Fix ssh cli docs based on review

Add SSH CLI capability to load issued SSH credentials into SSH Agent via addToAgent flag

.env.example

@@ -88,3 +88,20 @@ PLAIN_WISH_LABEL_IDS=
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
 
 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
+
+# App Connections
+
+# aws assume-role
+INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
+INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
+
+# github oauth
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
+
+#github app
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_APP_ID=

backend/src/@types/fastify.d.ts

@@ -36,6 +36,7 @@ import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-cert
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
+import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@@ -208,6 +209,7 @@ declare module "fastify" {
       externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
       projectTemplate: TProjectTemplateServiceFactory;
       totp: TTotpServiceFactory;
+      appConnection: TAppConnectionServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -363,6 +363,7 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
@@ -886,5 +887,10 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
+    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
+      TAppConnections,
+      TAppConnectionsInsert,
+      TAppConnectionsUpdate
+    >;
   }
 }

backend/src/db/migrations/20241218181018_app-connection.ts

@@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
+    await knex.schema.createTable(TableName.AppConnection, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("app").notNullable();
+      t.string("method").notNullable();
+      t.binary("encryptedCredentials").notNullable();
+      t.integer("version").defaultTo(1).notNullable();
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.AppConnection);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AppConnection);
+  await dropOnUpdateTrigger(knex, TableName.AppConnection);
+}

backend/src/db/schemas/app-connections.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AppConnectionsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  app: z.string(),
+  method: z.string(),
+  encryptedCredentials: zodBuffer,
+  version: z.number().default(1),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAppConnections = z.infer<typeof AppConnectionsSchema>;
+export type TAppConnectionsInsert = Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>;
+export type TAppConnectionsUpdate = Partial<Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/models.ts

@@ -129,7 +129,8 @@ export enum TableName {
   KmsKeyVersion = "kms_key_versions",
   WorkflowIntegrations = "workflow_integrations",
   SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs"
+  ProjectSlackConfigs = "project_slack_configs",
+  AppConnection = "app_connections"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/ee/routes/v1/org-role-router.ts

@@ -23,7 +23,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           "Please choose a different slug, the slug you have entered is reserved"
         ),
         name: z.string().trim(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
         permissions: z.any().array()
       }),
       response: {
@@ -95,7 +95,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           )
           .optional(),
         name: z.string().trim().optional(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
         permissions: z.any().array().optional()
       }),
       response: {

backend/src/ee/routes/v1/project-role-router.ts

@@ -39,7 +39,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           )
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
         permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
       }),
       response: {
@@ -95,7 +95,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.UPDATE.slug)
           .optional(),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
         permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {

backend/src/ee/routes/v2/project-role-router.ts

@@ -36,7 +36,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           )
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
         permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
       }),
       response: {
@@ -91,7 +91,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .optional()
           .describe(PROJECT_ROLE.UPDATE.slug),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
         permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -6,6 +6,8 @@ import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-a
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
@@ -222,7 +224,12 @@ export enum EventType {
   CREATE_PROJECT_TEMPLATE = "create-project-template",
   UPDATE_PROJECT_TEMPLATE = "update-project-template",
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template"
+  APPLY_PROJECT_TEMPLATE = "apply-project-template",
+  GET_APP_CONNECTIONS = "get-app-connections",
+  GET_APP_CONNECTION = "get-app-connection",
+  CREATE_APP_CONNECTION = "create-app-connection",
+  UPDATE_APP_CONNECTION = "update-app-connection",
+  DELETE_APP_CONNECTION = "delete-app-connection"
 }
 
 interface UserActorMetadata {
@@ -1867,6 +1874,39 @@ interface ApplyProjectTemplateEvent {
   };
 }
 
+interface GetAppConnectionsEvent {
+  type: EventType.GET_APP_CONNECTIONS;
+  metadata: {
+    app?: AppConnection;
+    count: number;
+    connectionIds: string[];
+  };
+}
+
+interface GetAppConnectionEvent {
+  type: EventType.GET_APP_CONNECTION;
+  metadata: {
+    connectionId: string;
+  };
+}
+
+interface CreateAppConnectionEvent {
+  type: EventType.CREATE_APP_CONNECTION;
+  metadata: Omit<TCreateAppConnectionDTO, "credentials"> & { connectionId: string };
+}
+
+interface UpdateAppConnectionEvent {
+  type: EventType.UPDATE_APP_CONNECTION;
+  metadata: Omit<TUpdateAppConnectionDTO, "credentials"> & { connectionId: string; credentialsUpdated: boolean };
+}
+
+interface DeleteAppConnectionEvent {
+  type: EventType.DELETE_APP_CONNECTION;
+  metadata: {
+    connectionId: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2038,4 +2078,9 @@ export type Event =
   | CreateProjectTemplateEvent
   | UpdateProjectTemplateEvent
   | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent;
+  | ApplyProjectTemplateEvent
+  | GetAppConnectionsEvent
+  | GetAppConnectionEvent
+  | CreateAppConnectionEvent
+  | UpdateAppConnectionEvent
+  | DeleteAppConnectionEvent;

backend/src/ee/services/license/license-fns.ts

@@ -49,7 +49,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   },
   pkiEst: false,
   enforceMfa: false,
-  projectTemplates: false
+  projectTemplates: false,
+  appConnections: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -67,6 +67,7 @@ export type TFeatureSet = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: false;
+  appConnections: false; // TODO: remove once live
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -27,7 +27,8 @@ export enum OrgPermissionSubjects {
   Kms = "kms",
   AdminConsole = "organization-admin-console",
   AuditLogs = "audit-logs",
-  ProjectTemplates = "project-templates"
+  ProjectTemplates = "project-templates",
+  AppConnections = "app-connections"
 }
 
 export type OrgPermissionSet =
@@ -46,6 +47,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
+  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 const buildAdminPermission = () => {
@@ -123,6 +125,11 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
 
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
   return rules;
@@ -153,6 +160,8 @@ const buildMemberPermission = () => {
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+
   return rules;
 };
 

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -5,6 +5,7 @@ import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+
 import { TSshCertificateAuthorityDALFactory } from "../ssh/ssh-certificate-authority-dal";
 import { TSshCertificateTemplateDALFactory } from "./ssh-certificate-template-dal";
 import {

backend/src/lib/api-docs/constants.ts

@@ -1,3 +1,6 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+
 export const GROUPS = {
   CREATE: {
     name: "The name of the group to create.",
@@ -1605,3 +1608,34 @@ export const ProjectTemplates = {
     templateId: "The ID of the project template to be deleted."
   }
 };
+
+export const AppConnections = {
+  GET_BY_ID: (app: AppConnection) => ({
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
+  }),
+  GET_BY_NAME: (app: AppConnection) => ({
+    connectionName: `The name of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
+  }),
+  CREATE: (app: AppConnection) => {
+    const appName = APP_CONNECTION_NAME_MAP[app];
+    return {
+      name: `The name of the ${appName} Connection to create. Must be slug-friendly.`,
+      description: `An optional description for the ${appName} Connection.`,
+      credentials: `The credentials used to connect with ${appName}.`,
+      method: `The method used to authenticate with ${appName}.`
+    };
+  },
+  UPDATE: (app: AppConnection) => {
+    const appName = APP_CONNECTION_NAME_MAP[app];
+    return {
+      connectionId: `The ID of the ${appName} Connection to be updated.`,
+      name: `The updated name of the ${appName} Connection. Must be slug-friendly.`,
+      description: `The updated description of the ${appName} Connection.`,
+      credentials: `The credentials used to connect with ${appName}.`,
+      method: `The method used to authenticate with ${appName}.`
+    };
+  },
+  DELETE: (app: AppConnection) => ({
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
+  })
+};

backend/src/lib/config/env.ts

@@ -180,7 +180,24 @@ const envSchema = z
     HSM_SLOT: z.coerce.number().optional().default(0),
 
     USE_PG_QUEUE: zodStrBool.default("false"),
-    SHOULD_INIT_PG_QUEUE: zodStrBool.default("false")
+    SHOULD_INIT_PG_QUEUE: zodStrBool.default("false"),
+
+    /* App Connections ----------------------------------------------------------------------------- */
+
+    // aws
+    INF_APP_CONNECTION_AWS_ACCESS_KEY_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY: zpStr(z.string().optional()),
+
+    // github oauth
+    INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET: zpStr(z.string().optional()),
+
+    // github app
+    INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(

backend/src/lib/fn/string.ts

@@ -14,3 +14,5 @@ export const prefixWithSlash = (str: string) => {
   if (str.startsWith("/")) return str;
   return `/${str}`;
 };
+
+export const startsWithVowel = (str: string) => /^[aeiou]/i.test(str);

backend/src/lib/types/index.ts

@@ -43,6 +43,8 @@ export type RequiredKeys<T> = {
 
 export type PickRequired<T> = Pick<T, RequiredKeys<T>>;
 
+export type DiscriminativePick<T, K extends keyof T> = T extends unknown ? Pick<T, K> : never;
+
 export enum EnforcementLevel {
   Hard = "hard",
   Soft = "soft"

backend/src/server/plugins/error-handler.ts

@@ -1,8 +1,10 @@
 import { ForbiddenError, PureAbility } from "@casl/ability";
+import opentelemetry from "@opentelemetry/api";
 import fastifyPlugin from "fastify-plugin";
 import jwt from "jsonwebtoken";
 import { ZodError } from "zod";
 
+import { getConfig } from "@app/lib/config/env";
 import {
   BadRequestError,
   DatabaseError,
@@ -35,8 +37,30 @@ enum HttpStatusCodes {
 }
 
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+
+  const apiMeter = opentelemetry.metrics.getMeter("API");
+  const errorHistogram = apiMeter.createHistogram("API_errors", {
+    description: "API errors by type, status code, and name",
+    unit: "1"
+  });
+
   server.setErrorHandler((error, req, res) => {
     req.log.error(error);
+    if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+      const { method } = req;
+      const route = req.routerPath;
+      const errorType =
+        error instanceof jwt.JsonWebTokenError ? "TokenError" : error.constructor.name || "UnknownError";
+
+      errorHistogram.record(1, {
+        route,
+        method,
+        type: errorType,
+        name: error.name
+      });
+    }
+
     if (error instanceof BadRequestError) {
       void res
         .status(HttpStatusCodes.BadRequest)
@@ -52,13 +76,20 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         message: error.message,
         error: error.name
       });
-    } else if (error instanceof DatabaseError || error instanceof InternalServerError) {
+    } else if (error instanceof DatabaseError) {
       void res.status(HttpStatusCodes.InternalServerError).send({
         reqId: req.id,
         statusCode: HttpStatusCodes.InternalServerError,
         message: "Something went wrong",
         error: error.name
       });
+    } else if (error instanceof InternalServerError) {
+      void res.status(HttpStatusCodes.InternalServerError).send({
+        reqId: req.id,
+        statusCode: HttpStatusCodes.InternalServerError,
+        message: error.message ?? "Something went wrong",
+        error: error.name
+      });
     } else if (error instanceof GatewayTimeoutError) {
       void res.status(HttpStatusCodes.GatewayTimeout).send({
         reqId: req.id,

backend/src/server/routes/index.ts

@@ -91,6 +91,8 @@ import { readLimit } from "@app/server/config/rateLimiter";
 import { accessTokenQueueServiceFactory } from "@app/services/access-token-queue/access-token-queue";
 import { apiKeyDALFactory } from "@app/services/api-key/api-key-dal";
 import { apiKeyServiceFactory } from "@app/services/api-key/api-key-service";
+import { appConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { appConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { authDALFactory } from "@app/services/auth/auth-dal";
 import { authLoginServiceFactory } from "@app/services/auth/auth-login-service";
 import { authPaswordServiceFactory } from "@app/services/auth/auth-password-service";
@@ -314,6 +316,7 @@ export const registerRoutes = async (
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
+  const appConnectionDAL = appConnectionDALFactory(db);
 
   // ee db layer ops
   const permissionDAL = permissionDALFactory(db);
@@ -1352,6 +1355,13 @@ export const registerRoutes = async (
     externalGroupOrgRoleMappingDAL
   });
 
