Merge pull request #3744 from Infisical/project-group-users-page

feature(group-projects): Add project group details page

backend/src/@types/fastify.d.ts

@@ -119,6 +119,10 @@ declare module "@fastify/request-context" {
       oidc?: {
         claims: Record<string, string>;
       };
+      kubernetes?: {
+        namespace: string;
+        name: string;
+      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -23,7 +23,10 @@ const validateUsernameTemplateCharacters = characterValidator([
   CharacterType.CloseBrace,
   CharacterType.CloseBracket,
   CharacterType.OpenBracket,
-  CharacterType.Fullstop
+  CharacterType.Fullstop,
+  CharacterType.SingleQuote,
+  CharacterType.Spaces,
+  CharacterType.Pipe
 ]);
 
 const userTemplateSchema = z
@@ -33,7 +36,7 @@ const userTemplateSchema = z
   .refine((el) => validateUsernameTemplateCharacters(el))
   .refine((el) =>
     isValidHandleBarTemplate(el, {
-      allowedExpressions: (val) => ["randomUsername", "unixTimestamp"].includes(val)
+      allowedExpressions: (val) => ["randomUsername", "unixTimestamp", "identity.name"].includes(val)
     })
   );
 

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -99,7 +99,9 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
           secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
         ) as object;
 
-        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
+        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId, {
+          projectId: folder.projectId
+        });
         await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
         return;
       }
@@ -133,7 +135,9 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
           await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
           await Promise.all(
             dynamicSecretLeases.map(({ externalEntityId }) =>
-              selectedProvider.revoke(decryptedStoredInput, externalEntityId)
+              selectedProvider.revoke(decryptedStoredInput, externalEntityId, {
+                projectId: folder.projectId
+              })
             )
           );
         }

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,4 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";
+import RE2 from "re2";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -11,10 +12,13 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ms } from "@app/lib/ms";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
 import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
@@ -39,6 +43,8 @@ type TDynamicSecretLeaseServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  userDAL: Pick<TUserDALFactory, "findById">;
+  identityDAL: TIdentityDALFactory;
 };
 
 export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
@@ -52,8 +58,16 @@ export const dynamicSecretLeaseServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   licenseService,
-  kmsService
+  kmsService,
+  userDAL,
+  identityDAL
 }: TDynamicSecretLeaseServiceFactoryDep) => {
+  const extractEmailUsername = (email: string) => {
+    const regex = new RE2(/^([^@]+)/);
+    const match = email.match(regex);
+    return match ? match[1] : email;
+  };
+
   const create = async ({
     environmentSlug,
     path,
@@ -132,10 +146,24 @@ export const dynamicSecretLeaseServiceFactory = ({
 
     let result;
     try {
+      const identity: { name: string } = { name: "" };
+      if (actor === ActorType.USER) {
+        const user = await userDAL.findById(actorId);
+        if (user) {
+          identity.name = extractEmailUsername(user.username);
+        }
+      } else if (actor === ActorType.Machine) {
+        const machineIdentity = await identityDAL.findById(actorId);
+        if (machineIdentity) {
+          identity.name = machineIdentity.name;
+        }
+      }
       result = await selectedProvider.create({
         inputs: decryptedStoredInput,
         expireAt: expireAt.getTime(),
-        usernameTemplate: dynamicSecretCfg.usernameTemplate
+        usernameTemplate: dynamicSecretCfg.usernameTemplate,
+        identity,
+        metadata: { projectId }
       });
     } catch (error: unknown) {
       if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
@@ -237,7 +265,8 @@ export const dynamicSecretLeaseServiceFactory = ({
     const { entityId } = await selectedProvider.renew(
       decryptedStoredInput,
       dynamicSecretLease.externalEntityId,
-      expireAt.getTime()
+      expireAt.getTime(),
+      { projectId }
     );
 
     await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
@@ -313,7 +342,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     ) as object;
 
     const revokeResponse = await selectedProvider
-      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId)
+      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId, { projectId })
       .catch(async (err) => {
         // only propogate this error if forced is false
         if (!isForced) return { error: err as Error };

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -116,7 +116,7 @@ export const dynamicSecretServiceFactory = ({
       throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
 
     const selectedProvider = dynamicSecretProviders[provider.type];
-    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
+    const inputs = await selectedProvider.validateProviderInputs(provider.inputs, { projectId });
 
     let selectedGatewayId: string | null = null;
     if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
@@ -146,7 +146,7 @@ export const dynamicSecretServiceFactory = ({
       selectedGatewayId = gateway.id;
     }
 
-    const isConnected = await selectedProvider.validateConnection(provider.inputs);
+    const isConnected = await selectedProvider.validateConnection(provider.inputs, { projectId });
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
     const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
@@ -272,7 +272,7 @@ export const dynamicSecretServiceFactory = ({
       secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
     ) as object;
     const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
-    const updatedInput = await selectedProvider.validateProviderInputs(newInput);
+    const updatedInput = await selectedProvider.validateProviderInputs(newInput, { projectId });
 
     let selectedGatewayId: string | null = null;
     if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
@@ -301,7 +301,7 @@ export const dynamicSecretServiceFactory = ({
       selectedGatewayId = gateway.id;
     }
 
