fix: resolved trailing slash issue with additional privileges

Fix: Machine Identities user experience improvement

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -122,19 +122,19 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true

backend/package-lock.json

@@ -34,11 +34,13 @@
         "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
-        "bullmq": "^5.3.3",
+        "bullmq": "^5.4.2",
         "cassandra-driver": "^4.7.2",
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
+        "google-auth-library": "^9.9.0",
+        "googleapis": "^137.1.0",
         "handlebars": "^4.7.8",
         "ioredis": "^5.3.2",
         "jmespath": "^0.16.0",
@@ -49,7 +51,7 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
@@ -2938,6 +2940,7 @@
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
       "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "2.0.5",
         "run-parallel": "^1.1.9"
@@ -2950,6 +2953,7 @@
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
       "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -2958,6 +2962,7 @@
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
       "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.scandir": "2.1.5",
         "fastq": "^1.6.0"
@@ -6183,6 +6188,14 @@
       "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
       "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
     },
+    "node_modules/bignumber.js": {
+      "version": "9.1.2",
+      "resolved": "https://registry.npmjs.org/bignumber.js/-/bignumber.js-9.1.2.tgz",
+      "integrity": "sha512-2/mKyZH9K85bzOEfhXDBFZTGd1CTs+5IHpeFQo9luiBG7hghdC851Pj2WAhb6E3R6b9tZj/XKhbg4fum+Kepug==",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
@@ -6285,6 +6298,7 @@
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
       "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
       "dependencies": {
         "fill-range": "^7.0.1"
       },
@@ -6334,15 +6348,13 @@
       }
     },
     "node_modules/bullmq": {
-      "version": "5.3.3",
-      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.3.3.tgz",
-      "integrity": "sha512-Gc/68HxiCHLMPBiGIqtINxcf8HER/5wvBYMY/6x3tFejlvldUBFaAErMTLDv4TnPsTyzNPrfBKmFCEM58uVnJg==",
+      "version": "5.4.2",
+      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.4.2.tgz",
+      "integrity": "sha512-dkR/KGUw18miLe3QWtvSlmGvEe08aZF+w1jZyqEHMWFW3RP4162qp6OGud0/QCAOjusiRI8UOxUhbnortPY+rA==",
       "dependencies": {
         "cron-parser": "^4.6.0",
-        "fast-glob": "^3.3.2",
         "ioredis": "^5.3.2",
         "lodash": "^4.17.21",
-        "minimatch": "^9.0.3",
         "msgpackr": "^1.10.1",
         "node-abort-controller": "^3.1.1",
         "semver": "^7.5.4",
@@ -6350,28 +6362,6 @@
         "uuid": "^9.0.0"
       }
     },
-    "node_modules/bullmq/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/bullmq/node_modules/minimatch": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
-      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/bundle-require": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/bundle-require/-/bundle-require-4.0.2.tgz",
@@ -7759,6 +7749,11 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g=="
+    },
     "node_modules/extsprintf": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.4.1.tgz",
@@ -7798,6 +7793,7 @@
       "version": "3.3.2",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.2.tgz",
       "integrity": "sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==",
+      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "^2.0.2",
         "@nodelib/fs.walk": "^1.2.3",
@@ -7949,6 +7945,7 @@
       "version": "7.0.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
       "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -8286,6 +8283,88 @@
         "node": ">=8"
       }
     },
+    "node_modules/gaxios": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-6.5.0.tgz",
+      "integrity": "sha512-R9QGdv8j4/dlNoQbX3hSaK/S0rkMijqjVvW3YM06CoBdbU/VdKd159j4hePpng0KuE6Lh6JJ7UdmVGJZFcAG1w==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^7.0.1",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.9",
+        "uuid": "^9.0.1"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/gaxios/node_modules/agent-base": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.1.tgz",
+      "integrity": "sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==",
+      "dependencies": {
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/gaxios/node_modules/https-proxy-agent": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.4.tgz",
+      "integrity": "sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg==",
+      "dependencies": {
+        "agent-base": "^7.0.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/is-stream": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/gaxios/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/gcp-metadata": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-6.1.0.tgz",
+      "integrity": "sha512-Jh/AIwwgaxan+7ZUUmRLCjtchyDiqh4KjBJ5tW3plBZb5iL/BPcso8A5DlzeD9qlw0duCamnNdpFjxwaT0KyKg==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/generate-function": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",
@@ -8400,6 +8479,7 @@
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
       "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
       "dependencies": {
         "is-glob": "^4.0.1"
       },
@@ -8482,6 +8562,69 @@
       "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
       "dev": true
     },
+    "node_modules/google-auth-library": {
+      "version": "9.9.0",
+      "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.9.0.tgz",
+      "integrity": "sha512-9l+zO07h1tDJdIHN74SpnWIlNR+OuOemXlWJlLP9pXy6vFtizgpEzMuwJa4lqY9UAdiAv5DVd5ql0Am916I+aA==",
+      "dependencies": {
+        "base64-js": "^1.3.0",
+        "ecdsa-sig-formatter": "^1.0.11",
+        "gaxios": "^6.1.1",
+        "gcp-metadata": "^6.1.0",
+        "gtoken": "^7.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/googleapis": {
+      "version": "137.1.0",
+      "resolved": "https://registry.npmjs.org/googleapis/-/googleapis-137.1.0.tgz",
+      "integrity": "sha512-2L7SzN0FLHyQtFmyIxrcXhgust77067pkkduqkbIpDuj9JzVnByxsRrcRfUMFQam3rQkWW2B0f1i40IwKDWIVQ==",
+      "dependencies": {
+        "google-auth-library": "^9.0.0",
+        "googleapis-common": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/googleapis-common": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/googleapis-common/-/googleapis-common-7.2.0.tgz",
+      "integrity": "sha512-/fhDZEJZvOV3X5jmD+fKxMqma5q2Q9nZNSF3kn1F18tpxmA86BcTxAGBQdM0N89Z3bEaIs+HVznSmFJEAmMTjA==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "gaxios": "^6.0.3",
+        "google-auth-library": "^9.7.0",
+        "qs": "^6.7.0",
+        "url-template": "^2.0.8",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/gopd": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
@@ -8504,6 +8647,37 @@
       "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
       "dev": true
     },
+    "node_modules/gtoken": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.1.0.tgz",
+      "integrity": "sha512-pCcEwRi+TKpMlxAQObHDQ56KawURgyAf6jtIY046fJ5tIv3zDe/LEIubckAO8fj6JnAxLdmWkUfNyulQ2iKdEw==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/gtoken/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/gtoken/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "node_modules/handlebars": {
       "version": "4.7.8",
       "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz",
@@ -9000,6 +9174,7 @@
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "dev": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -9030,6 +9205,7 @@
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
       "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
       "dependencies": {
         "is-extglob": "^2.1.1"
       },
@@ -9064,6 +9240,7 @@
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true,
       "engines": {
         "node": ">=0.12.0"
       }
@@ -9277,6 +9454,14 @@
       "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz",
       "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A=="
     },
+    "node_modules/json-bigint": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-bigint/-/json-bigint-1.0.0.tgz",
+      "integrity": "sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==",
+      "dependencies": {
+        "bignumber.js": "^9.0.0"
+      }
+    },
     "node_modules/json-buffer": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
@@ -9892,6 +10077,7 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
       "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -9908,6 +10094,7 @@
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
       "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
+      "dev": true,
       "dependencies": {
         "braces": "^3.0.2",
         "picomatch": "^2.3.1"
@@ -9920,6 +10107,7 @@
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "dev": true,
       "engines": {
         "node": ">=8.6"
       },
@@ -10102,9 +10290,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",
@@ -11549,6 +11737,7 @@
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
       "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -11901,6 +12090,7 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
       "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -12701,6 +12891,7 @@
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
       "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
       "dependencies": {
         "is-number": "^7.0.0"
       },
@@ -13703,6 +13894,11 @@
         "querystring": "0.2.0"
       }
     },
+    "node_modules/url-template": {
+      "version": "2.0.8",
+      "resolved": "https://registry.npmjs.org/url-template/-/url-template-2.0.8.tgz",
+      "integrity": "sha512-XdVKMF4SJ0nP/O7XIPB0JwAEuT9lDIYnNsK8yGVe43y0AWoKeJNdv3ZNWh7ksJ6KqQFjOO6ox/VEitLnaVNufw=="
+    },
     "node_modules/url/node_modules/punycode": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",

backend/package.json

@@ -95,11 +95,13 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.3.3",
+    "bullmq": "^5.4.2",
     "cassandra-driver": "^4.7.2",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
+    "google-auth-library": "^9.9.0",
+    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",

backend/src/@types/fastify.d.ts

@@ -32,7 +32,10 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
+import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -116,7 +119,10 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityAwsIamAuth: TIdentityAwsIamAuthServiceFactory;
+      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
+      identityGcpAuth: TIdentityGcpAuthServiceFactory;
+      identityAwsAuth: TIdentityAwsAuthServiceFactory;
+      identityAzureAuth: TIdentityAzureAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

backend/src/@types/knex.d.ts

@@ -59,9 +59,18 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsIamAuths,
-  TIdentityAwsIamAuthsInsert,
-  TIdentityAwsIamAuthsUpdate,
+  TIdentityAwsAuths,
+  TIdentityAwsAuthsInsert,
+  TIdentityAwsAuthsUpdate,
+  TIdentityAzureAuths,
+  TIdentityAzureAuthsInsert,
+  TIdentityAzureAuthsUpdate,
+  TIdentityGcpAuths,
+  TIdentityGcpAuthsInsert,
+  TIdentityGcpAuthsUpdate,
+  TIdentityKubernetesAuths,
+  TIdentityKubernetesAuthsInsert,
+  TIdentityKubernetesAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -228,6 +237,7 @@ import {
   TWebhooksInsert,
   TWebhooksUpdate
 } from "@app/db/schemas";
+import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";
 
 declare module "knex/types/tables" {
   interface Tables {
@@ -301,6 +311,11 @@ declare module "knex/types/tables" {
     >;
     [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
     [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
+    [TableName.SecretReference]: Knex.CompositeTableType<
+      TSecretReferences,
+      TSecretReferencesInsert,
+      TSecretReferencesUpdate
+    >;
     [TableName.SecretBlindIndex]: Knex.CompositeTableType<
       TSecretBlindIndexes,
       TSecretBlindIndexesInsert,
@@ -329,10 +344,25 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityAwsIamAuth]: Knex.CompositeTableType<
-      TIdentityAwsIamAuths,
-      TIdentityAwsIamAuthsInsert,
-      TIdentityAwsIamAuthsUpdate
+    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
+      TIdentityKubernetesAuths,
+      TIdentityKubernetesAuthsInsert,
+      TIdentityKubernetesAuthsUpdate
+    >;
+    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
+      TIdentityGcpAuths,
+      TIdentityGcpAuthsInsert,
+      TIdentityGcpAuthsUpdate
+    >;
+    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+      TIdentityAwsAuths,
+      TIdentityAwsAuthsInsert,
+      TIdentityAwsAuthsUpdate
+    >;
+    [TableName.IdentityAzureAuth]: Knex.CompositeTableType<
+      TIdentityAzureAuths,
+      TIdentityAzureAuthsInsert,
+      TIdentityAzureAuthsUpdate
     >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -4,8 +4,8 @@ import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 
 export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsIamAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsIamAuth, (t) => {
+  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
+    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
       t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
@@ -14,16 +14,17 @@ export async function up(knex: Knex): Promise<void> {
       t.timestamps(true, true, true);
       t.uuid("identityId").notNullable().unique();
       t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
       t.string("stsEndpoint").notNullable();
       t.string("allowedPrincipalArns").notNullable();
       t.string("allowedAccountIds").notNullable();
     });
   }
 
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }
 
 export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsIamAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }

backend/src/db/migrations/20240514041650_identity-gcp-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
+    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("allowedServiceAccounts").notNullable();
+      t.string("allowedProjects").notNullable();
+      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}

backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
+    await knex.schema.createTable(TableName.SecretReference, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("environment").notNullable();
+      t.string("secretPath").notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretReference);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretReference);
+  await dropOnUpdateTrigger(knex, TableName.SecretReference);
+}

backend/src/db/migrations/20240518142614_kubernetes-auth.ts

@@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
+    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("kubernetesHost").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.text("encryptedTokenReviewerJwt").notNullable();
+      t.string("tokenReviewerJwtIV").notNullable();
+      t.string("tokenReviewerJwtTag").notNullable();
+      t.string("allowedNamespaces").notNullable();
+      t.string("allowedNames").notNullable();
+      t.string("allowedAudience").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}

backend/src/db/migrations/20240520064127_add-integration-sync-status.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (!hasIsSyncedColumn) {
+      t.boolean("isSynced").nullable();
+    }
+
+    if (!hasSyncMessageColumn) {
+      t.text("syncMessage").nullable();
+    }
+
+    if (!hasLastSyncJobId) {
+      t.string("lastSyncJobId").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (hasIsSyncedColumn) {
+      t.dropColumn("isSynced");
+    }
+
+    if (hasSyncMessageColumn) {
+      t.dropColumn("syncMessage");
+    }
+
+    if (hasLastSyncJobId) {
+      t.dropColumn("lastSyncJobId");
+    }
+  });
+}

backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts

@@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.index("projectId");
+      if (doesOrgIdExist) t.index("orgId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.dropIndex("projectId");
+      if (doesOrgIdExist) t.dropIndex("orgId");
+    });
+  }
+}

backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}

backend/src/db/migrations/20240522204414_index-secret-version-envId.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}

backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}

backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}

backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
+    });
+  }
+}

backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.index("expiresAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.dropIndex("expiresAt");
+    });
+  }
+}

backend/src/db/migrations/20240527073740_identity-azure-auth.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
+    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("tenantId").notNullable();
+      t.string("resource").notNullable();
+      t.string("allowedServicePrincipalIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -11,8 +11,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  envId: z.string().uuid(),
   secretPath: z.string().nullable().optional(),
+  envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/db/schemas/identity-aws-auths.ts

@@ -7,7 +7,7 @@ import { z } from "zod";
 
 import { TImmutableDBKeys } from "./models";
 
-export const IdentityAwsIamAuthsSchema = z.object({
+export const IdentityAwsAuthsSchema = z.object({
   id: z.string().uuid(),
   accessTokenTTL: z.coerce.number().default(7200),
   accessTokenMaxTTL: z.coerce.number().default(7200),
@@ -16,11 +16,12 @@ export const IdentityAwsIamAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   identityId: z.string().uuid(),
+  type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
   allowedAccountIds: z.string()
 });
 
-export type TIdentityAwsIamAuths = z.infer<typeof IdentityAwsIamAuthsSchema>;
-export type TIdentityAwsIamAuthsInsert = Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsIamAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>>;
+export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
+export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAzureAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  tenantId: z.string(),
+  resource: z.string(),
+  allowedServicePrincipalIds: z.string()
+});
+
+export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;
+export type TIdentityAzureAuthsInsert = Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAzureAuthsUpdate = Partial<Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityGcpAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedServiceAccounts: z.string(),
+  allowedProjects: z.string(),
+  allowedZones: z.string()
+});
+
+export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
+export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -0,0 +1,35 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityKubernetesAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  kubernetesHost: z.string(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  encryptedTokenReviewerJwt: z.string(),
+  tokenReviewerJwtIV: z.string(),
+  tokenReviewerJwtTag: z.string(),
+  allowedNamespaces: z.string(),
+  allowedNames: z.string(),
+  allowedAudience: z.string()
+});
+
+export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
+export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityKubernetesAuthsUpdate = Partial<
+  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/index.ts

@@ -17,7 +17,10 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-iam-auths";
+export * from "./identity-aws-auths";
+export * from "./identity-azure-auths";
+export * from "./identity-gcp-auths";
+export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/integrations.ts

@@ -28,7 +28,10 @@ export const IntegrationsSchema = z.object({
   secretPath: z.string().default("/"),
   createdAt: z.date(),
   updatedAt: z.date(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  isSynced: z.boolean().nullable().optional(),
+  syncMessage: z.string().nullable().optional(),
+  lastSyncJobId: z.string().nullable().optional()
 });
 
 export type TIntegrations = z.infer<typeof IntegrationsSchema>;

backend/src/db/schemas/models.ts

@@ -28,6 +28,7 @@ export enum TableName {
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
+  SecretReference = "secret_references",
   SecretBlindIndex = "secret_blind_indexes",
   SecretVersion = "secret_versions",
   SecretFolder = "secret_folders",
@@ -44,8 +45,11 @@ export enum TableName {
   Identity = "identities",
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
+  IdentityKubernetesAuth = "identity_kubernetes_auths",
+  IdentityGcpAuth = "identity_gcp_auths",
+  IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsIamAuth = "identity_aws_iam_auths",
+  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -144,5 +148,8 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   Univeral = "universal-auth",
-  AWS_IAM_AUTH = "aws-iam-auth"
+  KUBERNETES_AUTH = "kubernetes-auth",
+  GCP_AUTH = "gcp-auth",
+  AWS_AUTH = "aws-auth",
+  AZURE_AUTH = "azure-auth"
 }

backend/src/db/schemas/secret-references.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretReferencesSchema = z.object({
+  id: z.string().uuid(),
+  environment: z.string(),
+  secretPath: z.string(),
+  secretId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
+export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
+export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/users.ts

