Docs: Plugin installation

rate limit based on identity

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -122,19 +122,19 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true

.github/workflows/update-be-new-migration-latest-timestamp.yml

@@ -38,13 +38,15 @@ jobs:
           rm added_files.txt
           git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
 
-      - name: Get the username of the person who closed the PR
-        run: |       
+      - name: Get PR details
+        id: pr_details
+        run: |
           PR_NUMBER=${{ github.event.pull_request.number }}
-          PR_CLOSER=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.closed_by.login')
+          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
+          
           echo "PR Number: $PR_NUMBER"
-          echo "PR Closer: $PR_CLOSER"
-          echo "pr_closer=$PR_CLOSER" >> $GITHUB_OUTPUT
+          echo "PR Merger: $PR_MERGER"
+          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
 
       - name: Create Pull Request
         if: env.SKIP_RENAME != 'true'
@@ -54,3 +56,4 @@ jobs:
           commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
           title: 'GH Action: rename new migration file timestamp'
           branch-suffix: timestamp
+          reviewers: ${{ steps.pr_details.outputs.pr_merger }}

backend/package-lock.json

@@ -34,11 +34,13 @@
         "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
-        "bullmq": "^5.3.3",
+        "bullmq": "^5.4.2",
         "cassandra-driver": "^4.7.2",
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
+        "google-auth-library": "^9.9.0",
+        "googleapis": "^137.1.0",
         "handlebars": "^4.7.8",
         "ioredis": "^5.3.2",
         "jmespath": "^0.16.0",
@@ -49,7 +51,7 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
@@ -2938,6 +2940,7 @@
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
       "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "2.0.5",
         "run-parallel": "^1.1.9"
@@ -2950,6 +2953,7 @@
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
       "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -2958,6 +2962,7 @@
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
       "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.scandir": "2.1.5",
         "fastq": "^1.6.0"
@@ -6183,6 +6188,14 @@
       "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
       "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
     },
+    "node_modules/bignumber.js": {
+      "version": "9.1.2",
+      "resolved": "https://registry.npmjs.org/bignumber.js/-/bignumber.js-9.1.2.tgz",
+      "integrity": "sha512-2/mKyZH9K85bzOEfhXDBFZTGd1CTs+5IHpeFQo9luiBG7hghdC851Pj2WAhb6E3R6b9tZj/XKhbg4fum+Kepug==",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
@@ -6285,6 +6298,7 @@
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
       "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
       "dependencies": {
         "fill-range": "^7.0.1"
       },
@@ -6334,15 +6348,13 @@
       }
     },
     "node_modules/bullmq": {
-      "version": "5.3.3",
-      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.3.3.tgz",
-      "integrity": "sha512-Gc/68HxiCHLMPBiGIqtINxcf8HER/5wvBYMY/6x3tFejlvldUBFaAErMTLDv4TnPsTyzNPrfBKmFCEM58uVnJg==",
+      "version": "5.4.2",
+      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.4.2.tgz",
+      "integrity": "sha512-dkR/KGUw18miLe3QWtvSlmGvEe08aZF+w1jZyqEHMWFW3RP4162qp6OGud0/QCAOjusiRI8UOxUhbnortPY+rA==",
       "dependencies": {
         "cron-parser": "^4.6.0",
-        "fast-glob": "^3.3.2",
         "ioredis": "^5.3.2",
         "lodash": "^4.17.21",
-        "minimatch": "^9.0.3",
         "msgpackr": "^1.10.1",
         "node-abort-controller": "^3.1.1",
         "semver": "^7.5.4",
@@ -6350,28 +6362,6 @@
         "uuid": "^9.0.0"
       }
     },
-    "node_modules/bullmq/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/bullmq/node_modules/minimatch": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
-      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/bundle-require": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/bundle-require/-/bundle-require-4.0.2.tgz",
@@ -7759,6 +7749,11 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g=="
+    },
     "node_modules/extsprintf": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.4.1.tgz",
@@ -7798,6 +7793,7 @@
       "version": "3.3.2",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.2.tgz",
       "integrity": "sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "^2.0.2",
         "@nodelib/fs.walk": "^1.2.3",
@@ -7949,6 +7945,7 @@
       "version": "7.0.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
       "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -8286,6 +8283,88 @@
         "node": ">=8"
       }
     },
+    "node_modules/gaxios": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-6.5.0.tgz",
+      "integrity": "sha512-R9QGdv8j4/dlNoQbX3hSaK/S0rkMijqjVvW3YM06CoBdbU/VdKd159j4hePpng0KuE6Lh6JJ7UdmVGJZFcAG1w==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^7.0.1",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.9",
+        "uuid": "^9.0.1"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/gaxios/node_modules/agent-base": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.1.tgz",
+      "integrity": "sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==",
+      "dependencies": {
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/gaxios/node_modules/https-proxy-agent": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.4.tgz",
+      "integrity": "sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg==",
+      "dependencies": {
+        "agent-base": "^7.0.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/is-stream": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/gaxios/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/gcp-metadata": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-6.1.0.tgz",
+      "integrity": "sha512-Jh/AIwwgaxan+7ZUUmRLCjtchyDiqh4KjBJ5tW3plBZb5iL/BPcso8A5DlzeD9qlw0duCamnNdpFjxwaT0KyKg==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/generate-function": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",
@@ -8400,6 +8479,7 @@
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
       "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
       "dependencies": {
         "is-glob": "^4.0.1"
       },
@@ -8482,6 +8562,69 @@
       "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
       "dev": true
     },
+    "node_modules/google-auth-library": {
+      "version": "9.9.0",
+      "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.9.0.tgz",
+      "integrity": "sha512-9l+zO07h1tDJdIHN74SpnWIlNR+OuOemXlWJlLP9pXy6vFtizgpEzMuwJa4lqY9UAdiAv5DVd5ql0Am916I+aA==",
+      "dependencies": {
+        "base64-js": "^1.3.0",
+        "ecdsa-sig-formatter": "^1.0.11",
+        "gaxios": "^6.1.1",
+        "gcp-metadata": "^6.1.0",
+        "gtoken": "^7.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/googleapis": {
+      "version": "137.1.0",
+      "resolved": "https://registry.npmjs.org/googleapis/-/googleapis-137.1.0.tgz",
+      "integrity": "sha512-2L7SzN0FLHyQtFmyIxrcXhgust77067pkkduqkbIpDuj9JzVnByxsRrcRfUMFQam3rQkWW2B0f1i40IwKDWIVQ==",
+      "dependencies": {
+        "google-auth-library": "^9.0.0",
+        "googleapis-common": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/googleapis-common": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/googleapis-common/-/googleapis-common-7.2.0.tgz",
+      "integrity": "sha512-/fhDZEJZvOV3X5jmD+fKxMqma5q2Q9nZNSF3kn1F18tpxmA86BcTxAGBQdM0N89Z3bEaIs+HVznSmFJEAmMTjA==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "gaxios": "^6.0.3",
+        "google-auth-library": "^9.7.0",
+        "qs": "^6.7.0",
+        "url-template": "^2.0.8",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/gopd": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
@@ -8504,6 +8647,37 @@
       "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
       "dev": true
     },
+    "node_modules/gtoken": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.1.0.tgz",
+      "integrity": "sha512-pCcEwRi+TKpMlxAQObHDQ56KawURgyAf6jtIY046fJ5tIv3zDe/LEIubckAO8fj6JnAxLdmWkUfNyulQ2iKdEw==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/gtoken/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/gtoken/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "node_modules/handlebars": {
       "version": "4.7.8",
       "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz",
@@ -9000,6 +9174,7 @@
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "dev": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -9030,6 +9205,7 @@
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
       "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
       "dependencies": {
         "is-extglob": "^2.1.1"
       },
@@ -9064,6 +9240,7 @@
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true,
       "engines": {
         "node": ">=0.12.0"
       }
@@ -9277,6 +9454,14 @@
       "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz",
       "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A=="
     },
+    "node_modules/json-bigint": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-bigint/-/json-bigint-1.0.0.tgz",
+      "integrity": "sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==",
+      "dependencies": {
+        "bignumber.js": "^9.0.0"
+      }
+    },
     "node_modules/json-buffer": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
@@ -9892,6 +10077,7 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
       "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -9908,6 +10094,7 @@
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
       "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
+      "dev": true,
       "dependencies": {
         "braces": "^3.0.2",
         "picomatch": "^2.3.1"
@@ -9920,6 +10107,7 @@
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "dev": true,
       "engines": {
         "node": ">=8.6"
       },
@@ -10102,9 +10290,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",
@@ -11549,6 +11737,7 @@
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
       "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -11901,6 +12090,7 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
       "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -12701,6 +12891,7 @@
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
       "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
       "dependencies": {
         "is-number": "^7.0.0"
       },
@@ -13703,6 +13894,11 @@
         "querystring": "0.2.0"
       }
     },
+    "node_modules/url-template": {
+      "version": "2.0.8",
+      "resolved": "https://registry.npmjs.org/url-template/-/url-template-2.0.8.tgz",
+      "integrity": "sha512-XdVKMF4SJ0nP/O7XIPB0JwAEuT9lDIYnNsK8yGVe43y0AWoKeJNdv3ZNWh7ksJ6KqQFjOO6ox/VEitLnaVNufw=="
+    },
     "node_modules/url/node_modules/punycode": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",

backend/package.json

@@ -95,11 +95,13 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.3.3",
+    "bullmq": "^5.4.2",
     "cassandra-driver": "^4.7.2",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
+    "google-auth-library": "^9.9.0",
+    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",

backend/src/@types/fastify.d.ts

@@ -32,7 +32,9 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -116,7 +118,9 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityAwsIamAuth: TIdentityAwsIamAuthServiceFactory;
+      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
+      identityGcpAuth: TIdentityGcpAuthServiceFactory;
+      identityAwsAuth: TIdentityAwsAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

backend/src/@types/knex.d.ts

@@ -59,9 +59,15 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsIamAuths,
-  TIdentityAwsIamAuthsInsert,
-  TIdentityAwsIamAuthsUpdate,
+  TIdentityAwsAuths,
+  TIdentityAwsAuthsInsert,
+  TIdentityAwsAuthsUpdate,
+  TIdentityGcpAuths,
+  TIdentityGcpAuthsInsert,
+  TIdentityGcpAuthsUpdate,
+  TIdentityKubernetesAuths,
+  TIdentityKubernetesAuthsInsert,
+  TIdentityKubernetesAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -228,6 +234,7 @@ import {
   TWebhooksInsert,
   TWebhooksUpdate
 } from "@app/db/schemas";
+import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";
 
 declare module "knex/types/tables" {
   interface Tables {
@@ -301,6 +308,11 @@ declare module "knex/types/tables" {
     >;
     [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
     [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
+    [TableName.SecretReference]: Knex.CompositeTableType<
+      TSecretReferences,
+      TSecretReferencesInsert,
+      TSecretReferencesUpdate
+    >;
     [TableName.SecretBlindIndex]: Knex.CompositeTableType<
       TSecretBlindIndexes,
       TSecretBlindIndexesInsert,
@@ -329,10 +341,20 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityAwsIamAuth]: Knex.CompositeTableType<
-      TIdentityAwsIamAuths,
-      TIdentityAwsIamAuthsInsert,
-      TIdentityAwsIamAuthsUpdate
+    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
+      TIdentityKubernetesAuths,
+      TIdentityKubernetesAuthsInsert,
+      TIdentityKubernetesAuthsUpdate
+    >;
+    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
+      TIdentityGcpAuths,
+      TIdentityGcpAuthsInsert,
+      TIdentityGcpAuthsUpdate
+    >;
+    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+      TIdentityAwsAuths,
+      TIdentityAwsAuthsInsert,
+      TIdentityAwsAuthsUpdate
     >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,

backend/src/db/migrations/20240507162180_test

@@ -1 +0,0 @@
-

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -4,8 +4,8 @@ import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 
 export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsIamAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsIamAuth, (t) => {
+  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
+    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
       t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
@@ -14,16 +14,17 @@ export async function up(knex: Knex): Promise<void> {
       t.timestamps(true, true, true);
       t.uuid("identityId").notNullable().unique();
       t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
       t.string("stsEndpoint").notNullable();
       t.string("allowedPrincipalArns").notNullable();
       t.string("allowedAccountIds").notNullable();
     });
   }
 
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }
 
 export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsIamAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }

backend/src/db/migrations/20240514041650_identity-gcp-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
+    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("allowedServiceAccounts").notNullable();
+      t.string("allowedProjects").notNullable();
+      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}

backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
+    await knex.schema.createTable(TableName.SecretReference, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("environment").notNullable();
+      t.string("secretPath").notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretReference);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretReference);
+  await dropOnUpdateTrigger(knex, TableName.SecretReference);
+}

backend/src/db/migrations/20240518142614_kubernetes-auth.ts

@@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
+    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("kubernetesHost").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.text("encryptedTokenReviewerJwt").notNullable();
+      t.string("tokenReviewerJwtIV").notNullable();
+      t.string("tokenReviewerJwtTag").notNullable();
+      t.string("allowedNamespaces").notNullable();
+      t.string("allowedNames").notNullable();
+      t.string("allowedAudience").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -11,8 +11,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  envId: z.string().uuid(),
   secretPath: z.string().nullable().optional(),
+  envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/db/schemas/identity-aws-auths.ts

@@ -7,7 +7,7 @@ import { z } from "zod";
 
 import { TImmutableDBKeys } from "./models";
 
-export const IdentityAwsIamAuthsSchema = z.object({
+export const IdentityAwsAuthsSchema = z.object({
   id: z.string().uuid(),
   accessTokenTTL: z.coerce.number().default(7200),
   accessTokenMaxTTL: z.coerce.number().default(7200),
@@ -16,11 +16,12 @@ export const IdentityAwsIamAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   identityId: z.string().uuid(),
+  type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
   allowedAccountIds: z.string()
 });
 
-export type TIdentityAwsIamAuths = z.infer<typeof IdentityAwsIamAuthsSchema>;
-export type TIdentityAwsIamAuthsInsert = Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsIamAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>>;
+export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
+export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityGcpAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedServiceAccounts: z.string(),
+  allowedProjects: z.string(),
+  allowedZones: z.string()
+});
+
+export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
+export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -0,0 +1,35 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityKubernetesAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  kubernetesHost: z.string(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  encryptedTokenReviewerJwt: z.string(),
+  tokenReviewerJwtIV: z.string(),
+  tokenReviewerJwtTag: z.string(),
+  allowedNamespaces: z.string(),
+  allowedNames: z.string(),
+  allowedAudience: z.string()
+});
+
+export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
+export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityKubernetesAuthsUpdate = Partial<
+  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/index.ts

@@ -17,7 +17,9 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-iam-auths";
+export * from "./identity-aws-auths";
+export * from "./identity-gcp-auths";
+export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/models.ts

@@ -28,6 +28,7 @@ export enum TableName {
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
+  SecretReference = "secret_references",
   SecretBlindIndex = "secret_blind_indexes",
   SecretVersion = "secret_versions",
   SecretFolder = "secret_folders",
@@ -44,8 +45,10 @@ export enum TableName {
   Identity = "identities",
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
+  IdentityKubernetesAuth = "identity_kubernetes_auths",
+  IdentityGcpAuth = "identity_gcp_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsIamAuth = "identity_aws_iam_auths",
+  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -144,5 +147,7 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   Univeral = "universal-auth",
-  AWS_IAM_AUTH = "aws-iam-auth"
+  KUBERNETES_AUTH = "kubernetes-auth",
+  GCP_AUTH = "gcp-auth",
+  AWS_AUTH = "aws-auth"
 }

backend/src/db/schemas/secret-references.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretReferencesSchema = z.object({
+  id: z.string().uuid(),
+  environment: z.string(),
+  secretPath: z.string(),
+  secretId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
+export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
+export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/users.ts

@@ -22,7 +22,7 @@ export const UsersSchema = z.object({
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
   username: z.string(),
-  isEmailVerified: z.boolean().nullable().optional()
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -8,7 +8,7 @@ import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { PermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
+import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -39,7 +39,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
@@ -90,7 +90,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -155,7 +155,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -63,13 +63,21 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
+  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
+  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
+  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_AWS_IAM_AUTH = "login-identity-aws-iam-auth",
-  ADD_IDENTITY_AWS_IAM_AUTH = "add-identity-aws-iam-auth",
-  UPDATE_IDENTITY_AWS_IAM_AUTH = "update-identity-aws-iam-auth",
-  GET_IDENTITY_AWS_IAM_AUTH = "get-identity-aws-iam-auth",
+  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
+  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
+  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
+  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
+  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
+  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -387,6 +395,50 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
+interface LoginIdentityKubernetesAuthEvent {
+  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+    identityKubernetesAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityKubernetesAuthEvent {
+  type: EventType.ADD_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+    kubernetesHost: string;
+    allowedNamespaces: string;
+    allowedNames: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityKubernetesAuthEvent {
+  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
+  metadata: {
+    identityId: string;
+    kubernetesHost?: string;
+    allowedNamespaces?: string;
+    allowedNames?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityKubernetesAuthEvent {
+  type: EventType.GET_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface CreateIdentityUniversalAuthClientSecretEvent {
   type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -410,17 +462,63 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
-interface LoginIdentityAwsIamAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH;
+interface LoginIdentityGcpAuthEvent {
+  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
   metadata: {
     identityId: string;
-    identityAwsIamAuthId: string;
+    identityGcpAuthId: string;
     identityAccessTokenId: string;
   };
 }
 
