=production, clientId=$ID, clientSecret=$SECRET, secretPath=/production/app)
# ---

# Fetches from /production/app/DB_PASSWORD
DB_PASSWORD=infisical("DB_PASSWORD")
```
Or specify path per secret:
```
# @initInfisical(projectId=my-project, environment=production, clientId=$ID, clientSecret=$SECRET)
# ---

DB_PASSWORD=infisical("DB_PASSWORD", "/database")
API_KEY=infisical("API_KEY", "/api")
```
Reference
Root decorators
@initInfisical()
Initialize an Infisical plugin instance for accessing secrets.
Key/value args:
- projectId (required): Infisical project ID
- environment (required): Environment name (e.g., dev, staging, production)
- clientId (required): Universal Auth Client ID. Should be a reference to a config item of type infisicalClientId.
- clientSecret (required): Universal Auth Client Secret. Should be a reference to a config item of type infisicalClientSecret.
- siteUrl (optional): Custom Infisical instance URL (defaults to https://app.infisical.com)
- secretPath (optional): Default secret path for all secrets (defaults to /)
- id (optional): Instance identifier for multiple instances
```
# @initInfisical(
#   projectId=your-project-id,
#   environment=dev,
#   clientId=$INFISICAL_CLIENT_ID,
#   clientSecret=$INFISICAL_CLIENT_SECRET
# )
# ---
# @type=infisicalClientId
INFISICAL_CLIENT_ID=
# @type=infisicalClientSecret @sensitive
INFISICAL_CLIENT_SECRET=
```
Data types
infisicalClientId
Represents an Infisical Universal Auth Client ID. This is not marked as sensitive.
```
# @type=infisicalClientId
INFISICAL_CLIENT_ID=
```
infisicalClientSecret
Represents an Infisical Universal Auth Client Secret. This type is marked as @sensitive.
```
# @type=infisicalClientSecret
INFISICAL_CLIENT_SECRET=
```
Resolver functions
infisical()
Fetch a secret from Infisical.
Array args:
- instanceId (optional): instance identifier to use when multiple plugin instances are initialized
- secretName (optional): secret name in Infisical. If omitted, uses the variable name.
- secretPath (optional): path to the secret (overrides default path)
```
# Auto-infer secret name from variable
DATABASE_URL=infisical()

# Explicit secret name
STRIPE_KEY=infisical("STRIPE_SECRET_KEY")

# With custom path
DB_PASSWORD=infisical("DB_PASSWORD", "/database")

# With instance ID
DEV_SECRET=infisical(dev, "DATABASE_URL")

# Full form
PROD_SECRET=infisical(prod, "DATABASE_URL", "/production")
```
Example Configurations
Development setup with auto-named secrets
```
# @plugin(@varlock/infisical-plugin)
# @initInfisical(projectId=dev-app, environment=dev, clientId=$INFISICAL_CLIENT_ID, clientSecret=$INFISICAL_CLIENT_SECRET)
# ---
# @type=infisicalClientId
INFISICAL_CLIENT_ID=
# @type=infisicalClientSecret @sensitive
INFISICAL_CLIENT_SECRET=

# Secret names automatically match config keys
DATABASE_URL=infisical()
REDIS_URL=infisical()
STRIPE_KEY=infisical()
```
Production with path organization
```
# @plugin(@varlock/infisical-plugin)
# @initInfisical(
#   projectId=prod-app,
#   environment=production,
#   clientId=$INFISICAL_CLIENT_ID,
#   clientSecret=$INFISICAL_CLIENT_SECRET,
#   secretPath=/production
# )
# ---

# Database secrets at /production/database
DB_HOST=infisical("DB_HOST", "/database")
DB_PASSWORD=infisical("DB_PASSWORD", "/database")

# API keys at /production/api
STRIPE_KEY=infisical("STRIPE_KEY", "/api")
SENDGRID_KEY=infisical("SENDGRID_KEY", "/api")
```
Multi-region setup
```
# @plugin(@varlock/infisical-plugin)
# @initInfisical(id=us, projectId=app-us, environment=production, clientId=$US_CLIENT_ID, clientSecret=$US_CLIENT_SECRET)
# @initInfisical(id=eu, projectId=app-eu, environment=production, clientId=$EU_CLIENT_ID, clientSecret=$EU_CLIENT_SECRET)
# ---

US_DATABASE=infisical(us, "DATABASE_URL")
EU_DATABASE=infisical(eu, "DATABASE_URL")
```
Troubleshooting
Secret not found
- Verify the secret exists in your Infisical project and environment
- Check the secret name matches exactly (including case)
- Verify the secret path is correct if using paths
- Ensure your machine identity has access to the secret
Access denied
- Check that your machine identity has been granted access to the project and environment
- Verify the machine identity permissions in Infisical console
- Ensure the project ID and environment match your configuration
Authentication failed
- Verify the client ID and client secret are correct
- Check if the machine identity has been revoked or disabled
- For self-hosted: verify siteUrl is correct
Wrong environment
- Double-check the environment parameter matches the environment where your secret is stored
- Remember that secrets in Infisical are environment-specific
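Several of the mistakes listed above (credentials wired to an item without the expected type, a secret value pasted straight into the schema instead of injected from the environment, an infisical() call naming an instance that was never initialized) are visible in the .env.schema before any request reaches Infisical. The following pre-flight check is an added example, not code from the plugin: it parses the decorator layout shown on this page (root decorators above the `# ---` separator, `@initInfisical(...)` possibly split across several comment lines), assumes that an instance without an id acts as the default one, and runs over a constructed schema that deliberately contains three such problems.

```python
import re
# Constructed sample .env.schema (layout assumed from the plugin docs) with three deliberate problems.
SCHEMA = """\
# @initInfisical(id=dev, projectId=dev-project, environment=development,
#   clientId=$DEV_CLIENT_ID, clientSecret=$DEV_CLIENT_SECRET)
# @initInfisical(id=prod, projectId=prod-project, environment=production, clientId=$PROD_CLIENT_ID, clientSecret=$PROD_CLIENT_SECRET)
# ---
# @type=infisicalClientId
DEV_CLIENT_ID=
# @type=infisicalClientSecret @sensitive
DEV_CLIENT_SECRET=
# @type=infisicalClientId
PROD_CLIENT_ID=
PROD_CLIENT_SECRET=st.1234.deadbeef
DEV_DATABASE=infisical(dev, "DATABASE_URL")
PROD_DATABASE=infisical(prod, "DATABASE_URL")
STAGING_DATABASE=infisical(staging, "DATABASE_URL")
"""
def lint_schema(text: str) -> list[str]:
    # Returns findings as strings; an empty list means every check passed.
    findings, header, pending, items, in_header = [], [], [], {}, True
    for line in text.splitlines():
        if line.strip() == "# ---":                    # separator ends the root decorators
            in_header = False
        elif line.startswith("#"):                      # decorator comment line
            (header if in_header else pending).append(line.lstrip("# "))
        elif "=" in line:                               # KEY=value item; pending decorators apply to it
            key, value = line.split("=", 1)
            items[key.strip()] = (" ".join(pending), value.strip())
            pending = []
    instances = {}
    for args in re.findall(r"@initInfisical\(([^)]*)\)", " ".join(header)):  # joins multi-line decorators
        kv = dict(p.strip().split("=", 1) for p in args.split(",") if "=" in p)
        iid = kv.get("id", "default")                   # assumed: an unnamed instance acts as the default
        instances[iid] = kv
        for arg, want in (("clientId", "infisicalClientId"), ("clientSecret", "infisicalClientSecret")):
            ref = kv.get(arg, "")
            decos, value = items.get(ref.lstrip("$"), ("", ""))
            if not ref.startswith("$") or f"@type={want}" not in decos:
                findings.append(f"instance '{iid}': {arg} must reference an item of type {want}")
            if value:                                   # credentials belong in the environment, not the file
                findings.append(f"'{ref.lstrip('$')}' has a hard-coded value; inject it from the environment instead")
    for key, (_, value) in items.items():
        m = re.match(r"infisical\(([^)]*)\)", value)
        if m:                                           # an unquoted first argument is the instance id
            first = m.group(1).split(",")[0].strip()
            iid = first if first and not first.startswith('"') else "default"
            if iid not in instances:
                findings.append(f"{key}: infisical() references unknown instance '{iid}'")
    return findings
```

Running lint_schema(SCHEMA) reports the untyped and hard-coded PROD_CLIENT_SECRET and the unknown staging instance; on a clean schema it returns an empty list, so it can gate a CI job before varlock runs.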