@@ -22,7 +22,7 @@ export const UsersSchema = z.object({
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
   username: z.string(),
-  isEmailVerified: z.boolean().nullable().optional()
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -8,7 +8,7 @@ import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { PermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
+import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -39,7 +39,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
@@ -90,7 +90,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -155,7 +155,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -3,7 +3,6 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
@@ -113,35 +112,7 @@ export const auditLogQueueServiceFactory = ({
     );
   });
 
-  queueService.start(QueueName.AuditLogPrune, async () => {
-    logger.info(`${QueueName.AuditLogPrune}: queue task started`);
-    await auditLogDAL.pruneAuditLog();
-    logger.info(`${QueueName.AuditLogPrune}: queue task completed`);
-  });
-
-  // we do a repeat cron job in utc timezone at 12 Midnight each day
-  const startAuditLogPruneJob = async () => {
-    // clear previous job
-    await queueService.stopRepeatableJob(
-      QueueName.AuditLogPrune,
-      QueueJobs.AuditLogPrune,
-      { pattern: "0 0 * * *", utc: true },
-      QueueName.AuditLogPrune // just a job id
-    );
-
-    await queueService.queue(QueueName.AuditLogPrune, QueueJobs.AuditLogPrune, undefined, {
-      delay: 5000,
-      jobId: QueueName.AuditLogPrune,
-      repeat: { pattern: "0 0 * * *", utc: true }
-    });
-  };
-
-  queueService.listen(QueueName.AuditLogPrune, "failed", (err) => {
-    logger.error(err?.failedReason, `${QueueName.AuditLogPrune}: log pruning failed`);
-  });
-
   return {
-    pushToLog,
-    startAuditLogPruneJob
+    pushToLog
   };
 };

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -51,6 +51,7 @@ export enum EventType {
   UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
   CREATE_INTEGRATION = "create-integration",
   DELETE_INTEGRATION = "delete-integration",
+  MANUAL_SYNC_INTEGRATION = "manual-sync-integration",
   ADD_TRUSTED_IP = "add-trusted-ip",
   UPDATE_TRUSTED_IP = "update-trusted-ip",
   DELETE_TRUSTED_IP = "delete-trusted-ip",
@@ -63,13 +64,25 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
+  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
+  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
+  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_AWS_IAM_AUTH = "login-identity-aws-iam-auth",
-  ADD_IDENTITY_AWS_IAM_AUTH = "add-identity-aws-iam-auth",
-  UPDATE_IDENTITY_AWS_IAM_AUTH = "update-identity-aws-iam-auth",
-  GET_IDENTITY_AWS_IAM_AUTH = "get-identity-aws-iam-auth",
+  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
+  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
+  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
+  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
+  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
+  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
+  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
+  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
+  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
+  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -273,6 +286,25 @@ interface DeleteIntegrationEvent {
   };
 }
 
+interface ManualSyncIntegrationEvent {
+  type: EventType.MANUAL_SYNC_INTEGRATION;
+  metadata: {
+    integrationId: string;
+    integration: string;
+    environment: string;
+    secretPath: string;
+    url?: string;
+    app?: string;
+    appId?: string;
+    targetEnvironment?: string;
+    targetEnvironmentId?: string;
+    targetService?: string;
+    targetServiceId?: string;
+    path?: string;
+    region?: string;
+  };
+}
+
 interface AddTrustedIPEvent {
   type: EventType.ADD_TRUSTED_IP;
   metadata: {
@@ -387,6 +419,50 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
+interface LoginIdentityKubernetesAuthEvent {
+  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+    identityKubernetesAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityKubernetesAuthEvent {
+  type: EventType.ADD_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+    kubernetesHost: string;
+    allowedNamespaces: string;
+    allowedNames: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityKubernetesAuthEvent {
+  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
+  metadata: {
+    identityId: string;
+    kubernetesHost?: string;
+    allowedNamespaces?: string;
+    allowedNames?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityKubernetesAuthEvent {
+  type: EventType.GET_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface CreateIdentityUniversalAuthClientSecretEvent {
   type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -410,17 +486,63 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
-interface LoginIdentityAwsIamAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH;
+interface LoginIdentityGcpAuthEvent {
+  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
   metadata: {
     identityId: string;
-    identityAwsIamAuthId: string;
+    identityGcpAuthId: string;
     identityAccessTokenId: string;
   };
 }
 
-interface AddIdentityAwsIamAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_IAM_AUTH;
+interface AddIdentityGcpAuthEvent {
+  type: EventType.ADD_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type: string;
+    allowedServiceAccounts: string;
+    allowedProjects: string;
+    allowedZones: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityGcpAuthEvent {
+  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type?: string;
+    allowedServiceAccounts?: string;
+    allowedProjects?: string;
+    allowedZones?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityGcpAuthEvent {
+  type: EventType.GET_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface LoginIdentityAwsAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+    identityAwsAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAwsAuthEvent {
+  type: EventType.ADD_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint: string;
@@ -433,8 +555,8 @@ interface AddIdentityAwsIamAuthEvent {
   };
 }
 
-interface UpdateIdentityAwsIamAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH;
+interface UpdateIdentityAwsAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint?: string;
@@ -447,8 +569,50 @@ interface UpdateIdentityAwsIamAuthEvent {
   };
 }
 
-interface GetIdentityAwsIamAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_IAM_AUTH;
+interface GetIdentityAwsAuthEvent {
+  type: EventType.GET_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface LoginIdentityAzureAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    identityAzureAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAzureAuthEvent {
+  type: EventType.ADD_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    tenantId: string;
+    resource: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityAzureAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+    tenantId?: string;
+    resource?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityAzureAuthEvent {
+  type: EventType.GET_IDENTITY_AZURE_AUTH;
   metadata: {
     identityId: string;
   };
@@ -693,6 +857,7 @@ export type Event =
   | UnauthorizeIntegrationEvent
   | CreateIntegrationEvent
   | DeleteIntegrationEvent
+  | ManualSyncIntegrationEvent
   | AddTrustedIPEvent
   | UpdateTrustedIPEvent
   | DeleteTrustedIPEvent
@@ -705,13 +870,25 @@ export type Event =
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
+  | LoginIdentityKubernetesAuthEvent
+  | AddIdentityKubernetesAuthEvent
+  | UpdateIdentityKubernetesAuthEvent
+  | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityAwsIamAuthEvent
-  | AddIdentityAwsIamAuthEvent
-  | UpdateIdentityAwsIamAuthEvent
-  | GetIdentityAwsIamAuthEvent
+  | LoginIdentityGcpAuthEvent
+  | AddIdentityGcpAuthEvent
+  | UpdateIdentityGcpAuthEvent
+  | GetIdentityGcpAuthEvent
+  | LoginIdentityAwsAuthEvent
+  | AddIdentityAwsAuthEvent
+  | UpdateIdentityAwsAuthEvent
+  | GetIdentityAwsAuthEvent
+  | LoginIdentityAzureAuthEvent
+  | AddIdentityAzureAuthEvent
+  | UpdateIdentityAzureAuthEvent
+  | GetIdentityAzureAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -7,12 +7,15 @@ import {
   SecretType,
   TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
+import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
+import { getAllNestedSecretReferences } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@@ -53,6 +56,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretService: Pick<
     TSecretServiceFactory,
     | "fnSecretBulkInsert"
@@ -80,7 +84,8 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretService,
   secretVersionDAL,
-  secretQueueService
+  secretQueueService,
+  projectBotService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -352,7 +357,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
 
     const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === CommitType.Delete);
-
+    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
     const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
       const newSecrets = secretCreationCommits.length
         ? await secretService.fnSecretBulkInsert({
@@ -379,7 +384,17 @@ export const secretApprovalRequestServiceFactory = ({
               ]),
               tags: el?.tags.map(({ id }) => id),
               version: 1,
-              type: SecretType.Shared
+              type: SecretType.Shared,
+              references: botKey
+                ? getAllNestedSecretReferences(
+                    decryptSymmetric128BitHexKeyUTF8({
+                      ciphertext: el.secretValueCiphertext,
+                      iv: el.secretValueIV,
+                      tag: el.secretValueTag,
+                      key: botKey
+                    })
+                  )
+                : undefined
             })),
             secretDAL,
             secretVersionDAL,
@@ -414,7 +429,17 @@ export const secretApprovalRequestServiceFactory = ({
                   "secretReminderNote",
                   "secretReminderRepeatDays",
                   "secretBlindIndex"
-                ])
+                ]),
+                references: botKey
+                  ? getAllNestedSecretReferences(
+                      decryptSymmetric128BitHexKeyUTF8({
+                        ciphertext: el.secretValueCiphertext,
+                        iv: el.secretValueIV,
+                        tag: el.secretValueTag,
+                        key: botKey
+                      })
+                    )
+                  : undefined
               }
             })),
             secretDAL,

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,15 +90,17 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    await Promise.all(
-      repositories.map(({ id, full_name }) =>
-        secretScanningQueue.startFullRepoScan({
-          organizationId: session.orgId,
-          installationId,
-          repository: { id, fullName: full_name }
-        })
-      )
-    );
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await Promise.all(
+        repositories.map(({ id, full_name }) =>
+          secretScanningQueue.startFullRepoScan({
+            organizationId: session.orgId,
+            installationId,
+            repository: { id, fullName: full_name }
+          })
+        )
+      );
+    }
     return { installatedApp };
   };
 
@@ -151,6 +153,7 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
+    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -161,13 +164,15 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    await secretScanningQueue.startPushEventScan({
-      commits,
-      pusher: { name: pusher.name, email: pusher.email },
-      repository: { fullName: repository.full_name, id: repository.id },
-      organizationId: installationLink.orgId,
-      installationId: String(installation?.id)
-    });
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await secretScanningQueue.startPushEventScan({
+        commits,
+        pusher: { name: pusher.name, email: pusher.email },
+        repository: { fullName: repository.full_name, id: repository.id },
+        organizationId: installationLink.orgId,
+        installationId: String(installation?.id)
+      });
+    }
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -89,10 +89,13 @@ export const UNIVERSAL_AUTH = {
   },
   RENEW_ACCESS_TOKEN: {
     accessToken: "The access token to renew."
+  },
+  REVOKE_ACCESS_TOKEN: {
+    accessToken: "The access token to revoke."
   }
 } as const;
 
-export const AWS_IAM_AUTH = {
+export const AWS_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login.",
     iamHttpRequestMethod: "The HTTP request method used in the signed request.",
@@ -145,36 +148,6 @@ export const PROJECTS = {
     name: "The new name of the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project."
   },
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: "A list of roles to update the membership to."
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
   },
@@ -213,6 +186,70 @@ export const PROJECTS = {
   }
 } as const;
 
+export const PROJECT_USERS = {
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  GET_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to get memberships from.",
+    username: "The username to get project membership of. Email is the default username."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  }
+};
+
+export const PROJECT_IDENTITIES = {
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  GET_IDENTITY_MEMBERSHIP_BY_ID: {
+    identityId: "The ID of the identity to get the membership for.",
+    projectId: "The ID of the project to get the identity membership for."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: {
+      description: "A list of role slugs to assign to the identity project membership.",
+      role: "The role slug to assign to the newly created identity project membership.",
+      isTemporary: "Whether the assigned role is temporary.",
+      temporaryMode: "Type of temporary expiry.",
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
+    }
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
+  CREATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to create the identity membership from.",
+    identityId: "The ID of the identity to create the membership from.",
+    role: "The role slug to assign to the newly created identity project membership.",
+    roles: {
+      description: "A list of role slugs to assign to the newly created identity project membership.",
+      role: "The role slug to assign to the newly created identity project membership.",
+      isTemporary: "Whether the assigned role is temporary.",
+      temporaryMode: "Type of temporary expiry.",
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
+    }
+  }
+};
+
 export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
@@ -252,6 +289,7 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -288,7 +326,8 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -307,6 +346,7 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -622,10 +662,12 @@ export const INTEGRATION = {
       secretPrefix: "The prefix for the saved secret. Used by GCP.",
       secretSuffix: "The suffix for the saved secret. Used by GCP.",
       initialSyncBehavoir: "Type of syncing behavoir with the integration.",
+      mappingBehavior: "The mapping behavior of the integration.",
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
     }
   },
   UPDATE: {
@@ -642,6 +684,9 @@ export const INTEGRATION = {
   },
   DELETE: {
     integrationId: "The ID of the integration object."
+  },
+  SYNC: {
+    integrationId: "The ID of the integration object to manually sync"
   }
 };
 

backend/src/lib/config/env.ts

@@ -13,6 +13,10 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
+    DISABLE_SECRET_SCANNING: z
+      .enum(["true", "false"])
+      .default("false")
+      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(

backend/src/lib/knex/index.ts

@@ -104,24 +104,68 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Create" });
     }
   },
-  updateById: async (id: string, data: Tables[Tname]["update"], tx?: Knex) => {
+  updateById: async (
+    id: string,
+    {
+      $incr,
+      $decr,
+      ...data
+    }: Tables[Tname]["update"] & {
+      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
+      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
+    },
+    tx?: Knex
+  ) => {
     try {
-      const [res] = await (tx || db)(tableName)
+      const query = (tx || db)(tableName)
         .where({ id } as never)
         .update(data as never)
         .returning("*");
-      return res;
+      if ($incr) {
+        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
+          void query.increment(incrementField, incrementValue);
+        });
+      }
+      if ($decr) {
+        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
+          void query.increment(incrementField, incrementValue);
+        });
+      }
+      const [docs] = await query;
+      return docs;
     } catch (error) {
       throw new DatabaseError({ error, name: "Update by id" });
     }
   },
-  update: async (filter: TFindFilter<Tables[Tname]["base"]>, data: Tables[Tname]["update"], tx?: Knex) => {
+  update: async (
+    filter: TFindFilter<Tables[Tname]["base"]>,
+    {
+      $incr,
+      $decr,
+      ...data
+    }: Tables[Tname]["update"] & {
+      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
+      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
+    },
+    tx?: Knex
+  ) => {
     try {
-      const res = await (tx || db)(tableName)
+      const query = (tx || db)(tableName)
         .where(buildFindFilter(filter))
         .update(data as never)
         .returning("*");
-      return res;
+      // increment and decrement operation in update
+      if ($incr) {
+        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
+          void query.increment(incrementField, incrementValue);
+        });
+      }
+      if ($decr) {
+        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
+          void query.increment(incrementField, incrementValue);
+        });
+      }
+      return await query;
     } catch (error) {
       throw new DatabaseError({ error, name: "Update" });
     }

backend/src/lib/logger/logger.ts

@@ -30,6 +30,37 @@ const loggerConfig = z.object({
   NODE_ENV: z.enum(["development", "test", "production"]).default("production")
 });
 
+const redactedKeys = [
+  "accessToken",
+  "authToken",
+  "serviceToken",
+  "identityAccessToken",
+  "token",
+  "privateKey",
+  "serverPrivateKey",
+  "plainPrivateKey",
+  "plainProjectKey",
+  "encryptedPrivateKey",
+  "userPrivateKey",
+  "protectedKey",
+  "decryptKey",
+  "encryptedProjectKey",
+  "encryptedSymmetricKey",
+  "encryptedPrivateKey",
+  "backupPrivateKey",
+  "secretKey",
+  "SecretKey",
+  "botPrivateKey",
+  "encryptedKey",
+  "plaintextProjectKey",
+  "accessKey",
+  "botKey",
+  "decryptedSecret",
+  "secrets",
+  "key",
+  "password"
+];
+
 export const initLogger = async () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -74,7 +105,9 @@ export const initLogger = async () => {
           hostname: bindings.hostname
           // node_version: process.version
         })
-      }
+      },
+      // redact until depth of three
+      redact: [...redactedKeys, ...redactedKeys.map((key) => `*.${key}`), ...redactedKeys.map((key) => `*.*.${key}`)]
     },
     // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
     transport

backend/src/queue/queue-service.ts

@@ -12,7 +12,9 @@ export enum QueueName {
   SecretRotation = "secret-rotation",
   SecretReminder = "secret-reminder",
   AuditLog = "audit-log",
+  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
   AuditLogPrune = "audit-log-prune",
+  DailyResourceCleanUp = "daily-resource-cleanup",
   TelemetryInstanceStats = "telemtry-self-hosted-stats",
   IntegrationSync = "sync-integrations",
   SecretWebhook = "secret-webhook",
@@ -26,7 +28,9 @@ export enum QueueJobs {
   SecretReminder = "secret-reminder-job",
   SecretRotation = "secret-rotation-job",
   AuditLog = "audit-log-job",
+  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
   AuditLogPrune = "audit-log-prune-job",
+  DailyResourceCleanUp = "daily-resource-cleanup-job",
   SecWebhook = "secret-webhook-trigger",
   TelemetryInstanceStats = "telemetry-self-hosted-stats",
   IntegrationSync = "secret-integration-pull",
@@ -55,6 +59,10 @@ export type TQueueJobTypes = {
     name: QueueJobs.AuditLog;
     payload: TCreateAuditLogDTO;
   };
+  [QueueName.DailyResourceCleanUp]: {
+    name: QueueJobs.DailyResourceCleanUp;
+    payload: undefined;
+  };
   [QueueName.AuditLogPrune]: {
     name: QueueJobs.AuditLogPrune;
     payload: undefined;
@@ -65,7 +73,13 @@ export type TQueueJobTypes = {
   };
   [QueueName.IntegrationSync]: {
     name: QueueJobs.IntegrationSync;
-    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
+    payload: {
+      projectId: string;
+      environment: string;
+      secretPath: string;
+      depth?: number;
+      deDupeQueue?: Record<string, boolean>;
+    };
   };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;
@@ -166,7 +180,9 @@ export const queueServiceFactory = (redisUrl: string) => {
     jobId?: string
   ) => {
     const q = queueContainer[name];
-    return q.removeRepeatable(job, repeatOpt, jobId);
+    if (q) {
+      return q.removeRepeatable(job, repeatOpt, jobId);
+    }
   };
 
   const stopRepeatableJobByJobId = async <T extends QueueName>(name: T, jobId: string) => {

backend/src/server/config/rateLimiter.ts

@@ -36,7 +36,7 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 1000,
+  max: 60,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/auth/inject-permission.ts