+  const appConnectionService = appConnectionServiceFactory({
+    appConnectionDAL,
+    permissionService,
+    kmsService,
+    licenseService
+  });
+
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1448,7 +1458,8 @@ export const registerRoutes = async (
     migration: migrationService,
     externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
     projectTemplate: projectTemplateService,
-    totp: totpService
+    totp: totpService,
+    appConnection: appConnectionService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -0,0 +1,74 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
+import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+// can't use discriminated due to multiple schemas for certain apps
+const SanitizedAppConnectionSchema = z.union([
+  ...SanitizedAwsConnectionSchema.options,
+  ...SanitizedGitHubConnectionSchema.options
+]);
+
+const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
+  AwsConnectionListItemSchema,
+  GitHubConnectionListItemSchema
+]);
+
+export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/options",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List the available App Connection Options.",
+      response: {
+        200: z.object({
+          appConnectionOptions: AppConnectionOptionsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: () => {
+      const appConnectionOptions = server.services.appConnection.listAppConnectionOptions();
+      return { appConnectionOptions };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List all the App Connections for the current organization.",
+      response: {
+        200: z.object({ appConnections: SanitizedAppConnectionSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const appConnections = await server.services.appConnection.listAppConnectionsByOrg(req.permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_APP_CONNECTIONS,
+          metadata: {
+            count: appConnections.length,
+            connectionIds: appConnections.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { appConnections };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts

@@ -0,0 +1,274 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AppConnections } from "@app/lib/api-docs";
+import { startsWithVowel } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { TAppConnection, TAppConnectionInput } from "@app/services/app-connection/app-connection-types";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAppConnectionEndpoints = <T extends TAppConnection, I extends TAppConnectionInput>({
+  server,
+  app,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  app: AppConnection;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    method: I["method"];
+    credentials: I["credentials"];
+    description?: string | null;
+  }>;
+  updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  const appName = APP_CONNECTION_NAME_MAP[app];
+
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `List the ${appName} Connections for the current organization.`,
+      response: {
+        200: z.object({ appConnections: responseSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const appConnections = (await server.services.appConnection.listAppConnectionsByOrg(req.permission, app)) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_APP_CONNECTIONS,
+          metadata: {
+            app,
+            count: appConnections.length,
+            connectionIds: appConnections.map((connection) => connection.id)
+          }
+        }
+      });
+
+      return { appConnections };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:connectionId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${appName} Connection by ID.`,
+      params: z.object({
+        connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
+      }),
+      response: {
+        200: z.object({ appConnection: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const appConnection = (await server.services.appConnection.findAppConnectionById(
+        app,
+        connectionId,
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_APP_CONNECTION,
+          metadata: {
+            connectionId
+          }
+        }
+      });
+
+      return { appConnection };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/name/:connectionName`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: `Get the specified ${appName} Connection by name.`,
+      params: z.object({
+        connectionName: z
+          .string()
+          .min(0, "Connection name required")
+          .describe(AppConnections.GET_BY_NAME(app).connectionName)
+      }),
+      response: {
+        200: z.object({ appConnection: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionName } = req.params;
+
+      const appConnection = (await server.services.appConnection.findAppConnectionByName(
+        app,
+        connectionName,
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_APP_CONNECTION,
+          metadata: {
+            connectionId: appConnection.id
+          }
+        }
+      });
+
+      return { appConnection };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Create ${
+        startsWithVowel(appName) ? "an" : "a"
+      } ${appName} Connection for the current organization.`,
+      body: createSchema,
+      response: {
+        200: z.object({ appConnection: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { name, method, credentials, description } = req.body;
+
+      const appConnection = (await server.services.appConnection.createAppConnection(
+        { name, method, app, credentials, description },
+        req.permission
+      )) as TAppConnection;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.CREATE_APP_CONNECTION,
+          metadata: {
+            name,
+            method,
+            app,
+            connectionId: appConnection.id
+          }
+        }
+      });
+
+      return { appConnection };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:connectionId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Update the specified ${appName} Connection.`,
+      params: z.object({
+        connectionId: z.string().uuid().describe(AppConnections.UPDATE(app).connectionId)
+      }),
+      body: updateSchema,
+      response: {
+        200: z.object({ appConnection: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { name, credentials, description } = req.body;
+      const { connectionId } = req.params;
+
+      const appConnection = (await server.services.appConnection.updateAppConnection(
+        { name, credentials, connectionId, description },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_APP_CONNECTION,
+          metadata: {
+            name,
+            description,
+            credentialsUpdated: Boolean(credentials),
+            connectionId
+          }
+        }
+      });
+
+      return { appConnection };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: `/:connectionId`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: `Delete the specified ${appName} Connection.`,
+      params: z.object({
+        connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
+      }),
+      response: {
+        200: z.object({ appConnection: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const appConnection = (await server.services.appConnection.deleteAppConnection(
+        app,
+        connectionId,
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_APP_CONNECTION,
+          metadata: {
+            connectionId
+          }
+        }
+      });
+
+      return { appConnection };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts

@@ -0,0 +1,17 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateAwsConnectionSchema,
+  SanitizedAwsConnectionSchema,
+  UpdateAwsConnectionSchema
+} from "@app/services/app-connection/aws";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
+  registerAppConnectionEndpoints({
+    app: AppConnection.AWS,
+    server,
+    responseSchema: SanitizedAwsConnectionSchema,
+    createSchema: CreateAwsConnectionSchema,
+    updateSchema: UpdateAwsConnectionSchema
+  });

backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts

@@ -0,0 +1,17 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGitHubConnectionSchema,
+  SanitizedGitHubConnectionSchema,
+  UpdateGitHubConnectionSchema
+} from "@app/services/app-connection/github";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) =>
+  registerAppConnectionEndpoints({
+    app: AppConnection.GitHub,
+    server,
+    responseSchema: SanitizedGitHubConnectionSchema,
+    createSchema: CreateGitHubConnectionSchema,
+    updateSchema: UpdateGitHubConnectionSchema
+  });

backend/src/server/routes/v1/app-connection-routers/apps/index.ts

@@ -0,0 +1,8 @@
+import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
+import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
+  [AppConnection.AWS]: registerAwsConnectionRouter,
+  [AppConnection.GitHub]: registerGitHubConnectionRouter
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -0,0 +1,2 @@
+export * from "./app-connection-router";
+export * from "./apps";

backend/src/server/routes/v1/index.ts

@@ -1,3 +1,4 @@
+import { APP_CONNECTION_REGISTER_MAP, registerAppConnectionRouter } from "@app/server/routes/v1/app-connection-routers";
 import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
 import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
 
@@ -110,4 +111,14 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerDashboardRouter, { prefix: "/dashboard" });
   await server.register(registerCmekRouter, { prefix: "/kms" });
   await server.register(registerExternalGroupOrgRoleMappingRouter, { prefix: "/external-group-mappings" });
+
+  await server.register(
+    async (appConnectionsRouter) => {
+      await appConnectionsRouter.register(registerAppConnectionRouter);
+      for await (const [app, router] of Object.entries(APP_CONNECTION_REGISTER_MAP)) {
+        await appConnectionsRouter.register(router, { prefix: `/${app}` });
+      }
+    },
+    { prefix: "/app-connections" }
+  );
 };

backend/src/services/app-connection/app-connection-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TAppConnectionDALFactory = ReturnType<typeof appConnectionDALFactory>;
+
+export const appConnectionDALFactory = (db: TDbClient) => {
+  const appConnectionOrm = ormify(db, TableName.AppConnection);
+
+  return { ...appConnectionOrm };
+};

backend/src/services/app-connection/app-connection-enums.ts

@@ -0,0 +1,4 @@
+export enum AppConnection {
+  GitHub = "github",
+  AWS = "aws"
+}

backend/src/services/app-connection/app-connection-fns.ts

@@ -0,0 +1,92 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { TAppConnectionServiceFactoryDep } from "@app/services/app-connection/app-connection-service";
+import { TAppConnection, TAppConnectionConfig } from "@app/services/app-connection/app-connection-types";
+import {
+  AwsConnectionMethod,
+  getAwsAppConnectionListItem,
+  validateAwsConnectionCredentials
+} from "@app/services/app-connection/aws";
+import {
+  getGitHubConnectionListItem,
+  GitHubConnectionMethod,
+  validateGitHubConnectionCredentials
+} from "@app/services/app-connection/github";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+export const listAppConnectionOptions = () => {
+  return [getAwsAppConnectionListItem(), getGitHubConnectionListItem()].sort((a, b) => a.name.localeCompare(b.name));
+};
+
+export const encryptAppConnectionCredentials = async ({
+  orgId,
+  credentials,
+  kmsService
+}: {
+  orgId: string;
+  credentials: TAppConnection["credentials"];
+  kmsService: TAppConnectionServiceFactoryDep["kmsService"];
+}) => {
+  const { encryptor } = await kmsService.createCipherPairWithDataKey({
+    type: KmsDataKey.Organization,
+    orgId
+  });
+
+  const { cipherTextBlob: encryptedCredentialsBlob } = encryptor({
+    plainText: Buffer.from(JSON.stringify(credentials))
+  });
+
+  return encryptedCredentialsBlob;
+};
+
+export const decryptAppConnectionCredentials = async ({
+  orgId,
+  encryptedCredentials,
+  kmsService
+}: {
+  orgId: string;
+  encryptedCredentials: Buffer;
+  kmsService: TAppConnectionServiceFactoryDep["kmsService"];
+}) => {
+  const { decryptor } = await kmsService.createCipherPairWithDataKey({
+    type: KmsDataKey.Organization,
+    orgId
+  });
+
+  const decryptedPlainTextBlob = decryptor({
+    cipherTextBlob: encryptedCredentials
+  });
+
+  return JSON.parse(decryptedPlainTextBlob.toString()) as TAppConnection["credentials"];
+};
+
+export const validateAppConnectionCredentials = async (
+  appConnection: TAppConnectionConfig
+): Promise<TAppConnection["credentials"]> => {
+  const { app } = appConnection;
+  switch (app) {
+    case AppConnection.AWS: {
+      return validateAwsConnectionCredentials(appConnection);
+    }
+    case AppConnection.GitHub:
+      return validateGitHubConnectionCredentials(appConnection);
+    default:
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      throw new Error(`Unhandled App Connection ${app}`);
+  }
+};
+
+export const getAppConnectionMethodName = (method: TAppConnection["method"]) => {
+  switch (method) {
+    case GitHubConnectionMethod.App:
+      return "GitHub App";
+    case GitHubConnectionMethod.OAuth:
+      return "OAuth";
+    case AwsConnectionMethod.AccessKey:
+      return "Access Key";
+    case AwsConnectionMethod.AssumeRole:
+      return "Assume Role";
+    default:
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      throw new Error(`Unhandled App Connection Method: ${method}`);
+  }
+};

backend/src/services/app-connection/app-connection-maps.ts

@@ -0,0 +1,6 @@
+import { AppConnection } from "./app-connection-enums";
+
+export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
+  [AppConnection.AWS]: "AWS",
+  [AppConnection.GitHub]: "GitHub"
+};

backend/src/services/app-connection/app-connection-schemas.ts

@@ -0,0 +1,35 @@
+import { z } from "zod";
+
+import { AppConnectionsSchema } from "@app/db/schemas/app-connections";
+import { AppConnections } from "@app/lib/api-docs";
+import { slugSchema } from "@app/server/lib/schemas";
+
+import { AppConnection } from "./app-connection-enums";
+
+export const BaseAppConnectionSchema = AppConnectionsSchema.omit({
+  encryptedCredentials: true,
+  app: true,
+  method: true
+});
+
+export const GenericCreateAppConnectionFieldsSchema = (app: AppConnection) =>
+  z.object({
+    name: slugSchema({ field: "name" }).describe(AppConnections.CREATE(app).name),
+    description: z
+      .string()
+      .trim()
+      .max(256, "Description cannot exceed 256 characters")
+      .nullish()
+      .describe(AppConnections.CREATE(app).description)
+  });
+
+export const GenericUpdateAppConnectionFieldsSchema = (app: AppConnection) =>
+  z.object({
+    name: slugSchema({ field: "name" }).describe(AppConnections.UPDATE(app).name).optional(),
+    description: z
+      .string()
+      .trim()
+      .max(256, "Description cannot exceed 256 characters")
+      .nullish()
+      .describe(AppConnections.UPDATE(app).description)
+  });