-interface AddIdentityAwsIamAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_IAM_AUTH;
+interface AddIdentityGcpAuthEvent {
+  type: EventType.ADD_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type: string;
+    allowedServiceAccounts: string;
+    allowedProjects: string;
+    allowedZones: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityGcpAuthEvent {
+  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type?: string;
+    allowedServiceAccounts?: string;
+    allowedProjects?: string;
+    allowedZones?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityGcpAuthEvent {
+  type: EventType.GET_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface LoginIdentityAwsAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+    identityAwsAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAwsAuthEvent {
+  type: EventType.ADD_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint: string;
@@ -433,8 +531,8 @@ interface AddIdentityAwsIamAuthEvent {
   };
 }
 
-interface UpdateIdentityAwsIamAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH;
+interface UpdateIdentityAwsAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint?: string;
@@ -447,8 +545,8 @@ interface UpdateIdentityAwsIamAuthEvent {
   };
 }
 
-interface GetIdentityAwsIamAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_IAM_AUTH;
+interface GetIdentityAwsAuthEvent {
+  type: EventType.GET_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
   };
@@ -705,13 +803,21 @@ export type Event =
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
+  | LoginIdentityKubernetesAuthEvent
+  | AddIdentityKubernetesAuthEvent
+  | UpdateIdentityKubernetesAuthEvent
+  | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityAwsIamAuthEvent
-  | AddIdentityAwsIamAuthEvent
-  | UpdateIdentityAwsIamAuthEvent
-  | GetIdentityAwsIamAuthEvent
+  | LoginIdentityGcpAuthEvent
+  | AddIdentityGcpAuthEvent
+  | UpdateIdentityGcpAuthEvent
+  | GetIdentityGcpAuthEvent
+  | LoginIdentityAwsAuthEvent
+  | AddIdentityAwsAuthEvent
+  | UpdateIdentityAwsAuthEvent
+  | GetIdentityAwsAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -7,12 +7,15 @@ import {
   SecretType,
   TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
+import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
+import { getAllNestedSecretReferences } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@@ -53,6 +56,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretService: Pick<
     TSecretServiceFactory,
     | "fnSecretBulkInsert"
@@ -80,7 +84,8 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretService,
   secretVersionDAL,
-  secretQueueService
+  secretQueueService,
+  projectBotService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -352,7 +357,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
 
     const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === CommitType.Delete);
-
+    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
     const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
       const newSecrets = secretCreationCommits.length
         ? await secretService.fnSecretBulkInsert({
@@ -379,7 +384,17 @@ export const secretApprovalRequestServiceFactory = ({
               ]),
               tags: el?.tags.map(({ id }) => id),
               version: 1,
-              type: SecretType.Shared
+              type: SecretType.Shared,
+              references: botKey
+                ? getAllNestedSecretReferences(
+                    decryptSymmetric128BitHexKeyUTF8({
+                      ciphertext: el.secretValueCiphertext,
+                      iv: el.secretValueIV,
+                      tag: el.secretValueTag,
+                      key: botKey
+                    })
+                  )
+                : undefined
             })),
             secretDAL,
             secretVersionDAL,
@@ -414,7 +429,17 @@ export const secretApprovalRequestServiceFactory = ({
                   "secretReminderNote",
                   "secretReminderRepeatDays",
                   "secretBlindIndex"
-                ])
+                ]),
+                references: botKey
+                  ? getAllNestedSecretReferences(
+                      decryptSymmetric128BitHexKeyUTF8({
+                        ciphertext: el.secretValueCiphertext,
+                        iv: el.secretValueIV,
+                        tag: el.secretValueTag,
+                        key: botKey
+                      })
+                    )
+                  : undefined
               }
             })),
             secretDAL,

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,15 +90,17 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    await Promise.all(
-      repositories.map(({ id, full_name }) =>
-        secretScanningQueue.startFullRepoScan({
-          organizationId: session.orgId,
-          installationId,
-          repository: { id, fullName: full_name }
-        })
-      )
-    );
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await Promise.all(
+        repositories.map(({ id, full_name }) =>
+          secretScanningQueue.startFullRepoScan({
+            organizationId: session.orgId,
+            installationId,
+            repository: { id, fullName: full_name }
+          })
+        )
+      );
+    }
     return { installatedApp };
   };
 
@@ -151,6 +153,7 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
+    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -161,13 +164,15 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    await secretScanningQueue.startPushEventScan({
-      commits,
-      pusher: { name: pusher.name, email: pusher.email },
-      repository: { fullName: repository.full_name, id: repository.id },
-      organizationId: installationLink.orgId,
-      installationId: String(installation?.id)
-    });
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await secretScanningQueue.startPushEventScan({
+        commits,
+        pusher: { name: pusher.name, email: pusher.email },
+        repository: { fullName: repository.full_name, id: repository.id },
+        organizationId: installationLink.orgId,
+        installationId: String(installation?.id)
+      });
+    }
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -89,10 +89,13 @@ export const UNIVERSAL_AUTH = {
   },
   RENEW_ACCESS_TOKEN: {
     accessToken: "The access token to renew."
+  },
+  REVOKE_ACCESS_TOKEN: {
+    accessToken: "The access token to revoke."
   }
 } as const;
 
-export const AWS_IAM_AUTH = {
+export const AWS_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login.",
     iamHttpRequestMethod: "The HTTP request method used in the signed request.",
@@ -145,36 +148,6 @@ export const PROJECTS = {
     name: "The new name of the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project."
   },
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: "A list of roles to update the membership to."
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
   },
@@ -213,6 +186,70 @@ export const PROJECTS = {
   }
 } as const;
 
+export const PROJECT_USERS = {
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  GET_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to get memberships from.",
+    username: "The username to get project membership of. Email is the default username."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  }
+};
+
+export const PROJECT_IDENTITIES = {
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  GET_IDENTITY_MEMBERSHIP_BY_ID: {
+    identityId: "The ID of the identity to get the membership for.",
+    projectId: "The ID of the project to get the identity membership for."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: {
+      description: "A list of role slugs to assign to the identity project membership.",
+      role: "The role slug to assign to the newly created identity project membership.",
+      isTemporary: "Whether the assigned role is temporary.",
+      temporaryMode: "Type of temporary expiry.",
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
+    }
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
+  CREATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to create the identity membership from.",
+    identityId: "The ID of the identity to create the membership from.",
+    role: "The role slug to assign to the newly created identity project membership.",
+    roles: {
+      description: "A list of role slugs to assign to the newly created identity project membership.",
+      role: "The role slug to assign to the newly created identity project membership.",
+      isTemporary: "Whether the assigned role is temporary.",
+      temporaryMode: "Type of temporary expiry.",
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
+    }
+  }
+};
+
 export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
@@ -252,6 +289,7 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -288,7 +326,8 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -307,6 +346,7 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -625,7 +665,8 @@ export const INTEGRATION = {
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
     }
   },
   UPDATE: {

backend/src/lib/config/env.ts

@@ -13,6 +13,10 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
+    DISABLE_SECRET_SCANNING: z
+      .enum(["true", "false"])
+      .default("false")
+      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(

backend/src/queue/queue-service.ts

@@ -65,7 +65,13 @@ export type TQueueJobTypes = {
   };
   [QueueName.IntegrationSync]: {
     name: QueueJobs.IntegrationSync;
-    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
+    payload: {
+      projectId: string;
+      environment: string;
+      secretPath: string;
+      depth?: number;
+      deDupeQueue?: Record<string, boolean>;
+    };
   };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;

backend/src/server/app.ts

@@ -8,8 +8,6 @@ import cors from "@fastify/cors";
 import fastifyEtag from "@fastify/etag";
 import fastifyFormBody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
-import type { FastifyRateLimitOptions } from "@fastify/rate-limit";
-import ratelimiter from "@fastify/rate-limit";
 import fasitfy from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
@@ -19,7 +17,6 @@ import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
-import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@@ -67,10 +64,6 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
     await server.register(fastifyFormBody);
     await server.register(fastifyErrHandler);
 
-    // Rate limiters and security headers
-    if (appCfg.isProductionMode) {
-      await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
-    }
     await server.register(helmet, { contentSecurityPolicy: false });
 
     await server.register(maintenanceMode);

backend/src/server/config/rateLimiter.ts

@@ -1,20 +1,34 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
+import { FastifyRequest } from "fastify";
 import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
+import { ActorType } from "@app/services/auth/auth-type";
+
+const getDistinctRequestActorId = (req: FastifyRequest) => {
+  if (req?.auth?.actor === ActorType.USER) {
+    return req.auth.user.username;
+  }
+  if (req?.auth?.actor === ActorType.IDENTITY) {
+    return `${req.auth.identityId}-machine-identity-`;
+  }
+  if (req?.auth?.actor === ActorType.SERVICE) {
+    return `${req.auth.serviceToken.id}-service-token`; // when user gets removed from system
+  }
+  return req.realIp;
+};
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
   const redis = appCfg.isRedisConfigured
     ? new Redis(appCfg.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 })
     : null;
-
   return {
     timeWindow: 60 * 1000,
     max: 600,
     redis,
     allowList: (req) => req.url === "/healthcheck" || req.url === "/api/status",
-    keyGenerator: (req) => req.realIp
+    keyGenerator: (req) => getDistinctRequestActorId(req)
   };
 };
 
@@ -22,14 +36,14 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 export const readLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 600,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };
 
 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 50,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };
 
 // special endpoints
@@ -37,24 +51,24 @@ export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
   max: 1000,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };
 
 export const authRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 60,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };
 
 export const inviteUserRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
   max: 30,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };
 
 export const creationLimit: RateLimitOptions = {
   // identity, project, org
   timeWindow: 60 * 1000,
   max: 30,
-  keyGenerator: (req) => req.realIp
+  keyGenerator: (req) => getDistinctRequestActorId(req)
 };

backend/src/server/plugins/maintenanceMode.ts

@@ -5,8 +5,13 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
-      throw new Error("Infisical is in maintenance mode. Please try again later.");
+    if (serverEnvs.MAINTENANCE_MODE) {
+      // skip if its universal auth login or renew
+      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
+      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
+      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
+        throw new Error("Infisical is in maintenance mode. Please try again later.");
+      }
     }
   });
 });

backend/src/server/routes/index.ts

@@ -1,3 +1,4 @@
+import ratelimiter, { FastifyRateLimitOptions } from "@fastify/rate-limit";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -61,7 +62,7 @@ import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { globalRateLimiterCfg, readLimit } from "@app/server/config/rateLimiter";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
@@ -78,8 +79,12 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsIamAuthDALFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-dal";
-import { identityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
+import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
+import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
+import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -156,7 +161,10 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  const appCfg = getConfig();
+  if (!appCfg.DISABLE_SECRET_SCANNING) {
+    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  }
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -202,8 +210,11 @@ export const registerRoutes = async (
   const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);
 
   const identityUaDAL = identityUaDALFactory(db);
+  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsIamAuthDAL = identityAwsIamAuthDALFactory(db);
+  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
+
+  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -538,8 +549,10 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService
+    snapshotService,
+    projectDAL
   });
+
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -598,6 +611,7 @@ export const registerRoutes = async (
   });
   const sarService = secretApprovalRequestServiceFactory({
     permissionService,
+    projectBotService,
     folderDAL,
     secretDAL,
     secretTagDAL,
@@ -702,9 +716,27 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
-  const identityAWSIAMAuthService = identityAwsIamAuthServiceFactory({
+  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
+    identityKubernetesAuthDAL,
+    identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityAwsIamAuthDAL,
+    identityDAL,
+    orgBotDAL,
+    permissionService,
+    licenseService
+  });
+  const identityGcpAuthService = identityGcpAuthServiceFactory({
+    identityGcpAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService
+  });
+
+  const identityAwsAuthService = identityAwsAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityAwsAuthDAL,
     identityOrgMembershipDAL,
     identityDAL,
     licenseService,
@@ -779,7 +811,9 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
-    identityAwsIamAuth: identityAWSIAMAuthService,
+    identityKubernetesAuth: identityKubernetesAuthService,
+    identityGcpAuth: identityGcpAuthService,
+    identityAwsAuth: identityAwsAuthService,
     secretApprovalPolicy: sapService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,
@@ -806,6 +840,11 @@ export const registerRoutes = async (
     user: userDAL
   });
 
+  // Rate limiters and security headers
+  if (appCfg.isProductionMode) {
+    await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
+  }
+
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });
   await server.register(injectPermission);
   await server.register(injectAuditLogInfo);

backend/src/server/routes/sanitizedSchemas.ts

@@ -8,6 +8,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -64,14 +65,12 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
-export const PermissionSchema = z.object({
+export const ProjectPermissionSchema = z.object({
   action: z
-    .string()
-    .min(1)
+    .nativeEnum(ProjectPermissionActions)
     .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
   subject: z
-    .string()
-    .min(1)
+    .nativeEnum(ProjectPermissionSub)
     .describe("The entity this permission pertains to. Possible options: secrets, environments"),
   conditions: z
     .object({

backend/src/server/routes/v1/admin-router.ts

@@ -20,16 +20,23 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
-            z.object({ isMigrationModeOn: z.boolean() })
-          )
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
+            isMigrationModeOn: z.boolean(),
+            isSecretScanningDisabled: z.boolean()
+          })
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
+      return {
+        config: {
+          ...config,
+          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+        }
+      };
     }
   });
 

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -36,4 +36,29 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
       };
     }
   });
+
+  server.route({
+    url: "/token/revoke",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Revoke access token",
+      body: z.object({
+        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      await server.services.identityAccessToken.revokeAccessToken(req.body.accessToken);
+      return {
+        message: "Successfully revoked access token"
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -1,8 +1,8 @@
 import { z } from "zod";
 
-import { IdentityAwsIamAuthsSchema } from "@app/db/schemas";
+import { IdentityAwsAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_IAM_AUTH } from "@app/lib/api-docs";
+import { AWS_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -10,22 +10,22 @@ import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import {
   validateAccountIds,
   validatePrincipalArns
-} from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-validators";
+} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
 
-export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvider) => {
+export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/login",
+    url: "/aws-auth/login",
     config: {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Login with AWS IAM Auth",
+      description: "Login with AWS Auth",
       body: z.object({
-        identityId: z.string().describe(AWS_IAM_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_IAM_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestHeaders)
+        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
+        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
+        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
       }),
       response: {
         200: z.object({
@@ -37,18 +37,18 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }
     },
     handler: async (req) => {
-      const { identityAwsIamAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsIamAuth.login(req.body);
+      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAwsAuth.login(req.body);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         orgId: identityMembershipOrg?.orgId,
         event: {
-          type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
+            identityId: identityAwsAuth.identityId,
             identityAccessTokenId: identityAccessToken.id,
-            identityAwsIamAuthId: identityAwsIamAuth.id
+            identityAwsAuthId: identityAwsAuth.id
           }
         }
       });
@@ -56,21 +56,21 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       return {
         accessToken,
         tokenType: "Bearer" as const,
-        expiresIn: identityAwsIamAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL
+        expiresIn: identityAwsAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
       };
     }
   });
 
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Attach AWS IAM Auth configuration onto identity",
+      description: "Attach AWS Auth configuration onto identity",
       security: [
         {
           bearerAuth: []
@@ -109,12 +109,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.attachAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -125,35 +125,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.ADD_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.ADD_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "PATCH",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Update AWS IAM Auth configuration on identity",
+      description: "Update AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -185,12 +185,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.updateAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -201,35 +201,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "GET",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Retrieve AWS IAM Auth configuration on identity",
+      description: "Retrieve AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -240,12 +240,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.getAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
         identityId: req.params.identityId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -255,15 +255,15 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.GET_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.GET_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId
+            identityId: identityAwsAuth.identityId
           }
         }
       });
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 };

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -0,0 +1,268 @@
+import { z } from "zod";
+
+import { IdentityGcpAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+
+export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with GCP Auth",
+      body: z.object({
+        identityId: z.string(),
+        jwt: z.string()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityGcpAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityGcpAuthId: identityGcpAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityGcpAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach GCP Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]),
+        allowedServiceAccounts: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField,
+        allowedZones: validateGcpAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]).optional(),
+        allowedServiceAccounts: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField,
+        allowedZones: validateGcpAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+};