@@ -1,5 +1,6 @@
 import fp from "fastify-plugin";
 
+import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";
 
 // inject permission type needed based on auth extracted
@@ -15,6 +16,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
         authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
+      );
     } else if (req.auth.actor === ActorType.IDENTITY) {
       req.permission = {
         type: ActorType.IDENTITY,
@@ -22,6 +27,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
+      );
     } else if (req.auth.actor === ActorType.SERVICE) {
       req.permission = {
         type: ActorType.SERVICE,
@@ -29,6 +38,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
+      );
     } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
       req.permission = {
         type: ActorType.SCIM_CLIENT,
@@ -36,6 +49,10 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
+
+      logger.info(
+        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
+      );
     }
   });
 });

backend/src/server/plugins/ip.ts

@@ -6,6 +6,7 @@ const headersOrder = [
   "cf-connecting-ip", // Cloudflare
   "Cf-Pseudo-IPv4", // Cloudflare
   "x-client-ip", // Most common
+  "x-envoy-external-address", // for envoy
   "x-forwarded-for", // Mostly used by proxies
   "fastly-client-ip",
   "true-client-ip", // Akamai and Cloudflare
@@ -23,7 +24,21 @@ export const fastifyIp = fp(async (fastify) => {
     const forwardedIpHeader = headersOrder.find((header) => Boolean(req.headers[header]));
     const forwardedIp = forwardedIpHeader ? req.headers[forwardedIpHeader] : undefined;
     if (forwardedIp) {
-      req.realIp = Array.isArray(forwardedIp) ? forwardedIp[0] : forwardedIp;
+      if (Array.isArray(forwardedIp)) {
+        // eslint-disable-next-line
+        req.realIp = forwardedIp[0];
+        return;
+      }
+
+      if (forwardedIp.includes(",")) {
+        // the ip header when placed with load balancers that proxy request
+        // will attach the internal ips to header by appending with comma
+        // https://github.com/go-chi/chi/blob/master/middleware/realip.go
+        const clientIPFromProxy = forwardedIp.slice(0, forwardedIp.indexOf(",")).trim();
+        req.realIp = clientIPFromProxy;
+        return;
+      }
+      req.realIp = forwardedIp;
     } else {
       req.realIp = req.ip;
     }

backend/src/server/plugins/maintenanceMode.ts

@@ -5,8 +5,13 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
-      throw new Error("Infisical is in maintenance mode. Please try again later.");
+    if (serverEnvs.MAINTENANCE_MODE) {
+      // skip if its universal auth login or renew
+      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
+      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
+      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
+        throw new Error("Infisical is in maintenance mode. Please try again later.");
+      }
     }
   });
 });

backend/src/server/routes/index.ts

@@ -78,8 +78,14 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsIamAuthDALFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-dal";
-import { identityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
+import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
+import { identityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
+import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
+import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
+import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -111,6 +117,7 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -156,7 +163,10 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  const appCfg = getConfig();
+  if (!appCfg.DISABLE_SECRET_SCANNING) {
+    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  }
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -202,8 +212,11 @@ export const registerRoutes = async (
   const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);
 
   const identityUaDAL = identityUaDALFactory(db);
+  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsIamAuthDAL = identityAwsIamAuthDALFactory(db);
+  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
+  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -538,8 +551,10 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService
+    snapshotService,
+    projectDAL
   });
+
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -598,6 +613,7 @@ export const registerRoutes = async (
   });
   const sarService = secretApprovalRequestServiceFactory({
     permissionService,
+    projectBotService,
     folderDAL,
     secretDAL,
     secretTagDAL,
@@ -702,15 +718,42 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
-  const identityAWSIAMAuthService = identityAwsIamAuthServiceFactory({
+  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
+    identityKubernetesAuthDAL,
+    identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityAwsIamAuthDAL,
+    identityDAL,
+    orgBotDAL,
+    permissionService,
+    licenseService
+  });
+  const identityGcpAuthService = identityGcpAuthServiceFactory({
+    identityGcpAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService
+  });
+
+  const identityAwsAuthService = identityAwsAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityAwsAuthDAL,
     identityOrgMembershipDAL,
     identityDAL,
     licenseService,
     permissionService
   });
 
+  const identityAzureAuthService = identityAzureAuthServiceFactory({
+    identityAzureAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService
+  });
+
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
     queueService,
@@ -738,14 +781,19 @@ export const registerRoutes = async (
     folderDAL,
     licenseService
   });
+  const dailyResourceCleanUp = dailyResourceCleanUpQueueServiceFactory({
+    auditLogDAL,
+    queueService,
+    identityAccessTokenDAL
+  });
 
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
   await licenseService.init();
 
-  await auditLogQueue.startAuditLogPruneJob();
   await telemetryQueue.startTelemetryCheck();
+  await dailyResourceCleanUp.startCleanUp();
 
   // inject all services
   server.decorate<FastifyZodProvider["services"]>("services", {
@@ -779,7 +827,10 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
-    identityAwsIamAuth: identityAWSIAMAuthService,
+    identityKubernetesAuth: identityKubernetesAuthService,
+    identityGcpAuth: identityGcpAuthService,
+    identityAwsAuth: identityAwsAuthService,
+    identityAzureAuth: identityAzureAuthService,
     secretApprovalPolicy: sapService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -8,6 +8,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -64,14 +65,12 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
-export const PermissionSchema = z.object({
+export const ProjectPermissionSchema = z.object({
   action: z
-    .string()
-    .min(1)
+    .nativeEnum(ProjectPermissionActions)
     .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
   subject: z
-    .string()
-    .min(1)
+    .nativeEnum(ProjectPermissionSub)
     .describe("The entity this permission pertains to. Possible options: secrets, environments"),
   conditions: z
     .object({

backend/src/server/routes/v1/admin-router.ts

@@ -20,16 +20,23 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
-            z.object({ isMigrationModeOn: z.boolean() })
-          )
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
+            isMigrationModeOn: z.boolean(),
+            isSecretScanningDisabled: z.boolean()
+          })
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
+      return {
+        config: {
+          ...config,
+          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+        }
+      };
     }
   });
 

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -36,4 +36,29 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
       };
     }
   });
+
+  server.route({
+    url: "/token/revoke",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Revoke access token",
+      body: z.object({
+        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      await server.services.identityAccessToken.revokeAccessToken(req.body.accessToken);
+      return {
+        message: "Successfully revoked access token"
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -1,8 +1,8 @@
 import { z } from "zod";
 
-import { IdentityAwsIamAuthsSchema } from "@app/db/schemas";
+import { IdentityAwsAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_IAM_AUTH } from "@app/lib/api-docs";
+import { AWS_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -10,22 +10,22 @@ import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import {
   validateAccountIds,
   validatePrincipalArns
-} from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-validators";
+} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
 
-export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvider) => {
+export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/login",
+    url: "/aws-auth/login",
     config: {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Login with AWS IAM Auth",
+      description: "Login with AWS Auth",
       body: z.object({
-        identityId: z.string().describe(AWS_IAM_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_IAM_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestHeaders)
+        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
+        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
+        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
       }),
       response: {
         200: z.object({
@@ -37,18 +37,18 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }
     },
     handler: async (req) => {
-      const { identityAwsIamAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsIamAuth.login(req.body);
+      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAwsAuth.login(req.body);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         orgId: identityMembershipOrg?.orgId,
         event: {
-          type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
+            identityId: identityAwsAuth.identityId,
             identityAccessTokenId: identityAccessToken.id,
-            identityAwsIamAuthId: identityAwsIamAuth.id
+            identityAwsAuthId: identityAwsAuth.id
           }
         }
       });
@@ -56,21 +56,21 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       return {
         accessToken,
         tokenType: "Bearer" as const,
-        expiresIn: identityAwsIamAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL
+        expiresIn: identityAwsAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
       };
     }
   });
 
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Attach AWS IAM Auth configuration onto identity",
+      description: "Attach AWS Auth configuration onto identity",
       security: [
         {
           bearerAuth: []
@@ -109,12 +109,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.attachAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -125,35 +125,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.ADD_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.ADD_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "PATCH",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Update AWS IAM Auth configuration on identity",
+      description: "Update AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -185,12 +185,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.updateAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -201,35 +201,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "GET",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Retrieve AWS IAM Auth configuration on identity",
+      description: "Retrieve AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -240,12 +240,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.getAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
         identityId: req.params.identityId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -255,15 +255,15 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.GET_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.GET_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId
+            identityId: identityAwsAuth.identityId
           }
         }
       });
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 };

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -0,0 +1,262 @@
+import { z } from "zod";
+
+import { IdentityAzureAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
+
+export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/azure-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with Azure Auth",
+      body: z.object({
+        identityId: z.string(),
+        jwt: z.string()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityAzureAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAzureAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityAzureAuthId: identityAzureAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityAzureAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach Azure Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        tenantId: z.string().trim(),
+        resource: z.string().trim(),
+        allowedServicePrincipalIds: validateAzureAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.attachAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            tenantId: identityAzureAuth.tenantId,
+            resource: identityAzureAuth.resource,
+            accessTokenTTL: identityAzureAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        tenantId: z.string().trim().optional(),
+        resource: z.string().trim().optional(),
+        allowedServicePrincipalIds: validateAzureAuthField.optional(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.updateAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId,
+            tenantId: identityAzureAuth.tenantId,
+            resource: identityAzureAuth.resource,
+            accessTokenTTL: identityAzureAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.getAzureAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
+};

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -0,0 +1,268 @@
+import { z } from "zod";
+
+import { IdentityGcpAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+
+export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with GCP Auth",
+      body: z.object({
+        identityId: z.string(),
+        jwt: z.string()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityGcpAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityGcpAuthId: identityGcpAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityGcpAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach GCP Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]),
+        allowedServiceAccounts: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField,
+        allowedZones: validateGcpAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]).optional(),
+        allowedServiceAccounts: validateGcpAuthField.optional(),
+        allowedProjects: validateGcpAuthField.optional(),
+        allowedZones: validateGcpAuthField.optional(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+};

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -0,0 +1,283 @@
+import { z } from "zod";
+
+import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+
+const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.omit({
+  encryptedCaCert: true,
+  caCertIV: true,
+  caCertTag: true,
+  encryptedTokenReviewerJwt: true,
+  tokenReviewerJwtIV: true,
+  tokenReviewerJwtTag: true
+}).extend({
+  caCert: z.string(),
+  tokenReviewerJwt: z.string()
+});
+
+export const registerIdentityKubernetesRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/kubernetes-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with Kubernetes Auth",
+      body: z.object({
+        identityId: z.string().trim(),
+        jwt: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityKubernetesAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityKubernetesAuth.login({
+          identityId: req.body.identityId,
+          jwt: req.body.jwt
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityKubernetesAuthId: identityKubernetesAuth.id
+          }
+        }
+      });
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityKubernetesAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach Kubernetes Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1),
+        caCert: z.string().trim().default(""),
+        tokenReviewerJwt: z.string().trim().min(1),
+        allowedNamespaces: z.string(), // TODO: validation
+        allowedNames: z.string(),
+        allowedAudience: z.string(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.attachKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            kubernetesHost: identityKubernetesAuth.kubernetesHost,
+            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
+            allowedNames: identityKubernetesAuth.allowedNames,
+            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1).optional(),
+        caCert: z.string().trim().optional(),
+        tokenReviewerJwt: z.string().trim().min(1).optional(),
+        allowedNamespaces: z.string().optional(), // TODO: validation
+        allowedNames: z.string().optional(),
+        allowedAudience: z.string().optional(),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.updateKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId,
+            kubernetesHost: identityKubernetesAuth.kubernetesHost,
+            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
+            allowedNames: identityKubernetesAuth.allowedNames,
+            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.getKubernetesAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -2,7 +2,10 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsIamAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
+import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
+import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -28,8 +31,11 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     async (authRouter) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
+      await authRouter.register(registerIdentityKubernetesRouter);
+      await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsIamAuthRouter);
+      await authRouter.register(registerIdentityAwsAuthRouter);
+      await authRouter.register(registerIdentityAzureAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -8,6 +8,7 @@ import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { IntegrationMappingBehavior } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
@@ -49,6 +50,10 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
             secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
             initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z
+              .nativeEnum(IntegrationMappingBehavior)
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.mappingBehavior),
             shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
             secretGCPLabel: z
               .object({
@@ -66,7 +71,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
           })
           .default({})
       }),
@@ -142,8 +148,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -153,7 +159,34 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
+        metadata: z
+          .object({
+            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
+            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
+            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            mappingBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.mappingBehavior),
+            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
+            secretGCPLabel: z
+              .object({
+                labelName: z.string(),
+                labelValue: z.string()
+              })
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
+            secretAWSTag: z
+              .array(
+                z.object({
+                  key: z.string(),
+                  value: z.string()
+                })
+              )
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+          })
+          .optional()
       }),
       response: {
         200: z.object({
@@ -235,5 +268,64 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  // TODO(akhilmhdh-pg): manual sync
+  server.route({
+    method: "POST",
+    url: "/:integrationId/sync",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Manually trigger sync of an integration by integration id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        integrationId: z.string().trim().describe(INTEGRATION.SYNC.integrationId)
+      }),
+      response: {
+        200: z.object({
+          integration: IntegrationsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const integration = await server.services.integration.syncIntegration({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: integration.projectId,
+        event: {
+          type: EventType.MANUAL_SYNC_INTEGRATION,
+          // eslint-disable-next-line
+          metadata: shake({
+            integrationId: integration.id,
+            integration: integration.integration,
+            environment: integration.environment.slug,
+            secretPath: integration.secretPath,
+            url: integration.url,
+            app: integration.app,
+            appId: integration.appId,
+            targetEnvironment: integration.targetEnvironment,
+            targetEnvironmentId: integration.targetEnvironmentId,
+            targetService: integration.targetService,
+            targetServiceId: integration.targetServiceId,
+            path: integration.path,
+            region: integration.region
+            // eslint-disable-next-line
+          }) as any
+        }
+      });
+
+      return { integration };
+    }
+  });
 };

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_USERS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -30,7 +30,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIPS.workspaceId)
       }),
       response: {
         200: z.object({
@@ -74,6 +74,66 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/:workspaceId/memberships/details",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Return project user memberships",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        workspaceId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.workspaceId)
+      }),
+      body: z.object({
+        username: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.username)
+      }),
+      response: {
+        200: z.object({
+          membership: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            )
+          }).omit({ createdAt: true, updatedAt: true })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const membership = await server.services.projectMembership.getProjectMembershipByUsername({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        username: req.body.username
+      });
+      return { membership };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/:workspaceId/memberships",
@@ -142,8 +202,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
         roles: z
@@ -164,7 +224,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least one long lived role is required")
-          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
+          .describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,6 +127,70 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/batch",
+    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Update folders by batch",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
+        folders: z
+          .object({
+            id: z.string().describe(FOLDERS.UPDATE.folderId),
+            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
+            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+          })
+          .array()
+          .min(1)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
+        ...req.body,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await Promise.all(
+        req.body.folders.map(async (folder, index) => {
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId,
+            event: {
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment: oldFolders[index].envId,
+                folderId: oldFolders[index].id,
+                folderPath: folder.path,
+                newFolderName: newFolders[index].name,
+                oldFolderName: oldFolders[index].name
+              }
+            }
+          });
+        })
+      );
+
+      return { folders: newFolders };
+    }
+  });
+
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v2/identity-project-router.ts