backend/src/services/app-connection/app-connection-service.ts

@@ -0,0 +1,360 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  decryptAppConnectionCredentials,
+  encryptAppConnectionCredentials,
+  getAppConnectionMethodName,
+  listAppConnectionOptions,
+  validateAppConnectionCredentials
+} from "@app/services/app-connection/app-connection-fns";
+import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import {
+  TAppConnection,
+  TAppConnectionConfig,
+  TCreateAppConnectionDTO,
+  TUpdateAppConnectionDTO,
+  TValidateAppConnectionCredentials
+} from "@app/services/app-connection/app-connection-types";
+import { ValidateAwsConnectionCredentialsSchema } from "@app/services/app-connection/aws";
+import { ValidateGitHubConnectionCredentialsSchema } from "@app/services/app-connection/github";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "./app-connection-dal";
+
+export type TAppConnectionServiceFactoryDep = {
+  appConnectionDAL: TAppConnectionDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">; // TODO: remove once launched
+};
+
+export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServiceFactory>;
+
+const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAppConnectionCredentials> = {
+  [AppConnection.AWS]: ValidateAwsConnectionCredentialsSchema,
+  [AppConnection.GitHub]: ValidateGitHubConnectionCredentialsSchema
+};
+
+export const appConnectionServiceFactory = ({
+  appConnectionDAL,
+  permissionService,
+  kmsService,
+  licenseService
+}: TAppConnectionServiceFactoryDep) => {
+  // app connections are disabled for public until launch
+  const checkAppServicesAvailability = async (orgId: string) => {
+    const subscription = await licenseService.getPlan(orgId);
+
+    if (!subscription.appConnections) throw new BadRequestError({ message: "App Connections are not available yet." });
+  };
+
+  const listAppConnectionsByOrg = async (actor: OrgServiceActor, app?: AppConnection) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+
+    const appConnections = await appConnectionDAL.find(
+      app
+        ? { orgId: actor.orgId, app }
+        : {
+            orgId: actor.orgId
+          }
+    );
+
+    return Promise.all(
+      appConnections
+        .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()))
+        .map(async ({ encryptedCredentials, ...connection }) => {
+          const credentials = await decryptAppConnectionCredentials({
+            encryptedCredentials,
+            kmsService,
+            orgId: connection.orgId
+          });
+
+          return {
+            ...connection,
+            credentials
+          } as TAppConnection;
+        })
+    );
+  };
+
+  const findAppConnectionById = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const appConnection = await appConnectionDAL.findById(connectionId);
+
+    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      appConnection.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+
+    if (appConnection.app !== app)
+      throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
+
+    return {
+      ...appConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: appConnection.encryptedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
+  };
+
+  const findAppConnectionByName = async (app: AppConnection, connectionName: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const appConnection = await appConnectionDAL.findOne({ name: connectionName, orgId: actor.orgId });
+
+    if (!appConnection)
+      throw new NotFoundError({ message: `Could not find App Connection with name ${connectionName}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      appConnection.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+
+    if (appConnection.app !== app)
+      throw new BadRequestError({ message: `App Connection with name ${connectionName} is not for App "${app}"` });
+
+    return {
+      ...appConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: appConnection.encryptedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
+  };
+
+  const createAppConnection = async (
+    { method, app, credentials, ...params }: TCreateAppConnectionDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+
+    const appConnection = await appConnectionDAL.transaction(async (tx) => {
+      const isConflictingName = Boolean(
+        await appConnectionDAL.findOne(
+          {
+            name: params.name,
+            orgId: actor.orgId
+          },
+          tx
+        )
+      );
+
+      if (isConflictingName)
+        throw new BadRequestError({
+          message: `An App Connection with the name "${params.name}" already exists`
+        });
+
+      const validatedCredentials = await validateAppConnectionCredentials({
+        app,
+        credentials,
+        method,
+        orgId: actor.orgId
+      } as TAppConnectionConfig);
+
+      const encryptedCredentials = await encryptAppConnectionCredentials({
+        credentials: validatedCredentials,
+        orgId: actor.orgId,
+        kmsService
+      });
+
+      const connection = await appConnectionDAL.create(
+        {
+          orgId: actor.orgId,
+          encryptedCredentials,
+          method,
+          app,
+          ...params
+        },
+        tx
+      );
+
+      return {
+        ...connection,
+        credentials: validatedCredentials
+      };
+    });
+
+    return appConnection;
+  };
+
+  const updateAppConnection = async (
+    { connectionId, credentials, ...params }: TUpdateAppConnectionDTO,
+    actor: OrgServiceActor
+  ) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const appConnection = await appConnectionDAL.findById(connectionId);
+
+    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      appConnection.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+
+    const updatedAppConnection = await appConnectionDAL.transaction(async (tx) => {
+      if (params.name && appConnection.name !== params.name) {
+        const isConflictingName = Boolean(
+          await appConnectionDAL.findOne(
+            {
+              name: params.name,
+              orgId: appConnection.orgId
+            },
+            tx
+          )
+        );
+
+        if (isConflictingName)
+          throw new BadRequestError({
+            message: `An App Connection with the name "${params.name}" already exists`
+          });
+      }
+
+      let encryptedCredentials: undefined | Buffer;
+
+      if (credentials) {
+        const { app, method } = appConnection as DiscriminativePick<TAppConnectionConfig, "app" | "method">;
+
+        if (
+          !VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[app].safeParse({
+            method,
+            credentials
+          }).success
+        )
+          throw new BadRequestError({
+            message: `Invalid credential format for ${
+              APP_CONNECTION_NAME_MAP[app]
+            } Connection with method ${getAppConnectionMethodName(method)}`
+          });
+
+        const validatedCredentials = await validateAppConnectionCredentials({
+          app,
+          orgId: actor.orgId,
+          credentials,
+          method
+        } as TAppConnectionConfig);
+
+        if (!validatedCredentials)
+          throw new BadRequestError({ message: "Unable to validate connection - check credentials" });
+
+        encryptedCredentials = await encryptAppConnectionCredentials({
+          credentials: validatedCredentials,
+          orgId: actor.orgId,
+          kmsService
+        });
+      }
+
+      const updatedConnection = await appConnectionDAL.updateById(
+        connectionId,
+        {
+          orgId: actor.orgId,
+          encryptedCredentials,
+          ...params
+        },
+        tx
+      );
+
+      return updatedConnection;
+    });
+
+    return {
+      ...updatedAppConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: updatedAppConnection.encryptedCredentials,
+        orgId: updatedAppConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
+  };
+
+  const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
+    const appConnection = await appConnectionDAL.findById(connectionId);
+
+    if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      appConnection.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
+
+    if (appConnection.app !== app)
+      throw new BadRequestError({ message: `App Connection with ID ${connectionId} is not for App "${app}"` });
+
+    // TODO: specify delete error message if due to existing dependencies
+
+    const deletedAppConnection = await appConnectionDAL.deleteById(connectionId);
+
+    return {
+      ...deletedAppConnection,
+      credentials: await decryptAppConnectionCredentials({
+        encryptedCredentials: deletedAppConnection.encryptedCredentials,
+        orgId: deletedAppConnection.orgId,
+        kmsService
+      })
+    } as TAppConnection;
+  };
+
+  return {
+    listAppConnectionOptions,
+    listAppConnectionsByOrg,
+    findAppConnectionById,
+    findAppConnectionByName,
+    createAppConnection,
+    updateAppConnection,
+    deleteAppConnection
+  };
+};

backend/src/services/app-connection/app-connection-types.ts

@@ -0,0 +1,31 @@
+import {
+  TAwsConnection,
+  TAwsConnectionConfig,
+  TAwsConnectionInput,
+  TValidateAwsConnectionCredentials
+} from "@app/services/app-connection/aws";
+import {
+  TGitHubConnection,
+  TGitHubConnectionConfig,
+  TGitHubConnectionInput,
+  TValidateGitHubConnectionCredentials
+} from "@app/services/app-connection/github";
+
+export type TAppConnection = { id: string } & (TAwsConnection | TGitHubConnection);
+
+export type TAppConnectionInput = { id: string } & (TAwsConnectionInput | TGitHubConnectionInput);
+
+export type TCreateAppConnectionDTO = Pick<
+  TAppConnectionInput,
+  "credentials" | "method" | "name" | "app" | "description"
+>;
+
+export type TUpdateAppConnectionDTO = Partial<Omit<TCreateAppConnectionDTO, "method" | "app">> & {
+  connectionId: string;
+};
+
+export type TAppConnectionConfig = TAwsConnectionConfig | TGitHubConnectionConfig;
+
+export type TValidateAppConnectionCredentials =
+  | TValidateAwsConnectionCredentials
+  | TValidateGitHubConnectionCredentials;

backend/src/services/app-connection/aws/aws-connection-enums.ts

@@ -0,0 +1,4 @@
+export enum AwsConnectionMethod {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}

backend/src/services/app-connection/aws/aws-connection-fns.ts

@@ -0,0 +1,105 @@
+import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import AWS from "aws-sdk";
+import { randomUUID } from "crypto";
+
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { AwsConnectionMethod } from "./aws-connection-enums";
+import { TAwsConnectionConfig } from "./aws-connection-types";
+
+export const getAwsAppConnectionListItem = () => {
+  const { INF_APP_CONNECTION_AWS_ACCESS_KEY_ID } = getConfig();
+
+  return {
+    name: "AWS" as const,
+    app: AppConnection.AWS as const,
+    methods: Object.values(AwsConnectionMethod) as [AwsConnectionMethod.AssumeRole, AwsConnectionMethod.AccessKey],
+    accessKeyId: INF_APP_CONNECTION_AWS_ACCESS_KEY_ID
+  };
+};
+
+export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig, region = "us-east-1") => {
+  const appCfg = getConfig();
+
+  let accessKeyId: string;
+  let secretAccessKey: string;
+  let sessionToken: undefined | string;
+
+  const { method, credentials, orgId } = appConnection;
+
+  switch (method) {
+    case AwsConnectionMethod.AssumeRole: {
+      const client = new STSClient({
+        region,
+        credentials:
+          appCfg.INF_APP_CONNECTION_AWS_ACCESS_KEY_ID && appCfg.INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY
+            ? {
+                accessKeyId: appCfg.INF_APP_CONNECTION_AWS_ACCESS_KEY_ID,
+                secretAccessKey: appCfg.INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY
+              }
+            : undefined // if hosting on AWS
+      });
+
+      const command = new AssumeRoleCommand({
+        RoleArn: credentials.roleArn,
+        RoleSessionName: `infisical-app-connection-${randomUUID()}`,
+        DurationSeconds: 900, // 15 mins
+        ExternalId: orgId
+      });
+
+      const assumeRes = await client.send(command);
+
+      if (!assumeRes.Credentials?.AccessKeyId || !assumeRes.Credentials?.SecretAccessKey) {
+        throw new BadRequestError({ message: "Failed to assume role - verify credentials and role configuration" });
+      }
+
+      accessKeyId = assumeRes.Credentials.AccessKeyId;
+      secretAccessKey = assumeRes.Credentials.SecretAccessKey;
+      sessionToken = assumeRes.Credentials?.SessionToken;
+      break;
+    }
+    case AwsConnectionMethod.AccessKey: {
+      accessKeyId = credentials.accessKeyId;
+      secretAccessKey = credentials.secretAccessKey;
+      break;
+    }
+    default:
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      throw new InternalServerError({ message: `Unsupported AWS connection method: ${method}` });
+  }
+
+  return new AWS.Config({
+    region,
+    credentials: {
+      accessKeyId,
+      secretAccessKey,
+      sessionToken
+    }
+  });
+};
+
+export const validateAwsConnectionCredentials = async (appConnection: TAwsConnectionConfig) => {
+  const awsConfig = await getAwsConnectionConfig(appConnection);
+  const sts = new AWS.STS(awsConfig);
+  let resp: Awaited<ReturnType<ReturnType<typeof sts.getCallerIdentity>["promise"]>>;
+
+  try {
+    resp = await sts.getCallerIdentity().promise();
+  } catch (e: unknown) {
+    throw new BadRequestError({
+      message: `Unable to validate connection - verify credentials`
+    });
+  }
+
+  if (resp.$response.httpResponse.statusCode !== 200)
+    throw new InternalServerError({
+      message: `Unable to validate credentials: ${
+        resp.$response.error?.message ??
+        `AWS responded with a status code of ${resp.$response.httpResponse.statusCode}. Verify credentials and try again.`
+      }`
+    });
+
+  return appConnection.credentials;
+};