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -0,0 +1,283 @@
+import { z } from "zod";
+
+import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+
+const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.omit({
+  encryptedCaCert: true,
+  caCertIV: true,
+  caCertTag: true,
+  encryptedTokenReviewerJwt: true,
+  tokenReviewerJwtIV: true,
+  tokenReviewerJwtTag: true
+}).extend({
+  caCert: z.string(),
+  tokenReviewerJwt: z.string()
+});
+
+export const registerIdentityKubernetesRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/kubernetes-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with Kubernetes Auth",
+      body: z.object({
+        identityId: z.string().trim(),
+        jwt: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityKubernetesAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityKubernetesAuth.login({
+          identityId: req.body.identityId,
+          jwt: req.body.jwt
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityKubernetesAuthId: identityKubernetesAuth.id
+          }
+        }
+      });
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityKubernetesAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach Kubernetes Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1),
+        caCert: z.string().trim().default(""),
+        tokenReviewerJwt: z.string().trim().min(1),
+        allowedNamespaces: z.string(), // TODO: validation
+        allowedNames: z.string(),
+        allowedAudience: z.string(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.attachKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            kubernetesHost: identityKubernetesAuth.kubernetesHost,
+            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
+            allowedNames: identityKubernetesAuth.allowedNames,
+            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1).optional(),
+        caCert: z.string().trim().optional(),
+        tokenReviewerJwt: z.string().trim().min(1).optional(),
+        allowedNamespaces: z.string().optional(), // TODO: validation
+        allowedNames: z.string().optional(),
+        allowedAudience: z.string().optional(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.updateKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            kubernetesHost: identityKubernetesAuth.kubernetesHost,
+            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
+            allowedNames: identityKubernetesAuth.allowedNames,
+            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.getKubernetesAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -2,7 +2,9 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsIamAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
+import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -28,8 +30,10 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     async (authRouter) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
+      await authRouter.register(registerIdentityKubernetesRouter);
+      await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsIamAuthRouter);
+      await authRouter.register(registerIdentityAwsAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -66,7 +66,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
           })
           .default({})
       }),
@@ -142,8 +143,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -153,7 +154,33 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
+        metadata: z
+          .object({
+            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
+            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
+            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
+            secretGCPLabel: z
+              .object({
+                labelName: z.string(),
+                labelValue: z.string()
+              })
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
+            secretAWSTag: z
+              .array(
+                z.object({
+                  key: z.string(),
+                  value: z.string()
+                })
+              )
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+          })
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_USERS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -30,7 +30,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIPS.workspaceId)
       }),
       response: {
         200: z.object({
@@ -74,6 +74,66 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/:workspaceId/memberships/details",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Return project user memberships",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        workspaceId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.workspaceId)
+      }),
+      body: z.object({
+        username: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.username)
+      }),
+      response: {
+        200: z.object({
+          membership: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            )
+          }).omit({ createdAt: true, updatedAt: true })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const membership = await server.services.projectMembership.getProjectMembershipByUsername({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        username: req.body.username
+      });
+      return { membership };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/:workspaceId/memberships",
@@ -142,8 +202,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
         roles: z
@@ -164,7 +224,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least one long lived role is required")
-          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
+          .describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,6 +127,70 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/batch",
+    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Update folders by batch",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
+        folders: z
+          .object({
+            id: z.string().describe(FOLDERS.UPDATE.folderId),
+            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
+            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+          })
+          .array()
+          .min(1)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
+        ...req.body,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await Promise.all(
+        req.body.folders.map(async (folder, index) => {
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId,
+            event: {
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment: oldFolders[index].envId,
+                folderId: oldFolders[index].id,
+                folderPath: folder.path,
+                newFolderName: newFolders[index].name,
+                oldFolderName: oldFolders[index].name
+              }
+            }
+          });
+        })
+      );
+
+      return { folders: newFolders };
+    }
+  });
+
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v2/identity-project-router.ts

@@ -7,7 +7,8 @@ import {
   ProjectMembershipRole,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_IDENTITIES } from "@app/lib/api-docs";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -22,12 +23,48 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      description: "Create project identity membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       params: z.object({
         projectId: z.string().trim(),
         identityId: z.string().trim()
       }),
       body: z.object({
-        role: z.string().trim().min(1).default(ProjectMembershipRole.NoAccess)
+        // @depreciated
+        role: z.string().trim().optional().default(ProjectMembershipRole.NoAccess),
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z
+                  .literal(false)
+                  .default(false)
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
+              }),
+              z.object({
+                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryMode: z
+                  .nativeEnum(ProjectUserMembershipTemporaryMode)
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryRange: z
+                  .string()
+                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryAccessStartTime: z
+                  .string()
+                  .datetime()
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
+              })
+            ])
+          )
+          .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.description)
+          .optional()
       }),
       response: {
         200: z.object({
@@ -36,6 +73,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       }
     },
     handler: async (req) => {
+      const { role, roles } = req.body;
+      if (!role && !roles) throw new BadRequestError({ message: "You must provide either role or roles field" });
+
       const identityMembership = await server.services.identityProject.createProjectIdentity({
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -43,7 +83,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         actorOrgId: req.permission.orgId,
         identityId: req.params.identityId,
         projectId: req.params.projectId,
-        role: req.body.role
+        roles: roles || [{ role }]
       });
       return { identityMembership };
     }
@@ -64,28 +104,39 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.identityId)
       }),
       body: z.object({
         roles: z
           .array(
             z.union([
               z.object({
-                role: z.string(),
-                isTemporary: z.literal(false).default(false)
+                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z
+                  .literal(false)
+                  .default(false)
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary)
               }),
               z.object({
-                role: z.string(),
-                isTemporary: z.literal(true),
-                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
-                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
-                temporaryAccessStartTime: z.string().datetime()
+                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary),
+                temporaryMode: z
+                  .nativeEnum(ProjectUserMembershipTemporaryMode)
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryMode),
+                temporaryRange: z
+                  .string()
+                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryRange),
+                temporaryAccessStartTime: z
+                  .string()
+                  .datetime()
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryAccessStartTime)
               })
             ])
           )
           .min(1)
-          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
+          .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.description)
       }),
       response: {
         200: z.object({
@@ -122,8 +173,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.identityId)
       }),
       response: {
         200: z.object({
@@ -159,7 +210,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.LIST_IDENTITY_MEMBERSHIPS.projectId)
       }),
       response: {
         200: z.object({
@@ -200,4 +251,61 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       return { identityMemberships };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Return project identity membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityMembership: z.object({
+            id: z.string(),
+            identityId: z.string(),
+            createdAt: z.date(),
+            updatedAt: z.date(),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            ),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityMembership = await server.services.identityProject.getProjectIdentityByIdentityId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.projectId,
+        identityId: req.params.identityId
+      });
+      return { identityMembership };
+    }
+  });
 };

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_USERS } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -22,11 +22,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECT_USERS.INVITE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.usernames)
       }),
       response: {
         200: z.object({
@@ -77,11 +77,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECT_USERS.REMOVE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.usernames)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/secret-router.ts

@@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
+        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),
@@ -1921,4 +1926,41 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       return { secrets };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/backfill-secret-references",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Backfill secret references",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectId: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { projectId } = req.body;
+      const message = await server.services.secret.backfillSecretReferences({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId
+      });
+
+      return message;
+    }
+  });
 };

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 
@@ -15,23 +15,56 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
       const doc = await (tx || db)(TableName.IdentityAccessToken)
         .where(filter)
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
-        .leftJoin(
-          TableName.IdentityUaClientSecret,
-          `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
-          `${TableName.IdentityUaClientSecret}.id`
-        )
-        .leftJoin(
-          TableName.IdentityUniversalAuth,
-          `${TableName.IdentityUaClientSecret}.identityUAId`,
-          `${TableName.IdentityUniversalAuth}.id`
-        )
+        .leftJoin(TableName.IdentityUaClientSecret, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+            `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
+            `${TableName.IdentityUaClientSecret}.id`
+          );
+        })
+        .leftJoin(TableName.IdentityUniversalAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+            `${TableName.IdentityUaClientSecret}.identityUAId`,
+            `${TableName.IdentityUniversalAuth}.id`
+          );
+        })
+        .leftJoin(TableName.IdentityGcpAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.GCP_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityGcpAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityAwsAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AWS_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityAwsAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityKubernetesAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.KUBERNETES_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityKubernetesAuth}.identityId`
+          );
+        })
         .select(selectAllTableCols(TableName.IdentityAccessToken))
         .select(
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
           db.ref("name").withSchema(TableName.Identity)
         )
         .first();
-      return doc;
+
+      if (!doc) return;
+
+      return {
+        ...doc,
+        accessTokenTrustedIps:
+          doc.accessTokenTrustedIpsUa ||
+          doc.accessTokenTrustedIpsGcp ||
+          doc.accessTokenTrustedIpsAws ||
+          doc.accessTokenTrustedIpsK8s
+      };
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });
     }

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -106,6 +106,24 @@ export const identityAccessTokenServiceFactory = ({
     return { accessToken, identityAccessToken: updatedIdentityAccessToken };
   };
 
+  const revokeAccessToken = async (accessToken: string) => {
+    const appCfg = getConfig();
+
+    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as JwtPayload & {
+      identityAccessTokenId: string;
+    };
+    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) throw new UnauthorizedError();
+
+    const identityAccessToken = await identityAccessTokenDAL.findOne({
+      [`${TableName.IdentityAccessToken}.id` as "id"]: decodedToken.identityAccessTokenId,
+      isAccessTokenRevoked: false
+    });
+    if (!identityAccessToken) throw new UnauthorizedError();
+
+    const revokedToken = await identityAccessTokenDAL.deleteById(identityAccessToken.id);
+    return { revokedToken };
+  };
+
   const fnValidateIdentityAccessToken = async (token: TIdentityAccessTokenJwtPayload, ipAddress?: string) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: token.identityAccessTokenId,
@@ -132,5 +150,5 @@ export const identityAccessTokenServiceFactory = ({
     return { ...identityAccessToken, orgId: identityOrgMembership.orgId };
   };
 
-  return { renewAccessToken, fnValidateIdentityAccessToken };
+  return { renewAccessToken, revokeAccessToken, fnValidateIdentityAccessToken };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAwsAuthDALFactory = ReturnType<typeof identityAwsAuthDALFactory>;
+
+export const identityAwsAuthDALFactory = (db: TDbClient) => {
+  const awsAuthOrm = ormify(db, TableName.IdentityAwsAuth);
+
+  return awsAuthOrm;
+};

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -16,48 +16,43 @@ import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityAwsIamAuthDALFactory } from "./identity-aws-iam-auth-dal";
-import { extractPrincipalArn } from "./identity-aws-iam-auth-fns";
+import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
+import { extractPrincipalArn } from "./identity-aws-auth-fns";
 import {
-  TAttachAWSIAMAuthDTO,
-  TAWSGetCallerIdentityHeaders,
-  TGetAWSIAMAuthDTO,
+  TAttachAwsAuthDTO,
+  TAwsGetCallerIdentityHeaders,
+  TGetAwsAuthDTO,
   TGetCallerIdentityResponse,
-  TLoginAWSIAMAuthDTO,
-  TUpdateAWSIAMAuthDTO
-} from "./identity-aws-iam-auth-types";
+  TLoginAwsAuthDTO,
+  TUpdateAwsAuthDTO
+} from "./identity-aws-auth-types";
 
-type TIdentityAwsIamAuthServiceFactoryDep = {
+type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsIamAuthDAL: Pick<TIdentityAwsIamAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
 
-export type TIdentityAwsIamAuthServiceFactory = ReturnType<typeof identityAwsIamAuthServiceFactory>;
+export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
 
-export const identityAwsIamAuthServiceFactory = ({
+export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
-  identityAwsIamAuthDAL,
+  identityAwsAuthDAL,
   identityOrgMembershipDAL,
   identityDAL,
   licenseService,
   permissionService
-}: TIdentityAwsIamAuthServiceFactoryDep) => {
-  const login = async ({
-    identityId,
-    iamHttpRequestMethod,
-    iamRequestBody,
-    iamRequestHeaders
-  }: TLoginAWSIAMAuthDTO) => {
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
-    if (!identityAwsIamAuth) throw new UnauthorizedError();
+}: TIdentityAwsAuthServiceFactoryDep) => {
+  const login = async ({ identityId, iamHttpRequestMethod, iamRequestBody, iamRequestHeaders }: TLoginAwsAuthDTO) => {
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
+    if (!identityAwsAuth) throw new UnauthorizedError();
 
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsIamAuth.identityId });
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
 
-    const headers: TAWSGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
+    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
 
     const {
@@ -68,15 +63,15 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     }: { data: TGetCallerIdentityResponse } = await axios({
       method: iamHttpRequestMethod,
-      url: identityAwsIamAuth.stsEndpoint,
+      url: identityAwsAuth.stsEndpoint,
       headers,
       data: body
     });
 
-    if (identityAwsIamAuth.allowedAccountIds) {
+    if (identityAwsAuth.allowedAccountIds) {
       // validate if Account is in the list of allowed Account IDs
 
-      const isAccountAllowed = identityAwsIamAuth.allowedAccountIds
+      const isAccountAllowed = identityAwsAuth.allowedAccountIds
         .split(",")
         .map((accountId) => accountId.trim())
         .some((accountId) => accountId === Account);
@@ -84,10 +79,10 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isAccountAllowed) throw new UnauthorizedError();
     }
 
-    if (identityAwsIamAuth.allowedPrincipalArns) {
+    if (identityAwsAuth.allowedPrincipalArns) {
       // validate if Arn is in the list of allowed Principal ARNs
 
-      const isArnAllowed = identityAwsIamAuth.allowedPrincipalArns
+      const isArnAllowed = identityAwsAuth.allowedPrincipalArns
         .split(",")
         .map((principalArn) => principalArn.trim())
         .some((principalArn) => {
@@ -100,15 +95,15 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isArnAllowed) throw new UnauthorizedError();
     }
 
-    const identityAccessToken = await identityAwsIamAuthDAL.transaction(async (tx) => {
+    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
       const newToken = await identityAccessTokenDAL.create(
         {
-          identityId: identityAwsIamAuth.identityId,
+          identityId: identityAwsAuth.identityId,
           isAccessTokenRevoked: false,
-          accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
+          accessTokenTTL: identityAwsAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
         },
         tx
       );
@@ -118,7 +113,7 @@ export const identityAwsIamAuthServiceFactory = ({
     const appCfg = getConfig();
     const accessToken = jwt.sign(
       {
-        identityId: identityAwsIamAuth.identityId,
+        identityId: identityAwsAuth.identityId,
         identityAccessTokenId: identityAccessToken.id,
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
@@ -131,10 +126,10 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     );
 
-    return { accessToken, identityAwsIamAuth, identityAccessToken, identityMembershipOrg };
+    return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
   };
 
-  const attachAwsIamAuth = async ({
+  const attachAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -147,12 +142,12 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TAttachAWSIAMAuthDTO) => {
+  }: TAttachAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
     if (identityMembershipOrg.identity.authMethod)
       throw new BadRequestError({
-        message: "Failed to add AWS IAM Auth to already configured identity"
+        message: "Failed to add AWS Auth to already configured identity"
       });
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
@@ -186,10 +181,11 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.transaction(async (tx) => {
-      const doc = await identityAwsIamAuthDAL.create(
+    const identityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const doc = await identityAwsAuthDAL.create(
         {
           identityId: identityMembershipOrg.identityId,
+          type: "iam",
           stsEndpoint,
           allowedPrincipalArns,
           allowedAccountIds,
@@ -203,16 +199,16 @@ export const identityAwsIamAuthServiceFactory = ({
       await identityDAL.updateById(
         identityMembershipOrg.identityId,
         {
-          authMethod: IdentityAuthMethod.AWS_IAM_AUTH
+          authMethod: IdentityAuthMethod.AWS_AUTH
         },
         tx
       );
       return doc;
     });
-    return { ...identityAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const updateAwsIamAuth = async ({
+  const updateAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -225,20 +221,19 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TUpdateAWSIAMAuthDTO) => {
+  }: TUpdateAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "Failed to update AWS IAM Auth"
+        message: "Failed to update AWS Auth"
       });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     if (
-      (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityAwsIamAuth.accessTokenMaxTTL) >
-        (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL)
+      (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityAwsAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL)
     ) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
     }
@@ -270,7 +265,7 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const updatedAwsIamAuth = await identityAwsIamAuthDAL.updateById(identityAwsIamAuth.id, {
+    const updatedAwsAuth = await identityAwsAuthDAL.updateById(identityAwsAuth.id, {
       stsEndpoint,
       allowedPrincipalArns,
       allowedAccountIds,
@@ -282,18 +277,18 @@ export const identityAwsIamAuthServiceFactory = ({
         : undefined
     });
 
-    return { ...updatedAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...updatedAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const getAwsIamAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAWSIAMAuthDTO) => {
+  const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "The identity does not have AWS IAM Auth attached"
+        message: "The identity does not have AWS Auth attached"
       });
 
-    const awsIamIdentityAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -303,13 +298,13 @@ export const identityAwsIamAuthServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-    return { ...awsIamIdentityAuth, orgId: identityMembershipOrg.orgId };
+    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
   return {
     login,
-    attachAwsIamAuth,
-    updateAwsIamAuth,
-    getAwsIamAuth
+    attachAwsAuth,
+    updateAwsAuth,
+    getAwsAuth
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -1,13 +1,13 @@
 import { TProjectPermission } from "@app/lib/types";
 
-export type TLoginAWSIAMAuthDTO = {
+export type TLoginAwsAuthDTO = {
   identityId: string;
   iamHttpRequestMethod: string;
   iamRequestBody: string;
   iamRequestHeaders: string;
 };
 
-export type TAttachAWSIAMAuthDTO = {
+export type TAttachAwsAuthDTO = {
   identityId: string;
   stsEndpoint: string;
   allowedPrincipalArns: string;
@@ -18,7 +18,7 @@ export type TAttachAWSIAMAuthDTO = {
   accessTokenTrustedIps: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TUpdateAWSIAMAuthDTO = {
+export type TUpdateAwsAuthDTO = {
   identityId: string;
   stsEndpoint?: string;
   allowedPrincipalArns?: string;
@@ -29,11 +29,11 @@ export type TUpdateAWSIAMAuthDTO = {
   accessTokenTrustedIps?: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TGetAWSIAMAuthDTO = {
+export type TGetAwsAuthDTO = {
   identityId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TAWSGetCallerIdentityHeaders = {
+export type TAwsGetCallerIdentityHeaders = {
   "Content-Type": string;
   Host: string;
   "X-Amz-Date": string;

backend/src/services/identity-aws-iam-auth/identity-aws-iam-auth-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityAwsIamAuthDALFactory = ReturnType<typeof identityAwsIamAuthDALFactory>;
-
-export const identityAwsIamAuthDALFactory = (db: TDbClient) => {
-  const awsIamAuthOrm = ormify(db, TableName.IdentityAwsIamAuth);
-
-  return awsIamAuthOrm;
-};

backend/src/services/identity-gcp-auth/identity-gcp-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityGcpAuthDALFactory = ReturnType<typeof identityGcpAuthDALFactory>;
+
+export const identityGcpAuthDALFactory = (db: TDbClient) => {
+  const gcpAuthOrm = ormify(db, TableName.IdentityGcpAuth);
+  return gcpAuthOrm;
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-fns.ts