@@ -7,7 +7,8 @@ import {
   ProjectMembershipRole,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_IDENTITIES } from "@app/lib/api-docs";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -22,12 +23,48 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      description: "Create project identity membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       params: z.object({
         projectId: z.string().trim(),
         identityId: z.string().trim()
       }),
       body: z.object({
-        role: z.string().trim().min(1).default(ProjectMembershipRole.NoAccess)
+        // @depreciated
+        role: z.string().trim().optional().default(ProjectMembershipRole.NoAccess),
+        roles: z
+          .array(
+            z.union([
+              z.object({
+                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z
+                  .literal(false)
+                  .default(false)
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
+              }),
+              z.object({
+                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryMode: z
+                  .nativeEnum(ProjectUserMembershipTemporaryMode)
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryRange: z
+                  .string()
+                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
+                temporaryAccessStartTime: z
+                  .string()
+                  .datetime()
+                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
+              })
+            ])
+          )
+          .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.description)
+          .optional()
       }),
       response: {
         200: z.object({
@@ -36,6 +73,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       }
     },
     handler: async (req) => {
+      const { role, roles } = req.body;
+      if (!role && !roles) throw new BadRequestError({ message: "You must provide either role or roles field" });
+
       const identityMembership = await server.services.identityProject.createProjectIdentity({
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -43,7 +83,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         actorOrgId: req.permission.orgId,
         identityId: req.params.identityId,
         projectId: req.params.projectId,
-        role: req.body.role
+        roles: roles || [{ role }]
       });
       return { identityMembership };
     }
@@ -64,28 +104,39 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.identityId)
       }),
       body: z.object({
         roles: z
           .array(
             z.union([
               z.object({
-                role: z.string(),
-                isTemporary: z.literal(false).default(false)
+                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z
+                  .literal(false)
+                  .default(false)
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary)
               }),
               z.object({
-                role: z.string(),
-                isTemporary: z.literal(true),
-                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
-                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
-                temporaryAccessStartTime: z.string().datetime()
+                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
+                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary),
+                temporaryMode: z
+                  .nativeEnum(ProjectUserMembershipTemporaryMode)
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryMode),
+                temporaryRange: z
+                  .string()
+                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryRange),
+                temporaryAccessStartTime: z
+                  .string()
+                  .datetime()
+                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryAccessStartTime)
               })
             ])
           )
           .min(1)
-          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
+          .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.description)
       }),
       response: {
         200: z.object({
@@ -122,8 +173,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.identityId)
       }),
       response: {
         200: z.object({
@@ -159,7 +210,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.LIST_IDENTITY_MEMBERSHIPS.projectId)
       }),
       response: {
         200: z.object({
@@ -200,4 +251,61 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       return { identityMemberships };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/identity-memberships/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Return project identity membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.projectId),
+        identityId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityMembership: z.object({
+            id: z.string(),
+            identityId: z.string(),
+            createdAt: z.date(),
+            updatedAt: z.date(),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            ),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityMembership = await server.services.identityProject.getProjectIdentityByIdentityId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.projectId,
+        identityId: req.params.identityId
+      });
+      return { identityMembership };
+    }
+  });
 };

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
+import { PROJECT_USERS } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -22,11 +22,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECT_USERS.INVITE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.usernames)
       }),
       response: {
         200: z.object({
@@ -77,11 +77,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECT_USERS.REMOVE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.usernames)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/secret-router.ts

@@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
+        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),
@@ -1921,4 +1926,41 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       return { secrets };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/backfill-secret-references",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Backfill secret references",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectId: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { projectId } = req.body;
+      const message = await server.services.secret.backfillSecretReferences({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId
+      });
+
+      return message;
+    }
+  });
 };

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 
@@ -15,27 +15,111 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
       const doc = await (tx || db)(TableName.IdentityAccessToken)
         .where(filter)
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
-        .leftJoin(
-          TableName.IdentityUaClientSecret,
-          `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
-          `${TableName.IdentityUaClientSecret}.id`
-        )
-        .leftJoin(
-          TableName.IdentityUniversalAuth,
-          `${TableName.IdentityUaClientSecret}.identityUAId`,
-          `${TableName.IdentityUniversalAuth}.id`
-        )
+        .leftJoin(TableName.IdentityUaClientSecret, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+            `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
+            `${TableName.IdentityUaClientSecret}.id`
+          );
+        })
+        .leftJoin(TableName.IdentityUniversalAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+            `${TableName.IdentityUaClientSecret}.identityUAId`,
+            `${TableName.IdentityUniversalAuth}.id`
+          );
+        })
+        .leftJoin(TableName.IdentityGcpAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.GCP_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityGcpAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityAwsAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AWS_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityAwsAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityAzureAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AZURE_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityAzureAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityKubernetesAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.KUBERNETES_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityKubernetesAuth}.identityId`
+          );
+        })
         .select(selectAllTableCols(TableName.IdentityAccessToken))
         .select(
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
           db.ref("name").withSchema(TableName.Identity)
         )
         .first();
-      return doc;
+
+      if (!doc) return;
+
+      return {
+        ...doc,
+        accessTokenTrustedIps:
+          doc.accessTokenTrustedIpsUa ||
+          doc.accessTokenTrustedIpsGcp ||
+          doc.accessTokenTrustedIpsAws ||
+          doc.accessTokenTrustedIpsAzure ||
+          doc.accessTokenTrustedIpsK8s
+      };
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });
     }
   };
 
-  return { ...identityAccessTokenOrm, findOne };
+  const removeExpiredTokens = async (tx?: Knex) => {
+    try {
+      const docs = (tx || db)(TableName.IdentityAccessToken)
+        .where({
+          isAccessTokenRevoked: true
+        })
+        .orWhere((qb) => {
+          void qb
+            .where("accessTokenNumUsesLimit", ">", 0)
+            .andWhere(
+              "accessTokenNumUses",
+              ">=",
+              db.ref("accessTokenNumUsesLimit").withSchema(TableName.IdentityAccessToken)
+            );
+        })
+        .orWhere((qb) => {
+          void qb.where("accessTokenTTL", ">", 0).andWhere((qb2) => {
+            void qb2
+              .where((qb3) => {
+                void qb3
+                  .whereNotNull("accessTokenLastRenewedAt")
+                  // accessTokenLastRenewedAt + convert_integer_to_seconds(accessTokenTTL) < present_date
+                  .andWhereRaw(
+                    `"${TableName.IdentityAccessToken}"."accessTokenLastRenewedAt" + make_interval(secs => "${TableName.IdentityAccessToken}"."accessTokenTTL") < NOW()`
+                  );
+              })
+              .orWhere((qb3) => {
+                void qb3
+                  .whereNull("accessTokenLastRenewedAt")
+                  // created + convert_integer_to_seconds(accessTokenTTL) < present_date
+                  .andWhereRaw(
+                    `"${TableName.IdentityAccessToken}"."createdAt" + make_interval(secs => "${TableName.IdentityAccessToken}"."accessTokenTTL") < NOW()`
+                  );
+              });
+          });
+        })
+        .delete();
+      return await docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "IdentityAccessTokenPrune" });
+    }
+  };
+
+  return { ...identityAccessTokenOrm, findOne, removeExpiredTokens };
 };

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -21,17 +21,18 @@ export const identityAccessTokenServiceFactory = ({
   identityAccessTokenDAL,
   identityOrgMembershipDAL
 }: TIdentityAccessTokenServiceFactoryDep) => {
-  const validateAccessTokenExp = (identityAccessToken: TIdentityAccessTokens) => {
+  const validateAccessTokenExp = async (identityAccessToken: TIdentityAccessTokens) => {
     const {
+      id: tokenId,
       accessTokenTTL,
       accessTokenNumUses,
       accessTokenNumUsesLimit,
       accessTokenLastRenewedAt,
-      accessTokenMaxTTL,
       createdAt: accessTokenCreatedAt
     } = identityAccessToken;
 
     if (accessTokenNumUsesLimit > 0 && accessTokenNumUses > 0 && accessTokenNumUses >= accessTokenNumUsesLimit) {
+      await identityAccessTokenDAL.deleteById(tokenId);
       throw new BadRequestError({
         message: "Unable to renew because access token number of uses limit reached"
       });
@@ -46,41 +47,26 @@ export const identityAccessTokenServiceFactory = ({
         const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenRenewed.getTime() + ttlInMilliseconds);
 
-        if (currentDate > expirationDate)
+        if (currentDate > expirationDate) {
+          await identityAccessTokenDAL.deleteById(tokenId);
           throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
+        }
       } else {
         // access token has never been renewed
         const accessTokenCreated = new Date(accessTokenCreatedAt);
         const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
 
-        if (currentDate > expirationDate)
+        if (currentDate > expirationDate) {
+          await identityAccessTokenDAL.deleteById(tokenId);
           throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
+        }
       }
     }
-
-    // max ttl checks
-    if (Number(accessTokenMaxTTL) > 0) {
-      const accessTokenCreated = new Date(accessTokenCreatedAt);
-      const ttlInMilliseconds = Number(accessTokenMaxTTL) * 1000;
-      const currentDate = new Date();
-      const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
-
-      if (currentDate > expirationDate)
-        throw new UnauthorizedError({
-          message: "Failed to renew MI access token due to Max TTL expiration"
-        });
-
-      const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL));
-      if (extendToDate > expirationDate)
-        throw new UnauthorizedError({
-          message: "Failed to renew MI access token past its Max TTL expiration"
-        });
-    }
   };
 
   const renewAccessToken = async ({ accessToken }: TRenewAccessTokenDTO) => {
@@ -97,7 +83,32 @@ export const identityAccessTokenServiceFactory = ({
     });
     if (!identityAccessToken) throw new UnauthorizedError();
 
-    validateAccessTokenExp(identityAccessToken);
+    await validateAccessTokenExp(identityAccessToken);
+
+    const { accessTokenMaxTTL, createdAt: accessTokenCreatedAt, accessTokenTTL } = identityAccessToken;
+
+    // max ttl checks - will it go above max ttl
+    if (Number(accessTokenMaxTTL) > 0) {
+      const accessTokenCreated = new Date(accessTokenCreatedAt);
+      const ttlInMilliseconds = Number(accessTokenMaxTTL) * 1000;
+      const currentDate = new Date();
+      const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+
+      if (currentDate > expirationDate) {
+        await identityAccessTokenDAL.deleteById(identityAccessToken.id);
+        throw new UnauthorizedError({
+          message: "Failed to renew MI access token due to Max TTL expiration"
+        });
+      }
+
+      const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL * 1000));
+      if (extendToDate > expirationDate) {
+        await identityAccessTokenDAL.deleteById(identityAccessToken.id);
+        throw new UnauthorizedError({
+          message: "Failed to renew MI access token past its Max TTL expiration"
+        });
+      }
+    }
 
     const updatedIdentityAccessToken = await identityAccessTokenDAL.updateById(identityAccessToken.id, {
       accessTokenLastRenewedAt: new Date()
@@ -106,6 +117,24 @@ export const identityAccessTokenServiceFactory = ({
     return { accessToken, identityAccessToken: updatedIdentityAccessToken };
   };
 
+  const revokeAccessToken = async (accessToken: string) => {
+    const appCfg = getConfig();
+
+    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as JwtPayload & {
+      identityAccessTokenId: string;
+    };
+    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) throw new UnauthorizedError();
+
+    const identityAccessToken = await identityAccessTokenDAL.findOne({
+      [`${TableName.IdentityAccessToken}.id` as "id"]: decodedToken.identityAccessTokenId,
+      isAccessTokenRevoked: false
+    });
+    if (!identityAccessToken) throw new UnauthorizedError();
+
+    const revokedToken = await identityAccessTokenDAL.deleteById(identityAccessToken.id);
+    return { revokedToken };
+  };
+
   const fnValidateIdentityAccessToken = async (token: TIdentityAccessTokenJwtPayload, ipAddress?: string) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: token.identityAccessTokenId,
@@ -113,7 +142,7 @@ export const identityAccessTokenServiceFactory = ({
     });
     if (!identityAccessToken) throw new UnauthorizedError();
 
-    if (ipAddress) {
+    if (ipAddress && identityAccessToken) {
       checkIPAgainstBlocklist({
         ipAddress,
         trustedIps: identityAccessToken?.accessTokenTrustedIps as TIp[]
@@ -128,9 +157,16 @@ export const identityAccessTokenServiceFactory = ({
       throw new UnauthorizedError({ message: "Identity does not belong to any organization" });
     }
 
-    validateAccessTokenExp(identityAccessToken);
+    await validateAccessTokenExp(identityAccessToken);
+
+    await identityAccessTokenDAL.updateById(identityAccessToken.id, {
+      accessTokenLastUsedAt: new Date(),
+      $incr: {
+        accessTokenNumUses: 1
+      }
+    });
     return { ...identityAccessToken, orgId: identityOrgMembership.orgId };
   };
 
-  return { renewAccessToken, fnValidateIdentityAccessToken };
+  return { renewAccessToken, revokeAccessToken, fnValidateIdentityAccessToken };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAwsAuthDALFactory = ReturnType<typeof identityAwsAuthDALFactory>;
+
+export const identityAwsAuthDALFactory = (db: TDbClient) => {
+  const awsAuthOrm = ormify(db, TableName.IdentityAwsAuth);
+
+  return awsAuthOrm;
+};

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -16,48 +16,43 @@ import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityAwsIamAuthDALFactory } from "./identity-aws-iam-auth-dal";
-import { extractPrincipalArn } from "./identity-aws-iam-auth-fns";
+import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
+import { extractPrincipalArn } from "./identity-aws-auth-fns";
 import {
-  TAttachAWSIAMAuthDTO,
-  TAWSGetCallerIdentityHeaders,
-  TGetAWSIAMAuthDTO,
+  TAttachAwsAuthDTO,
+  TAwsGetCallerIdentityHeaders,
+  TGetAwsAuthDTO,
   TGetCallerIdentityResponse,
-  TLoginAWSIAMAuthDTO,
-  TUpdateAWSIAMAuthDTO
-} from "./identity-aws-iam-auth-types";
+  TLoginAwsAuthDTO,
+  TUpdateAwsAuthDTO
+} from "./identity-aws-auth-types";
 
-type TIdentityAwsIamAuthServiceFactoryDep = {
+type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsIamAuthDAL: Pick<TIdentityAwsIamAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
 
-export type TIdentityAwsIamAuthServiceFactory = ReturnType<typeof identityAwsIamAuthServiceFactory>;
+export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
 
-export const identityAwsIamAuthServiceFactory = ({
+export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
-  identityAwsIamAuthDAL,
+  identityAwsAuthDAL,
   identityOrgMembershipDAL,
   identityDAL,
   licenseService,
   permissionService
-}: TIdentityAwsIamAuthServiceFactoryDep) => {
-  const login = async ({
-    identityId,
-    iamHttpRequestMethod,
-    iamRequestBody,
-    iamRequestHeaders
-  }: TLoginAWSIAMAuthDTO) => {
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
-    if (!identityAwsIamAuth) throw new UnauthorizedError();
+}: TIdentityAwsAuthServiceFactoryDep) => {
+  const login = async ({ identityId, iamHttpRequestMethod, iamRequestBody, iamRequestHeaders }: TLoginAwsAuthDTO) => {
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
+    if (!identityAwsAuth) throw new UnauthorizedError();
 
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsIamAuth.identityId });
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
 
-    const headers: TAWSGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
+    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
 
     const {
@@ -68,15 +63,15 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     }: { data: TGetCallerIdentityResponse } = await axios({
       method: iamHttpRequestMethod,
-      url: identityAwsIamAuth.stsEndpoint,
+      url: identityAwsAuth.stsEndpoint,
       headers,
       data: body
     });
 
-    if (identityAwsIamAuth.allowedAccountIds) {
+    if (identityAwsAuth.allowedAccountIds) {
       // validate if Account is in the list of allowed Account IDs
 
-      const isAccountAllowed = identityAwsIamAuth.allowedAccountIds
+      const isAccountAllowed = identityAwsAuth.allowedAccountIds
         .split(",")
         .map((accountId) => accountId.trim())
         .some((accountId) => accountId === Account);
@@ -84,10 +79,10 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isAccountAllowed) throw new UnauthorizedError();
     }
 
-    if (identityAwsIamAuth.allowedPrincipalArns) {
+    if (identityAwsAuth.allowedPrincipalArns) {
       // validate if Arn is in the list of allowed Principal ARNs
 
-      const isArnAllowed = identityAwsIamAuth.allowedPrincipalArns
+      const isArnAllowed = identityAwsAuth.allowedPrincipalArns
         .split(",")
         .map((principalArn) => principalArn.trim())
         .some((principalArn) => {
@@ -100,15 +95,15 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isArnAllowed) throw new UnauthorizedError();
     }
 