backend/src/services/app-connection/aws/aws-connection-schemas.ts

@@ -0,0 +1,82 @@
+import { z } from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { AwsConnectionMethod } from "./aws-connection-enums";
+
+export const AwsConnectionAssumeRoleCredentialsSchema = z.object({
+  roleArn: z.string().trim().min(1, "Role ARN required")
+});
+
+export const AwsConnectionAccessTokenCredentialsSchema = z.object({
+  accessKeyId: z.string().trim().min(1, "Access Key ID required"),
+  secretAccessKey: z.string().trim().min(1, "Secret Access Key required")
+});
+
+const BaseAwsConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.AWS) });
+
+export const AwsConnectionSchema = z.intersection(
+  BaseAwsConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(AwsConnectionMethod.AssumeRole),
+      credentials: AwsConnectionAssumeRoleCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(AwsConnectionMethod.AccessKey),
+      credentials: AwsConnectionAccessTokenCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedAwsConnectionSchema = z.discriminatedUnion("method", [
+  BaseAwsConnectionSchema.extend({
+    method: z.literal(AwsConnectionMethod.AssumeRole),
+    credentials: AwsConnectionAssumeRoleCredentialsSchema.omit({ roleArn: true })
+  }),
+  BaseAwsConnectionSchema.extend({
+    method: z.literal(AwsConnectionMethod.AccessKey),
+    credentials: AwsConnectionAccessTokenCredentialsSchema.omit({ secretAccessKey: true })
+  })
+]);
+
+export const ValidateAwsConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(AwsConnectionMethod.AssumeRole).describe(AppConnections?.CREATE(AppConnection.AWS).method),
+    credentials: AwsConnectionAssumeRoleCredentialsSchema.describe(AppConnections.CREATE(AppConnection.AWS).credentials)
+  }),
+  z.object({
+    method: z.literal(AwsConnectionMethod.AccessKey).describe(AppConnections?.CREATE(AppConnection.AWS).method),
+    credentials: AwsConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.AWS).credentials
+    )
+  })
+]);
+
+export const CreateAwsConnectionSchema = ValidateAwsConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.AWS)
+);
+
+export const UpdateAwsConnectionSchema = z
+  .object({
+    credentials: z
+      .union([AwsConnectionAccessTokenCredentialsSchema, AwsConnectionAssumeRoleCredentialsSchema])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.AWS).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AWS));
+
+export const AwsConnectionListItemSchema = z.object({
+  name: z.literal("AWS"),
+  app: z.literal(AppConnection.AWS),
+  // the below is preferable but currently breaks mintlify
+  // methods: z.tuple([z.literal(AwsConnectionMethod.AssumeRole), z.literal(AwsConnectionMethod.AccessKey)]),
+  methods: z.nativeEnum(AwsConnectionMethod).array(),
+  accessKeyId: z.string().optional()
+});

backend/src/services/app-connection/aws/aws-connection-types.ts

@@ -0,0 +1,22 @@
+import { z } from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import {
+  AwsConnectionSchema,
+  CreateAwsConnectionSchema,
+  ValidateAwsConnectionCredentialsSchema
+} from "./aws-connection-schemas";
+
+export type TAwsConnection = z.infer<typeof AwsConnectionSchema>;
+
+export type TAwsConnectionInput = z.infer<typeof CreateAwsConnectionSchema> & {
+  app: AppConnection.AWS;
+};
+
+export type TValidateAwsConnectionCredentials = typeof ValidateAwsConnectionCredentialsSchema;
+
+export type TAwsConnectionConfig = DiscriminativePick<TAwsConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};

backend/src/services/app-connection/aws/index.ts

@@ -0,0 +1,4 @@
+export * from "./aws-connection-enums";
+export * from "./aws-connection-fns";
+export * from "./aws-connection-schemas";
+export * from "./aws-connection-types";

backend/src/services/app-connection/github/github-connection-enums.ts

@@ -0,0 +1,4 @@
+export enum GitHubConnectionMethod {
+  OAuth = "oauth",
+  App = "github-app"
+}

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -0,0 +1,129 @@
+import { AxiosResponse } from "axios";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
+import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { AppConnection } from "../app-connection-enums";
+import { GitHubConnectionMethod } from "./github-connection-enums";
+import { TGitHubConnectionConfig } from "./github-connection-types";
+
+export const getGitHubConnectionListItem = () => {
+  const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
+
+  return {
+    name: "GitHub" as const,
+    app: AppConnection.GitHub as const,
+    methods: Object.values(GitHubConnectionMethod) as [GitHubConnectionMethod.App, GitHubConnectionMethod.OAuth],
+    oauthClientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
+    appClientSlug: INF_APP_CONNECTION_GITHUB_APP_SLUG
+  };
+};
+
+type TokenRespData = {
+  access_token: string;
+  scope: string;
+  token_type: string;
+};
+
+export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
+  const { credentials, method } = config;
+
+  const {
+    INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
+    INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
+    INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+    INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET,
+    SITE_URL
+  } = getConfig();
+
+  const { clientId, clientSecret } =
+    method === GitHubConnectionMethod.App
+      ? {
+          clientId: INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+          clientSecret: INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
+        }
+      : // oauth
+        {
+          clientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
+          clientSecret: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET
+        };
+
+  if (!clientId || !clientSecret) {
+    throw new InternalServerError({
+      message: `GitHub ${getAppConnectionMethodName(method)} environment variables have not been configured`
+    });
+  }
+
+  let tokenResp: AxiosResponse<TokenRespData>;
+
+  try {
+    tokenResp = await request.get<TokenRespData>("https://github.com/login/oauth/access_token", {
+      params: {
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: credentials.code,
+        redirect_uri: `${SITE_URL}/app-connections/github/oauth/callback`
+      },
+      headers: {
+        Accept: "application/json",
+        "Accept-Encoding": "application/json"
+      }
+    });
+  } catch (e: unknown) {
+    throw new BadRequestError({
+      message: `Unable to validate connection - verify credentials`
+    });
+  }
+
+  if (tokenResp.status !== 200) {
+    throw new BadRequestError({
+      message: `Unable to validate credentials: GitHub responded with a status code of ${tokenResp.status} (${tokenResp.statusText}). Verify credentials and try again.`
+    });
+  }
+
+  if (method === GitHubConnectionMethod.App) {
+    const installationsResp = await request.get<{
+      installations: {
+        id: number;
+        account: {
+          login: string;
+        };
+      }[];
+    }>(IntegrationUrls.GITHUB_USER_INSTALLATIONS, {
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${tokenResp.data.access_token}`,
+        "Accept-Encoding": "application/json"
+      }
+    });
+
+    const matchingInstallation = installationsResp.data.installations.find(
+      (installation) => installation.id === +credentials.installationId
+    );
+
+    if (!matchingInstallation) {
+      throw new ForbiddenRequestError({
+        message: "User does not have access to the provided installation"
+      });
+    }
+  }
+
+  switch (method) {
+    case GitHubConnectionMethod.App:
+      return {
+        // access token not needed for GitHub App
+        installationId: credentials.installationId
+      };
+    case GitHubConnectionMethod.OAuth:
+      return {
+        accessToken: tokenResp.data.access_token
+      };
+    default:
+      throw new InternalServerError({
+        message: `Unhandled GitHub connection method: ${method as GitHubConnectionMethod}`
+      });
+  }
+};

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -0,0 +1,93 @@
+import { z } from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { GitHubConnectionMethod } from "./github-connection-enums";
+
+export const GitHubConnectionOAuthInputCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required")
+});
+
+export const GitHubConnectionAppInputCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "GitHub App code required"),
+  installationId: z.string().min(1, "GitHub App Installation ID required")
+});
+
+export const GitHubConnectionOAuthOutputCredentialsSchema = z.object({
+  accessToken: z.string()
+});
+
+export const GitHubConnectionAppOutputCredentialsSchema = z.object({
+  installationId: z.string()
+});
+
+export const ValidateGitHubConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(GitHubConnectionMethod.App).describe(AppConnections.CREATE(AppConnection.GitHub).method),
+    credentials: GitHubConnectionAppInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.GitHub).credentials
+    )
+  }),
+  z.object({
+    method: z.literal(GitHubConnectionMethod.OAuth).describe(AppConnections.CREATE(AppConnection.GitHub).method),
+    credentials: GitHubConnectionOAuthInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.GitHub).credentials
+    )
+  })
+]);
+
+export const CreateGitHubConnectionSchema = ValidateGitHubConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.GitHub)
+);
+
+export const UpdateGitHubConnectionSchema = z
+  .object({
+    credentials: z
+      .union([GitHubConnectionAppInputCredentialsSchema, GitHubConnectionOAuthInputCredentialsSchema])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.GitHub).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GitHub));
+
+const BaseGitHubConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GitHub) });
+
+export const GitHubAppConnectionSchema = z.intersection(
+  BaseGitHubConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(GitHubConnectionMethod.App),
+      credentials: GitHubConnectionAppOutputCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(GitHubConnectionMethod.OAuth),
+      credentials: GitHubConnectionOAuthOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
+  BaseGitHubConnectionSchema.extend({
+    method: z.literal(GitHubConnectionMethod.App),
+    credentials: GitHubConnectionAppOutputCredentialsSchema.omit({ installationId: true })
+  }),
+  BaseGitHubConnectionSchema.extend({
+    method: z.literal(GitHubConnectionMethod.OAuth),
+    credentials: GitHubConnectionOAuthOutputCredentialsSchema.omit({ accessToken: true })
+  })
+]);
+
+export const GitHubConnectionListItemSchema = z.object({
+  name: z.literal("GitHub"),
+  app: z.literal(AppConnection.GitHub),
+  // the below is preferable but currently breaks mintlify
+  // methods: z.tuple([z.literal(GitHubConnectionMethod.GitHubApp), z.literal(GitHubConnectionMethod.OAuth)]),
+  methods: z.nativeEnum(GitHubConnectionMethod).array(),
+  oauthClientId: z.string().optional(),
+  appClientSlug: z.string().optional()
+});

backend/src/services/app-connection/github/github-connection-types.ts

@@ -0,0 +1,20 @@
+import { z } from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateGitHubConnectionSchema,
+  GitHubAppConnectionSchema,
+  ValidateGitHubConnectionCredentialsSchema
+} from "./github-connection-schemas";
+
+export type TGitHubConnection = z.infer<typeof GitHubAppConnectionSchema>;
+
+export type TGitHubConnectionInput = z.infer<typeof CreateGitHubConnectionSchema> & {
+  app: AppConnection.GitHub;
+};
+
+export type TValidateGitHubConnectionCredentials = typeof ValidateGitHubConnectionCredentialsSchema;
+
+export type TGitHubConnectionConfig = DiscriminativePick<TGitHubConnectionInput, "method" | "app" | "credentials">;

backend/src/services/app-connection/github/index.ts

@@ -0,0 +1,4 @@
+export * from "./github-connection-enums";
+export * from "./github-connection-fns";
+export * from "./github-connection-schemas";
+export * from "./github-connection-types";

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1397,14 +1397,24 @@ const syncSecretsHeroku = async ({
  * Sync/push [secrets] to Vercel project named [integration.app]
  */
 const syncSecretsVercel = async ({
+  createManySecretsRawFn,
   integration,
   integrationAuth,
-  secrets,
+  secrets: infisicalSecrets,
   accessToken
 }: {
-  integration: TIntegrations;
+  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
+  integration: TIntegrations & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
   integrationAuth: TIntegrationAuths;
-  secrets: Record<string, { value: string; comment?: string }>;
+  secrets: Record<string, { value: string; comment?: string } | null>;
   accessToken: string;
 }) => {
   interface VercelSecret {
@@ -1477,80 +1487,119 @@ const syncSecretsVercel = async ({
     }
   }
 
-  const updateSecrets: VercelSecret[] = [];
-  const deleteSecrets: VercelSecret[] = [];
-  const newSecrets: VercelSecret[] = [];
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
 
-  // Identify secrets to create
-  Object.keys(secrets).forEach((key) => {
-    if (!(key in res)) {
-      // case: secret has been created
-      newSecrets.push({
-        key,
-        value: secrets[key].value,
-        type: "encrypted",
-        target: [integration.targetEnvironment as string],
-        ...(integration.path
-          ? {
-              gitBranch: integration.path
-            }
-          : {})
-      });
+  // Default to overwrite target for old integrations that doesn't have a initial sync behavior set.
+  if (!metadata.initialSyncBehavior) {
+    metadata.initialSyncBehavior = IntegrationInitialSyncBehavior.OVERWRITE_TARGET;
+  }
+
+  const secretsToAddToInfisical: { [key: string]: VercelSecret } = {};
+
+  Object.keys(res).forEach((vercelKey) => {
+    if (!integration.lastUsed) {
+      // first time using integration
+      // -> apply initial sync behavior
+      switch (metadata.initialSyncBehavior) {
+        // Override all the secrets in Vercel
+        case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
+          if (!(vercelKey in infisicalSecrets)) infisicalSecrets[vercelKey] = null;
+          break;
+        }
+        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
+          // if the vercel secret is not in infisical, we need to add it to infisical
+          if (!(vercelKey in infisicalSecrets)) {
+            infisicalSecrets[vercelKey] = {
+              value: res[vercelKey].value
+            };
+            secretsToAddToInfisical[vercelKey] = res[vercelKey];
+          }
+          break;
+        }
+        default: {
+          throw new Error(`Invalid initial sync behavior: ${metadata.initialSyncBehavior}`);
+        }
+      }
+    } else if (!(vercelKey in infisicalSecrets)) {
+      infisicalSecrets[vercelKey] = null;
     }
   });
 