@@ -0,0 +1,70 @@
+import axios from "axios";
+import { OAuth2Client } from "google-auth-library";
+import jwt from "jsonwebtoken";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TDecodedGcpIamAuthJwt, TGcpIdTokenPayload } from "./identity-gcp-auth-types";
+
+/**
+ * Validates that the identity token [jwt] sent in from a client GCE instance as part of GCP ID Token authentication
+ * is valid.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The identity token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ */
+export const validateIdTokenIdentity = async ({
+  identityId,
+  jwt: identityToken
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const oAuth2Client = new OAuth2Client();
+  const response = await oAuth2Client.getFederatedSignonCerts();
+  const ticket = await oAuth2Client.verifySignedJwtWithCertsAsync(
+    identityToken,
+    response.certs,
+    identityId, // audience
+    ["https://accounts.google.com"]
+  );
+  const payload = ticket.getPayload() as TGcpIdTokenPayload;
+  if (!payload || !payload.email) throw new UnauthorizedError();
+
+  return { email: payload.email, computeEngineDetails: payload.google?.compute_engine };
+};
+
+/**
+ * Validates that the signed JWT token for a GCP service account is valid as part of GCP IAM authentication.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The signed JWT token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ * @returns
+ */
+export const validateIamIdentity = async ({
+  identityId,
+  jwt: serviceAccountJwt
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const decodedJwt = jwt.decode(serviceAccountJwt, { complete: true }) as TDecodedGcpIamAuthJwt;
+  const { sub, aud } = decodedJwt.payload;
+
+  const {
+    data
+  }: {
+    data: {
+      [key: string]: string;
+    };
+  } = await axios.get(`https://www.googleapis.com/service_accounts/v1/metadata/x509/${sub}`);
+
+  const publicKey = data[decodedJwt.header.kid];
+
+  jwt.verify(serviceAccountJwt, publicKey, {
+    algorithms: ["RS256"]
+  });
+
+  if (aud !== identityId) throw new UnauthorizedError();
+  return { email: sub };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -0,0 +1,324 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
+import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
+import {
+  TAttachGcpAuthDTO,
+  TGcpIdentityDetails,
+  TGetGcpAuthDTO,
+  TLoginGcpAuthDTO,
+  TUpdateGcpAuthDTO
+} from "./identity-gcp-auth-types";
+
+type TIdentityGcpAuthServiceFactoryDep = {
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityGcpAuthServiceFactory = ReturnType<typeof identityGcpAuthServiceFactory>;
+
+export const identityGcpAuthServiceFactory = ({
+  identityGcpAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  permissionService,
+  licenseService
+}: TIdentityGcpAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: gcpJwt }: TLoginGcpAuthDTO) => {
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+    if (!identityGcpAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityGcpAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError();
+
+    let gcpIdentityDetails: TGcpIdentityDetails;
+    switch (identityGcpAuth.type) {
+      case "gce": {
+        gcpIdentityDetails = await validateIdTokenIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      case "iam": {
+        gcpIdentityDetails = await validateIamIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      default: {
+        throw new BadRequestError({ message: "Invalid GCP Auth type" });
+      }
+    }
+
+    if (identityGcpAuth.allowedServiceAccounts) {
+      // validate if the service account is in the list of allowed service accounts
+
+      const isServiceAccountAllowed = identityGcpAuth.allowedServiceAccounts
+        .split(",")
+        .map((serviceAccount) => serviceAccount.trim())
+        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
+
+      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
+      // validate if the project that the service account belongs to is in the list of allowed projects
+
+      const isProjectAllowed = identityGcpAuth.allowedProjects
+        .split(",")
+        .map((project) => project.trim())
+        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
+
+      if (!isProjectAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
+      const isZoneAllowed = identityGcpAuth.allowedZones
+        .split(",")
+        .map((zone) => zone.trim())
+        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
+
+      if (!isZoneAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityGcpAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityGcpAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityGcpAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add GCP Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const doc = await identityGcpAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.GCP_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update GCP Auth"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedGcpAuth = await identityGcpAuthDAL.updateById(identityGcpAuth.id, {
+      type,
+      allowedServiceAccounts,
+      allowedProjects,
+      allowedZones,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return {
+      ...updatedGcpAuth,
+      orgId: identityMembershipOrg.orgId
+    };
+  };
+
+  const getGcpAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have GCP Auth attached"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachGcpAuth,
+    updateGcpAuth,
+    getGcpAuth
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -0,0 +1,78 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginGcpAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachGcpAuthDTO = {
+  identityId: string;
+  type: "iam" | "gce";
+  allowedServiceAccounts: string;
+  allowedProjects: string;
+  allowedZones: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateGcpAuthDTO = {
+  identityId: string;
+  type?: "iam" | "gce";
+  allowedServiceAccounts?: string;
+  allowedProjects?: string;
+  allowedZones?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+type TComputeEngineDetails = {
+  instance_creation_timestamp: number;
+  instance_id: string;
+  instance_name: string;
+  project_id: string;
+  project_number: number;
+  zone: string;
+};
+
+export type TGcpIdentityDetails = {
+  email: string;
+  computeEngineDetails?: TComputeEngineDetails;
+};
+
+export type TGcpIdTokenPayload = {
+  aud: string;
+  azp: string;
+  email: string;
+  email_verified: boolean;
+  exp: number;
+  google?: {
+    compute_engine: TComputeEngineDetails;
+  };
+  iat: number;
+  iss: string;
+  sub: string;
+};
+
+export type TDecodedGcpIamAuthJwt = {
+  header: {
+    alg: string;
+    kid: string;
+    typ: string;
+  };
+  payload: {
+    sub: string;
+    aud: string;
+  };
+  signature: string;
+  metadata: {
+    [key: string]: string;
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-validators.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+export const validateGcpAuthField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityKubernetesAuthDALFactory = ReturnType<typeof identityKubernetesAuthDALFactory>;
+
+export const identityKubernetesAuthDALFactory = (db: TDbClient) => {
+  const kubernetesAuthOrm = ormify(db, TableName.IdentityKubernetesAuth);
+  return kubernetesAuthOrm;
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-fns.ts

@@ -0,0 +1,15 @@
+/**
+ * Extracts the K8s service account name and namespace
+ * from the username in this format: system:serviceaccount:default:infisical-auth
+ */
+export const extractK8sUsername = (username: string) => {
+  const parts = username.split(":");
+  // Ensure that the username format is correct
+  if (parts.length === 4 && parts[0] === "system" && parts[1] === "serviceaccount") {
+    return {
+      namespace: parts[2],
+      name: parts[3]
+    };
+  }
+  throw new Error("Invalid username format");
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -0,0 +1,515 @@
+import { ForbiddenError } from "@casl/ability";
+import axios from "axios";
+import https from "https";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import {
+  decryptSymmetric,
+  encryptSymmetric,
+  generateAsymmetricKeyPair,
+  generateSymmetricKey,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityKubernetesAuthDALFactory } from "./identity-kubernetes-auth-dal";
+import { extractK8sUsername } from "./identity-kubernetes-auth-fns";
+import {
+  TAttachKubernetesAuthDTO,
+  TCreateTokenReviewResponse,
+  TGetKubernetesAuthDTO,
+  TLoginKubernetesAuthDTO,
+  TUpdateKubernetesAuthDTO
+} from "./identity-kubernetes-auth-types";
+
+type TIdentityKubernetesAuthServiceFactoryDep = {
+  identityKubernetesAuthDAL: Pick<
+    TIdentityKubernetesAuthDALFactory,
+    "create" | "findOne" | "transaction" | "updateById"
+  >;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityKubernetesAuthServiceFactory = ReturnType<typeof identityKubernetesAuthServiceFactory>;
+
+export const identityKubernetesAuthServiceFactory = ({
+  identityKubernetesAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  orgBotDAL,
+  permissionService,
+  licenseService
+}: TIdentityKubernetesAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: serviceAccountJwt }: TLoginKubernetesAuthDTO) => {
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+    if (!identityKubernetesAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
+      identityId: identityKubernetesAuth.identityId
+    });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
+      identityKubernetesAuth;
+
+    let caCert = "";
+    if (encryptedCaCert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCaCert,
+        iv: caCertIV,
+        tag: caCertTag,
+        key
+      });
+    }
+
+    let tokenReviewerJwt = "";
+    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
+      tokenReviewerJwt = decryptSymmetric({
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag,
+        key
+      });
+    }
+
+    const { data }: { data: TCreateTokenReviewResponse } = await axios.post(
+      `${identityKubernetesAuth.kubernetesHost}/apis/authentication.k8s.io/v1/tokenreviews`,
+      {
+        apiVersion: "authentication.k8s.io/v1",
+        kind: "TokenReview",
+        spec: {
+          token: serviceAccountJwt
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${tokenReviewerJwt}`
+        },
+        httpsAgent: new https.Agent({
+          ca: caCert,
+          rejectUnauthorized: !!caCert
+        })
+      }
+    );
+
+    if ("error" in data.status) throw new UnauthorizedError({ message: data.status.error });
+
+    // check the response to determine if the token is valid
+    if (!(data.status && data.status.authenticated)) throw new UnauthorizedError();
+
+    const { namespace: targetNamespace, name: targetName } = extractK8sUsername(data.status.user.username);
+
+    if (identityKubernetesAuth.allowedNamespaces) {
+      // validate if [targetNamespace] is in the list of allowed namespaces
+
+      const isNamespaceAllowed = identityKubernetesAuth.allowedNamespaces
+        .split(",")
+        .map((namespace) => namespace.trim())
+        .some((namespace) => namespace === targetNamespace);
+
+      if (!isNamespaceAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityKubernetesAuth.allowedNames) {
+      // validate if [targetName] is in the list of allowed names
+
+      const isNameAllowed = identityKubernetesAuth.allowedNames
+        .split(",")
+        .map((name) => name.trim())
+        .some((name) => name === targetName);
+
+      if (!isNameAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityKubernetesAuth.allowedAudience) {
+      // validate if [audience] is in the list of allowed audiences
+      const isAudienceAllowed = data.status.audiences.some(
+        (audience) => audience === identityKubernetesAuth.allowedAudience
+      );
+
+      if (!isAudienceAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityKubernetesAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityKubernetesAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityKubernetesAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachKubernetesAuth = async ({
+    identityId,
+    kubernetesHost,
+    caCert,
+    tokenReviewerJwt,
+    allowedNamespaces,
+    allowedNames,
+    allowedAudience,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add Kubernetes Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const orgBot = await orgBotDAL.transaction(async (tx) => {
+      const doc = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId }, tx);
+      if (doc) return doc;
+
+      const { privateKey, publicKey } = generateAsymmetricKeyPair();
+      const key = generateSymmetricKey();
+      const {
+        ciphertext: encryptedPrivateKey,
+        iv: privateKeyIV,
+        tag: privateKeyTag,
+        encoding: privateKeyKeyEncoding,
+        algorithm: privateKeyAlgorithm
+      } = infisicalSymmetricEncypt(privateKey);
+      const {
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        encoding: symmetricKeyKeyEncoding,
+        algorithm: symmetricKeyAlgorithm
+      } = infisicalSymmetricEncypt(key);
+
+      return orgBotDAL.create(
+        {
+          name: "Infisical org bot",
+          publicKey,
+          privateKeyIV,
+          encryptedPrivateKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          encryptedSymmetricKey,
+          symmetricKeyAlgorithm,
+          orgId: identityMembershipOrg.orgId,
+          privateKeyTag,
+          privateKeyAlgorithm,
+          privateKeyKeyEncoding,
+          symmetricKeyKeyEncoding
+        },
+        tx
+      );
+    });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { ciphertext: encryptedCaCert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+    const {
+      ciphertext: encryptedTokenReviewerJwt,
+      iv: tokenReviewerJwtIV,
+      tag: tokenReviewerJwtTag
+    } = encryptSymmetric(tokenReviewerJwt, key);
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const doc = await identityKubernetesAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          kubernetesHost,
+          encryptedCaCert,
+          caCertIV,
+          caCertTag,
+          encryptedTokenReviewerJwt,
+          tokenReviewerJwtIV,
+          tokenReviewerJwtTag,
+          allowedNamespaces,
+          allowedNames,
+          allowedAudience,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.KUBERNETES_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+
+    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateKubernetesAuth = async ({
+    identityId,
+    kubernetesHost,
+    caCert,
+    tokenReviewerJwt,
+    allowedNamespaces,
+    allowedNames,
+    allowedAudience,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update Kubernetes Auth"
+      });
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityKubernetesAuth.accessTokenMaxTTL) >
+        (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updateQuery: TIdentityKubernetesAuthsUpdate = {
+      kubernetesHost,
+      allowedNamespaces,
+      allowedNames,
+      allowedAudience,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    };
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    if (caCert !== undefined) {
+      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+      updateQuery.encryptedCaCert = encryptedCACert;
+      updateQuery.caCertIV = caCertIV;
+      updateQuery.caCertTag = caCertTag;
+    }
+
+    if (tokenReviewerJwt !== undefined) {
+      const {
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag
+      } = encryptSymmetric(tokenReviewerJwt, key);
+      updateQuery.encryptedTokenReviewerJwt = encryptedTokenReviewerJwt;
+      updateQuery.tokenReviewerJwtIV = tokenReviewerJwtIV;
+      updateQuery.tokenReviewerJwtTag = tokenReviewerJwtTag;
+    }
+
+    const updatedKubernetesAuth = await identityKubernetesAuthDAL.updateById(identityKubernetesAuth.id, updateQuery);
+
+    return { ...updatedKubernetesAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have Kubernetes Auth attached"
+      });
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
+      identityKubernetesAuth;
+
+    let caCert = "";
+    if (encryptedCaCert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCaCert,
+        iv: caCertIV,
+        tag: caCertTag,
+        key
+      });
+    }
+
+    let tokenReviewerJwt = "";
+    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
+      tokenReviewerJwt = decryptSymmetric({
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag,
+        key
+      });
+    }
+
+    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachKubernetesAuth,
+    updateKubernetesAuth,
+    getKubernetesAuth
+  };
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -0,0 +1,61 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginKubernetesAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachKubernetesAuthDTO = {
+  identityId: string;
+  kubernetesHost: string;
+  caCert: string;
+  tokenReviewerJwt: string;
+  allowedNamespaces: string;
+  allowedNames: string;
+  allowedAudience: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateKubernetesAuthDTO = {
+  identityId: string;
+  kubernetesHost?: string;
+  caCert?: string;
+  tokenReviewerJwt?: string;
+  allowedNamespaces?: string;
+  allowedNames?: string;
+  allowedAudience?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+type TCreateTokenReviewSuccessResponse = {
+  authenticated: true;
+  user: {
+    username: string;
+    uid: string;
+    groups: string[];
+  };
+  audiences: string[];
+};
+
+type TCreateTokenReviewErrorResponse = {
+  error: string;
+};
+
+export type TCreateTokenReviewResponse = {
+  apiVersion: "authentication.k8s.io/v1";
+  kind: "TokenReview";
+  spec: {
+    token: string;
+  };
+  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
+};

backend/src/services/identity-project/identity-project-dal.ts

@@ -10,11 +10,16 @@ export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFac
 export const identityProjectDALFactory = (db: TDbClient) => {
   const identityProjectOrm = ormify(db, TableName.IdentityProjectMembership);
 
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
+  const findByProjectId = async (projectId: string, filter: { identityId?: string } = {}, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.IdentityProjectMembership)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
         .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
+        .where((qb) => {
+          if (filter.identityId) {
+            void qb.where("identityId", filter.identityId);
+          }
+        })
         .join(
           TableName.IdentityProjectMembershipRole,
           `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,

backend/src/services/identity-project/identity-project-service.ts

@@ -18,6 +18,7 @@ import { TIdentityProjectMembershipRoleDALFactory } from "./identity-project-mem
 import {
   TCreateProjectIdentityDTO,
   TDeleteProjectIdentityDTO,
+  TGetProjectIdentityByIdentityIdDTO,
   TListProjectIdentityDTO,
   TUpdateProjectIdentityDTO
 } from "./identity-project-types";
@@ -51,7 +52,7 @@ export const identityProjectServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     projectId,
-    role
+    roles
   }: TCreateProjectIdentityDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -78,17 +79,33 @@ export const identityProjectServiceFactory = ({
         message: `Failed to find identity with id ${identityId}`
       });
 
-    const { permission: rolePermission, role: customRole } = await permissionService.getProjectPermissionByRole(
-      role,
-      project.id
-    );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasPriviledge)
-      throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
-      });
-    const isCustomRole = Boolean(customRole);
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        projectId
+      );
 
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
+    }
+
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+    );
+    const hasCustomRole = Boolean(customInputRoles.length);
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
     const projectIdentity = await identityProjectDAL.transaction(async (tx) => {
       const identityProjectMembership = await identityProjectDAL.create(
         {
@@ -97,16 +114,32 @@ export const identityProjectServiceFactory = ({
         },
         tx
       );
+      const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
+        const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+        if (!inputRole.isTemporary) {
+          return {
+            projectMembershipId: identityProjectMembership.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+            customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+          };
+        }
 
-      await identityProjectMembershipRoleDAL.create(
-        {
+        // check cron or relative here later for now its just relative
+        const relativeTimeInMs = ms(inputRole.temporaryRange);
+        return {
           projectMembershipId: identityProjectMembership.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          customRoleId: customRole?.id
-        },
-        tx
-      );
-      return identityProjectMembership;
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+          isTemporary: true,
+          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+          temporaryRange: inputRole.temporaryRange,
+          temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+          temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+        };
+      });
+
+      const identityRoles = await identityProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
+      return { ...identityProjectMembership, roles: identityRoles };
     });
     return projectIdentity;
   };
@@ -135,16 +168,18 @@ export const identityProjectServiceFactory = ({
         message: `Identity with id ${identityId} doesn't exists in project with id ${projectId}`
       });
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      projectIdentity.identityId,
-      projectIdentity.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        projectId
+      );
+
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
+    }
 