-    const identityAccessToken = await identityAwsIamAuthDAL.transaction(async (tx) => {
+    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
       const newToken = await identityAccessTokenDAL.create(
         {
-          identityId: identityAwsIamAuth.identityId,
+          identityId: identityAwsAuth.identityId,
           isAccessTokenRevoked: false,
-          accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
+          accessTokenTTL: identityAwsAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
         },
         tx
       );
@@ -118,7 +113,7 @@ export const identityAwsIamAuthServiceFactory = ({
     const appCfg = getConfig();
     const accessToken = jwt.sign(
       {
-        identityId: identityAwsIamAuth.identityId,
+        identityId: identityAwsAuth.identityId,
         identityAccessTokenId: identityAccessToken.id,
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
@@ -131,10 +126,10 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     );
 
-    return { accessToken, identityAwsIamAuth, identityAccessToken, identityMembershipOrg };
+    return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
   };
 
-  const attachAwsIamAuth = async ({
+  const attachAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -147,12 +142,12 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TAttachAWSIAMAuthDTO) => {
+  }: TAttachAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
     if (identityMembershipOrg.identity.authMethod)
       throw new BadRequestError({
-        message: "Failed to add AWS IAM Auth to already configured identity"
+        message: "Failed to add AWS Auth to already configured identity"
       });
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
@@ -186,10 +181,11 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.transaction(async (tx) => {
-      const doc = await identityAwsIamAuthDAL.create(
+    const identityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const doc = await identityAwsAuthDAL.create(
         {
           identityId: identityMembershipOrg.identityId,
+          type: "iam",
           stsEndpoint,
           allowedPrincipalArns,
           allowedAccountIds,
@@ -203,16 +199,16 @@ export const identityAwsIamAuthServiceFactory = ({
       await identityDAL.updateById(
         identityMembershipOrg.identityId,
         {
-          authMethod: IdentityAuthMethod.AWS_IAM_AUTH
+          authMethod: IdentityAuthMethod.AWS_AUTH
         },
         tx
       );
       return doc;
     });
-    return { ...identityAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const updateAwsIamAuth = async ({
+  const updateAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -225,20 +221,19 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TUpdateAWSIAMAuthDTO) => {
+  }: TUpdateAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "Failed to update AWS IAM Auth"
+        message: "Failed to update AWS Auth"
       });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     if (
-      (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityAwsIamAuth.accessTokenMaxTTL) >
-        (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL)
+      (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityAwsAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL)
     ) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
     }
@@ -270,7 +265,7 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const updatedAwsIamAuth = await identityAwsIamAuthDAL.updateById(identityAwsIamAuth.id, {
+    const updatedAwsAuth = await identityAwsAuthDAL.updateById(identityAwsAuth.id, {
       stsEndpoint,
       allowedPrincipalArns,
       allowedAccountIds,
@@ -282,18 +277,18 @@ export const identityAwsIamAuthServiceFactory = ({
         : undefined
     });
 
-    return { ...updatedAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...updatedAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const getAwsIamAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAWSIAMAuthDTO) => {
+  const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "The identity does not have AWS IAM Auth attached"
+        message: "The identity does not have AWS Auth attached"
       });
 
-    const awsIamIdentityAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -303,13 +298,13 @@ export const identityAwsIamAuthServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-    return { ...awsIamIdentityAuth, orgId: identityMembershipOrg.orgId };
+    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
   return {
     login,
-    attachAwsIamAuth,
-    updateAwsIamAuth,
-    getAwsIamAuth
+    attachAwsAuth,
+    updateAwsAuth,
+    getAwsAuth
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -1,13 +1,13 @@
 import { TProjectPermission } from "@app/lib/types";
 
-export type TLoginAWSIAMAuthDTO = {
+export type TLoginAwsAuthDTO = {
   identityId: string;
   iamHttpRequestMethod: string;
   iamRequestBody: string;
   iamRequestHeaders: string;
 };
 
-export type TAttachAWSIAMAuthDTO = {
+export type TAttachAwsAuthDTO = {
   identityId: string;
   stsEndpoint: string;
   allowedPrincipalArns: string;
@@ -18,7 +18,7 @@ export type TAttachAWSIAMAuthDTO = {
   accessTokenTrustedIps: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TUpdateAWSIAMAuthDTO = {
+export type TUpdateAwsAuthDTO = {
   identityId: string;
   stsEndpoint?: string;
   allowedPrincipalArns?: string;
@@ -29,11 +29,11 @@ export type TUpdateAWSIAMAuthDTO = {
   accessTokenTrustedIps?: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TGetAWSIAMAuthDTO = {
+export type TGetAwsAuthDTO = {
   identityId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TAWSGetCallerIdentityHeaders = {
+export type TAwsGetCallerIdentityHeaders = {
   "Content-Type": string;
   Host: string;
   "X-Amz-Date": string;

backend/src/services/identity-aws-iam-auth/identity-aws-iam-auth-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityAwsIamAuthDALFactory = ReturnType<typeof identityAwsIamAuthDALFactory>;
-
-export const identityAwsIamAuthDALFactory = (db: TDbClient) => {
-  const awsIamAuthOrm = ormify(db, TableName.IdentityAwsIamAuth);
-
-  return awsIamAuthOrm;
-};

backend/src/services/identity-azure-auth/identity-azure-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAzureAuthDALFactory = ReturnType<typeof identityAzureAuthDALFactory>;
+
+export const identityAzureAuthDALFactory = (db: TDbClient) => {
+  const azureAuthOrm = ormify(db, TableName.IdentityAzureAuth);
+  return azureAuthOrm;
+};

backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts

@@ -0,0 +1,34 @@
+import axios from "axios";
+import jwt from "jsonwebtoken";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TAzureAuthJwtPayload, TAzureJwksUriResponse, TDecodedAzureAuthJwt } from "./identity-azure-auth-types";
+
+export const validateAzureIdentity = async ({
+  tenantId,
+  resource,
+  jwt: azureJwt
+}: {
+  tenantId: string;
+  resource: string;
+  jwt: string;
+}) => {
+  const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/keys`;
+
+  const decodedJwt = jwt.decode(azureJwt, { complete: true }) as TDecodedAzureAuthJwt;
+  const { kid } = decodedJwt.header;
+
+  const { data }: { data: TAzureJwksUriResponse } = await axios.get(jwksUri);
+  const signingKeys = data.keys;
+
+  const signingKey = signingKeys.find((key) => key.kid === kid);
+  if (!signingKey) throw new UnauthorizedError();
+
+  const publicKey = `-----BEGIN CERTIFICATE-----\n${signingKey.x5c[0]}\n-----END CERTIFICATE-----`;
+
+  return jwt.verify(azureJwt, publicKey, {
+    audience: resource,
+    issuer: `https://sts.windows.net/${tenantId}/`
+  }) as TAzureAuthJwtPayload;
+};

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -0,0 +1,286 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityAzureAuthDALFactory } from "./identity-azure-auth-dal";
+import { validateAzureIdentity } from "./identity-azure-auth-fns";
+import {
+  TAttachAzureAuthDTO,
+  TGetAzureAuthDTO,
+  TLoginAzureAuthDTO,
+  TUpdateAzureAuthDTO
+} from "./identity-azure-auth-types";
+
+type TIdentityAzureAuthServiceFactoryDep = {
+  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityAzureAuthServiceFactory = ReturnType<typeof identityAzureAuthServiceFactory>;
+
+export const identityAzureAuthServiceFactory = ({
+  identityAzureAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  permissionService,
+  licenseService
+}: TIdentityAzureAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: azureJwt }: TLoginAzureAuthDTO) => {
+    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
+    if (!identityAzureAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAzureAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError();
+
+    const azureIdentity = await validateAzureIdentity({
+      tenantId: identityAzureAuth.tenantId,
+      resource: identityAzureAuth.resource,
+      jwt: azureJwt
+    });
+
+    if (azureIdentity.tid !== identityAzureAuth.tenantId) throw new UnauthorizedError();
+
+    if (identityAzureAuth.allowedServicePrincipalIds) {
+      // validate if the service principal id is in the list of allowed service principal ids
+
+      const isServicePrincipalAllowed = identityAzureAuth.allowedServicePrincipalIds
+        .split(",")
+        .map((servicePrincipalId) => servicePrincipalId.trim())
+        .some((servicePrincipalId) => servicePrincipalId === azureIdentity.oid);
+
+      if (!isServicePrincipalAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityAzureAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityAzureAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityAzureAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityAzureAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachAzureAuth = async ({
+    identityId,
+    tenantId,
+    resource,
+    allowedServicePrincipalIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add Azure Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const doc = await identityAzureAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          tenantId,
+          resource,
+          allowedServicePrincipalIds,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.AZURE_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateAzureAuth = async ({
+    identityId,
+    tenantId,
+    resource,
+    allowedServicePrincipalIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update Azure Auth"
+      });
+
+    const identityGcpAuth = await identityAzureAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedAzureAuth = await identityAzureAuthDAL.updateById(identityGcpAuth.id, {
+      tenantId,
+      resource,
+      allowedServicePrincipalIds,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return {
+      ...updatedAzureAuth,
+      orgId: identityMembershipOrg.orgId
+    };
+  };
+
+  const getAzureAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have Azure Auth attached"
+      });
+
+    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachAzureAuth,
+    updateAzureAuth,
+    getAzureAuth
+  };
+};

backend/src/services/identity-azure-auth/identity-azure-auth-types.ts

@@ -0,0 +1,120 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginAzureAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachAzureAuthDTO = {
+  identityId: string;
+  tenantId: string;
+  resource: string;
+  allowedServicePrincipalIds: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateAzureAuthDTO = {
+  identityId: string;
+  tenantId?: string;
+  resource?: string;
+  allowedServicePrincipalIds?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TAzureJwksUriResponse = {
+  keys: {
+    kty: string;
+    use: string;
+    kid: string;
+    x5t: string;
+    n: string;
+    e: string;
+    x5c: string[];
+  }[];
+};
+
+type TUserPayload = {
+  aud: string;
+  iss: string;
+  iat: number;
+  nbf: number;
+  exp: number;
+  acr: string;
+  aio: string;
+  amr: string[];
+  appid: string;
+  appidacr: string;
+  family_name: string;
+  given_name: string;
+  groups: string[];
+  idtyp: string;
+  ipaddr: string;
+  name: string;
+  oid: string;
+  puid: string;
+  rh: string;
+  scp: string;
+  sub: string;
+  tid: string;
+  unique_name: string;
+  upn: string;
+  uti: string;
+  ver: string;
+  wids: string[];
+  xms_cae: string;
+  xms_cc: string[];
+  xms_filter_index: string[];
+  xms_rd: string;
+  xms_ssm: string;
+  xms_tcdt: number;
+};
+
+type TAppPayload = {
+  aud: string;
+  iss: string;
+  iat: number;
+  nbf: number;
+  exp: number;
+  aio: string;
+  appid: string;
+  appidacr: string;
+  idp: string;
+  idtyp: string;
+  oid: string; // service principal id
+  rh: string;
+  sub: string;
+  tid: string;
+  uti: string;
+  ver: string;
+  xms_cae: string;
+  xms_cc: string[];
+  xms_rd: string;
+  xms_ssm: string;
+  xms_tcdt: number;
+};
+
+export type TAzureAuthJwtPayload = TUserPayload | TAppPayload;
+
+export type TDecodedAzureAuthJwt = {
+  header: {
+    type: string;
+    alg: string;
+    x5t: string;
+    kid: string;
+  };
+  payload: TAzureAuthJwtPayload;
+  signature: string;
+  metadata: {
+    [key: string]: string;
+  };
+};

backend/src/services/identity-azure-auth/identity-azure-auth-validators.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+export const validateAzureAuthField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });

backend/src/services/identity-gcp-auth/identity-gcp-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityGcpAuthDALFactory = ReturnType<typeof identityGcpAuthDALFactory>;
+
+export const identityGcpAuthDALFactory = (db: TDbClient) => {
+  const gcpAuthOrm = ormify(db, TableName.IdentityGcpAuth);
+  return gcpAuthOrm;
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-fns.ts

@@ -0,0 +1,70 @@
+import axios from "axios";
+import { OAuth2Client } from "google-auth-library";
+import jwt from "jsonwebtoken";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TDecodedGcpIamAuthJwt, TGcpIdTokenPayload } from "./identity-gcp-auth-types";
+
+/**
+ * Validates that the identity token [jwt] sent in from a client GCE instance as part of GCP ID Token authentication
+ * is valid.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The identity token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ */
+export const validateIdTokenIdentity = async ({
+  identityId,
+  jwt: identityToken
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const oAuth2Client = new OAuth2Client();
+  const response = await oAuth2Client.getFederatedSignonCerts();
+  const ticket = await oAuth2Client.verifySignedJwtWithCertsAsync(
+    identityToken,
+    response.certs,
+    identityId, // audience
+    ["https://accounts.google.com"]
+  );
+  const payload = ticket.getPayload() as TGcpIdTokenPayload;
+  if (!payload || !payload.email) throw new UnauthorizedError();
+
+  return { email: payload.email, computeEngineDetails: payload.google?.compute_engine };
+};
+
+/**
+ * Validates that the signed JWT token for a GCP service account is valid as part of GCP IAM authentication.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The signed JWT token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ * @returns
+ */
+export const validateIamIdentity = async ({
+  identityId,
+  jwt: serviceAccountJwt
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const decodedJwt = jwt.decode(serviceAccountJwt, { complete: true }) as TDecodedGcpIamAuthJwt;
+  const { sub, aud } = decodedJwt.payload;
+
+  const {
+    data
+  }: {
+    data: {
+      [key: string]: string;
+    };
+  } = await axios.get(`https://www.googleapis.com/service_accounts/v1/metadata/x509/${sub}`);
+
+  const publicKey = data[decodedJwt.header.kid];
+
+  jwt.verify(serviceAccountJwt, publicKey, {
+    algorithms: ["RS256"]
+  });
+
+  if (aud !== identityId) throw new UnauthorizedError();
+  return { email: sub };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -0,0 +1,324 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
+import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
+import {
+  TAttachGcpAuthDTO,
+  TGcpIdentityDetails,
+  TGetGcpAuthDTO,
+  TLoginGcpAuthDTO,
+  TUpdateGcpAuthDTO
+} from "./identity-gcp-auth-types";
+
+type TIdentityGcpAuthServiceFactoryDep = {
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityGcpAuthServiceFactory = ReturnType<typeof identityGcpAuthServiceFactory>;
+
+export const identityGcpAuthServiceFactory = ({
+  identityGcpAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  permissionService,
+  licenseService
+}: TIdentityGcpAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: gcpJwt }: TLoginGcpAuthDTO) => {
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+    if (!identityGcpAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityGcpAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError();
+
+    let gcpIdentityDetails: TGcpIdentityDetails;
+    switch (identityGcpAuth.type) {
+      case "gce": {
+        gcpIdentityDetails = await validateIdTokenIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      case "iam": {
+        gcpIdentityDetails = await validateIamIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      default: {
+        throw new BadRequestError({ message: "Invalid GCP Auth type" });
+      }
+    }
+
+    if (identityGcpAuth.allowedServiceAccounts) {
+      // validate if the service account is in the list of allowed service accounts
+
+      const isServiceAccountAllowed = identityGcpAuth.allowedServiceAccounts
+        .split(",")
+        .map((serviceAccount) => serviceAccount.trim())
+        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
+
+      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
+      // validate if the project that the service account belongs to is in the list of allowed projects
+
+      const isProjectAllowed = identityGcpAuth.allowedProjects
+        .split(",")
+        .map((project) => project.trim())
+        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
+
+      if (!isProjectAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
+      const isZoneAllowed = identityGcpAuth.allowedZones
+        .split(",")
+        .map((zone) => zone.trim())
+        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
+
+      if (!isZoneAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityGcpAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityGcpAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityGcpAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add GCP Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const doc = await identityGcpAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.GCP_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update GCP Auth"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedGcpAuth = await identityGcpAuthDAL.updateById(identityGcpAuth.id, {
+      type,
+      allowedServiceAccounts,
+      allowedProjects,
+      allowedZones,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return {
+      ...updatedGcpAuth,
+      orgId: identityMembershipOrg.orgId
+    };
+  };
+
+  const getGcpAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have GCP Auth attached"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachGcpAuth,
+    updateGcpAuth,
+    getGcpAuth
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -0,0 +1,78 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginGcpAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachGcpAuthDTO = {
+  identityId: string;
+  type: "iam" | "gce";
+  allowedServiceAccounts: string;
+  allowedProjects: string;
+  allowedZones: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateGcpAuthDTO = {
+  identityId: string;
+  type?: "iam" | "gce";
+  allowedServiceAccounts?: string;
+  allowedProjects?: string;
+  allowedZones?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+type TComputeEngineDetails = {
+  instance_creation_timestamp: number;
+  instance_id: string;
+  instance_name: string;
+  project_id: string;
+  project_number: number;
+  zone: string;
+};
+
+export type TGcpIdentityDetails = {
+  email: string;
+  computeEngineDetails?: TComputeEngineDetails;
+};
+
+export type TGcpIdTokenPayload = {
+  aud: string;
+  azp: string;
+  email: string;
+  email_verified: boolean;
+  exp: number;
+  google?: {
+    compute_engine: TComputeEngineDetails;
+  };
+  iat: number;
+  iss: string;
+  sub: string;
+};
+
+export type TDecodedGcpIamAuthJwt = {
+  header: {
+    alg: string;
+    kid: string;
+    typ: string;
+  };
+  payload: {
+    sub: string;
+    aud: string;
+  };
+  signature: string;
+  metadata: {
+    [key: string]: string;
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-validators.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+export const validateGcpAuthField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityKubernetesAuthDALFactory = ReturnType<typeof identityKubernetesAuthDALFactory>;
+
+export const identityKubernetesAuthDALFactory = (db: TDbClient) => {
+  const kubernetesAuthOrm = ormify(db, TableName.IdentityKubernetesAuth);
+  return kubernetesAuthOrm;
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-fns.ts