-  // Identify secrets to update and delete
-  Object.keys(res).forEach((key) => {
-    if (key in secrets) {
-      if (res[key].value !== secrets[key].value) {
-        // case: secret value has changed
-        updateSecrets.push({
-          id: res[key].id,
-          key,
-          value: secrets[key].value,
-          type: res[key].type,
-          target: res[key].target.includes(integration.targetEnvironment as string)
-            ? [...res[key].target]
-            : [...res[key].target, integration.targetEnvironment as string],
-          ...(integration.path
-            ? {
-                gitBranch: integration.path
-              }
-            : {})
-        });
-      }
-    } else {
-      // case: secret has been deleted
-      deleteSecrets.push({
-        id: res[key].id,
-        key,
-        value: res[key].value,
-        type: "encrypted", // value doesn't matter
-        target: [integration.targetEnvironment as string],
-        ...(integration.path
-          ? {
-              gitBranch: integration.path
-            }
-          : {})
-      });
-    }
-  });
-
-  // Sync/push new secrets
-  if (newSecrets.length > 0) {
-    await request.post(`${IntegrationUrls.VERCEL_API_URL}/v10/projects/${integration.app}/env`, newSecrets, {
-      params,
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json"
-      }
+  if (Object.keys(secretsToAddToInfisical).length) {
+    await createManySecretsRawFn({
+      projectId: integration.projectId,
+      environment: integration.environment.slug,
+      path: integration.secretPath,
+      secrets: Object.keys(secretsToAddToInfisical).map((key) => ({
+        secretName: key,
+        secretValue: secretsToAddToInfisical[key].value,
+        type: SecretType.Shared,
+        secretComment: ""
+      }))
     });
   }
 
-  for await (const secret of updateSecrets) {
-    if (secret.type !== "sensitive") {
-      const { id, ...updatedSecret } = secret;
-      await request.patch(`${IntegrationUrls.VERCEL_API_URL}/v9/projects/${integration.app}/env/${id}`, updatedSecret, {
+  // update and create logic
+  for await (const key of Object.keys(infisicalSecrets)) {
+    if (!(key in res) || infisicalSecrets[key]?.value !== res[key].value) {
+      // if the key is not in the vercel res, we need to create it
+      if (!(key in res)) {
+        await request.post(
+          `${IntegrationUrls.VERCEL_API_URL}/v10/projects/${integration.app}/env`,
+          {
+            key,
+            value: infisicalSecrets[key]?.value,
+            type: "encrypted",
+            target: [integration.targetEnvironment as string],
+            ...(integration.path
+              ? {
+                  gitBranch: integration.path
+                }
+              : {})
+          },
+          {
+            params,
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json"
+            }
+          }
+        );
+
+        // Else if the key already exists and its not sensitive, we need to update it
+      } else if (res[key].type !== "sensitive") {
+        await request.patch(
+          `${IntegrationUrls.VERCEL_API_URL}/v9/projects/${integration.app}/env/${res[key].id}`,
+          {
+            key,
+            value: infisicalSecrets[key]?.value,
+            type: res[key].type,
+            target: res[key].target.includes(integration.targetEnvironment as string)
+              ? [...res[key].target]
+              : [...res[key].target, integration.targetEnvironment as string],
+            ...(integration.path
+              ? {
+                  gitBranch: integration.path
+                }
+              : {})
+          },
+          {
+            params,
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json"
+            }
+          }
+        );
+      }
+    }
+  }
+
+  // delete logic
+  for await (const key of Object.keys(res)) {
+    if (infisicalSecrets[key] === null) {
+      // case: delete secret
+      await request.delete(`${IntegrationUrls.VERCEL_API_URL}/v9/projects/${integration.app}/env/${res[key].id}`, {
         params,
         headers: {
           Authorization: `Bearer ${accessToken}`,
@@ -1559,16 +1608,6 @@ const syncSecretsVercel = async ({
       });
     }
   }
-
-  for await (const secret of deleteSecrets) {
-    await request.delete(`${IntegrationUrls.VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`, {
-      params,
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json"
-      }
-    });
-  }
 };
 
 /**
@@ -4471,7 +4510,8 @@ export const syncIntegrationSecrets = async ({
         integration,
         integrationAuth,
         secrets,
-        accessToken
+        accessToken,
+        createManySecretsRawFn
       });
       break;
     case Integrations.NETLIFY:

backend/src/services/secret/secret-queue.ts

@@ -1,4 +1,5 @@
 /* eslint-disable no-await-in-loop */
+import opentelemetry from "@opentelemetry/api";
 import { AxiosError } from "axios";
 
 import {
@@ -158,6 +159,12 @@ export const secretQueueFactory = ({
   projectUserMembershipRoleDAL,
   projectKeyDAL
 }: TSecretQueueFactoryDep) => {
+  const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
+  const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
+    description: "Integration secret sync errors",
+    unit: "1"
+  });
+
   const removeSecretReminder = async (dto: TRemoveSecretReminderDTO) => {
     const appCfg = getConfig();
     await queueService.stopRepeatableJob(
@@ -933,6 +940,19 @@ export const secretQueueFactory = ({
               `Secret integration sync error [projectId=${job.data.projectId}] [environment=${environment}]  [secretPath=${job.data.secretPath}]`
             );
 
+            const appCfg = getConfig();
+            if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+              errorHistogram.record(1, {
+                version: 1,
+                integration: integration.integration,
+                integrationId: integration.id,
+                type: err instanceof AxiosError ? "AxiosError" : err?.constructor?.name || "UnknownError",
+                status: err instanceof AxiosError ? err.response?.status : undefined,
+                name: err instanceof Error ? err.name : undefined,
+                projectId: integration.projectId
+              });
+            }
+
             const message =
               // eslint-disable-next-line no-nested-ternary
               (err instanceof AxiosError

docs/api-reference/endpoints/app-connections/aws/create.mdx

@@ -0,0 +1,9 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/aws"
+---
+
+<Note>
+    Check out the configuration docs for [AWS Connections](/integrations/app-connections/aws) to learn how to obtain
+    the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/aws/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/aws/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/aws/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/aws/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/aws/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/aws/name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/aws/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/aws"
+---

docs/api-reference/endpoints/app-connections/aws/update.mdx

@@ -0,0 +1,9 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/aws/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [AWS Connections](/integrations/app-connections/aws) to learn how to obtain
+    the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/github/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/github"
+---
+
+<Note>
+    GitHub Connections must be created through the Infisical UI.
+    Check out the configuration docs for [GitHub Connections](/integrations/app-connections/github) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/app-connections/github/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/github/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/github/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/github/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/github/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/github/name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/github/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/github"
+---

docs/api-reference/endpoints/app-connections/github/update.mdx

@@ -0,0 +1,10 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/github/{connectionId}"
+---
+
+<Note>
+    GitHub Connections must be updated through the Infisical UI.
+    Check out the configuration docs for [GitHub Connections](/integrations/app-connections/github) for a step-by-step
+    guide.
+</Note>

docs/api-reference/endpoints/app-connections/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections"
+---

docs/api-reference/endpoints/app-connections/options.mdx

@@ -0,0 +1,4 @@
+---
+title: "Options"
+openapi: "GET /api/v1/app-connections/options"
+---

docs/cli/commands/ssh.mdx

@@ -0,0 +1,116 @@
+---
+title: "infisical ssh"
+description: "Generate SSH credentials with the CLI"
+---
+
+## Description
+
+[Infisical SSH](/documentation/platform/ssh) lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
+
+This command enables you to obtain SSH credentials used to access a remote host; we recommend using the `issue-credentials` sub-command to generate dynamic SSH credentials for each SSH session.
+
+### Sub-commands
+
+<Accordion title="infisical ssh issue-credentials">
+    This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template.
+    
+    We recommend using the `--addToAgent` flag to automatically load issued SSH credentials to the SSH agent.
+    
+    ```bash
+    $ infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<principals> --addToAgent
+    ```
+
+    ### Flags
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--addToAgent">
+        Whether to add issued SSH credentials to the SSH agent.
+        
+        Default value: `false`
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH credentials to such as `~/.ssh`, `./some_folder`, `./some_folder/id_rsa-cert.pub`. If not provided, the credentials will be saved to the current working directory where the command is run.
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--keyAlgorithm">
+        The key algorithm to issue SSH credentials for.
+        
+        Default value: `RSA_2048`
+        
+        Available options: `RSA_2048`, `RSA_4096`, `EC_prime256v1`, `EC_secp384r1`.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>
+
+<Accordion title="infisical ssh sign-key">
+    This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
+    
+    ```bash
+    $ infisical ssh sign-key --certificateTemplateId=<certificate-template-id> --publicKey=<public-key> --principals=<principals> --outFilePath=<out-file-path>
+    ```
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue the SSH certificate for.
+    </Accordion>
+    <Accordion title="--publicKey">
+        The public key to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--publicKeyFilePath">
+        The path to the public key file to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH certificate to such as `~/.ssh/id_rsa-cert.pub`; the specified file must have the `.pub` extension. If not provided, the credentials will be saved to the directory of the specified `--publicKeyFilePath` or the current working directory where the command is run.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>

docs/documentation/platform/ssh.mdx

@@ -6,7 +6,7 @@ description: "Learn how to generate SSH credentials to provide secure and centra
 
 ## Concept
 
-Infisical can be used to issue SSH certificates to clients to provide short-lived, secure SSH access to infrastructure;
+Infisical can be used to issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure;
 this improves on many limitations of traditional SSH key-based authentication via mitigation of private key compromise, static key management,
 unauthorized access, and SSH key sprawl.
 
@@ -191,7 +191,9 @@ infisical login
 
     - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
     - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
-
+    
+    For fuller documentation on commands and flags supported by the Infisical CLI for SSH, refer to the docs [here](/cli/commands/ssh).
+ 
   </Step>
   <Step title="SSH into the host">
     Finally, SSH into the desired host; the SSH operation will be performed using the SSH certificate loaded into the SSH agent.
@@ -199,11 +201,10 @@ infisical login
     ```bash
     ssh username@hostname
     ```
-
   </Step>
 </Steps>
 
 <Note>
   Note that the above workflow can be executed via API or other client methods
   such as SDK.
-</Note>
+</Note>