     // validate custom roles input
     const customInputRoles = roles.filter(
@@ -248,10 +283,33 @@ export const identityProjectServiceFactory = ({
     return identityMemberships;
   };
 
+  const getProjectIdentityByIdentityId = async ({
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    identityId
+  }: TGetProjectIdentityByIdentityIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+
+    const [identityMembership] = await identityProjectDAL.findByProjectId(projectId, { identityId });
+    if (!identityMembership) throw new BadRequestError({ message: `Membership not found for identity ${identityId}` });
+    return identityMembership;
+  };
+
   return {
     createProjectIdentity,
     updateProjectIdentity,
     deleteProjectIdentity,
-    listProjectIdentities
+    listProjectIdentities,
+    getProjectIdentityByIdentityId
   };
 };

backend/src/services/identity-project/identity-project-types.ts

@@ -4,7 +4,19 @@ import { ProjectUserMembershipTemporaryMode } from "../project-membership/projec
 
 export type TCreateProjectIdentityDTO = {
   identityId: string;
-  role: string;
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
 } & TProjectPermission;
 
 export type TUpdateProjectIdentityDTO = {
@@ -29,3 +41,7 @@ export type TDeleteProjectIdentityDTO = {
 } & TProjectPermission;
 
 export type TListProjectIdentityDTO = TProjectPermission;
+
+export type TGetProjectIdentityByIdentityIdDTO = {
+  identityId: string;
+} & TProjectPermission;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,9 +9,12 @@
 
 import {
   CreateSecretCommand,
+  DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
+  TagResourceCommand,
+  UntagResourceCommand,
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { Octokit } from "@octokit/rest";
@@ -459,27 +462,39 @@ const syncSecretsAWSParameterStore = async ({
   ssm.config.update(config);
 
   const metadata = z.record(z.any()).parse(integration.metadata || {});
+  const awsParameterStoreSecretsObj: Record<string, AWS.SSM.Parameter> = {};
 
-  const params = {
-    Path: integration.path as string,
-    Recursive: false,
-    WithDecryption: true
-  };
+  // now fetch all aws parameter store secrets
+  let hasNext = true;
+  let nextToken: string | undefined;
+  while (hasNext) {
+    const parameters = await ssm
+      .getParametersByPath({
+        Path: integration.path as string,
+        Recursive: false,
+        WithDecryption: true,
+        MaxResults: 10,
+        NextToken: nextToken
+      })
+      .promise();
 
-  const parameterList = (await ssm.getParametersByPath(params).promise()).Parameters;
+    if (parameters.Parameters) {
+      parameters.Parameters.forEach((parameter) => {
+        if (parameter.Name) {
+          const secKey = parameter.Name.substring((integration.path as string).length);
+          awsParameterStoreSecretsObj[secKey] = parameter;
+        }
+      });
+    }
+    hasNext = Boolean(parameters.NextToken);
+    nextToken = parameters.NextToken;
+  }
 
-  const awsParameterStoreSecretsObj = (parameterList || [])
-    .filter(({ Name }) => Boolean(Name))
-    .reduce(
-      (obj, secret) => ({
-        ...obj,
-        [(secret.Name as string).substring((integration.path as string).length)]: secret
-      }),
-      {} as Record<string, AWS.SSM.Parameter>
-    );
   // Identify secrets to create
-  await Promise.all(
-    Object.keys(secrets).map(async (key) => {
+  // don't use Promise.all() and promise map here
+  // it will cause rate limit
+  for (const key in secrets) {
+    if (Object.hasOwn(secrets, key)) {
       if (!(key in awsParameterStoreSecretsObj)) {
         // case: secret does not exist in AWS parameter store
         // -> create secret
@@ -514,23 +529,31 @@ const syncSecretsAWSParameterStore = async ({
           })
           .promise();
       }
-    })
-  );
 
-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
+      await new Promise((resolve) => {
+        setTimeout(resolve, 50);
+      });
+    }
+  }
+
+  if (!metadata.shouldDisableDelete) {
+    for (const key in awsParameterStoreSecretsObj) {
+      if (Object.hasOwn(awsParameterStoreSecretsObj, key)) {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+        await new Promise((resolve) => {
+          setTimeout(resolve, 50);
+        });
       }
-    })
-  );
+    }
+  }
 };
 
 /**
@@ -572,6 +595,7 @@ const syncSecretsAWSSecretManager = async ({
     if (awsSecretManagerSecret?.SecretString) {
       awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
+
     if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
       await secretsManager.send(
         new UpdateSecretCommand({
@@ -580,7 +604,88 @@ const syncSecretsAWSSecretManager = async ({
         })
       );
     }
+
+    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+
+    if (secretAWSTag && secretAWSTag.length) {
+      const describedSecret = await secretsManager.send(
+        // requires secretsmanager:DescribeSecret policy
+        new DescribeSecretCommand({
+          SecretId: integration.app as string
+        })
+      );
+
+      if (!describedSecret.Tags) return;
+
+      const integrationTagObj = secretAWSTag.reduce(
+        (acc, item) => {
+          acc[item.key] = item.value;
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const awsTagObj = (describedSecret.Tags || []).reduce(
+        (acc, item) => {
+          if (item.Key && item.Value) {
+            acc[item.Key] = item.Value;
+          }
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const tagsToUpdate: { Key: string; Value: string }[] = [];
+      const tagsToDelete: { Key: string; Value: string }[] = [];
+
+      describedSecret.Tags?.forEach((tag) => {
+        if (tag.Key && tag.Value) {
+          if (!(tag.Key in integrationTagObj)) {
+            // delete tag from AWS secret manager
+            tagsToDelete.push({
+              Key: tag.Key,
+              Value: tag.Value
+            });
+          } else if (tag.Value !== integrationTagObj[tag.Key]) {
+            // update tag in AWS secret manager
+            tagsToUpdate.push({
+              Key: tag.Key,
+              Value: integrationTagObj[tag.Key]
+            });
+          }
+        }
+      });
+
+      secretAWSTag?.forEach((tag) => {
+        if (!(tag.key in awsTagObj)) {
+          // create tag in AWS secret manager
+          tagsToUpdate.push({
+            Key: tag.key,
+            Value: tag.value
+          });
+        }
+      });
+
+      if (tagsToUpdate.length) {
+        await secretsManager.send(
+          new TagResourceCommand({
+            SecretId: integration.app as string,
+            Tags: tagsToUpdate
+          })
+        );
+      }
+
+      if (tagsToDelete.length) {
+        await secretsManager.send(
+          new UntagResourceCommand({
+            SecretId: integration.app as string,
+            TagKeys: tagsToDelete.map((tag) => tag.Key)
+          })
+        );
+      }
+    }
   } catch (err) {
+    // case when AWS manager can't find the specified secret
     if (err instanceof ResourceNotFoundException && secretsManager) {
       await secretsManager.send(
         new CreateSecretCommand({

backend/src/services/integration/integration-service.ts

@@ -103,7 +103,8 @@ export const integrationServiceFactory = ({
     owner,
     isActive,
     environment,
-    secretPath
+    secretPath,
+    metadata
   }: TUpdateIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
@@ -127,7 +128,17 @@ export const integrationServiceFactory = ({
       appId,
       targetEnvironment,
       owner,
-      secretPath
+      secretPath,
+      metadata: {
+        ...(integration.metadata as object),
+        ...metadata
+      }
+    });
+
+    await secretQueueService.syncIntegrations({
+      environment: folder.environment.slug,
+      secretPath,
+      projectId: folder.projectId
     });
 
     return updatedIntegration;

backend/src/services/integration/integration-types.ts

@@ -27,18 +27,33 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateIntegrationDTO = {
   id: string;
-  app: string;
-  appId: string;
+  app?: string;
+  appId?: string;
   isActive?: boolean;
   secretPath: string;
   targetEnvironment: string;
   owner: string;
   environment: string;
+  metadata?: {
+    secretPrefix?: string;
+    secretSuffix?: string;
+    secretGCPLabel?: {
+      labelName: string;
+      labelValue: string;
+    };
+    secretAWSTag?: {
+      key: string;
+      value: string;
+    }[];
+    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
+  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteIntegrationDTO = {

backend/src/services/org/org-service.ts

@@ -546,6 +546,10 @@ export const orgServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged

backend/src/services/project-membership/project-membership-dal.ts

@@ -9,11 +9,19 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   const projectMemberOrm = ormify(db, TableName.ProjectMembership);
 
   // special query
-  const findAllProjectMembers = async (projectId: string) => {
+  const findAllProjectMembers = async (projectId: string, filter: { usernames?: string[]; username?: string } = {}) => {
     try {
       const docs = await db(TableName.ProjectMembership)
         .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .where((qb) => {
+          if (filter.usernames) {
+            void qb.whereIn("username", filter.usernames);
+          }
+          if (filter.username) {
+            void qb.where("username", filter.username);
+          }
+        })
         .join<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
           `${TableName.UserEncryptionKey}.userId`,

backend/src/services/project-membership/project-membership-service.ts

@@ -34,6 +34,7 @@ import {
   TAddUsersToWorkspaceNonE2EEDTO,
   TDeleteProjectMembershipOldDTO,
   TDeleteProjectMembershipsDTO,
+  TGetProjectMembershipByUsernameDTO,
   TGetProjectMembershipDTO,
   TUpdateProjectMembershipDTO
 } from "./project-membership-types";
@@ -89,6 +90,28 @@ export const projectMembershipServiceFactory = ({
     return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
+  const getProjectMembershipByUsername = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    username
+  }: TGetProjectMembershipByUsernameDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+
+    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
+    if (!membership) throw new BadRequestError({ message: `Project membership not found for user ${username}` });
+    return membership;
+  };
+
   const addUsersToProject = async ({
     projectId,
     actorId,
@@ -510,6 +533,7 @@ export const projectMembershipServiceFactory = ({
 
   return {
     getProjectMemberships,
+    getProjectMembershipByUsername,
     updateProjectMembership,
     addUsersToProjectNonE2EE,
     deleteProjectMemberships,

backend/src/services/project-membership/project-membership-types.ts

@@ -9,6 +9,10 @@ export type TInviteUserToProjectDTO = {
   emails: string[];
 } & TProjectPermission;
 
+export type TGetProjectMembershipByUsernameDTO = {
+  username: string;
+} & TProjectPermission;
+
 export type TUpdateProjectMembershipDTO = {
   membershipId: string;
   roles: (

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,9 +8,16 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
+import {
+  TCreateFolderDTO,
+  TDeleteFolderDTO,
+  TGetFolderDTO,
+  TUpdateFolderDTO,
+  TUpdateManyFoldersDTO
+} from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -19,6 +26,7 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -28,7 +36,8 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL
+  folderVersionDAL,
+  projectDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -116,6 +125,105 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
+  const updateManyFolders = async ({
+    actor,
+    actorId,
+    projectSlug,
+    actorAuthMethod,
+    actorOrgId,
+    folders
+  }: TUpdateManyFoldersDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    });
+
+    const result = await folderDAL.transaction(async (tx) =>
+      Promise.all(
+        folders.map(async (newFolder) => {
+          const { environment, path: secretPath, id, name } = newFolder;
+
+          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          if (!parentFolder) {
+            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
+          }
+
+          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          if (!env) {
+            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
+          }
+          const folder = await folderDAL
+            .findOne({ envId: env.id, id, parentId: parentFolder.id })
+            // now folder api accepts id based change
+            // this is for cli backward compatiability and when cli removes this, we will remove this logic
+            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
+
+          if (!folder) {
+            throw new BadRequestError({ message: "Folder not found" });
+          }
+          if (name !== folder.name) {
+            // ensure that new folder name is unique
+            const folderToCheck = await folderDAL.findOne({
+              name,
+              envId: env.id,
+              parentId: parentFolder.id
+            });
+
+            if (folderToCheck) {
+              throw new BadRequestError({
+                message: "Folder with specified name already exists",
+                name: "Batch update folder"
+              });
+            }
+          }
+
+          const [doc] = await folderDAL.update(
+            { envId: env.id, id: folder.id, parentId: parentFolder.id },
+            { name },
+            tx
+          );
+          await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id
+            },
+            tx
+          );
+          if (!doc) {
+            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
+          }
+
+          return { oldFolder: folder, newFolder: doc };
+        })
+      )
+    );
+
+    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
+
+    return {
+      projectId: project.id,
+      newFolders: result.map((res) => res.newFolder),
+      oldFolders: result.map((res) => res.oldFolder)
+    };
+  };
+
   const updateFolder = async ({
     projectId,
     actor,
@@ -151,6 +259,21 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (name !== folder.name) {
+      // ensure that new folder name is unique
+      const folderToCheck = await folderDAL.findOne({
+        name,
+        envId: env.id,
+        parentId: parentFolder.id
+      });
+
+      if (folderToCheck) {
+        throw new BadRequestError({
+          message: "Folder with specified name already exists",
+          name: "Update folder"
+        });
+      }
+    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -239,6 +362,7 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
+    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,6 +13,16 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
+export type TUpdateManyFoldersDTO = {
+  projectSlug: string;
+  folders: {
+    environment: string;
+    path: string;
+    id: string;
+    name: string;
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;

backend/src/services/secret/secret-dal.ts

@@ -243,6 +243,74 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
+  const upsertSecretReferences = async (
+    data: {
+      secretId: string;
+      references: Array<{ environment: string; secretPath: string }>;
+    }[] = [],
+    tx?: Knex
+  ) => {
+    try {
+      if (!data.length) return;
+
+      await (tx || db)(TableName.SecretReference)
+        .whereIn(
+          "secretId",
+          data.map(({ secretId }) => secretId)
+        )
+        .delete();
+      const newSecretReferences = data
+        .filter(({ references }) => references.length)
+        .flatMap(({ secretId, references }) =>
+          references.map(({ environment, secretPath }) => ({
+            secretPath,
+            secretId,
+            environment
+          }))
+        );
+      if (!newSecretReferences.length) return;
+      const secretReferences = await (tx || db)(TableName.SecretReference).insert(newSecretReferences);
+      return secretReferences;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "UpsertSecretReference" });
+    }
+  };
+
+  const findReferencedSecretReferences = async (projectId: string, envSlug: string, secretPath: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.SecretReference)
+        .where({
+          secretPath,
+          environment: envSlug
+        })
+        .join(TableName.Secret, `${TableName.Secret}.id`, `${TableName.SecretReference}.secretId`)
+        .join(TableName.SecretFolder, `${TableName.Secret}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .where("projectId", projectId)
+        .select(selectAllTableCols(TableName.SecretReference))
+        .select("folderId");
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindReferencedSecretReferences" });
+    }
+  };
+
+  // special query to backfill secret value
+  const findAllProjectSecretValues = async (projectId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.Secret)
+        .join(TableName.SecretFolder, `${TableName.Secret}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .where("projectId", projectId)
+        // not empty
+        .whereNotNull("secretValueCiphertext")
+        .select("secretValueTag", "secretValueCiphertext", "secretValueIV", `${TableName.Secret}.id` as "id");
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindAllProjectSecretValues" });
+    }
+  };
+
   return {
     ...secretOrm,
     update,
@@ -252,6 +320,9 @@ export const secretDALFactory = (db: TDbClient) => {
     getSecretTags,
     findByFolderId,
     findByFolderIds,
-    findByBlindIndexes
+    findByBlindIndexes,
+    upsertSecretReferences,
+    findReferencedSecretReferences,
+    findAllProjectSecretValues
   };
 };

backend/src/services/secret/secret-fns.ts

@@ -194,6 +194,7 @@ type TInterpolateSecretArg = {
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
 };
 
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
 export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderDAL }: TInterpolateSecretArg) => {
   const fetchSecretsCrossEnv = () => {
     const fetchCache: Record<string, Record<string, string>> = {};
@@ -235,7 +236,6 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
     };
   };
 
-  const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
   const recursivelyExpandSecret = async (
     expandedSec: Record<string, string>,
     interpolatedSec: Record<string, string>,
@@ -353,7 +353,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
 };
 
 export const decryptSecretRaw = (
-  secret: TSecrets & { workspace: string; environment: string; secretPath?: string },
+  secret: TSecrets & { workspace: string; environment: string; secretPath: string },
   key: string
 ) => {
   const secretKey = decryptSymmetric128BitHexKeyUTF8({
@@ -396,6 +396,37 @@ export const decryptSecretRaw = (
   };
 };
 