@@ -0,0 +1,15 @@
+/**
+ * Extracts the K8s service account name and namespace
+ * from the username in this format: system:serviceaccount:default:infisical-auth
+ */
+export const extractK8sUsername = (username: string) => {
+  const parts = username.split(":");
+  // Ensure that the username format is correct
+  if (parts.length === 4 && parts[0] === "system" && parts[1] === "serviceaccount") {
+    return {
+      namespace: parts[2],
+      name: parts[3]
+    };
+  }
+  throw new Error("Invalid username format");
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -0,0 +1,515 @@
+import { ForbiddenError } from "@casl/ability";
+import axios from "axios";
+import https from "https";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import {
+  decryptSymmetric,
+  encryptSymmetric,
+  generateAsymmetricKeyPair,
+  generateSymmetricKey,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityKubernetesAuthDALFactory } from "./identity-kubernetes-auth-dal";
+import { extractK8sUsername } from "./identity-kubernetes-auth-fns";
+import {
+  TAttachKubernetesAuthDTO,
+  TCreateTokenReviewResponse,
+  TGetKubernetesAuthDTO,
+  TLoginKubernetesAuthDTO,
+  TUpdateKubernetesAuthDTO
+} from "./identity-kubernetes-auth-types";
+
+type TIdentityKubernetesAuthServiceFactoryDep = {
+  identityKubernetesAuthDAL: Pick<
+    TIdentityKubernetesAuthDALFactory,
+    "create" | "findOne" | "transaction" | "updateById"
+  >;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityKubernetesAuthServiceFactory = ReturnType<typeof identityKubernetesAuthServiceFactory>;
+
+export const identityKubernetesAuthServiceFactory = ({
+  identityKubernetesAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  orgBotDAL,
+  permissionService,
+  licenseService
+}: TIdentityKubernetesAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: serviceAccountJwt }: TLoginKubernetesAuthDTO) => {
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+    if (!identityKubernetesAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
+      identityId: identityKubernetesAuth.identityId
+    });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
+      identityKubernetesAuth;
+
+    let caCert = "";
+    if (encryptedCaCert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCaCert,
+        iv: caCertIV,
+        tag: caCertTag,
+        key
+      });
+    }
+
+    let tokenReviewerJwt = "";
+    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
+      tokenReviewerJwt = decryptSymmetric({
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag,
+        key
+      });
+    }
+
+    const { data }: { data: TCreateTokenReviewResponse } = await axios.post(
+      `${identityKubernetesAuth.kubernetesHost}/apis/authentication.k8s.io/v1/tokenreviews`,
+      {
+        apiVersion: "authentication.k8s.io/v1",
+        kind: "TokenReview",
+        spec: {
+          token: serviceAccountJwt
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${tokenReviewerJwt}`
+        },
+        httpsAgent: new https.Agent({
+          ca: caCert,
+          rejectUnauthorized: !!caCert
+        })
+      }
+    );
+
+    if ("error" in data.status) throw new UnauthorizedError({ message: data.status.error });
+
+    // check the response to determine if the token is valid
+    if (!(data.status && data.status.authenticated)) throw new UnauthorizedError();
+
+    const { namespace: targetNamespace, name: targetName } = extractK8sUsername(data.status.user.username);
+
+    if (identityKubernetesAuth.allowedNamespaces) {
+      // validate if [targetNamespace] is in the list of allowed namespaces
+
+      const isNamespaceAllowed = identityKubernetesAuth.allowedNamespaces
+        .split(",")
+        .map((namespace) => namespace.trim())
+        .some((namespace) => namespace === targetNamespace);
+
+      if (!isNamespaceAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityKubernetesAuth.allowedNames) {
+      // validate if [targetName] is in the list of allowed names
+
+      const isNameAllowed = identityKubernetesAuth.allowedNames
+        .split(",")
+        .map((name) => name.trim())
+        .some((name) => name === targetName);
+
+      if (!isNameAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityKubernetesAuth.allowedAudience) {
+      // validate if [audience] is in the list of allowed audiences
+      const isAudienceAllowed = data.status.audiences.some(
+        (audience) => audience === identityKubernetesAuth.allowedAudience
+      );
+
+      if (!isAudienceAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityKubernetesAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityKubernetesAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityKubernetesAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachKubernetesAuth = async ({
+    identityId,
+    kubernetesHost,
+    caCert,
+    tokenReviewerJwt,
+    allowedNamespaces,
+    allowedNames,
+    allowedAudience,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add Kubernetes Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const orgBot = await orgBotDAL.transaction(async (tx) => {
+      const doc = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId }, tx);
+      if (doc) return doc;
+
+      const { privateKey, publicKey } = generateAsymmetricKeyPair();
+      const key = generateSymmetricKey();
+      const {
+        ciphertext: encryptedPrivateKey,
+        iv: privateKeyIV,
+        tag: privateKeyTag,
+        encoding: privateKeyKeyEncoding,
+        algorithm: privateKeyAlgorithm
+      } = infisicalSymmetricEncypt(privateKey);
+      const {
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        encoding: symmetricKeyKeyEncoding,
+        algorithm: symmetricKeyAlgorithm
+      } = infisicalSymmetricEncypt(key);
+
+      return orgBotDAL.create(
+        {
+          name: "Infisical org bot",
+          publicKey,
+          privateKeyIV,
+          encryptedPrivateKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          encryptedSymmetricKey,
+          symmetricKeyAlgorithm,
+          orgId: identityMembershipOrg.orgId,
+          privateKeyTag,
+          privateKeyAlgorithm,
+          privateKeyKeyEncoding,
+          symmetricKeyKeyEncoding
+        },
+        tx
+      );
+    });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { ciphertext: encryptedCaCert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+    const {
+      ciphertext: encryptedTokenReviewerJwt,
+      iv: tokenReviewerJwtIV,
+      tag: tokenReviewerJwtTag
+    } = encryptSymmetric(tokenReviewerJwt, key);
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const doc = await identityKubernetesAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          kubernetesHost,
+          encryptedCaCert,
+          caCertIV,
+          caCertTag,
+          encryptedTokenReviewerJwt,
+          tokenReviewerJwtIV,
+          tokenReviewerJwtTag,
+          allowedNamespaces,
+          allowedNames,
+          allowedAudience,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.KUBERNETES_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+
+    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateKubernetesAuth = async ({
+    identityId,
+    kubernetesHost,
+    caCert,
+    tokenReviewerJwt,
+    allowedNamespaces,
+    allowedNames,
+    allowedAudience,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update Kubernetes Auth"
+      });
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityKubernetesAuth.accessTokenMaxTTL) >
+        (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updateQuery: TIdentityKubernetesAuthsUpdate = {
+      kubernetesHost,
+      allowedNamespaces,
+      allowedNames,
+      allowedAudience,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    };
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    if (caCert !== undefined) {
+      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+      updateQuery.encryptedCaCert = encryptedCACert;
+      updateQuery.caCertIV = caCertIV;
+      updateQuery.caCertTag = caCertTag;
+    }
+
+    if (tokenReviewerJwt !== undefined) {
+      const {
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag
+      } = encryptSymmetric(tokenReviewerJwt, key);
+      updateQuery.encryptedTokenReviewerJwt = encryptedTokenReviewerJwt;
+      updateQuery.tokenReviewerJwtIV = tokenReviewerJwtIV;
+      updateQuery.tokenReviewerJwtTag = tokenReviewerJwtTag;
+    }
+
+    const updatedKubernetesAuth = await identityKubernetesAuthDAL.updateById(identityKubernetesAuth.id, updateQuery);
+
+    return { ...updatedKubernetesAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have Kubernetes Auth attached"
+      });
+
+    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
+      identityKubernetesAuth;
+
+    let caCert = "";
+    if (encryptedCaCert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCaCert,
+        iv: caCertIV,
+        tag: caCertTag,
+        key
+      });
+    }
+
+    let tokenReviewerJwt = "";
+    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
+      tokenReviewerJwt = decryptSymmetric({
+        ciphertext: encryptedTokenReviewerJwt,
+        iv: tokenReviewerJwtIV,
+        tag: tokenReviewerJwtTag,
+        key
+      });
+    }
+
+    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachKubernetesAuth,
+    updateKubernetesAuth,
+    getKubernetesAuth
+  };
+};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -0,0 +1,61 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginKubernetesAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachKubernetesAuthDTO = {
+  identityId: string;
+  kubernetesHost: string;
+  caCert: string;
+  tokenReviewerJwt: string;
+  allowedNamespaces: string;
+  allowedNames: string;
+  allowedAudience: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateKubernetesAuthDTO = {
+  identityId: string;
+  kubernetesHost?: string;
+  caCert?: string;
+  tokenReviewerJwt?: string;
+  allowedNamespaces?: string;
+  allowedNames?: string;
+  allowedAudience?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+type TCreateTokenReviewSuccessResponse = {
+  authenticated: true;
+  user: {
+    username: string;
+    uid: string;
+    groups: string[];
+  };
+  audiences: string[];
+};
+
+type TCreateTokenReviewErrorResponse = {
+  error: string;
+};
+
+export type TCreateTokenReviewResponse = {
+  apiVersion: "authentication.k8s.io/v1";
+  kind: "TokenReview";
+  spec: {
+    token: string;
+  };
+  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
+};

backend/src/services/identity-project/identity-project-dal.ts

@@ -10,11 +10,16 @@ export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFac
 export const identityProjectDALFactory = (db: TDbClient) => {
   const identityProjectOrm = ormify(db, TableName.IdentityProjectMembership);
 
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
+  const findByProjectId = async (projectId: string, filter: { identityId?: string } = {}, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.IdentityProjectMembership)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
         .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
+        .where((qb) => {
+          if (filter.identityId) {
+            void qb.where("identityId", filter.identityId);
+          }
+        })
         .join(
           TableName.IdentityProjectMembershipRole,
           `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,

backend/src/services/identity-project/identity-project-service.ts

@@ -18,6 +18,7 @@ import { TIdentityProjectMembershipRoleDALFactory } from "./identity-project-mem
 import {
   TCreateProjectIdentityDTO,
   TDeleteProjectIdentityDTO,
+  TGetProjectIdentityByIdentityIdDTO,
   TListProjectIdentityDTO,
   TUpdateProjectIdentityDTO
 } from "./identity-project-types";
@@ -51,7 +52,7 @@ export const identityProjectServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     projectId,
-    role
+    roles
   }: TCreateProjectIdentityDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -78,17 +79,33 @@ export const identityProjectServiceFactory = ({
         message: `Failed to find identity with id ${identityId}`
       });
 
-    const { permission: rolePermission, role: customRole } = await permissionService.getProjectPermissionByRole(
-      role,
-      project.id
-    );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasPriviledge)
-      throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
-      });
-    const isCustomRole = Boolean(customRole);
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        projectId
+      );
 
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
+    }
+
+    // validate custom roles input
+    const customInputRoles = roles.filter(
+      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+    );
+    const hasCustomRole = Boolean(customInputRoles.length);
+    const customRoles = hasCustomRole
+      ? await projectRoleDAL.find({
+          projectId,
+          $in: { slug: customInputRoles.map(({ role }) => role) }
+        })
+      : [];
+    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+
+    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
     const projectIdentity = await identityProjectDAL.transaction(async (tx) => {
       const identityProjectMembership = await identityProjectDAL.create(
         {
@@ -97,16 +114,32 @@ export const identityProjectServiceFactory = ({
         },
         tx
       );
+      const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
+        const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
+        if (!inputRole.isTemporary) {
+          return {
+            projectMembershipId: identityProjectMembership.id,
+            role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+            customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
+          };
+        }
 
-      await identityProjectMembershipRoleDAL.create(
-        {
+        // check cron or relative here later for now its just relative
+        const relativeTimeInMs = ms(inputRole.temporaryRange);
+        return {
           projectMembershipId: identityProjectMembership.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : role,
-          customRoleId: customRole?.id
-        },
-        tx
-      );
-      return identityProjectMembership;
+          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
+          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
+          isTemporary: true,
+          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
+          temporaryRange: inputRole.temporaryRange,
+          temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
+          temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
+        };
+      });
+
+      const identityRoles = await identityProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
+      return { ...identityProjectMembership, roles: identityRoles };
     });
     return projectIdentity;
   };
@@ -135,16 +168,18 @@ export const identityProjectServiceFactory = ({
         message: `Identity with id ${identityId} doesn't exists in project with id ${projectId}`
       });
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      projectIdentity.identityId,
-      projectIdentity.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
+    for await (const { role: requestedRoleChange } of roles) {
+      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
+        requestedRoleChange,
+        projectId
+      );
+
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
+    }
 
     // validate custom roles input
     const customInputRoles = roles.filter(
@@ -224,7 +259,7 @@ export const identityProjectServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
-    const [deletedIdentity] = await identityProjectDAL.delete({ identityId });
+    const [deletedIdentity] = await identityProjectDAL.delete({ identityId, projectId });
     return deletedIdentity;
   };
 
@@ -248,10 +283,33 @@ export const identityProjectServiceFactory = ({
     return identityMemberships;
   };
 
+  const getProjectIdentityByIdentityId = async ({
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    identityId
+  }: TGetProjectIdentityByIdentityIdDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+
+    const [identityMembership] = await identityProjectDAL.findByProjectId(projectId, { identityId });
+    if (!identityMembership) throw new BadRequestError({ message: `Membership not found for identity ${identityId}` });
+    return identityMembership;
+  };
+
   return {
     createProjectIdentity,
     updateProjectIdentity,
     deleteProjectIdentity,
-    listProjectIdentities
+    listProjectIdentities,
+    getProjectIdentityByIdentityId
   };
 };

backend/src/services/identity-project/identity-project-types.ts

@@ -4,7 +4,19 @@ import { ProjectUserMembershipTemporaryMode } from "../project-membership/projec
 
 export type TCreateProjectIdentityDTO = {
   identityId: string;
-  role: string;
+  roles: (
+    | {
+        role: string;
+        isTemporary?: false;
+      }
+    | {
+        role: string;
+        isTemporary: true;
+        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
+        temporaryRange: string;
+        temporaryAccessStartTime: string;
+      }
+  )[];
 } & TProjectPermission;
 
 export type TUpdateProjectIdentityDTO = {
@@ -29,3 +41,7 @@ export type TDeleteProjectIdentityDTO = {
 } & TProjectPermission;
 
 export type TListProjectIdentityDTO = TProjectPermission;
+
+export type TGetProjectIdentityByIdentityIdDTO = {
+  identityId: string;
+} & TProjectPermission;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-list.ts

@@ -43,6 +43,11 @@ export enum IntegrationInitialSyncBehavior {
   PREFER_SOURCE = "prefer-source"
 }
 
+export enum IntegrationMappingBehavior {
+  ONE_TO_ONE = "one-to-one",
+  MANY_TO_ONE = "many-to-one"
+}
+
 export enum IntegrationUrls {
   // integration oauth endpoints
   GCP_TOKEN_URL = "https://oauth2.googleapis.com/token",

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,9 +9,12 @@
 
 import {
   CreateSecretCommand,
+  DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
+  TagResourceCommand,
+  UntagResourceCommand,
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { Octokit } from "@octokit/rest";
@@ -27,7 +30,12 @@ import { BadRequestError } from "@app/lib/errors";
 import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/secret/secret-types";
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
-import { IntegrationInitialSyncBehavior, Integrations, IntegrationUrls } from "./integration-list";
+import {
+  IntegrationInitialSyncBehavior,
+  IntegrationMappingBehavior,
+  Integrations,
+  IntegrationUrls
+} from "./integration-list";
 
 const getSecretKeyValuePair = (secrets: Record<string, { value: string | null; comment?: string } | null>) =>
   Object.keys(secrets).reduce<Record<string, string | null | undefined>>((prev, key) => {
@@ -459,27 +467,39 @@ const syncSecretsAWSParameterStore = async ({
   ssm.config.update(config);
 
   const metadata = z.record(z.any()).parse(integration.metadata || {});
+  const awsParameterStoreSecretsObj: Record<string, AWS.SSM.Parameter> = {};
 