docs/integrations/app-connections/aws.mdx

@@ -0,0 +1,354 @@
+---
+title: "AWS Connection"
+description: "Learn how to configure an AWS Connection for Infisical."
+---
+
+Infisical supports two methods for connecting to AWS.
+
+<Tabs>
+    <Tab title="Assume Role (Recommended)">
+        Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
+
+        **Prerequisites:**
+
+        - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+        <Accordion title="Self-Hosted Instance">
+            To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.
+
+            If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
+
+            The following steps are for instances not deployed on AWS:
+            <Steps>
+                <Step title="Create an IAM User">
+                    Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
+                </Step>
+                <Step title="Create an Inline Policy">
+                    Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
+                    ```json
+                    {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                    {
+                        "Sid": "AllowAssumeAnyRole",
+                        "Effect": "Allow",
+                        "Action": "sts:AssumeRole",
+                        "Resource": "arn:aws:iam::*:role/*"
+                    }
+                        ]
+                    }
+                    ```
+                </Step>
+                <Step title="Obtain the IAM User Credentials">
+                    Obtain the AWS access key ID and secret access key for your IAM User by navigating to **IAM > Users > [Your User] > Security credentials > Access keys**.
+
+                    ![Access Key Step 1](/images/integrations/aws/integrations-aws-access-key-1.png)
+                    ![Access Key Step 2](/images/integrations/aws/integrations-aws-access-key-2.png)
+                    ![Access Key Step 3](/images/integrations/aws/integrations-aws-access-key-3.png)
+                </Step>
+                <Step title="Set Up Connection Keys">
+                    1. Set the access key as **INF_APP_CONNECTION_AWS_CLIENT_ID**.
+                    2. Set the secret key as **INF_APP_CONNECTION_AWS_CLIENT_SECRET**.
+                </Step>
+            </Steps>
+        </Accordion>
+
+        <Steps>
+            <Step title="Create the Managing User IAM Role for Infisical">
+                1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
+                ![IAM Role Creation](/images/integrations/aws/integration-aws-iam-assume-role.png)
+
+                2. Select **AWS Account** as the **Trusted Entity Type**.
+                3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
+                4. Optionally, enable **Require external ID** and enter your **Organization ID** to further enhance security.
+            </Step>
+
+            <Step title="Add Required Permissions for the IAM Role">
+                Depending on your use case, add one or more of the following policies to your IAM Role:
+
+                <Tabs>
+                    <Tab title="Secrets Sync">
+                        <AccordionGroup>
+                            <Accordion title="AWS Secrets Manager">
+                                Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
+
+                                ![IAM Role Secrets Manager Permissions](/images/app-connections/aws/secrets-manager-permissions.png)
+
+                                ```json
+                                {
+                                    "Version": "2012-10-17",
+                                    "Statement": [
+                                        {
+                                            "Sid": "AllowSecretsManagerAccess",
+                                            "Effect": "Allow",
+                                            "Action": [
+                                            "secretsmanager:GetSecretValue",
+                                            "secretsmanager:CreateSecret",
+                                            "secretsmanager:UpdateSecret",
+                                            "secretsmanager:DescribeSecret",
+                                            "secretsmanager:TagResource",
+                                            "secretsmanager:UntagResource",
+                                            "kms:ListKeys",
+                                            "kms:ListAliases",
+                                            "kms:Encrypt",
+                                            "kms:Decrypt"
+                                            ],
+                                            "Resource": "*"
+                                        }
+                                    ]
+                                }
+                                ```
+                            </Accordion>
+                            <Accordion title="AWS Parameter Store">
+                                Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
+
+                                ![IAM Role Secrets Manager Permissions](/images/app-connections/aws/parameter-store-permissions.png)
+
+                                ```json
+                                {
+                                    "Version": "2012-10-17",
+                                    "Statement": [
+                                        {
+                                            "Sid": "AllowSSMAccess",
+                                            "Effect": "Allow",
+                                            "Action": [
+                                            "ssm:PutParameter",
+                                            "ssm:DeleteParameter",
+                                            "ssm:GetParameters",
+                                            "ssm:GetParametersByPath",
+                                            "ssm:DescribeParameters",
+                                            "ssm:DeleteParameters",
+                                            "ssm:AddTagsToResource", // if you need to add tags to secrets
+                                            "kms:ListKeys", // if you need to specify the KMS key
+                                            "kms:ListAliases", // if you need to specify the KMS key
+                                            "kms:Encrypt", // if you need to specify the KMS key
+                                            "kms:Decrypt" // if you need to specify the KMS key
+                                            ],
+                                            "Resource": "*"
+                                        }
+                                    ]
+                                }
+                                ```
+                            </Accordion>
+                        </AccordionGroup>
+                    </Tab>
+                </Tabs>
+            </Step>
+
+            <Step title="Copy the AWS IAM Role ARN">
+                ![Copy IAM Role ARN](/images/integrations/aws/integration-aws-iam-assume-arn.png)
+            </Step>
+
+            <Step title="Setup AWS Connection in Infisical">
+                <Tabs>
+                    <Tab title="Infisical UI">
+                        1. Navigate to the App Connections tab on the Organization Settings page.
+                        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+
+                        2. Select the **AWS Connection** option.
+                        ![Select AWS Connection](/images/app-connections/aws/select-aws-connection.png)
+
+                        3. Select the **Assume Role** method option and provide the **AWS IAM Role ARN** obtained from the previous step and press **Connect to AWS**.
+                        ![Create AWS Connection](/images/app-connections/aws/create-assume-role-method.png)
+
+                        4. Your **AWS Connection** is now available for use.
+                        ![Assume Role AWS Connection](/images/app-connections/aws/assume-role-connection.png)
+                    </Tab>
+                    <Tab title="API">
+                        To create an AWS Connection, make an API request to the [Create AWS
+                        Connection](/api-reference/endpoints/app-connections/aws/create) API endpoint.
+
+                        ### Sample request
+
+                        ```bash Request
+                        curl    --request POST \
+                                --url https://app.infisical.com/api/v1/app-connections/aws \
+                                --header 'Content-Type: application/json' \
+                                --data '{
+                                    "name": "my-aws-connection",
+                                    "method": "assume-role",
+                                    "credentials": {
+                                        "roleArn": "...",
+                                    }
+                                }'
+                        ```
+
+                        ### Sample response
+
+                        ```bash Response
+                        {
+                            "appConnection": {
+                                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                                "name": "my-aws-connection",
+                                "version": 123,
+                                "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                                "createdAt": "2023-11-07T05:31:56Z",
+                                "updatedAt": "2023-11-07T05:31:56Z",
+                                "app": "aws",
+                                "method": "assume-role",
+                                "credentials": {}
+                            }
+                        }
+                        ```
+                    </Tab>
+                </Tabs>
+            </Step>
+        </Steps>
+
+    </Tab>
+    <Tab title="Access Key">
+        Infisical will use the provided **Access Key ID** and **Secret Key** to connect to your AWS instance.
+
+        **Prerequisites:**
+
+        - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+        <Steps>
+            <Step title="Create the Managing User IAM Role for Infisical">
+                1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
+                ![IAM Role Creation](/images/integrations/aws/integration-aws-iam-assume-role.png)
+
+                2. Select **AWS Account** as the **Trusted Entity Type**.
+                3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
+                4. Optionally, enable **Require external ID** and enter your **Organization ID** to further enhance security.
+            </Step>
+
+            <Step title="Add Required Permissions for the IAM Role">
+                Depending on your use case, add one or more of the following policies to your IAM Role:
+
+                <Tabs>
+                    <Tab title="Secrets Sync">
+                        <AccordionGroup>
+                            <Accordion title="AWS Secrets Manager">
+                                Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
+
+                                ![IAM Role Secrets Manager Permissions](/images/app-connections/aws/secrets-manager-permissions.png)
+
+                                ```json
+                                {
+                                    "Version": "2012-10-17",
+                                    "Statement": [
+                                {
+                                    "Sid": "AllowSecretsManagerAccess",
+                                    "Effect": "Allow",
+                                    "Action": [
+                                    "secretsmanager:GetSecretValue",
+                                    "secretsmanager:CreateSecret",
+                                    "secretsmanager:UpdateSecret",
+                                    "secretsmanager:DescribeSecret",
+                                    "secretsmanager:TagResource",
+                                    "secretsmanager:UntagResource",
+                                    "kms:ListKeys",
+                                    "kms:ListAliases",
+                                    "kms:Encrypt",
+                                    "kms:Decrypt"
+                                    ],
+                                    "Resource": "*"
+                                }
+                                    ]
+                                }
+                                ```
+                            </Accordion>
+                            <Accordion title="AWS Parameter Store">
+                                Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
+
+                                ![IAM Role Secrets Manager Permissions](/images/app-connections/aws/parameter-store-permissions.png)
+
+                                ```json
+                                {
+                                    "Version": "2012-10-17",
+                                    "Statement": [
+                                {
+                                    "Sid": "AllowSSMAccess",
+                                    "Effect": "Allow",
+                                    "Action": [
+                                    "ssm:PutParameter",
+                                    "ssm:DeleteParameter",
+                                    "ssm:GetParameters",
+                                    "ssm:GetParametersByPath",
+                                    "ssm:DescribeParameters",
+                                    "ssm:DeleteParameters",
+                                    "ssm:AddTagsToResource", // if you need to add tags to secrets
+                                    "kms:ListKeys", // if you need to specify the KMS key
+                                    "kms:ListAliases", // if you need to specify the KMS key
+                                    "kms:Encrypt", // if you need to specify the KMS key
+                                    "kms:Decrypt" // if you need to specify the KMS key
+                                    ],
+                                    "Resource": "*"
+                                }
+                                    ]
+                                }
+                                ```
+                            </Accordion>
+                        </AccordionGroup>
+                    </Tab>
+                </Tabs>
+            </Step>
+            <Step title="Obtain Access Key ID and Secret Access Key">
+                Retrieve an AWS **Access Key ID** and a **Secret Key** for your IAM user in **IAM > Users > User > Security credentials > Access keys**.
+
+                ![access key 1](/images/integrations/aws/integrations-aws-access-key-1.png)
+                ![access key 2](/images/integrations/aws/integrations-aws-access-key-2.png)
+                ![access key 3](/images/integrations/aws/integrations-aws-access-key-3.png)
+            </Step>
+            <Step title="Setup AWS Connection in Infisical">
+                <Tabs>
+                    <Tab title="Infisical UI">
+                        1. Navigate to the App Connections tab on the Organization Settings page.
+                        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+
+                        2. Select the **AWS Connection** option.
+                        ![Select AWS Connection](/images/app-connections/aws/select-aws-connection.png)
+
+                        3. Select the **Access Key** method option and provide the **Access Key ID** and **Secret Key** obtained from the previous step and press **Connect to AWS**.
+                        ![Create AWS Connection](/images/app-connections/aws/create-access-key-method.png)
+
+                        4. Your **AWS Connection** is now available for use.
+                        ![Assume Role AWS Connection](/images/app-connections/aws/access-key-connection.png)
+                    </Tab>
+                    <Tab title="API">
+                        To create an AWS Connection, make an API request to the [Create AWS
+                        Connection](/api-reference/endpoints/app-connections/aws/create) API endpoint.
+
+                        ### Sample request
+
+                        ```bash Request
+                        curl    --request POST \
+                                --url https://app.infisical.com/api/v1/app-connections/aws \
+                                --header 'Content-Type: application/json' \
+                                --data '{
+                                    "name": "my-aws-connection",
+                                    "method": "access-key",
+                                    "credentials": {
+                                        "accessKeyId": "...",
+                                        "secretKey": "..."
+                                    }
+                                }'
+                        ```
+
+                        ### Sample response
+
+                        ```bash Response
+                        {
+                            "appConnection": {
+                                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                                "name": "my-aws-connection",
+                                "version": 123,
+                                "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                                "createdAt": "2023-11-07T05:31:56Z",
+                                "updatedAt": "2023-11-07T05:31:56Z",
+                                "app": "aws",
+                                "method": "access-key",
+                                "credentials": {
+                                    "accessKeyId": "..."
+                                }
+                            }
+                        }
+                        ```
+                    </Tab>
+                </Tabs>
+            </Step>
+        </Steps>
+
+    </Tab>
+</Tabs>