+/**
+ * Grabs and processes nested secret references from a string
+ *
+ * This function looks for patterns that match the interpolation syntax in the input string.
+ * It filters out references that include nested paths, splits them into environment and
+ * secret path parts, and then returns an array of objects with the environment and the
+ * joined secret path.
+ *
+ * @param {string} maybeSecretReference - The string that has the potential secret references.
+ * @returns {Array<{ environment: string, secretPath: string }>} - An array of objects
+ * with the environment and joined secret path.
+ *
+ * @example
+ * const value = "Hello ${dev.someFolder.OtherFolder.SECRET_NAME} and ${prod.anotherFolder.SECRET_NAME}";
+ * const result = getAllNestedSecretReferences(value);
+ * // result will be:
+ * // [
+ * //   { environment: 'dev', secretPath: '/someFolder/OtherFolder' },
+ * //   { environment: 'prod', secretPath: '/anotherFolder' }
+ * // ]
+ */
+export const getAllNestedSecretReferences = (maybeSecretReference: string) => {
+  const references = Array.from(maybeSecretReference.matchAll(INTERPOLATION_SYNTAX_REG), (m) => m[1]);
+  return references
+    .filter((el) => el.includes("."))
+    .map((el) => {
+      const [environment, ...secretPathList] = el.split(".");
+      return { environment, secretPath: path.join("/", ...secretPathList.slice(0, -1)) };
+    });
+};
+
 /**
  * Checks and handles secrets using a blind index method.
  * The function generates mappings between secret names and their blind indexes, validates user IDs for personal secrets, and retrieves secrets from the database based on their blind indexes.
@@ -467,7 +498,7 @@ export const fnSecretBulkInsert = async ({
   tx
 }: TFnSecretBulkInsert) => {
   const newSecrets = await secretDAL.insertMany(
-    inputSecrets.map(({ tags, ...el }) => ({ ...el, folderId })),
+    inputSecrets.map(({ tags, references, ...el }) => ({ ...el, folderId })),
     tx
   );
   const newSecretGroupByBlindIndex = groupBy(newSecrets, (item) => item.secretBlindIndex as string);
@@ -478,13 +509,20 @@ export const fnSecretBulkInsert = async ({
     }))
   );
   const secretVersions = await secretVersionDAL.insertMany(
-    inputSecrets.map(({ tags, ...el }) => ({
+    inputSecrets.map(({ tags, references, ...el }) => ({
       ...el,
       folderId,
       secretId: newSecretGroupByBlindIndex[el.secretBlindIndex as string][0].id
     })),
     tx
   );
+  await secretDAL.upsertSecretReferences(
+    inputSecrets.map(({ references = [], secretBlindIndex }) => ({
+      secretId: newSecretGroupByBlindIndex[secretBlindIndex as string][0].id,
+      references
+    })),
+    tx
+  );
   if (newSecretTags.length) {
     const secTags = await secretTagDAL.saveTagsToSecret(newSecretTags, tx);
     const secVersionsGroupBySecId = groupBy(secretVersions, (i) => i.secretId);
@@ -509,7 +547,7 @@ export const fnSecretBulkUpdate = async ({
   secretVersionTagDAL
 }: TFnSecretBulkUpdate) => {
   const newSecrets = await secretDAL.bulkUpdate(
-    inputSecrets.map(({ filter, data: { tags, ...data } }) => ({
+    inputSecrets.map(({ filter, data: { tags, references, ...data } }) => ({
       filter: { ...filter, folderId },
       data
     })),
@@ -522,6 +560,15 @@ export const fnSecretBulkUpdate = async ({
     })),
     tx
   );
+  await secretDAL.upsertSecretReferences(
+    inputSecrets
+      .filter(({ data: { references } }) => Boolean(references))
+      .map(({ data: { references = [] } }, i) => ({
+        secretId: newSecrets[i].id,
+        references
+      })),
+    tx
+  );
   const secsUpdatedTag = inputSecrets.flatMap(({ data: { tags } }, i) =>
     tags !== undefined ? { tags, secretId: newSecrets[i].id } : []
   );
@@ -591,50 +638,39 @@ export const createManySecretsRawFnFactory = ({
       folderId,
       isNew: true,
       blindIndexCfg,
+      userId,
       secretDAL
     });
 
-    const inputSecrets = await Promise.all(
-      secrets.map(async (secret) => {
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
+    const inputSecrets = secrets.map((secret) => {
+      const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
+      const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
+      const secretReferences = getAllNestedSecretReferences(secret.secretValue || "");
+      const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
 
-        if (secret.type === SecretType.Personal) {
-          if (!userId) throw new BadRequestError({ message: "Missing user id for personal secret" });
-          const sharedExist = await secretDAL.findOne({
-            secretBlindIndex: keyName2BlindIndex[secret.secretName],
-            folderId,
-            type: SecretType.Shared
-          });
+      return {
+        type: secret.type,
+        userId: secret.type === SecretType.Personal ? userId : null,
+        secretName: secret.secretName,
+        secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+        secretKeyIV: secretKeyEncrypted.iv,
+        secretKeyTag: secretKeyEncrypted.tag,
+        secretValueCiphertext: secretValueEncrypted.ciphertext,
+        secretValueIV: secretValueEncrypted.iv,
+        secretValueTag: secretValueEncrypted.tag,
+        secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+        secretCommentIV: secretCommentEncrypted.iv,
+        secretCommentTag: secretCommentEncrypted.tag,
+        skipMultilineEncoding: secret.skipMultilineEncoding,
+        tags: secret.tags,
+        references: secretReferences
+      };
+    });
 
-          if (!sharedExist)
-            throw new BadRequestError({
-              message: "Failed to create personal secret override for no corresponding shared secret"
-            });
-        }
-
-        const tags = secret.tags ? await secretTagDAL.findManyTagsById(projectId, secret.tags) : [];
-        if ((secret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
-
-        return {
-          type: secret.type,
-          userId: secret.type === SecretType.Personal ? userId : null,
-          secretName: secret.secretName,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          tags: secret.tags
-        };
-      })
-    );
+    // get all tags
+    const tagIds = inputSecrets.flatMap(({ tags = [] }) => tags);
+    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
+    if (tags.length !== tagIds.length) throw new BadRequestError({ message: "Tag not found" });
 
     const newSecrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkInsert({
@@ -703,56 +739,35 @@ export const updateManySecretsRawFnFactory = ({
       userId
     });
 
-    const inputSecrets = await Promise.all(
-      secrets.map(async (secret) => {
-        if (secret.newSecretName === "") {
-          throw new BadRequestError({ message: "New secret name cannot be empty" });
-        }
+    const inputSecrets = secrets.map((secret) => {
+      if (secret.newSecretName === "") {
+        throw new BadRequestError({ message: "New secret name cannot be empty" });
+      }
 
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
+      const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
+      const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
+      const secretReferences = getAllNestedSecretReferences(secret.secretValue || "");
+      const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
 
-        if (secret.type === SecretType.Personal) {
-          if (!userId) throw new BadRequestError({ message: "Missing user id for personal secret" });
-
-          const sharedExist = await secretDAL.findOne({
-            secretBlindIndex: keyName2BlindIndex[secret.secretName],
-            folderId,
-            type: SecretType.Shared
-          });
-
-          if (!sharedExist)
-            throw new BadRequestError({
-              message: "Failed to update personal secret override for no corresponding shared secret"
-            });
-
-          if (secret.newSecretName)
-            throw new BadRequestError({ message: "Personal secret cannot change the key name" });
-        }
-
-        const tags = secret.tags ? await secretTagDAL.findManyTagsById(projectId, secret.tags) : [];
-        if ((secret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
-
-        return {
-          type: secret.type,
-          userId: secret.type === SecretType.Personal ? userId : null,
-          secretName: secret.secretName,
-          newSecretName: secret.newSecretName,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          tags: secret.tags
-        };
-      })
-    );
+      return {
+        type: secret.type,
+        userId: secret.type === SecretType.Personal ? userId : null,
+        secretName: secret.secretName,
+        newSecretName: secret.newSecretName,
+        secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+        secretKeyIV: secretKeyEncrypted.iv,
+        secretKeyTag: secretKeyEncrypted.tag,
+        secretValueCiphertext: secretValueEncrypted.ciphertext,
+        secretValueIV: secretValueEncrypted.iv,
+        secretValueTag: secretValueEncrypted.tag,
+        secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+        secretCommentIV: secretCommentEncrypted.iv,
+        secretCommentTag: secretCommentEncrypted.tag,
+        skipMultilineEncoding: secret.skipMultilineEncoding,
+        tags: secret.tags,
+        references: secretReferences
+      };
+    });
 
     const tagIds = inputSecrets.flatMap(({ tags = [] }) => tags);
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];

backend/src/services/secret/secret-queue.ts

@@ -59,6 +59,7 @@ export type TGetSecrets = {
 };
 
 const MAX_SYNC_SECRET_DEPTH = 5;
+const uniqueIntegrationKey = (environment: string, secretPath: string) => `integration-${environment}-${secretPath}`;
 
 export const secretQueueFactory = ({
   queueService,
@@ -102,28 +103,35 @@ export const secretQueueFactory = ({
     folderDAL
   });
 
-  const syncIntegrations = async (dto: TGetSecrets) => {
+  const syncIntegrations = async (dto: TGetSecrets & { deDupeQueue?: Record<string, boolean> }) => {
     await queueService.queue(QueueName.IntegrationSync, QueueJobs.IntegrationSync, dto, {
-      attempts: 5,
+      attempts: 3,
       delay: 1000,
       backoff: {
         type: "exponential",
         delay: 3000
       },
       removeOnComplete: true,
-      removeOnFail: {
-        count: 5 // keep the most recent  jobs
-      }
+      removeOnFail: true
     });
   };
 
-  const syncSecrets = async (dto: TGetSecrets & { depth?: number }) => {
+  const syncSecrets = async ({
+    deDupeQueue = {},
+    ...dto
+  }: TGetSecrets & { depth?: number; deDupeQueue?: Record<string, boolean> }) => {
+    const deDuplicationKey = uniqueIntegrationKey(dto.environment, dto.secretPath);
+    if (deDupeQueue?.[deDuplicationKey]) {
+      return;
+    }
+    // eslint-disable-next-line
+    deDupeQueue[deDuplicationKey] = true;
     logger.info(
       `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environment}] [path=${dto.secretPath}]`
     );
     await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, dto, {
       jobId: `secret-webhook-${dto.environment}-${dto.projectId}-${dto.secretPath}`,
-      removeOnFail: { count: 5 },
+      removeOnFail: true,
       removeOnComplete: true,
       delay: 1000,
       attempts: 5,
@@ -132,7 +140,7 @@ export const secretQueueFactory = ({
         delay: 3000
       }
     });
-    await syncIntegrations(dto);
+    await syncIntegrations({ ...dto, deDupeQueue });
   };
 
   const removeSecretReminder = async (dto: TRemoveSecretReminderDTO) => {
@@ -326,7 +334,7 @@ export const secretQueueFactory = ({
   };
 
   queueService.start(QueueName.IntegrationSync, async (job) => {
-    const { environment, projectId, secretPath, depth = 1 } = job.data;
+    const { environment, projectId, secretPath, depth = 1, deDupeQueue = {} } = job.data;
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) {
@@ -349,21 +357,68 @@ export const secretQueueFactory = ({
         const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
         const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
         const foldersGroupedById = groupBy(importedFolders, (i) => i.child || i.id);
+        logger.info(
+          `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+        );
         await Promise.all(
           imports
             .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0].path))
-            .map(({ folderId }) => {
-              const syncDto = {
+            // filter out already synced ones
+            .filter(
+              ({ folderId }) =>
+                !deDupeQueue[
+                  uniqueIntegrationKey(
+                    foldersGroupedById[folderId][0].environmentSlug,
+                    foldersGroupedById[folderId][0].path
+                  )
+                ]
+            )
+            .map(({ folderId }) =>
+              syncSecrets({
                 depth: depth + 1,
                 projectId,
                 secretPath: foldersGroupedById[folderId][0].path,
-                environment: foldersGroupedById[folderId][0].environmentSlug
-              };
-              logger.info(
-                `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
-              );
-              return syncSecrets(syncDto);
-            })
+                environment: foldersGroupedById[folderId][0].environmentSlug,
+                deDupeQueue
+              })
+            )
+        );
+      }
+
+      const secretReferences = await secretDAL.findReferencedSecretReferences(
+        projectId,
+        folder.environment.slug,
+        secretPath
+      );
+      if (secretReferences.length) {
+        const referencedFolderIds = unique(secretReferences, (i) => i.folderId).map(({ folderId }) => folderId);
+        const referencedFolders = await folderDAL.findSecretPathByFolderIds(projectId, referencedFolderIds);
+        const referencedFoldersGroupedById = groupBy(referencedFolders, (i) => i.child || i.id);
+        logger.info(
+          `getIntegrationSecrets: Syncing secret due to reference change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+        );
+        await Promise.all(
+          secretReferences
+            .filter(({ folderId }) => Boolean(referencedFoldersGroupedById[folderId][0].path))
+            // filter out already synced ones
+            .filter(
+              ({ folderId }) =>
+                !deDupeQueue[
+                  uniqueIntegrationKey(
+                    referencedFoldersGroupedById[folderId][0].environmentSlug,
+                    referencedFoldersGroupedById[folderId][0].path
+                  )
+                ]
+            )
+            .map(({ folderId }) =>
+              syncSecrets({
+                depth: depth + 1,
+                projectId,
+                secretPath: referencedFoldersGroupedById[folderId][0].path,
+                environment: referencedFoldersGroupedById[folderId][0].environmentSlug,
+                deDupeQueue
+              })
+            )
         );
       }
     } else {

backend/src/services/secret/secret-service.ts

@@ -2,12 +2,22 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { SecretEncryptionAlgo, SecretKeyEncoding, SecretsSchema, SecretType } from "@app/db/schemas";
+import {
+  ProjectMembershipRole,
+  SecretEncryptionAlgo,
+  SecretKeyEncoding,
+  SecretsSchema,
+  SecretType
+} from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { getConfig } from "@app/lib/config/env";
-import { buildSecretBlindIndexFromName, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import {
+  buildSecretBlindIndexFromName,
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptSymmetric128BitHexKeyUTF8
+} from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { groupBy, pick } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@@ -27,12 +37,14 @@ import {
   fnSecretBlindIndexCheck,
   fnSecretBulkInsert,
   fnSecretBulkUpdate,
+  getAllNestedSecretReferences,
   interpolateSecrets,
   recursivelyGetSecretPaths
 } from "./secret-fns";
 import { TSecretQueueFactory } from "./secret-queue";
 import {
   TAttachSecretTagsDTO,
+  TBackFillSecretReferencesDTO,
   TCreateBulkSecretDTO,
   TCreateManySecretRawDTO,
   TCreateSecretDTO,
@@ -91,6 +103,22 @@ export const secretServiceFactory = ({
   secretImportDAL,
   secretVersionTagDAL
 }: TSecretServiceFactoryDep) => {
+  const getSecretReference = async (projectId: string) => {
+    // if bot key missing means e2e still exist
+    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
+    return (el: { ciphertext?: string; iv: string; tag: string }) =>
+      botKey
+        ? getAllNestedSecretReferences(
+            decryptSymmetric128BitHexKeyUTF8({
+              ciphertext: el.ciphertext || "",
+              iv: el.iv,
+              tag: el.tag,
+              key: botKey
+            })
+          )
+        : undefined;
+  };
+
   // utility function to get secret blind index data
   const interalGenSecBlindIndexByName = async (projectId: string, secretName: string) => {
     const appCfg = getConfig();
@@ -225,6 +253,7 @@ export const secretServiceFactory = ({
     if ((inputSecret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
 
     const { secretName, type, ...el } = inputSecret;
+    const references = await getSecretReference(projectId);
     const secret = await secretDAL.transaction((tx) =>
       fnSecretBulkInsert({
         folderId,
@@ -237,7 +266,12 @@ export const secretServiceFactory = ({
             userId: inputSecret.type === SecretType.Personal ? actorId : null,
             algorithm: SecretEncryptionAlgo.AES_256_GCM,
             keyEncoding: SecretKeyEncoding.UTF8,
-            tags: inputSecret.tags
+            tags: inputSecret.tags,
+            references: references({
+              ciphertext: inputSecret.secretValueCiphertext,
+              iv: inputSecret.secretValueIV,
+              tag: inputSecret.secretValueTag
+            })
           }
         ],
         secretDAL,
@@ -251,7 +285,7 @@ export const secretServiceFactory = ({
     await snapshotService.performSnapshot(folderId);
     await secretQueueService.syncSecrets({ secretPath: path, projectId, environment });
     // TODO(akhilmhdh-pg): licence check, posthog service and snapshot
-    return { ...secret[0], environment, workspace: projectId, tags };
+    return { ...secret[0], environment, workspace: projectId, tags, secretPath: path };
   };
 
   const updateSecret = async ({
@@ -335,6 +369,7 @@ export const secretServiceFactory = ({
 
     const { secretName, ...el } = inputSecret;
 
+    const references = await getSecretReference(projectId);
     const updatedSecret = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
@@ -360,7 +395,12 @@ export const secretServiceFactory = ({
                 "secretReminderRepeatDays",
                 "tags"
               ]),
-              secretBlindIndex: newSecretNameBlindIndex || keyName2BlindIndex[secretName]
+              secretBlindIndex: newSecretNameBlindIndex || keyName2BlindIndex[secretName],
+              references: references({
+                ciphertext: inputSecret.secretValueCiphertext,
+                iv: inputSecret.secretValueIV,
+                tag: inputSecret.secretValueTag
+              })
             }
           }
         ],
@@ -375,7 +415,7 @@ export const secretServiceFactory = ({
     await snapshotService.performSnapshot(folderId);
     await secretQueueService.syncSecrets({ secretPath: path, projectId, environment });
     // TODO(akhilmhdh-pg): licence check, posthog service and snapshot
-    return { ...updatedSecret[0], workspace: projectId, environment };
+    return { ...updatedSecret[0], workspace: projectId, environment, secretPath: path };
   };
 
   const deleteSecret = async ({
@@ -444,7 +484,7 @@ export const secretServiceFactory = ({
     await secretQueueService.syncSecrets({ secretPath: path, projectId, environment });
 
     // TODO(akhilmhdh-pg): licence check, posthog service and snapshot
-    return { ...deletedSecret[0], _id: deletedSecret[0].id, workspace: projectId, environment };
+    return { ...deletedSecret[0], _id: deletedSecret[0].id, workspace: projectId, environment, secretPath: path };
   };
 
   const getSecrets = async ({
@@ -641,7 +681,8 @@ export const secretServiceFactory = ({
             return {
               ...importedSecrets[i].secrets[j],
               workspace: projectId,
-              environment: importedSecrets[i].environment
+              environment: importedSecrets[i].environment,
+              secretPath: importedSecrets[i].secretPath
             };
           }
         }
@@ -649,7 +690,7 @@ export const secretServiceFactory = ({
     }
     if (!secret) throw new BadRequestError({ message: "Secret not found" });
 