-  const params = {
-    Path: integration.path as string,
-    Recursive: false,
-    WithDecryption: true
-  };
+  // now fetch all aws parameter store secrets
+  let hasNext = true;
+  let nextToken: string | undefined;
+  while (hasNext) {
+    const parameters = await ssm
+      .getParametersByPath({
+        Path: integration.path as string,
+        Recursive: false,
+        WithDecryption: true,
+        MaxResults: 10,
+        NextToken: nextToken
+      })
+      .promise();
 
-  const parameterList = (await ssm.getParametersByPath(params).promise()).Parameters;
+    if (parameters.Parameters) {
+      parameters.Parameters.forEach((parameter) => {
+        if (parameter.Name) {
+          const secKey = parameter.Name.substring((integration.path as string).length);
+          awsParameterStoreSecretsObj[secKey] = parameter;
+        }
+      });
+    }
+    hasNext = Boolean(parameters.NextToken);
+    nextToken = parameters.NextToken;
+  }
 
-  const awsParameterStoreSecretsObj = (parameterList || [])
-    .filter(({ Name }) => Boolean(Name))
-    .reduce(
-      (obj, secret) => ({
-        ...obj,
-        [(secret.Name as string).substring((integration.path as string).length)]: secret
-      }),
-      {} as Record<string, AWS.SSM.Parameter>
-    );
   // Identify secrets to create
-  await Promise.all(
-    Object.keys(secrets).map(async (key) => {
+  // don't use Promise.all() and promise map here
+  // it will cause rate limit
+  for (const key in secrets) {
+    if (Object.hasOwn(secrets, key)) {
       if (!(key in awsParameterStoreSecretsObj)) {
         // case: secret does not exist in AWS parameter store
         // -> create secret
@@ -514,23 +534,31 @@ const syncSecretsAWSParameterStore = async ({
           })
           .promise();
       }
-    })
-  );
 
-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
+      await new Promise((resolve) => {
+        setTimeout(resolve, 50);
+      });
+    }
+  }
+
+  if (!metadata.shouldDisableDelete) {
+    for (const key in awsParameterStoreSecretsObj) {
+      if (Object.hasOwn(awsParameterStoreSecretsObj, key)) {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+        await new Promise((resolve) => {
+          setTimeout(resolve, 50);
+        });
       }
-    })
-  );
+    }
+  }
 };
 
 /**
@@ -547,52 +575,149 @@ const syncSecretsAWSSecretManager = async ({
   accessId: string | null;
   accessToken: string;
 }) => {
-  let secretsManager;
-  const secKeyVal = getSecretKeyValuePair(secrets);
   const metadata = z.record(z.any()).parse(integration.metadata || {});
-  try {
-    if (!accessId) return;
 
-    secretsManager = new SecretsManagerClient({
-      region: integration.region as string,
-      credentials: {
-        accessKeyId: accessId,
-        secretAccessKey: accessToken
+  if (!accessId) return;
+
+  const secretsManager = new SecretsManagerClient({
+    region: integration.region as string,
+    credentials: {
+      accessKeyId: accessId,
+      secretAccessKey: accessToken
+    }
+  });
+
+  const processAwsSecret = async (
+    secretId: string,
+    secretValue: Record<string, string | null | undefined> | string
+  ) => {
+    try {
+      const awsSecretManagerSecret = await secretsManager.send(
+        new GetSecretValueCommand({
+          SecretId: secretId
+        })
+      );
+
+      let secretToCompare;
+      if (awsSecretManagerSecret?.SecretString) {
+        if (typeof secretValue === "string") {
+          secretToCompare = awsSecretManagerSecret.SecretString;
+        } else {
+          secretToCompare = JSON.parse(awsSecretManagerSecret.SecretString);
+        }
       }
-    });
 
-    const awsSecretManagerSecret = await secretsManager.send(
-      new GetSecretValueCommand({
-        SecretId: integration.app as string
-      })
-    );
+      if (!isEqual(secretToCompare, secretValue)) {
+        await secretsManager.send(
+          new UpdateSecretCommand({
+            SecretId: secretId,
+            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue)
+          })
+        );
+      }
 
-    let awsSecretManagerSecretObj: { [key: string]: AWS.SecretsManager } = {};
+      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
 
-    if (awsSecretManagerSecret?.SecretString) {
-      awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
+      if (secretAWSTag && secretAWSTag.length) {
+        const describedSecret = await secretsManager.send(
+          // requires secretsmanager:DescribeSecret policy
+          new DescribeSecretCommand({
+            SecretId: secretId
+          })
+        );
+
+        if (!describedSecret.Tags) return;
+
+        const integrationTagObj = secretAWSTag.reduce(
+          (acc, item) => {
+            acc[item.key] = item.value;
+            return acc;
+          },
+          {} as Record<string, string>
+        );
+
+        const awsTagObj = (describedSecret.Tags || []).reduce(
+          (acc, item) => {
+            if (item.Key && item.Value) {
+              acc[item.Key] = item.Value;
+            }
+            return acc;
+          },
+          {} as Record<string, string>
+        );
+
+        const tagsToUpdate: { Key: string; Value: string }[] = [];
+        const tagsToDelete: { Key: string; Value: string }[] = [];
+
+        describedSecret.Tags?.forEach((tag) => {
+          if (tag.Key && tag.Value) {
+            if (!(tag.Key in integrationTagObj)) {
+              // delete tag from AWS secret manager
+              tagsToDelete.push({
+                Key: tag.Key,
+                Value: tag.Value
+              });
+            } else if (tag.Value !== integrationTagObj[tag.Key]) {
+              // update tag in AWS secret manager
+              tagsToUpdate.push({
+                Key: tag.Key,
+                Value: integrationTagObj[tag.Key]
+              });
+            }
+          }
+        });
+
+        secretAWSTag?.forEach((tag) => {
+          if (!(tag.key in awsTagObj)) {
+            // create tag in AWS secret manager
+            tagsToUpdate.push({
+              Key: tag.key,
+              Value: tag.value
+            });
+          }
+        });
+
+        if (tagsToUpdate.length) {
+          await secretsManager.send(
+            new TagResourceCommand({
+              SecretId: secretId,
+              Tags: tagsToUpdate
+            })
+          );
+        }
+
+        if (tagsToDelete.length) {
+          await secretsManager.send(
+            new UntagResourceCommand({
+              SecretId: secretId,
+              TagKeys: tagsToDelete.map((tag) => tag.Key)
+            })
+          );
+        }
+      }
+    } catch (err) {
+      // case when AWS manager can't find the specified secret
+      if (err instanceof ResourceNotFoundException && secretsManager) {
+        await secretsManager.send(
+          new CreateSecretCommand({
+            Name: secretId,
+            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
+            ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
+            Tags: metadata.secretAWSTag
+              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
+              : []
+          })
+        );
+      }
     }
-    if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
-      await secretsManager.send(
-        new UpdateSecretCommand({
-          SecretId: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal)
-        })
-      );
-    }
-  } catch (err) {
-    if (err instanceof ResourceNotFoundException && secretsManager) {
-      await secretsManager.send(
-        new CreateSecretCommand({
-          Name: integration.app as string,
-          SecretString: JSON.stringify(secKeyVal),
-          ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-          Tags: metadata.secretAWSTag
-            ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-            : []
-        })
-      );
+  };
+
+  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
+    for await (const [key, value] of Object.entries(secrets)) {
+      await processAwsSecret(key, value.value);
     }
+  } else {
+    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
   }
 };
 
@@ -2571,18 +2696,21 @@ const syncSecretsCloudflarePages = async ({
     })
   ).data.result.deployment_configs[integration.targetEnvironment as string].env_vars;
 
-  // copy the secrets object, so we can set deleted keys to null
-  const secretsObj = Object.fromEntries(
-    Object.entries(getSecretKeyValuePair(secrets)).map(([key, val]) => [
-      key,
-      key in Object.keys(getSecretsRes) ? { type: "secret_text", value: val } : null
-    ])
-  );
+  let secretEntries: [string, object | null][] = Object.entries(getSecretKeyValuePair(secrets)).map(([key, val]) => [
+    key,
+    { type: "secret_text", value: val }
+  ]);
+
+  if (getSecretsRes) {
+    const toDeleteKeys = Object.keys(getSecretsRes).filter((key) => !Object.keys(secrets).includes(key));
+    const toDeleteEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
+    secretEntries = [...secretEntries, ...toDeleteEntries];
+  }
 
   const data = {
     deployment_configs: {
       [integration.targetEnvironment as string]: {
-        env_vars: secretsObj
+        env_vars: Object.fromEntries(secretEntries)
       }
     }
   };
@@ -2860,7 +2988,7 @@ const syncSecretsDigitalOceanAppPlatform = async ({
       spec: {
         name: integration.app,
         ...appSettings,
-        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value }))
+        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value, type: "SECRET" }))
       }
     },
     {

backend/src/services/integration/integration-service.ts

@@ -9,7 +9,12 @@ import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TIntegrationDALFactory } from "./integration-dal";
-import { TCreateIntegrationDTO, TDeleteIntegrationDTO, TUpdateIntegrationDTO } from "./integration-types";
+import {
+  TCreateIntegrationDTO,
+  TDeleteIntegrationDTO,
+  TSyncIntegrationDTO,
+  TUpdateIntegrationDTO
+} from "./integration-types";
 
 type TIntegrationServiceFactoryDep = {
   integrationDAL: TIntegrationDALFactory;
@@ -103,7 +108,8 @@ export const integrationServiceFactory = ({
     owner,
     isActive,
     environment,
-    secretPath
+    secretPath,
+    metadata
   }: TUpdateIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
@@ -127,7 +133,17 @@ export const integrationServiceFactory = ({
       appId,
       targetEnvironment,
       owner,
-      secretPath
+      secretPath,
+      metadata: {
+        ...(integration.metadata as object),
+        ...metadata
+      }
+    });
+
+    await secretQueueService.syncIntegrations({
+      environment: folder.environment.slug,
+      secretPath,
+      projectId: folder.projectId
     });
 
     return updatedIntegration;
@@ -190,10 +206,35 @@ export const integrationServiceFactory = ({
     return integrations;
   };
 
+  const syncIntegration = async ({ id, actorId, actor, actorOrgId, actorAuthMethod }: TSyncIntegrationDTO) => {
+    const integration = await integrationDAL.findById(id);
+    if (!integration) {
+      throw new BadRequestError({ message: "Integration not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integration.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    await secretQueueService.syncIntegrations({
+      environment: integration.environment.slug,
+      secretPath: integration.secretPath,
+      projectId: integration.projectId
+    });
+
+    return { ...integration, envId: integration.environment.id };
+  };
+
   return {
     createIntegration,
     updateIntegration,
     deleteIntegration,
-    listIntegrationByProject
+    listIntegrationByProject,
+    syncIntegration
   };
 };

backend/src/services/integration/integration-types.ts

@@ -27,20 +27,39 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateIntegrationDTO = {
   id: string;
-  app: string;
-  appId: string;
+  app?: string;
+  appId?: string;
   isActive?: boolean;
   secretPath: string;
   targetEnvironment: string;
   owner: string;
   environment: string;
+  metadata?: {
+    secretPrefix?: string;
+    secretSuffix?: string;
+    secretGCPLabel?: {
+      labelName: string;
+      labelValue: string;
+    };
+    secretAWSTag?: {
+      key: string;
+      value: string;
+    }[];
+    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
+  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteIntegrationDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TSyncIntegrationDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/org/org-service.ts

@@ -546,6 +546,10 @@ export const orgServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged

backend/src/services/project-bot/project-bot-fns.ts

@@ -3,6 +3,7 @@ import { decryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/en
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TGetPrivateKeyDTO } from "./project-bot-types";
 
 export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
@@ -13,11 +14,17 @@ export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
     ciphertext: bot.encryptedPrivateKey
   });
 
-export const getBotKeyFnFactory = (projectBotDAL: TProjectBotDALFactory) => {
+export const getBotKeyFnFactory = (
+  projectBotDAL: TProjectBotDALFactory,
+  projectDAL: Pick<TProjectDALFactory, "findById">
+) => {
   const getBotKeyFn = async (projectId: string) => {
-    const bot = await projectBotDAL.findOne({ projectId });
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found during bot lookup." });
 
-    if (!bot) throw new BadRequestError({ message: "failed to find bot key" });
+    const bot = await projectBotDAL.findOne({ projectId: project.id });
+
+    if (!bot) throw new BadRequestError({ message: "Failed to find bot key" });
     if (!bot.isActive) throw new BadRequestError({ message: "Bot is not active" });
     if (!bot.encryptedProjectKeyNonce || !bot.encryptedProjectKey)
       throw new BadRequestError({ message: "Encryption key missing" });

backend/src/services/project-bot/project-bot-service.ts

@@ -25,7 +25,7 @@ export const projectBotServiceFactory = ({
   projectDAL,
   permissionService
 }: TProjectBotServiceFactoryDep) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
 
   const getBotKey = async (projectId: string) => {
     return getBotKeyFn(projectId);

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -9,11 +11,19 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   const projectMemberOrm = ormify(db, TableName.ProjectMembership);
 
   // special query
-  const findAllProjectMembers = async (projectId: string) => {
+  const findAllProjectMembers = async (projectId: string, filter: { usernames?: string[]; username?: string } = {}) => {
     try {
       const docs = await db(TableName.ProjectMembership)
         .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .where((qb) => {
+          if (filter.usernames) {
+            void qb.whereIn("username", filter.usernames);
+          }
+          if (filter.username) {
+            void qb.where("username", filter.username);
+          }
+        })
         .join<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
           `${TableName.UserEncryptionKey}.userId`,
@@ -96,9 +106,9 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectGhostUser = async (projectId: string) => {
+  const findProjectGhostUser = async (projectId: string, tx?: Knex) => {
     try {
-      const ghostUser = await db(TableName.ProjectMembership)
+      const ghostUser = await (tx || db)(TableName.ProjectMembership)
         .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .select(selectAllTableCols(TableName.Users))

backend/src/services/project-membership/project-membership-service.ts

@@ -34,6 +34,7 @@ import {
   TAddUsersToWorkspaceNonE2EEDTO,
   TDeleteProjectMembershipOldDTO,
   TDeleteProjectMembershipsDTO,
+  TGetProjectMembershipByUsernameDTO,
   TGetProjectMembershipDTO,
   TUpdateProjectMembershipDTO
 } from "./project-membership-types";
@@ -89,6 +90,28 @@ export const projectMembershipServiceFactory = ({
     return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
+  const getProjectMembershipByUsername = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    username
+  }: TGetProjectMembershipByUsernameDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+
+    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
+    if (!membership) throw new BadRequestError({ message: `Project membership not found for user ${username}` });
+    return membership;
+  };
+
   const addUsersToProject = async ({
     projectId,
     actorId,
@@ -510,6 +533,7 @@ export const projectMembershipServiceFactory = ({
 
   return {
     getProjectMemberships,
+    getProjectMembershipByUsername,
     updateProjectMembership,
     addUsersToProjectNonE2EE,
     deleteProjectMemberships,

backend/src/services/project-membership/project-membership-types.ts

@@ -9,6 +9,10 @@ export type TInviteUserToProjectDTO = {
   emails: string[];
 } & TProjectPermission;
 
+export type TGetProjectMembershipByUsernameDTO = {
+  username: string;
+} & TProjectPermission;
+
 export type TUpdateProjectMembershipDTO = {
   membershipId: string;
   roles: (

backend/src/services/project/project-service.ts

@@ -340,7 +340,7 @@ export const projectServiceFactory = ({
 
     const deletedProject = await projectDAL.transaction(async (tx) => {
       const delProject = await projectDAL.deleteById(project.id, tx);
-      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id).catch(() => null);
+      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);
 
       // Delete the org membership for the ghost user if it's found.
       if (projectGhostUser) {

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -0,0 +1,58 @@
+import { TAuditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+
+type TDailyResourceCleanUpQueueServiceFactoryDep = {
+  auditLogDAL: Pick<TAuditLogDALFactory, "pruneAuditLog">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "removeExpiredTokens">;
+  queueService: TQueueServiceFactory;
+};
+
+export type TDailyResourceCleanUpQueueServiceFactory = ReturnType<typeof dailyResourceCleanUpQueueServiceFactory>;
+
+export const dailyResourceCleanUpQueueServiceFactory = ({
+  auditLogDAL,
+  queueService,
+  identityAccessTokenDAL
+}: TDailyResourceCleanUpQueueServiceFactoryDep) => {
+  queueService.start(QueueName.DailyResourceCleanUp, async () => {
+    logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
+    await auditLogDAL.pruneAuditLog();
+    await identityAccessTokenDAL.removeExpiredTokens();
+    logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
+  });
+
+  // we do a repeat cron job in utc timezone at 12 Midnight each day
+  const startCleanUp = async () => {
+    // TODO(akhilmhdh): remove later
+    await queueService.stopRepeatableJob(
+      QueueName.AuditLogPrune,
+      QueueJobs.AuditLogPrune,
+      { pattern: "0 0 * * *", utc: true },
+      QueueName.AuditLogPrune // just a job id
+    );
+    // clear previous job
+    await queueService.stopRepeatableJob(
+      QueueName.DailyResourceCleanUp,
+      QueueJobs.DailyResourceCleanUp,
+      { pattern: "0 0 * * *", utc: true },
+      QueueName.DailyResourceCleanUp // just a job id
+    );
+
+    await queueService.queue(QueueName.DailyResourceCleanUp, QueueJobs.DailyResourceCleanUp, undefined, {
+      delay: 5000,
+      jobId: QueueName.DailyResourceCleanUp,
+      repeat: { pattern: "0 0 * * *", utc: true }
+    });
+  };
+
+  queueService.listen(QueueName.DailyResourceCleanUp, "failed", (_, err) => {
+    logger.error(err, `${QueueName.DailyResourceCleanUp}: resource cleanup failed`);
+  });
+
+  return {
+    startCleanUp
+  };
+};