docs/integrations/app-connections/github.mdx

@@ -0,0 +1,169 @@
+---
+title: "GitHub Connection"
+description: "Learn how to configure a GitHub Connection for Infisical."
+---
+
+Infisical supports two methods for connecting to GitHub.
+
+<Tabs>
+    <Tab title="GitHub App (Recommended)">
+        Infisical will use a GitHub App with finely grained permissions to connect to GitHub.
+
+        **Prerequisites:**
+
+        - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+        <Accordion title="Self-Hosted Instance">
+            Using the GitHub integration with app authentication on a self-hosted instance of Infisical requires configuring an application on GitHub
+            and registering your instance with it.
+
+            <Steps>
+                <Step title="Create an application on GitHub">
+                    Navigate to the GitHub app settings [here](https://github.com/settings/apps). Click **New GitHub App**.
+
+                    ![integrations github app create](/images/integrations/github/app/self-hosted-github-app-create.png)
+
+                    Give the application a name, a homepage URL (your self-hosted domain i.e. `https://your-domain.com`), and a callback URL (i.e. `https://your-domain.com/app-connections/github/oauth/callback`).
+
+                    ![integrations github app basic details](/images/integrations/github/app/self-hosted-github-app-basic-details.png)
+
+                    Enable request user authorization during app installation.
+                    ![integrations github app enable auth](/images/integrations/github/app/self-hosted-github-app-enable-oauth.png)
+
+                    Disable webhook by unchecking the Active checkbox.
+                    ![integrations github app webhook](/images/integrations/github/app/self-hosted-github-app-webhook.png)
+
+                    Set the repository permissions as follows: Metadata: Read-only, Secrets: Read and write, Environments: Read and write, Actions: Read.
+                    ![integrations github app repository](/images/integrations/github/app/self-hosted-github-app-repository.png)
+
+                    Similarly, set the organization permissions as follows: Secrets: Read and write.
+                    ![integrations github app organization](/images/integrations/github/app/self-hosted-github-app-organization.png)
+
+                    Create the Github application.
+                    ![integrations github app create confirm](/images/integrations/github/app/self-hosted-github-app-create-confirm.png)
+
+                    <Note>
+                        If you have a GitHub organization, you can create an application under it
+                        in your organization Settings > Developer settings > GitHub Apps > New GitHub App.
+                    </Note>
+                </Step>
+                <Step title="Add your application credentials to Infisical">
+                    Generate a new **Client Secret** for your GitHub application.
+                    ![integrations github app create secret](/images/integrations/github/app/self-hosted-github-app-secret.png)
+
+                    Generate a new **Private Key** for your Github application.
+                    ![integrations github app create private key](/images/integrations/github/app/self-hosted-github-app-private-key.png)
+
+                    Obtain the necessary Github application credentials. This would be the application slug, client ID, app ID, client secret, and private key.
+                    ![integrations github app credentials](/images/integrations/github/app/self-hosted-github-app-credentials.png)
+
+                    Back in your Infisical instance, add the five new environment variables for the credentials of your GitHub application:
+
+                    - `INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID`: The **Client ID** of your GitHub application.
+                    - `INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET`: The **Client Secret** of your GitHub application.
+                    - `INF_APP_CONNECTION_GITHUB_APP_CLIENT_SLUG`: The **Slug** of your GitHub application. This is the one found in the URL.
+                    - `INF_APP_CONNECTION_GITHUB_APP_CLIENT_APP_ID`: The **App ID** of your GitHub application.
+                    - `INF_APP_CONNECTION_GITHUB_APP_CLIENT_PRIVATE_KEY`: The **Private Key** of your GitHub application.
+
+                    Once added, restart your Infisical instance and use the GitHub integration via app authentication.
+                </Step>
+            </Steps>
+        </Accordion>
+
+        ## Setup GitHub Connection in Infisical
+
+        <Steps>
+            <Step title="Navigate to the App Connections">
+                Navigate to the **App Connections** tab on the **Organization Settings** page.
+                ![App Connections Tab](/images/app-connections/general/add-connection.png)
+            </Step>
+            <Step title="Add Connection">
+                Select the **GitHub Connection** option from the connection options modal.
+                ![Select GitHub Connection](/images/app-connections/github/select-github-connection.png)
+            </Step>
+            <Step title="Authorize Connection">
+                Select the **GitHub App** method and click **Connect to GitHub**.
+                ![Connect via GitHub App](/images/app-connections/github/create-github-app-method.png)
+            </Step>
+            <Step title="Install GitHub App">
+                You will then be redirected to the GitHub app installation page.
+
+                Install and authorize the GitHub application. This will redirect you back to Infisical's App Connections page.
+                ![Install GitHub App](/images/app-connections/github/install-github-app.png)
+            </Step>
+            <Step title="Connection Created">
+                Your **GitHub Connection** is now available for use.
+                ![Assume Role AWS Connection](/images/app-connections/github/github-app-connection.png)
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="OAuth">
+        Infisical will use an OAuth App to connect to GitHub.
+
+        **Prerequisites:**
+
+        - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+        <Accordion title="Self-Hosted Instance">
+            Using the GitHub integration on a self-hosted instance of Infisical requires configuring an OAuth application in GitHub
+            and registering your instance with it.
+            <Steps>
+                <Step title="Create an OAuth application in GitHub">
+                    Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
+
+                    ![integrations github config](../../images/integrations/github/integrations-github-config-settings.png)
+                    ![integrations github config](../../images/integrations/github/integrations-github-config-dev-settings.png)
+                    ![integrations github config](../../images/integrations/github/integrations-github-config-new-app.png)
+
+                    Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
+                    and the **Authorization callback URL** to `https://your-domain.com/app-connections/github/oauth/callback`.
+
+                    ![integrations github config](../../images/integrations/github/integrations-github-config-new-app-form.png)
+
+                    <Note>
+                        If you have a GitHub organization, you can create an OAuth application under it
+                        in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
+                    </Note>
+                </Step>
+                <Step title="Add your OAuth application credentials to Infisical">
+                    Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
+
+                    ![integrations github config](../../images/integrations/github/integrations-github-config-credentials.png)
+
+                    Back in your Infisical instance, add two new environment variables for the credentials of your GitHub OAuth application:
+
+                    - `INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID`: The **Client ID** of your GitHub OAuth application.
+                    - `INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET`: The **Client Secret** of your GitHub OAuth application.
+
+                    Once added, restart your Infisical instance and use the GitHub integration.
+                </Step>
+            </Steps>
+        </Accordion>
+
+        ## Setup GitHub Connection in Infisical
+
+        <Steps>
+            <Step title="Navigate to the App Connections">
+                Navigate to the **App Connections** tab on the **Organization Settings** page.
+                ![App Connections Tab](/images/app-connections/general/add-connection.png)
+            </Step>
+            <Step title="Add Connection">
+                Select the **GitHub Connection** option from the connection options modal.
+                ![Select GitHub Connection](/images/app-connections/github/select-github-connection.png)
+            </Step>
+            <Step title="Authorize Connection">
+                Select the **OAuth** method and click **Connect to GitHub**.
+                ![Connect via GitHub App](/images/app-connections/github/create-oauth-method.png)
+            </Step>
+            <Step title="Grant Access">
+                You will then be redirected to the GitHub to grant Infisical access to your GitHub account (organization and repo privileges).
+                Once granted, you will redirect you back to Infisical's App Connections page.
+                ![GitHub Authorization](/images/integrations/github/integrations-github-auth.png)
+            </Step>
+            <Step title="Connection Created">
+                Your **GitHub Connection** is now available for use.
+                ![Assume Role AWS Connection](/images/app-connections/github/oauth-connection.png)
+            </Step>
+        </Steps>
+    </Tab>
+</Tabs>

docs/integrations/app-connections/overview.mdx

@@ -0,0 +1,77 @@
+---
+sidebarTitle: "Overview"
+description: "Learn how to manage and configure third-party app connections with Infisical."
+---
+
+App Connections enable your organization to integrate Infisical with third-party services in a secure and versatile way.
+
+## Concept
+
+App Connections are an organization-level resource used to establish connections with third-party applications
+that can be used across Infisical projects. Example use cases include syncing secrets, generating dynamic secrets, and more.
+
+<br />
+
+<div align="center">
+
+    ```mermaid
+    %%{init: {'flowchart': {'curve': 'linear'} } }%%
+    graph TD
+    A[AWS]
+    B[AWS Connection]
+    C[Project 1 Secret Sync]
+    D[Project 2 Secret Sync]
+    E[Project 3 Generate Dynamic Secret]
+
+    B --> A
+    C --> B
+    D --> B
+    E --> B
+
+    classDef default fill:#ffffff,stroke:#666,stroke-width:2px,rx:10px,color:black
+    classDef aws fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:15px
+    classDef project fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
+    classDef connection fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
+
+    class A aws
+    class B connection
+    class C,D,E project
+    ```
+
+</div>
+
+## Workflow
+
+App Connections require initial setup in both your third-party application and Infisical. Follow these steps to establish a secure connection:
+
+<Note>
+    For step-by-step guides specific to each application, refer to the App Connections section in the Navigation Bar.
+</Note>
+
+1. <strong>Create Access Entity:</strong> If necessary, create an entity such as a service account or role within the third-party application you want to connect to. Be sure
+to limit the access of this entity to the minimal permission set required to perform the operations you need. For example:
+    - For secret syncing: Read/write permissions to specific secret stores
+    - For dynamic secrets: Permissions to create temporary credentials
+
+<Tip>
+    Whenever possible, Infisical encourages creating a designated service account for your App Connection to limit the scope of permissions based on your use-case.
+</Tip>
+
+2. <strong>Generate Authentication Credentials:</strong> Obtain the required credentials from your third-party application. These can vary between applications and might be:
+    - an API key or access token
+    - A client ID and secret pair
+    - other credentials, etc.
+
+3. <strong>Create App Connection:</strong> Configure the connection in Infisical using your generated credentials through either the UI or API.
+
+<Info>
+    Some App Connections can only be created via the UI such as connections using OAuth.
+</Info>
+
+4. <strong>Utilize the Connection:</strong> Use your App Connection for various features across Infisical such as our Secrets Sync by selecting it via the dropdown menu
+in the UI or by passing the associated `connectionId` when generating resources via the API.
+
+<Note>
+    Infisical is continuously expanding its third-party application support. If your desired application isn't listed,
+    you can still use previous methods of connecting to it such as our Native Integrations.
+</Note>

docs/mint.json

@@ -320,6 +320,7 @@
             "cli/commands/run",
             "cli/commands/secrets",
             "cli/commands/dynamic-secrets",
+            "cli/commands/ssh",
             "cli/commands/export",
             "cli/commands/token",
             "cli/commands/service-token",
@@ -341,6 +342,14 @@
         "cli/faq"
       ]
     },
+    {
+      "group": "App Connections",
+      "pages": [
+        "integrations/app-connections/overview",
+        "integrations/app-connections/aws",
+        "integrations/app-connections/github"
+      ]
+    },
     {
       "group": "Infrastructure Integrations",
       "pages": [
@@ -757,6 +766,33 @@
             "api-reference/endpoints/identity-specific-privilege/list"
           ]
         },
+        {
+          "group": "App Connections",
+          "pages": [
+            "api-reference/endpoints/app-connections/list",
+            "api-reference/endpoints/app-connections/options",
+            { "group":  "AWS",
+              "pages": [
+                "api-reference/endpoints/app-connections/aws/list",
+                "api-reference/endpoints/app-connections/aws/get-by-id",
+                "api-reference/endpoints/app-connections/aws/get-by-name",
+                "api-reference/endpoints/app-connections/aws/create",
+                "api-reference/endpoints/app-connections/aws/update",
+                "api-reference/endpoints/app-connections/aws/delete"
+              ]
+            },
+            { "group":  "GitHub",
+              "pages": [
+                "api-reference/endpoints/app-connections/github/list",
+                "api-reference/endpoints/app-connections/github/get-by-id",
+                "api-reference/endpoints/app-connections/github/get-by-name",
+                "api-reference/endpoints/app-connections/github/create",
+                "api-reference/endpoints/app-connections/github/update",
+                "api-reference/endpoints/app-connections/github/delete"
+              ]
+            }
+          ]
+        },
         {
           "group": "Integrations",
           "pages": [

docs/self-hosting/configuration/envars.mdx

@@ -418,7 +418,53 @@ When set, all visits to the Infisical login page will automatically redirect use
   information.
 </Accordion>
 
-## Native secret integrations
+## App Connections
+
+You can configure third-party app connections for re-use across Infisical Projects.
+
+<Accordion title="AWS Assume Role Connection">
+    <ParamField query="INF_APP_CONNECTION_AWS_ACCESS_KEY_ID" type="string" default="none" optional>
+        The AWS IAM User access key ID for assuming roles
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY" type="string" default="none" optional>
+        The AWS IAM User secret key for assuming roles
+    </ParamField>
+</Accordion>
+
+<Accordion title="GitHub App Connection">
+    <ParamField query="INF_APP_CONNECTION_GITHUB_APP_ID" type="string" default="none" optional>
+        The ID of the GitHub App
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITHUB_APP_SLUG" type="string" default="none" optional>
+        The slug of the GitHub App
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID" type="string" default="none" optional>
+        The client ID for the GitHub App
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET" type="string" default="none" optional>
+        The client secret for the GitHub App
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY" type="string" default="none" optional>
+        The private key for the GitHub App
+    </ParamField>
+</Accordion>
+
+<Accordion title="GitHub OAuth Connection">
+    <ParamField query="INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID" type="string" default="none" optional>
+        The OAuth2 client ID for GitHub OAuth Connection
+    </ParamField>
+
+    <ParamField query="INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET" type="string" default="none" optional>
+        The OAuth2 client secret for GitHub OAuth Connection
+    </ParamField>
+</Accordion>
+
+## Native Secret Integrations
 
 To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.
 
@@ -492,7 +538,7 @@ To help you sync secrets from Infisical to services such as Github and Gitlab, I
   </ParamField>
 </Accordion>
 
-<Accordion title="AWS">
+<Accordion title="AWS Integration">
   <ParamField query="CLIENT_ID_AWS_INTEGRATION" type="string" default="none" optional>
 	  The AWS IAM User access key for assuming roles.
   </ParamField>

frontend/src/components/navigation/RegionSelect.tsx

@@ -3,6 +3,7 @@ import { faCheck } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { Modal, ModalContent, ModalTrigger, Select, SelectItem } from "@app/components/v2";
+import { isInfisicalCloud } from "@app/helpers/platform";
 
 enum Region {
   US = "us",
@@ -79,10 +80,7 @@ export const RegionSelect = () => {
   };
 
   const shouldDisplay =
-    window.location.origin.includes("https://app.infisical.com") ||
-    window.location.origin.includes("https://us.infisical.com") ||
-    window.location.origin.includes("https://eu.infisical.com") ||
-    window.location.origin.includes("http://localhost:8080");
+    isInfisicalCloud() || window.location.origin.includes("http://localhost:8080");
 