-    return { ...secret, workspace: projectId, environment };
+    return { ...secret, workspace: projectId, environment, secretPath: path };
   };
 
   const createManySecret = async ({
@@ -700,6 +741,7 @@ export const secretServiceFactory = ({
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
     if (tags.length !== tagIds.length) throw new BadRequestError({ message: "Tag not found" });
 
+    const references = await getSecretReference(projectId);
     const newSecrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkInsert({
         inputSecrets: inputSecrets.map(({ secretName, ...el }) => ({
@@ -708,7 +750,12 @@ export const secretServiceFactory = ({
           secretBlindIndex: keyName2BlindIndex[secretName],
           type: SecretType.Shared,
           algorithm: SecretEncryptionAlgo.AES_256_GCM,
-          keyEncoding: SecretKeyEncoding.UTF8
+          keyEncoding: SecretKeyEncoding.UTF8,
+          references: references({
+            ciphertext: el.secretValueCiphertext,
+            iv: el.secretValueIV,
+            tag: el.secretValueTag
+          })
         })),
         folderId,
         secretDAL,
@@ -783,6 +830,8 @@ export const secretServiceFactory = ({
     const tagIds = inputSecrets.flatMap(({ tags = [] }) => tags);
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
     if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+
+    const references = await getSecretReference(projectId);
     const secrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
@@ -799,7 +848,15 @@ export const secretServiceFactory = ({
                 ? newKeyName2BlindIndex[newSecretName]
                 : keyName2BlindIndex[secretName],
             algorithm: SecretEncryptionAlgo.AES_256_GCM,
-            keyEncoding: SecretKeyEncoding.UTF8
+            keyEncoding: SecretKeyEncoding.UTF8,
+            references:
+              el.secretValueIV && el.secretValueTag
+                ? references({
+                    ciphertext: el.secretValueCiphertext,
+                    iv: el.secretValueIV,
+                    tag: el.secretValueTag
+                  })
+                : undefined
           }
         })),
         secretDAL,
@@ -924,34 +981,40 @@ export const secretServiceFactory = ({
       });
 
       const batchSecretsExpand = async (
-        secretBatch: {
-          secretKey: string;
-          secretValue: string;
-          secretComment?: string;
-        }[]
+        secretBatch: { secretKey: string; secretValue: string; secretComment?: string; secretPath: string }[]
       ) => {
-        const secretRecord: Record<
-          string,
-          {
-            value: string;
-            comment?: string;
-            skipMultilineEncoding?: boolean;
+        // Group secrets by secretPath
+        const secretsByPath: Record<string, { secretKey: string; secretValue: string; secretComment?: string }[]> = {};
+
+        secretBatch.forEach((secret) => {
+          if (!secretsByPath[secret.secretPath]) {
+            secretsByPath[secret.secretPath] = [];
           }
-        > = {};
-
-        secretBatch.forEach((decryptedSecret) => {
-          secretRecord[decryptedSecret.secretKey] = {
-            value: decryptedSecret.secretValue,
-            comment: decryptedSecret.secretComment
-          };
+          secretsByPath[secret.secretPath].push(secret);
         });
 
-        await expandSecrets(secretRecord);
+        // Expand secrets for each group
+        for (const secPath in secretsByPath) {
+          if (!Object.hasOwn(secretsByPath, path)) {
+            // eslint-disable-next-line no-continue
+            continue;
+          }
 
-        secretBatch.forEach((decryptedSecret, index) => {
-          // eslint-disable-next-line no-param-reassign
-          secretBatch[index].secretValue = secretRecord[decryptedSecret.secretKey].value;
-        });
+          const secretRecord: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
+          secretsByPath[secPath].forEach((decryptedSecret) => {
+            secretRecord[decryptedSecret.secretKey] = {
+              value: decryptedSecret.secretValue,
+              comment: decryptedSecret.secretComment
+            };
+          });
+
+          await expandSecrets(secretRecord);
+
+          secretsByPath[secPath].forEach((decryptedSecret) => {
+            // eslint-disable-next-line no-param-reassign
+            decryptedSecret.secretValue = secretRecord[decryptedSecret.secretKey].value;
+          });
+        }
       };
 
       // expand secrets
@@ -972,7 +1035,8 @@ export const secretServiceFactory = ({
     path,
     actor,
     environment,
-    projectId,
+    projectId: workspaceId,
+    projectSlug,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -980,6 +1044,8 @@ export const secretServiceFactory = ({
     includeImports,
     version
   }: TGetASecretRawDTO) => {
+    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
+
     const botKey = await projectBotService.getBotKey(projectId);
     if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
 
@@ -996,6 +1062,7 @@ export const secretServiceFactory = ({
       includeImports,
       version
     });
+
     return decryptSecretRaw(secret, botKey);
   };
 
@@ -1168,7 +1235,9 @@ export const secretServiceFactory = ({
     await snapshotService.performSnapshot(secrets[0].folderId);
     await secretQueueService.syncSecrets({ secretPath, projectId, environment });
 
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
+    return secrets.map((secret) =>
+      decryptSecretRaw({ ...secret, workspace: projectId, environment, secretPath }, botKey)
+    );
   };
 
   const updateManySecretsRaw = async ({
@@ -1220,7 +1289,9 @@ export const secretServiceFactory = ({
     await snapshotService.performSnapshot(secrets[0].folderId);
     await secretQueueService.syncSecrets({ secretPath, projectId, environment });
 
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
+    return secrets.map((secret) =>
+      decryptSecretRaw({ ...secret, workspace: projectId, environment, secretPath }, botKey)
+    );
   };
 
   const deleteManySecretsRaw = async ({
@@ -1254,7 +1325,9 @@ export const secretServiceFactory = ({
     await snapshotService.performSnapshot(secrets[0].folderId);
     await secretQueueService.syncSecrets({ secretPath, projectId, environment });
 
-    return secrets.map((secret) => decryptSecretRaw({ ...secret, workspace: projectId, environment }, botKey));
+    return secrets.map((secret) =>
+      decryptSecretRaw({ ...secret, workspace: projectId, environment, secretPath }, botKey)
+    );
   };
 
   const getSecretVersions = async ({
@@ -1485,6 +1558,52 @@ export const secretServiceFactory = ({
     };
   };
 
+  // this is a backfilling API for secret references
+  // what it does is it will go through all the secret values and parse all references
+  // populate the secret reference to do sync integrations
+  const backfillSecretReferences = async ({
+    projectId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TBackFillSecretReferencesDTO) => {
+    const { hasRole } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (!hasRole(ProjectMembershipRole.Admin))
+      throw new BadRequestError({ message: "Only admins are allowed to take this action" });
+
+    const botKey = await projectBotService.getBotKey(projectId);
+    if (!botKey)
+      throw new BadRequestError({ message: "Please upgrade your project first", name: "bot_not_found_error" });
+
+    await secretDAL.transaction(async (tx) => {
+      const secrets = await secretDAL.findAllProjectSecretValues(projectId, tx);
+      await secretDAL.upsertSecretReferences(
+        secrets.map(({ id, secretValueCiphertext, secretValueIV, secretValueTag }) => ({
+          secretId: id,
+          references: getAllNestedSecretReferences(
+            decryptSymmetric128BitHexKeyUTF8({
+              ciphertext: secretValueCiphertext,
+              iv: secretValueIV,
+              tag: secretValueTag,
+              key: botKey
+            })
+          )
+        })),
+        tx
+      );
+    });
+
+    return { message: "Successfully backfilled secret references" };
+  };
+
   return {
     attachTags,
     detachTags,
@@ -1505,6 +1624,7 @@ export const secretServiceFactory = ({
     updateManySecretsRaw,
     deleteManySecretsRaw,
     getSecretVersions,
+    backfillSecretReferences,
     // external services function
     fnSecretBulkDelete,
     fnSecretBulkUpdate,

backend/src/services/secret/secret-types.ts

@@ -152,7 +152,9 @@ export type TGetASecretRawDTO = {
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;
-} & TProjectPermission;
+  projectSlug?: string;
+  projectId?: string;
+} & Omit<TProjectPermission, "projectId">;
 
 export type TCreateSecretRawDTO = TProjectPermission & {
   secretPath: string;
@@ -221,11 +223,13 @@ export type TGetSecretVersionsDTO = Omit<TProjectPermission, "projectId"> & {
   secretId: string;
 };
 
+export type TSecretReference = { environment: string; secretPath: string };
+
 export type TFnSecretBulkInsert = {
   folderId: string;
   tx?: Knex;
-  inputSecrets: Array<Omit<TSecretsInsert, "folderId"> & { tags?: string[] }>;
-  secretDAL: Pick<TSecretDALFactory, "insertMany">;
+  inputSecrets: Array<Omit<TSecretsInsert, "folderId"> & { tags?: string[]; references?: TSecretReference[] }>;
+  secretDAL: Pick<TSecretDALFactory, "insertMany" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
@@ -234,8 +238,11 @@ export type TFnSecretBulkInsert = {
 export type TFnSecretBulkUpdate = {
   folderId: string;
   projectId: string;
-  inputSecrets: { filter: Partial<TSecrets>; data: TSecretsUpdate & { tags?: string[] } }[];
-  secretDAL: Pick<TSecretDALFactory, "bulkUpdate">;
+  inputSecrets: {
+    filter: Partial<TSecrets>;
+    data: TSecretsUpdate & { tags?: string[]; references?: TSecretReference[] };
+  }[];
+  secretDAL: Pick<TSecretDALFactory, "bulkUpdate" | "upsertSecretReferences">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret" | "deleteTagsManySecret">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
@@ -292,6 +299,8 @@ export type TRemoveSecretReminderDTO = {
   repeatDays: number;
 };
 
+export type TBackFillSecretReferencesDTO = TProjectPermission;
+
 // ---
 
 export type TCreateManySecretsRawFnFactory = {

docker-compose.dev.yml

@@ -91,6 +91,8 @@ services:
       - TELEMETRY_ENABLED=false
     volumes:
       - ./backend/src:/app/src
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
   frontend:
     container_name: infisical-dev-frontend
@@ -128,7 +130,7 @@ services:
     ports:
       - 1025:1025 # SMTP server
       - 8025:8025 # Web UI
-  
+
   openldap: # note: more advanced configuration is available
     image: osixia/openldap:1.5.0
     restart: always

docs/api-reference/endpoints/project-identities/add-identity-membership.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create Identity Membership"
+openapi: "POST /api/v2/workspace/{projectId}/identity-memberships/{identityId}"
+---

docs/api-reference/endpoints/project-identities/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Identity by ID"
+openapi: "GET /api/v2/workspace/{projectId}/identity-memberships/{identityId}"
+---

docs/api-reference/endpoints/project-users/get-by-username.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get By Username"
+openapi: "POST /api/v1/workspace/{workspaceId}/memberships/details"
+---

docs/api-reference/endpoints/project-users/invite-member-to-workspace.mdx

@@ -1,4 +1,4 @@
 ---
 title: "Invite Member"
 openapi: "POST /api/v2/workspace/{projectId}/memberships"
----
+---

docs/api-reference/endpoints/universal-auth/revoke-access-token.mdx

@@ -0,0 +1,4 @@
+---
+title: "Revoke Access Token"
+openapi: "POST /api/v1/auth/token/revoke"
+---

docs/cli/commands/export.mdx

@@ -128,6 +128,12 @@ infisical export --template=<path to template>
 
   </Accordion>
 
+  <Accordion title="--include-imports">
+    By default imported secrets are available, you can disable it by setting this option to false.
+
+    Default value: `true`
+  </Accordion>
+
   <Accordion title="--format">
     Format of the output file. Accepted values: `dotenv`, `dotenv-export`, `csv`, `json` and `yaml`
 

docs/cli/commands/run.mdx

@@ -126,6 +126,12 @@ $ infisical run -- npm run dev
 
   </Accordion>
 
+  <Accordion title="--include-imports">
+    By default imported secrets are available, you can disable it by setting this option to false.
+
+    Default value: `true`
+  </Accordion>
+
 {" "}
 
 <Accordion title="--env">

docs/cli/faq.mdx

@@ -13,6 +13,7 @@ If none of the available stores work for you, you can try using the `file` store
 If you are still experiencing trouble, please seek support. 
 
 [Learn more about vault command](./commands/vault)
+
 </Accordion>
 
 <Accordion title="Can I fetch secrets with Infisical if I am offline?">

docs/documentation/getting-started/introduction.mdx

@@ -51,7 +51,7 @@ As a result, the 3 main concepts that are important to understand are:
 
 - **[Identities](/documentation/platform/identities/overview)**: users or machines with a set permissions assigned to them.
 - **[Clients](/integrations/platforms/kubernetes)**: Infisical-developed tools for managing secrets in various infrastructure components (e.g., [Kubernetes Operator](/integrations/platforms/kubernetes), [Infisical Agent](/integrations/platforms/infisical-agent), [CLI](/cli/usage), [SDKs](/sdks/overview), [API](/api-reference/overview/introduction), [Web Dashboard](/documentation/platform/organization)).
-- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, AWS IAM Auth etc.).
+- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, AWS Auth etc.).
 
 ## How to get started with Infisical?
 

docs/documentation/platform/identities/aws-auth.mdx

@@ -1,34 +1,64 @@
 ---
-title: AWS IAM Auth
+title: AWS Auth
 description: "Learn how to authenticate with Infisical for EC2 instances, Lambda functions, and other IAM principals."
 ---
 
-**AWS IAM Auth** is an AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to access Infisical.
+**AWS Auth** is an AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to access Infisical.
+
+## Diagram
+
+The following sequence digram illustrates the AWS Auth workflow for authenticating AWS IAM principals with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+  participant AWS as AWS STS
+
+  Note over Client,Client: Step 1: Sign GetCallerIdentityQuery
+
+  Note over Client,Infis: Step 2: Login Operation
+  Client->>Infis: Send signed query details /api/v1/auth/aws-auth/login
+
+  Note over Infis,AWS: Step 3: Query verification
+  Infis->>AWS: Forward signed GetCallerIdentity query
+  AWS-->>Infis: Return IAM user/role details
+
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 5: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
 
 ## Concept
 
-At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-iam-auth/login` endpoint. If successful,
+At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-auth/login` endpoint. If successful,
 then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
 
-In AWS IAM Auth, an IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
-The query data including the request method, request body, and request headers are sent to Infisical afterwhich Infisical forwards the signed query to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method to verify and obtain the identity of the IAM principal.
-Once obtained, the identity information is verified against specified requirements such as if the associated IAM principal ARN is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+To be more specific:
+
+1. The client IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
+2. The client sends the signed query data to Infisical including the request method, request body, and request headers at the `/api/v1/auth/aws-auth/login` endpoint.
+3. Infisical reconstructs the query and sends it to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method for verification and obtains the identity associated with the IAM principal.
+4. Infisical checks the identity's properties against set criteria such **Allowed Principal ARNs**.
+5. If all is well, Infisical returns a short-lived access token that the IAM principal can use to make authenticated requests to the Infisical API.
 
 <Note>
 We recommend using one of Infisical's clients like SDKs or the Infisical Agent
-to authenticate with Infisical using AWS IAM Auth as they handle the
+to authenticate with Infisical using AWS Auth as they handle the
 authentication process including the signed `GetCallerIdentity` query
 construction for you.
 
 Also, note that Infisical needs network-level access to send requests to the AWS STS API
-as part of the AWS IAM Auth workflow.
+as part of the AWS Auth workflow.
 
 </Note>
 
-## Workflow
+## Guide
 
 In the following steps, we explore how to create and use identities for your workloads and applications on AWS to
-access the Infisical API using the AWS IAM authentication method.
+access the Infisical API using the AWS Auth authentication method.
 
 <Steps>
     <Step title="Creating an identity">
@@ -45,15 +75,15 @@ access the Infisical API using the AWS IAM authentication method.
     - Name (required): A friendly name for the identity.
     - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
 
-    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **AWS IAM Auth**.
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **AWS Auth**.
 
-    ![identities create iam auth method](/images/platform/identities/identities-org-create-aws-iam-auth-method.png)
+    ![identities create aws auth method](/images/platform/identities/identities-org-create-aws-auth-method.png)
 
     Here's some more guidance on each field:
 
     - Allowed Principal ARNs: A comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical. The values should take one of three forms: `arn:aws:iam::123456789012:user/MyUserName`, `arn:aws:iam::123456789012:role/MyRoleName`, or `arn:aws:iam::123456789012:*`. Using a wildcard in this case allows any IAM principal in the account `123456789012` to authenticate with Infisical under the identity.
     - Allowed Account IDs: A comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.
-    - STS Endpoint (default is `https://sts.amazonaws.com/`): The endpoint URL for the AWS STS API. This is useful for AWS GovCloud or other AWS regions that have different STS endpoints.
+    - STS Endpoint (default is `https://sts.amazonaws.com/`): The endpoint URL for the AWS STS API. This value should be adjusted based on the AWS region you are operating in (e.g. `https://sts.us-east-1.amazonaws.com/`); refer to the list of regional STS endpoints [here](https://docs.aws.amazon.com/general/latest/gr/sts.html).
     - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
     - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
     - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
@@ -71,7 +101,7 @@ access the Infisical API using the AWS IAM authentication method.
     ![identities project create](/images/platform/identities/identities-project-create.png)
     </Step>
     <Step title="Accessing the Infisical API with the identity">
-        To access the Infisical API as the identity, you need to construct a signed `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) and make a request to the `/api/v1/auth/aws-iam-auth/login` endpoint containing the query data
+        To access the Infisical API as the identity, you need to construct a signed `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) and make a request to the `/api/v1/auth/aws-auth/login` endpoint containing the query data
         in exchange for an access token.
 