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,9 +8,16 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
+import {
+  TCreateFolderDTO,
+  TDeleteFolderDTO,
+  TGetFolderDTO,
+  TUpdateFolderDTO,
+  TUpdateManyFoldersDTO
+} from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -19,6 +26,7 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -28,7 +36,8 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL
+  folderVersionDAL,
+  projectDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -116,6 +125,105 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
+  const updateManyFolders = async ({
+    actor,
+    actorId,
+    projectSlug,
+    actorAuthMethod,
+    actorOrgId,
+    folders
+  }: TUpdateManyFoldersDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    });
+
+    const result = await folderDAL.transaction(async (tx) =>
+      Promise.all(
+        folders.map(async (newFolder) => {
+          const { environment, path: secretPath, id, name } = newFolder;
+
+          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          if (!parentFolder) {
+            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
+          }
+
+          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          if (!env) {
+            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
+          }
+          const folder = await folderDAL
+            .findOne({ envId: env.id, id, parentId: parentFolder.id })
+            // now folder api accepts id based change
+            // this is for cli backward compatiability and when cli removes this, we will remove this logic
+            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
+
+          if (!folder) {
+            throw new BadRequestError({ message: "Folder not found" });
+          }
+          if (name !== folder.name) {
+            // ensure that new folder name is unique
+            const folderToCheck = await folderDAL.findOne({
+              name,
+              envId: env.id,
+              parentId: parentFolder.id
+            });
+
+            if (folderToCheck) {
+              throw new BadRequestError({
+                message: "Folder with specified name already exists",
+                name: "Batch update folder"
+              });
+            }
+          }
+
+          const [doc] = await folderDAL.update(
+            { envId: env.id, id: folder.id, parentId: parentFolder.id },
+            { name },
+            tx
+          );
+          await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id
+            },
+            tx
+          );
+          if (!doc) {
+            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
+          }
+
+          return { oldFolder: folder, newFolder: doc };
+        })
+      )
+    );
+
+    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
+
+    return {
+      projectId: project.id,
+      newFolders: result.map((res) => res.newFolder),
+      oldFolders: result.map((res) => res.oldFolder)
+    };
+  };
+
   const updateFolder = async ({
     projectId,
     actor,
@@ -151,6 +259,21 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (name !== folder.name) {
+      // ensure that new folder name is unique
+      const folderToCheck = await folderDAL.findOne({
+        name,
+        envId: env.id,
+        parentId: parentFolder.id
+      });
+
+      if (folderToCheck) {
+        throw new BadRequestError({
+          message: "Folder with specified name already exists",
+          name: "Update folder"
+        });
+      }
+    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -239,6 +362,7 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
+    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,6 +13,16 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
+export type TUpdateManyFoldersDTO = {
+  projectSlug: string;
+  folders: {
+    environment: string;
+    path: string;
+    id: string;
+    name: string;
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;

backend/src/services/secret/secret-dal.ts

@@ -243,6 +243,74 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
+  const upsertSecretReferences = async (
+    data: {
+      secretId: string;
+      references: Array<{ environment: string; secretPath: string }>;
+    }[] = [],
+    tx?: Knex
+  ) => {
+    try {
+      if (!data.length) return;
+
+      await (tx || db)(TableName.SecretReference)
+        .whereIn(
+          "secretId",
+          data.map(({ secretId }) => secretId)
+        )
+        .delete();
+      const newSecretReferences = data
+        .filter(({ references }) => references.length)
+        .flatMap(({ secretId, references }) =>
+          references.map(({ environment, secretPath }) => ({
+            secretPath,
+            secretId,
+            environment
+          }))
+        );
+      if (!newSecretReferences.length) return;
+      const secretReferences = await (tx || db)(TableName.SecretReference).insert(newSecretReferences);
+      return secretReferences;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "UpsertSecretReference" });
+    }
+  };
+
+  const findReferencedSecretReferences = async (projectId: string, envSlug: string, secretPath: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.SecretReference)
+        .where({
+          secretPath,
+          environment: envSlug
+        })
+        .join(TableName.Secret, `${TableName.Secret}.id`, `${TableName.SecretReference}.secretId`)
+        .join(TableName.SecretFolder, `${TableName.Secret}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .where("projectId", projectId)
+        .select(selectAllTableCols(TableName.SecretReference))
+        .select("folderId");
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindReferencedSecretReferences" });
+    }
+  };
+
+  // special query to backfill secret value
+  const findAllProjectSecretValues = async (projectId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.Secret)
+        .join(TableName.SecretFolder, `${TableName.Secret}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .where("projectId", projectId)
+        // not empty
+        .whereNotNull("secretValueCiphertext")
+        .select("secretValueTag", "secretValueCiphertext", "secretValueIV", `${TableName.Secret}.id` as "id");
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindAllProjectSecretValues" });
+    }
+  };
+
   return {
     ...secretOrm,
     update,
@@ -252,6 +320,9 @@ export const secretDALFactory = (db: TDbClient) => {
     getSecretTags,
     findByFolderId,
     findByFolderIds,
-    findByBlindIndexes
+    findByBlindIndexes,
+    upsertSecretReferences,
+    findReferencedSecretReferences,
+    findAllProjectSecretValues
   };
 };

backend/src/services/secret/secret-fns.ts

@@ -194,6 +194,7 @@ type TInterpolateSecretArg = {
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
 };
 
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
 export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderDAL }: TInterpolateSecretArg) => {
   const fetchSecretsCrossEnv = () => {
     const fetchCache: Record<string, Record<string, string>> = {};
@@ -235,7 +236,6 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
     };
   };
 
-  const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
   const recursivelyExpandSecret = async (
     expandedSec: Record<string, string>,
     interpolatedSec: Record<string, string>,
@@ -353,7 +353,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
 };
 
 export const decryptSecretRaw = (
-  secret: TSecrets & { workspace: string; environment: string; secretPath?: string },
+  secret: TSecrets & { workspace: string; environment: string; secretPath: string },
   key: string
 ) => {
   const secretKey = decryptSymmetric128BitHexKeyUTF8({
@@ -396,6 +396,37 @@ export const decryptSecretRaw = (
   };
 };
 
+/**
+ * Grabs and processes nested secret references from a string
+ *
+ * This function looks for patterns that match the interpolation syntax in the input string.
+ * It filters out references that include nested paths, splits them into environment and
+ * secret path parts, and then returns an array of objects with the environment and the
+ * joined secret path.
+ *
+ * @param {string} maybeSecretReference - The string that has the potential secret references.
+ * @returns {Array<{ environment: string, secretPath: string }>} - An array of objects
+ * with the environment and joined secret path.
+ *
+ * @example
+ * const value = "Hello ${dev.someFolder.OtherFolder.SECRET_NAME} and ${prod.anotherFolder.SECRET_NAME}";
+ * const result = getAllNestedSecretReferences(value);
+ * // result will be:
+ * // [
+ * //   { environment: 'dev', secretPath: '/someFolder/OtherFolder' },
+ * //   { environment: 'prod', secretPath: '/anotherFolder' }
+ * // ]
+ */
+export const getAllNestedSecretReferences = (maybeSecretReference: string) => {
+  const references = Array.from(maybeSecretReference.matchAll(INTERPOLATION_SYNTAX_REG), (m) => m[1]);
+  return references
+    .filter((el) => el.includes("."))
+    .map((el) => {
+      const [environment, ...secretPathList] = el.split(".");
+      return { environment, secretPath: path.join("/", ...secretPathList.slice(0, -1)) };
+    });
+};
+
 /**
  * Checks and handles secrets using a blind index method.
  * The function generates mappings between secret names and their blind indexes, validates user IDs for personal secrets, and retrieves secrets from the database based on their blind indexes.
@@ -467,7 +498,7 @@ export const fnSecretBulkInsert = async ({
   tx
 }: TFnSecretBulkInsert) => {
   const newSecrets = await secretDAL.insertMany(
-    inputSecrets.map(({ tags, ...el }) => ({ ...el, folderId })),
+    inputSecrets.map(({ tags, references, ...el }) => ({ ...el, folderId })),
     tx
   );
   const newSecretGroupByBlindIndex = groupBy(newSecrets, (item) => item.secretBlindIndex as string);
@@ -478,13 +509,20 @@ export const fnSecretBulkInsert = async ({
     }))
   );
   const secretVersions = await secretVersionDAL.insertMany(
-    inputSecrets.map(({ tags, ...el }) => ({
+    inputSecrets.map(({ tags, references, ...el }) => ({
       ...el,
       folderId,
       secretId: newSecretGroupByBlindIndex[el.secretBlindIndex as string][0].id
     })),
     tx
   );
+  await secretDAL.upsertSecretReferences(
+    inputSecrets.map(({ references = [], secretBlindIndex }) => ({
+      secretId: newSecretGroupByBlindIndex[secretBlindIndex as string][0].id,
+      references
+    })),
+    tx
+  );
   if (newSecretTags.length) {
     const secTags = await secretTagDAL.saveTagsToSecret(newSecretTags, tx);
     const secVersionsGroupBySecId = groupBy(secretVersions, (i) => i.secretId);
@@ -509,7 +547,7 @@ export const fnSecretBulkUpdate = async ({
   secretVersionTagDAL
 }: TFnSecretBulkUpdate) => {
   const newSecrets = await secretDAL.bulkUpdate(
-    inputSecrets.map(({ filter, data: { tags, ...data } }) => ({
+    inputSecrets.map(({ filter, data: { tags, references, ...data } }) => ({
       filter: { ...filter, folderId },
       data
     })),
@@ -522,6 +560,15 @@ export const fnSecretBulkUpdate = async ({
     })),
     tx
   );
+  await secretDAL.upsertSecretReferences(
+    inputSecrets
+      .filter(({ data: { references } }) => Boolean(references))
+      .map(({ data: { references = [] } }, i) => ({
+        secretId: newSecrets[i].id,
+        references
+      })),
+    tx
+  );
   const secsUpdatedTag = inputSecrets.flatMap(({ data: { tags } }, i) =>
     tags !== undefined ? { tags, secretId: newSecrets[i].id } : []
   );
@@ -561,7 +608,7 @@ export const createManySecretsRawFnFactory = ({
   secretVersionTagDAL,
   folderDAL
 }: TCreateManySecretsRawFnFactory) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
   const createManySecretsRawFn = async ({
     projectId,
     environment,
@@ -591,50 +638,39 @@ export const createManySecretsRawFnFactory = ({
       folderId,
       isNew: true,
       blindIndexCfg,
+      userId,
       secretDAL
     });
 
-    const inputSecrets = await Promise.all(
-      secrets.map(async (secret) => {
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
+    const inputSecrets = secrets.map((secret) => {
+      const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
+      const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
+      const secretReferences = getAllNestedSecretReferences(secret.secretValue || "");
+      const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
 
-        if (secret.type === SecretType.Personal) {
-          if (!userId) throw new BadRequestError({ message: "Missing user id for personal secret" });
-          const sharedExist = await secretDAL.findOne({
-            secretBlindIndex: keyName2BlindIndex[secret.secretName],
-            folderId,
-            type: SecretType.Shared
-          });
+      return {
+        type: secret.type,
+        userId: secret.type === SecretType.Personal ? userId : null,
+        secretName: secret.secretName,
+        secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+        secretKeyIV: secretKeyEncrypted.iv,
+        secretKeyTag: secretKeyEncrypted.tag,
+        secretValueCiphertext: secretValueEncrypted.ciphertext,
+        secretValueIV: secretValueEncrypted.iv,
+        secretValueTag: secretValueEncrypted.tag,
+        secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+        secretCommentIV: secretCommentEncrypted.iv,
+        secretCommentTag: secretCommentEncrypted.tag,
+        skipMultilineEncoding: secret.skipMultilineEncoding,
+        tags: secret.tags,
+        references: secretReferences
+      };
+    });
 
-          if (!sharedExist)
-            throw new BadRequestError({
-              message: "Failed to create personal secret override for no corresponding shared secret"
-            });
-        }
-
-        const tags = secret.tags ? await secretTagDAL.findManyTagsById(projectId, secret.tags) : [];
-        if ((secret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
-
-        return {
-          type: secret.type,
-          userId: secret.type === SecretType.Personal ? userId : null,
-          secretName: secret.secretName,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          tags: secret.tags
-        };
-      })
-    );
+    // get all tags
+    const tagIds = inputSecrets.flatMap(({ tags = [] }) => tags);
+    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
+    if (tags.length !== tagIds.length) throw new BadRequestError({ message: "Tag not found" });
 
     const newSecrets = await secretDAL.transaction(async (tx) =>
       fnSecretBulkInsert({
@@ -670,7 +706,7 @@ export const updateManySecretsRawFnFactory = ({
   secretVersionTagDAL,
   folderDAL
 }: TUpdateManySecretsRawFnFactory) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
   const updateManySecretsRawFn = async ({
     projectId,
     environment,
@@ -703,56 +739,35 @@ export const updateManySecretsRawFnFactory = ({
       userId
     });
 
-    const inputSecrets = await Promise.all(
-      secrets.map(async (secret) => {
-        if (secret.newSecretName === "") {
-          throw new BadRequestError({ message: "New secret name cannot be empty" });
-        }
+    const inputSecrets = secrets.map((secret) => {
+      if (secret.newSecretName === "") {
+        throw new BadRequestError({ message: "New secret name cannot be empty" });
+      }
 
-        const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
-        const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
-        const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
+      const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretName, botKey);
+      const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretValue || "", botKey);
+      const secretReferences = getAllNestedSecretReferences(secret.secretValue || "");
+      const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8(secret.secretComment || "", botKey);
 
-        if (secret.type === SecretType.Personal) {
-          if (!userId) throw new BadRequestError({ message: "Missing user id for personal secret" });
-
-          const sharedExist = await secretDAL.findOne({
-            secretBlindIndex: keyName2BlindIndex[secret.secretName],
-            folderId,
-            type: SecretType.Shared
-          });
-
-          if (!sharedExist)
-            throw new BadRequestError({
-              message: "Failed to update personal secret override for no corresponding shared secret"
-            });
-
-          if (secret.newSecretName)
-            throw new BadRequestError({ message: "Personal secret cannot change the key name" });
-        }
-
-        const tags = secret.tags ? await secretTagDAL.findManyTagsById(projectId, secret.tags) : [];
-        if ((secret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
-
-        return {
-          type: secret.type,
-          userId: secret.type === SecretType.Personal ? userId : null,
-          secretName: secret.secretName,
-          newSecretName: secret.newSecretName,
-          secretKeyCiphertext: secretKeyEncrypted.ciphertext,
-          secretKeyIV: secretKeyEncrypted.iv,
-          secretKeyTag: secretKeyEncrypted.tag,
-          secretValueCiphertext: secretValueEncrypted.ciphertext,
-          secretValueIV: secretValueEncrypted.iv,
-          secretValueTag: secretValueEncrypted.tag,
-          secretCommentCiphertext: secretCommentEncrypted.ciphertext,
-          secretCommentIV: secretCommentEncrypted.iv,
-          secretCommentTag: secretCommentEncrypted.tag,
-          skipMultilineEncoding: secret.skipMultilineEncoding,
-          tags: secret.tags
-        };
-      })
-    );
+      return {
+        type: secret.type,
+        userId: secret.type === SecretType.Personal ? userId : null,
+        secretName: secret.secretName,
+        newSecretName: secret.newSecretName,
+        secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+        secretKeyIV: secretKeyEncrypted.iv,
+        secretKeyTag: secretKeyEncrypted.tag,
+        secretValueCiphertext: secretValueEncrypted.ciphertext,
+        secretValueIV: secretValueEncrypted.iv,
+        secretValueTag: secretValueEncrypted.tag,
+        secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+        secretCommentIV: secretCommentEncrypted.iv,
+        secretCommentTag: secretCommentEncrypted.tag,
+        skipMultilineEncoding: secret.skipMultilineEncoding,
+        tags: secret.tags,
+        references: secretReferences
+      };
+    });
 
     const tagIds = inputSecrets.flatMap(({ tags = [] }) => tags);
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];