   // only display region select for cloud
   if (!shouldDisplay) return null;

frontend/src/components/v2/FormControl/FormControl.tsx

@@ -44,7 +44,7 @@ export const FormLabel = ({
     )}
     {tooltipText && (
       <Tooltip content={tooltipText} className={tooltipClassName}>
-        <FontAwesomeIcon icon={faQuestionCircle} size="1x" className="ml-2" />
+        <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
       </Tooltip>
     )}
   </Label.Root>

frontend/src/context/OrgPermissionContext/types.ts

@@ -23,7 +23,8 @@ export enum OrgPermissionSubjects {
   Kms = "kms",
   AdminConsole = "organization-admin-console",
   AuditLogs = "audit-logs",
-  ProjectTemplates = "project-templates"
+  ProjectTemplates = "project-templates",
+  AppConnections = "app-connections"
 }
 
 export enum OrgPermissionAdminConsoleAction {
@@ -47,6 +48,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
-  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates];
+  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
+  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections];
 
 export type TOrgPermission = MongoAbility<OrgPermissionSet>;

frontend/src/helpers/appConnections.ts

@@ -0,0 +1,29 @@
+import { faGithub } from "@fortawesome/free-brands-svg-icons";
+import { faKey, faPassport, faUser } from "@fortawesome/free-solid-svg-icons";
+
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import {
+  AwsConnectionMethod,
+  GitHubConnectionMethod,
+  TAppConnection
+} from "@app/hooks/api/appConnections/types";
+
+export const APP_CONNECTION_MAP: Record<AppConnection, { name: string; image: string }> = {
+  [AppConnection.AWS]: { name: "AWS", image: "Amazon Web Services.png" },
+  [AppConnection.GitHub]: { name: "GitHub", image: "GitHub.png" }
+};
+
+export const getAppConnectionMethodDetails = (method: TAppConnection["method"]) => {
+  switch (method) {
+    case GitHubConnectionMethod.App:
+      return { name: "GitHub App", icon: faGithub };
+    case GitHubConnectionMethod.OAuth:
+      return { name: "OAuth", icon: faPassport };
+    case AwsConnectionMethod.AccessKey:
+      return { name: "Access Key", icon: faKey };
+    case AwsConnectionMethod.AssumeRole:
+      return { name: "Assume Role", icon: faUser };
+    default:
+      throw new Error(`Unhandled App Connection Method: ${method}`);
+  }
+};

frontend/src/helpers/platform.ts

@@ -0,0 +1,4 @@
+export const isInfisicalCloud = () =>
+  window.location.origin.includes("https://app.infisical.com") ||
+  window.location.origin.includes("https://us.infisical.com") ||
+  window.location.origin.includes("https://eu.infisical.com");

frontend/src/hooks/api/appConnections/enums.ts

@@ -0,0 +1,4 @@
+export enum AppConnection {
+  AWS = "aws",
+  GitHub = "github"
+}

frontend/src/hooks/api/appConnections/index.ts

@@ -0,0 +1,3 @@
+export * from "./mutations";
+export * from "./queries";
+export * from "./types";

frontend/src/hooks/api/appConnections/mutations.tsx

@@ -0,0 +1,58 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+import { appConnectionKeys } from "@app/hooks/api/appConnections/queries";
+import {
+  TAppConnectionResponse,
+  TCreateAppConnectionDTO,
+  TDeleteAppConnectionDTO,
+  TUpdateAppConnectionDTO
+} from "@app/hooks/api/appConnections/types";
+
+export const useCreateAppConnection = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({ app, ...params }: TCreateAppConnectionDTO) => {
+      const { data } = await apiRequest.post<TAppConnectionResponse>(
+        `/api/v1/app-connections/${app}`,
+        params
+      );
+
+      return data.appConnection;
+    },
+    onSuccess: () => queryClient.invalidateQueries(appConnectionKeys.list())
+  });
+};
+
+export const useUpdateAppConnection = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({ connectionId, app, ...params }: TUpdateAppConnectionDTO) => {
+      const { data } = await apiRequest.patch<TAppConnectionResponse>(
+        `/api/v1/app-connections/${app}/${connectionId}`,
+        params
+      );
+
+      return data.appConnection;
+    },
+    onSuccess: (_, { connectionId, app }) => {
+      queryClient.invalidateQueries(appConnectionKeys.list());
+      queryClient.invalidateQueries(appConnectionKeys.byId(app, connectionId));
+    }
+  });
+};
+
+export const useDeleteAppConnection = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({ connectionId, app }: TDeleteAppConnectionDTO) => {
+      const { data } = await apiRequest.delete(`/api/v1/app-connections/${app}/${connectionId}`);
+
+      return data;
+    },
+    onSuccess: (_, { connectionId, app }) => {
+      queryClient.invalidateQueries(appConnectionKeys.list());
+      queryClient.invalidateQueries(appConnectionKeys.byId(app, connectionId));
+    }
+  });
+};

frontend/src/hooks/api/appConnections/queries.tsx

@@ -0,0 +1,136 @@
+import { useMemo } from "react";
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import {
+  TAppConnection,
+  TAppConnectionMap,
+  TAppConnectionOptions,
+  TGetAppConnection,
+  TListAppConnections
+} from "@app/hooks/api/appConnections/types";
+import {
+  TAppConnectionOption,
+  TAppConnectionOptionMap
+} from "@app/hooks/api/appConnections/types/app-options";
+
+export const appConnectionKeys = {
+  all: ["app-connection"] as const,
+  options: () => [...appConnectionKeys.all, "options"] as const,
+  list: () => [...appConnectionKeys.all, "list"] as const,
+  listByApp: (app: AppConnection) => [...appConnectionKeys.list(), app],
+  byId: (app: AppConnection, templateId: string) =>
+    [...appConnectionKeys.all, app, "by-id", templateId] as const
+};
+
+export const useAppConnectionOptions = (
+  options?: Omit<
+    UseQueryOptions<
+      TAppConnectionOption[],
+      unknown,
+      TAppConnectionOption[],
+      ReturnType<typeof appConnectionKeys.options>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: appConnectionKeys.options(),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TAppConnectionOptions>(
+        "/api/v1/app-connections/options"
+      );
+
+      return data.appConnectionOptions;
+    },
+    ...options
+  });
+};
+
+export const useGetAppConnectionOption = <T extends AppConnection>(app: T) => {
+  const { data: options = [], isLoading } = useAppConnectionOptions();
+
+  return useMemo(
+    () => ({
+      option: (options.find((opt) => opt.app === app) as TAppConnectionOptionMap[T]) ?? {},
+      isLoading
+    }),
+    [options, app]
+  );
+};
+
+export const useListAppConnections = (
+  options?: Omit<
+    UseQueryOptions<
+      TAppConnection[],
+      unknown,
+      TAppConnection[],
+      ReturnType<typeof appConnectionKeys.list>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: appConnectionKeys.list(),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TListAppConnections<TAppConnection>>(
+        "/api/v1/app-connections"
+      );
+
+      return data.appConnections;
+    },
+    ...options
+  });
+};
+
+export const useListAppConnectionsByApp = <T extends AppConnection>(
+  app: T,
+  options?: Omit<
+    UseQueryOptions<
+      TAppConnectionMap[T][],
+      unknown,
+      TAppConnectionMap[T][],
+      ReturnType<typeof appConnectionKeys.listByApp>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: appConnectionKeys.listByApp(app),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TListAppConnections<TAppConnectionMap[T]>>(
+        `/api/v1/app-connections/${app}`
+      );
+
+      return data.appConnections;
+    },
+    ...options
+  });
+};
+
+export const useGetAppConnectionById = <T extends AppConnection>(
+  app: T,
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      TAppConnectionMap[T],
+      unknown,
+      TAppConnectionMap[T],
+      ReturnType<typeof appConnectionKeys.byId>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: appConnectionKeys.byId(app, connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TGetAppConnection<TAppConnectionMap[T]>>(
+        `/api/v1/app-connections/${app}/${connectionId}`
+      );
+
+      return data.appConnection;
+    },
+    ...options
+  });
+};

frontend/src/hooks/api/appConnections/types/app-options.ts

@@ -0,0 +1,24 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+
+export type TAppConnectionOptionBase = {
+  name: string;
+  methods: string[];
+};
+
+export type TAwsConnectionOption = TAppConnectionOptionBase & {
+  app: AppConnection.AWS;
+  accessKeyId?: string;
+};
+
+export type TGitHubConnectionOption = TAppConnectionOptionBase & {
+  app: AppConnection.GitHub;
+  oauthClientId?: string;
+  appClientSlug?: string;
+};
+
+export type TAppConnectionOption = TAwsConnectionOption | TGitHubConnectionOption;
+
+export type TAppConnectionOptionMap = {
+  [AppConnection.AWS]: TAwsConnectionOption;
+  [AppConnection.GitHub]: TGitHubConnectionOption;
+};

frontend/src/hooks/api/appConnections/types/aws-connection.ts

@@ -0,0 +1,23 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum AwsConnectionMethod {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}
+
+export type TAwsConnection = TRootAppConnection & { app: AppConnection.AWS } & (
+    | {
+        method: AwsConnectionMethod.AccessKey;
+        credentials: {
+          accessKeyId: string;
+          secretAccessKey: string;
+        };
+      }
+    | {
+        method: AwsConnectionMethod.AssumeRole;
+        credentials: {
+          roleArn: string;
+        };
+      }
+  );

frontend/src/hooks/api/appConnections/types/github-connection.ts

@@ -0,0 +1,23 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum GitHubConnectionMethod {
+  App = "github-app",
+  OAuth = "oauth"
+}
+
+export type TGitHubConnection = TRootAppConnection & { app: AppConnection.GitHub } & (
+    | {
+        method: GitHubConnectionMethod.OAuth;
+        credentials: {
+          code: string;
+        };
+      }
+    | {
+        method: GitHubConnectionMethod.App;
+        credentials: {
+          code: string;
+          installationId: string;
+        };
+      }
+  );

frontend/src/hooks/api/appConnections/types/index.ts

@@ -0,0 +1,36 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TAppConnectionOption } from "@app/hooks/api/appConnections/types/app-options";
+import { TAwsConnection } from "@app/hooks/api/appConnections/types/aws-connection";
+import { TGitHubConnection } from "@app/hooks/api/appConnections/types/github-connection";
+
+export * from "./aws-connection";
+export * from "./github-connection";
+
+export type TAppConnection = TAwsConnection | TGitHubConnection;
+
+export type TListAppConnections<T extends TAppConnection> = { appConnections: T[] };
+export type TGetAppConnection<T extends TAppConnection> = { appConnection: T };
+export type TAppConnectionOptions = { appConnectionOptions: TAppConnectionOption[] };
+export type TAppConnectionResponse = { appConnection: TAppConnection };
+
+export type TCreateAppConnectionDTO = Pick<
+  TAppConnection,
+  "name" | "credentials" | "method" | "app" | "description"
+>;
+
+export type TUpdateAppConnectionDTO = Partial<
+  Pick<TAppConnection, "name" | "credentials" | "description">
+> & {
+  connectionId: string;
+  app: AppConnection;
+};
+
+export type TDeleteAppConnectionDTO = {
+  app: AppConnection;
+  connectionId: string;
+};
+
+export type TAppConnectionMap = {
+  [AppConnection.AWS]: TAwsConnection;
+  [AppConnection.GitHub]: TGitHubConnection;
+};

frontend/src/hooks/api/appConnections/types/root-connection.ts

@@ -0,0 +1,9 @@
+export type TRootAppConnection = {
+  id: string;
+  name: string;
+  description?: string | null;
+  version: number;
+  orgId: string;
+  createdAt: string;
+  updatedAt: string;
+};

frontend/src/hooks/api/roles/types.ts

@@ -56,7 +56,7 @@ export type TGetUserProjectPermissionDTO = {
 export type TCreateOrgRoleDTO = {
   orgId: string;
   name: string;
-  description?: string;
+  description?: string | null;
   slug: string;
   permissions: TPermission[];
 };
@@ -74,7 +74,7 @@ export type TDeleteOrgRoleDTO = {
 export type TCreateProjectRoleDTO = {
   projectId: string;
   name: string;
-  description?: string;
+  description?: string | null;
   slug: string;
   permissions: TProjectPermission[];
 };

frontend/src/hooks/api/subscriptions/types.ts

@@ -45,4 +45,5 @@ export type SubscriptionPlan = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: boolean;
+  appConnections: boolean; // TODO: remove once released
 };

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -327,6 +327,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
                   </div>
                 )}
                 {!router.asPath.includes("org") &&
+                  !router.asPath.includes("app-connections") &&
                   (!router.asPath.includes("personal") && currentWorkspace ? (
                     <ProjectSelect />
                   ) : (
@@ -339,7 +340,8 @@ export const AppLayout = ({ children }: LayoutProps) => {
                   ))}
                 <div className={`px-1 ${!router.asPath.includes("personal") ? "block" : "hidden"}`}>
                   <ProjectSidebarItem />
-                  {router.pathname.startsWith("/org") && (
+                  {(router.pathname.startsWith("/org") ||
+                    router.pathname.startsWith("/app-connections")) && (
                     <Menu className="mt-4">
                       <Link
                         href={`/org/${currentOrg?.id}/${ProjectType.SecretManager}/overview`}

frontend/src/layouts/AppLayout/components/ProjectSidebarItems/ProjectSidebarItems.tsx

@@ -24,7 +24,8 @@ export const ProjectSidebarItem = () => {
   if (
     !currentWorkspace ||
     router.asPath.startsWith("personal") ||
-    router.asPath.startsWith("integrations")
+    router.asPath.startsWith("integrations") ||
+    router.asPath.startsWith("/app-connections")
   ) {
     return <div />;
   }