         We provide a few code examples below of how you can authenticate with Infisical from inside a Lambda function, EC2 instance, etc. and obtain an access token to access the [Infisical API](/api-reference/overview/introduction).
@@ -119,7 +149,7 @@ access the Infisical API using the AWS IAM authentication method.
                         const identityId = "<your-identity-id>";
 
                         const { data } = await axios.post(
-                            `${infisicalUrl}/api/v1/auth/aws-iam-auth/login`,
+                            `${infisicalUrl}/api/v1/auth/aws-auth/login`,
                             {
                                 identityId,
                                 iamHttpRequestMethod: "POST",
@@ -191,7 +221,7 @@ access the Infisical API using the AWS IAM authentication method.
                         const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
                         const identityId = "<your-identity-id>";
 
-                        const { data } = await axios.post(`${infisicalUrl}/api/v1/auth/aws-iam-auth/login`, {
+                        const { data } = await axios.post(`${infisicalUrl}/api/v1/auth/aws-auth/login`, {
                             identityId,
                             iamHttpRequestMethod: "POST",
                             iamRequestUrl: Buffer.from(iamRequestURL).toString("base64"),
@@ -234,12 +264,15 @@ access the Infisical API using the AWS IAM authentication method.
                 request.headers["X-Amz-Date"] = AWS.util.date.iso8601(new Date()).replace(/[:-]|\.\d{3}/g, "");
                 request.body = iamRequestBody;
                 request.headers["Content-Length"] = Buffer.byteLength(iamRequestBody);
+
+                const signer = new AWS.Signers.V4(request, "sts");
+                signer.addAuthorization(AWS.config.credentials, new Date());
                 ````
 
                 #### Sample request
 
                 ```bash Request
-                curl --location --request POST 'https://app.infisical.com/api/v1/auth/aws-iam-auth/login' \
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/aws-auth/login' \
                     --header 'Content-Type: application/x-www-form-urlencoded' \
                     --data-urlencode 'identityId=...' \
                     --data-urlencode 'iamHttpRequestMethod=...' \
@@ -263,7 +296,7 @@ access the Infisical API using the AWS IAM authentication method.
         </AccordionGroup>
 
         <Tip>
-            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using AWS IAM Auth as they handle the authentication process including the signed `GetCallerIdentity` query construction for you.
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using AWS Auth as they handle the authentication process including the signed `GetCallerIdentity` query construction for you.
         </Tip>
 
         <Note>

docs/documentation/platform/identities/gcp-auth.mdx

@@ -0,0 +1,351 @@
+---
+title: GCP Auth
+description: "Learn how to authenticate with Infisical for services on Google Cloud Platform"
+---
+
+**GCP Auth** is a GCP-native authentication method for GCP resources to access Infisical. It consists of two sub-methods/approaches:
+
+- GCP ID Token Auth: For GCP services including [Compute Engine](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature), [App Engine standard environment](https://cloud.google.com/appengine/docs/standard/python3/runtime#metadata_server), [App Engine flexible environment](https://cloud.google.com/appengine/docs/flexible/python/runtime#metadata_server), [Cloud Functions](https://cloud.google.com/functions/docs/securing/function-identity#using_the_metadata_server_to_acquire_tokens), [Cloud Run](https://cloud.google.com/run/docs/container-contract#metadata-server), [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#instance_metadata), and [Cloud Build](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#instance_metadata) to authenticate with Infisical.
+- GCP IAM Auth: For Google Cloud Platform (GCP) service accounts to authenticate with Infisical.
+
+<Tabs>
+  <Tab title="Google ID Token Auth">
+
+    ## Diagram
+
+    The following sequence digram illustrates the GCP ID Token Auth workflow for authenticating GCP resources with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant GCE as GCP Service
+  participant Infis as Infisical
+  participant Google as OAuth2 API
+
+  Note over GCE,Google: Step 1: Instance Identity Token Retrieval
+  GCE->>Google: Request instance identity metadata token
+  Google-->>GCE: Return JWT token with RS256 signature
+
+  Note over GCE,Infis: Step 2: Identity Token Login Operation
+  GCE->>Infis: Send JWT token to /api/v1/auth/gcp-auth/login
+  Infis->>Google: Request OAuth2 certificates
+  Google-->>Infis: Return certificates
+
+  Note over Infis: Step 3: Identity Token Verification
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>GCE: Return short-lived access token
+
+  Note over GCE,Infis: Step 4: Access Infisical API with Token
+  GCE->>Infis: Make authenticated requests using the short-lived access token
+```
+
+    ## Concept
+
+At a high-level, Infisical authenticates a GCP resource by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed GCE instance) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The client running on a GCP service obtains an [ID token](https://cloud.google.com/docs/authentication/get-id-token) constituting the identity for a GCP resource such as a GCE instance or Cloud Function; this is a unique JWT token that includes details about the instance as well as Google's [RS256 signature](https://datatracker.ietf.org/doc/html/rfc7518#section-3.3).
+2. The client sends the ID token to Infisical at the `/api/v1/auth/gcp-auth/login` endpoint.
+3. Infisical verifies the token against Google's [public OAuth2 certificates](https://www.googleapis.com/oauth2/v3/certs).
+4. Infisical checks if the entity behind the ID token is allowed to authenticate with Infisical based on set criteria such as **Allowed Service Account Emails**.
+5. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP ID Token Auth as they handle the
+authentication process including generating the instance ID token for you.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP ID Token authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP Auth** and set the **Type** to **GCP ID Token Auth**.
+
+    ![identities create gcp auth method](/images/platform/identities/identities-org-create-gcp-gce-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Allowed Service Account Emails: A comma-separated list of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+    - Allowed Projects: A comma-separated list of trusted GCP projects that the GCE instance must belong to authenticate with Infisical. Note that this validation property will only work for GCE instances.
+    - Allowed Zones: A comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical; this should be the fully-qualified zone name in the format `<region>-<zone>`like `us-central1-a`, `us-west1-b`, etc. Note that this validation property will only work for GCE instances.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to generate an [ID token](https://cloud.google.com/docs/authentication/get-id-token) constituting the identity of the present GCE instance and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the token in exchange for an access token.
+
+        We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for generating the ID token"
+            >
+                Start by making a request from the GCE instance to obtain the ID token.
+                For more examples of how to obtain the token in Java, Go, Node.js, etc. refer to the [official documentation](https://cloud.google.com/docs/authentication/get-id-token#curl).
+
+                #### Sample request
+                <CodeGroup>
+                ```bash curl
+                curl -H "Metadata-Flavor: Google" \
+                'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=<identityId>&format=full'
+                ```
+                </CodeGroup>
+
+                <Note>
+                    Note that you should replace `<identityId>` with the ID of the identity you created in step 1.
+                </Note>
+
+                Next use send the obtained JWT token along to authenticate with Infisical and obtain an access token.
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'jwt=...'
+                ```
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+        </Tip>
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>
+
+  </Tab>
+<Tab title="GCP IAM Auth">
+  
+    ## Diagram
+
+    The following sequence digram illustrates the GCP IAM Auth workflow for authenticating GCP IAM service accounts with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant GCE as Client
+  participant Infis as Infisical
+  participant Google as Cloud IAM
+
+  Note over GCE,Google: Step 1: Signed JWT Token Generation
+  GCE->>Google: Request to generate signed JWT token
+  Google-->>GCE: Return signed JWT token
+
+  Note over GCE,Infis: Step 2: JWT Token Login Operation
+  GCE->>Infis: Send signed JWT token to /api/v1/auth/gcp-auth/login
+  Infis->>Google: Request public key
+  Google-->>Infis: Return public key
+
+  Note over Infis: Step 3: JWT Token Verification
+  Note over Infis: Step 4: JWT Property Validation
+  Infis->>GCE: Return short-lived access token
+
+  Note over GCE,Infis: Step 5: Access Infisical API with Token
+  GCE->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates an IAM service account by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed service account) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The client generates a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt); this is done using the service account credentials associated with the client.
+2. The client sends the signed JWT token to Infisical at the `/api/v1/auth/gcp-auth/login` endpoint.
+3. Infisical verifies the signed JWT token.
+4. Infisical checks if the service account behind the JWT token is allowed to authenticate with Infisical based **Allowed Service Account Emails**.
+5. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP IAM Auth as they handle the
+authentication process including generating the signed JWT token.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP IAM authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP IAM Auth** and set the **Type** to **GCP IAM Auth**.
+
+    ![identities create gcp auth method](/images/platform/identities/identities-org-create-gcp-iam-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Allowed Service Account Emails: A comma-separated list of trusted IAM service account emails that are allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to generate a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt) and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the signed JWT token in exchange for an access token.
+
+        <Info>
+            Make sure that the service account has the `iam.serviceAccounts.signJwt` permission or the `roles/iam.serviceAccountTokenCreator` role.
+        </Info>
+
+        We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for generating a signed JWT token"
+            >
+                The following code provides a generic example of how you can generate a signed JWT token against the `projects.serviceAccounts.signJwt` API method.
+
+                The shown example uses Node.js and the official [google-auth-library](https://github.com/googleapis/google-auth-library-nodejs#readme) package but you can use any language you wish.
+
+
+                ```javascript
+                const { GoogleAuth } = require("google-auth-library");
+
+                const auth = new GoogleAuth({
+                    scopes: "https://www.googleapis.com/auth/cloud-platform",
+                });
+
+                const credentials = await auth.getCredentials();
+
+                const identityId = "<your-infisical-identity-id>";
+
+                const jwtPayload = {
+                    sub: credentials.client_email,
+                    aud: identityId,
+                };
+
+                const { data } = await client.request({
+                    url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${credentials.client_email}:signJwt`,
+                    method: "POST",
+                    data: { payload: JSON.stringify(jwtPayload) },
+                });
+
+                const jwt = data.signedJwt // send this jwt to Infisical in the next step
+                ```
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'jwt=...'
+                ```
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+        </Tip>
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>
+  </Tab>
+  
+</Tabs>

docs/documentation/platform/identities/kubernetes-auth.mdx

@@ -0,0 +1,247 @@
+---
+title: Kubernetes Auth
+description: "Learn how to authenticate with Infisical in Kubernetes"
+---
+
+**Kubernetes Auth** is a Kubernetes-native authentication method for applications (e.g. pods) to access Infisical.
+
+## Diagram
+
+    The following sequence digram illustrates the Kubernetes Auth workflow for authenticating applications running in pods with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Pod as Pod
+  participant Infis as Infisical
+  participant KubernetesServer as K8s API Server
+
+  Note over Pod: Step 1: Service Account JWT Token Retrieval
+
+  Note over Pod,Infis: Step 2: JWT Token Login Operation
+  Pod->>Infis: Send JWT token to /api/v1/auth/kubernetes-auth/login
+  Infis->>KubernetesServer: Forward JWT token for validation
+    KubernetesServer-->>Infis: Return identity info for JWT
+
+  Note over Infis: Step 3: Identity Property Verification
+  Infis->>Pod: Return short-lived access token
+
+  Note over Pod,Infis: Step 4: Access Infisical API with Token
+  Pod->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates an application in Kubernetes by verifying its identity and checking that it meets specific requirements (e.g. it is bound to an allowed service account) at the `/api/v1/auth/kubernetes-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The application deployed on Kubernetes retrieves its [service account credential](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) that is a JWT token at the `/var/run/secrets/kubernetes.io/serviceaccount/token` pod path.
+2. The application sends the JWT token to Infisical at the `/api/v1/auth/kubernetes-auth/login` endpoint after which Infisical forwards the JWT token to the Kubernetes API Server at the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) for verification and to obtain the service account information associated with the JWT token. Infisical is able to authenticate and interact with the TokenReview API by using a long-lived service account JWT token itself (referred to onward as the token reviewer JWT token).
+3. Infisical checks the service account properties against set criteria such **Allowed Service Account Names** and **Allowed Namespaces**.
+4. If all is well, Infisical returns a short-lived access token that the application can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using Kubernetes Auth as they handle the
+authentication process including service account credential retrieval for you.
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your applications in Kubernetes to access the Infisical API using the Kubernetes Auth authentication method.
+
+<Steps>
+    <Step title="Obtaining the token reviewer JWT for Infisical">
+        1.1. Start by creating a service account in your Kubernetes cluster that will be used by Infisical to authenticate with the Kubernetes API Server.
+
+        ```yaml infisical-service-account.yaml
+        apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          name: infisical-auth
+          namespace: default
+
+        ```
+
+        ```
+        kubectl apply -f infisical-service-account.yaml
+        ```
+
+        1.2. Bind the service account to the `system:auth-delegator` cluster role. As described [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles), this role allows delegated authentication and authorization checks, specifically for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). You can apply the following configuration file:
+
+        ```yaml cluster-role-binding.yaml
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          name: role-tokenreview-binding
+          namespace: default
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: system:auth-delegator
+        subjects:
+          - kind: ServiceAccount
+            name: infisical-auth
+            namespace: default
+        ```
+
+        ```
+        kubectl apply -f cluster-role-binding.yaml
+        ```
+
+        1.3. Next, create a long-lived service account JWT token (i.e. the token reviewer JWT token) for the service account using this configuration file for a new `Secret` resource:
+
+        ```yaml service-account-token.yaml
+        apiVersion: v1
+        kind: Secret
+        type: kubernetes.io/service-account-token
+        metadata:
+          name: infisical-auth-token
+          annotations:
+            kubernetes.io/service-account.name: "infisical-auth"
+        ```
+
+
+        ```
+        kubectl apply -f service-account-token.yaml
+        ```
+
+        1.4. Link the secret in step 1.3 to the service account in step 1.1:
+
+        ```bash
+        kubectl patch serviceaccount infisical-auth -p '{"secrets": [{"name": "infisical-auth-token"}]}' -n default
+        ```
+
+        1.5. Finally, retrieve the token reviewer JWT token from the secret.
+
+        ```bash
+        kubectl get secret infisical-auth-token -n default -o=jsonpath='{.data.token}' | base64 --decode
+        ```
+
+        Keep this JWT token handy as you will need it for the **Token Reviewer JWT** field when configuring the Kubernetes Auth authentication method for the identity in step 2.
+
+    </Step>
+
+  <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **Kubernetes Auth**.
+
+    ![identities organization create auth method](/images/platform/identities/identities-org-create-kubernetes-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Kubernetes Host / Base Kubernetes API URL: The host string, host:port pair, or URL to the base of the Kubernetes API server. This can usually be obtained by running `kubectl cluster-info`.
+    - Token Reviewer JWT: A long-lived service account JWT token for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5.
+    - Allowed Service Account Names: A comma-separated list of trusted service account names that are allowed to authenticate with Infisical.
+    - Allowed Namespaces: A comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.
+    - Allowed Audience: An optional audience claim that the service account JWT token must have to authenticate with Infisical.
+    - CA Certificate: The PEM-encoded CA cert for the Kubernetes API server. This is used by the TLS client for secure communication with the Kubernetes API server.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+  </Step>
+  <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+
+  </Step>
+  <Step title="Accessing the Infisical API with the identity">
+    To access the Infisical API as the identity, you should first make sure that the pod running your application is bound to a service account specified in the **Allowed Service Account Names** field of the identity's Kubernetes Auth authentication method configuration in step 2.
+    
+    Once bound, the pod will receive automatically mounted service account credentials that is a JWT token at the `/var/run/secrets/kubernetes.io/serviceaccount/token` path. This token should be used to authenticate with Infisical at the `/api/v1/auth/kubernetes-auth/login` endpoint.
+    
+    For information on how to configure sevice accounts for pods, refer to the guide [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/).
+    
+    We provide a code example below of how you might retrieve the JWT token and use it to authenticate with Infisical to gain access to the [Infisical API](/api-reference/overview/introduction).
+   <Accordion
+        title="Sample code for inside an application"
+    > 
+        The shown example uses Node.js but you can use any other language to retrieve the service account JWT token and use it to authenticate with Infisical.
+        
+        ```javascript   
+        const fs = require("fs");
+        try {
+            const tokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+            const jwtToken = fs.readFileSync(tokenPath, "utf8");
+
+            const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
+            const identityId = "<your-identity-id>";
+
+            const { data } = await axios.post(
+                `{infisicalUrl}/api/v1/auth/kubernetes-auth/login`,
+                {
+                    identityId,
+                    jwt,
+                }
+            );
+
+            console.log("result data: ", data); // access token here
+        } catch(err) {
+            console.error(err);
+        }
+        ```
+    </Accordion>
+
+    <Tip>
+        We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using Kubernetes Auth as they handle the authentication process including service account credential retrieval for you.
+    </Tip>
+
+    <Note>
+    Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+    the default TTL is `7200` seconds which can be adjusted.
+
+    If an identity access token exceeds its max ttl, it can no longer authenticate with the Infisical API. In this case,
+    a new access token should be obtained by performing another login operation.
+    </Note>
+
+  </Step>
+</Steps>
+
+**FAQ**
+
+<AccordionGroup>
+<Accordion title="Why is the Infisical API rejecting my service account JWT token?">
+  There are a few reasons for why this might happen:
+  - The Kubernetes Auth authentication method configuration is invalid.
+  - The service account JWT token has expired is malformed or invalid.
+  - The service account associated with the JWT token does not meet the criteria set forth in the Kubernetes Auth authentication method configuration such as **Allowed Service Account Names** and **Allowed Namespaces**.
+</Accordion>
+<Accordion title="Why is the Infisical API rejecting my access token?">
+  There are a few reasons for why this might happen:
+  
+  - The access token has expired.
+  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - The client access token is being used from an untrusted IP.
+</Accordion>
+<Accordion title="What is access token renewal and TTL/Max TTL?">
+  A identity access token can have a time-to-live (TTL) or incremental lifetime after which it expires.
+  
+  In certain cases, you may want to extend the lifespan of an access token; to do so, you must set a max TTL parameter.
+
+A token can be renewed any number of time and each call to renew it will extend the toke life by increments of access token TTL.
+Regardless of how frequently an access token is renewed, its lifespan remains bound to the maximum TTL determined at its creation
+
+</Accordion>
+</AccordionGroup>