-    const isConnected = await selectedProvider.validateConnection(newInput);
+    const isConnected = await selectedProvider.validateConnection(newInput, { projectId });
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
     const updatedDynamicCfg = await dynamicSecretDAL.transaction(async (tx) => {
@@ -472,7 +472,9 @@ export const dynamicSecretServiceFactory = ({
       secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
     ) as object;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
+    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput, {
+      projectId
+    })) as object;
 
     return { ...dynamicSecretCfg, inputs: providerInputs };
   };

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -16,6 +16,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const CreateElastiCacheUserSchema = z.object({
   UserId: z.string().trim().min(1),
@@ -132,14 +133,14 @@ const generatePassword = () => {
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-";
   const randomUsername = `inf-${customAlphabet(charset, 32)()}`;
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -174,14 +175,21 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     return true;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     if (!(await validateConnection(providerInputs))) {
       throw new BadRequestError({ message: "Failed to establish connection" });
     }
 
-    const leaseUsername = generateUsername(usernameTemplate);
+    const leaseUsername = generateUsername(usernameTemplate, identity);
     const leasePassword = generatePassword();
     const leaseExpiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -16,21 +16,25 @@ import {
   PutUserPolicyCommand,
   RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
-import handlebars from "handlebars";
+import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
 import { z } from "zod";
 
+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32);
   if (!usernameTemplate) return randomUsername;
 
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -40,7 +44,43 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>, projectId: string) => {
+    const appCfg = getConfig();
+    if (providerInputs.method === AwsIamAuthType.AssumeRole) {
+      const stsClient = new STSClient({
+        region: providerInputs.region,
+        credentials:
+          appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+            ? {
+                accessKeyId: appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID,
+                secretAccessKey: appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
+              }
+            : undefined // if hosting on AWS
+      });
+
+      const command = new AssumeRoleCommand({
+        RoleArn: providerInputs.roleArn,
+        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
+        DurationSeconds: 900, // 15 mins
+        ExternalId: projectId
+      });
+
+      const assumeRes = await stsClient.send(command);
+
+      if (!assumeRes.Credentials?.AccessKeyId || !assumeRes.Credentials?.SecretAccessKey) {
+        throw new BadRequestError({ message: "Failed to assume role - verify credentials and role configuration" });
+      }
+      const client = new IAMClient({
+        region: providerInputs.region,
+        credentials: {
+          accessKeyId: assumeRes.Credentials?.AccessKeyId,
+          secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
+          sessionToken: assumeRes.Credentials?.SessionToken
+        }
+      });
+      return client;
+    }
+
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -52,21 +92,41 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     return client;
   };
 
-  const validateConnection = async (inputs: unknown) => {
+  const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
-
-    const isConnected = await client.send(new GetUserCommand({})).then(() => true);
+    const client = await $getClient(providerInputs, projectId);
+    const isConnected = await client
+      .send(new GetUserCommand({}))
+      .then(() => true)
+      .catch((err) => {
+        const message = (err as Error)?.message;
+        if (
+          providerInputs.method === AwsIamAuthType.AssumeRole &&
+          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+          message.includes("Must specify userName when calling with non-User credentials")
+        ) {
+          return true;
+        }
+        throw err;
+      });
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+    metadata: { projectId: string };
+  }) => {
+    const { inputs, usernameTemplate, metadata, identity } = data;
 
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
+    const client = await $getClient(providerInputs, metadata.projectId);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
     const createUserRes = await client.send(
       new CreateUserCommand({
@@ -76,6 +136,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
         UserName: username
       })
     );
+
     if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
     if (userGroups) {
       await Promise.all(
@@ -125,9 +186,9 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     };
   };
 
-  const revoke = async (inputs: unknown, entityId: string) => {
+  const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await $getClient(providerInputs);
+    const client = await $getClient(providerInputs, metadata.projectId);
 
     const username = entityId;
 

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -8,19 +8,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = (size = 48) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -75,12 +76,17 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const { keyspace } = providerInputs;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -1,5 +1,4 @@
 import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
@@ -7,19 +6,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretElasticSearchSchema, ElasticSearchAuthTypes, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -71,12 +71,12 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     return infoResponse;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
     await connection.security.putUser({

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -9,6 +9,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
@@ -22,13 +23,13 @@ const encodePassword = (password?: string) => {
   return base64Password;
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -196,8 +197,8 @@ export const LdapProvider = (): TDynamicProviderFns => {
     return dnArray;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
@@ -224,7 +225,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
         });
       }
     } else {
-      const username = generateUsername(usernameTemplate);
+      const username = generateUsername(usernameTemplate, identity);
       const password = generatePassword();
       const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
 

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -20,6 +20,11 @@ export enum SqlProviders {
   Vertica = "vertica"
 }
 
+export enum AwsIamAuthType {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}
+
 export enum ElasticSearchAuthTypes {
   User = "user",
   ApiKey = "api-key"
@@ -168,16 +173,38 @@ export const DynamicSecretSapAseSchema = z.object({
   revocationStatement: z.string().trim()
 });
 
-export const DynamicSecretAwsIamSchema = z.object({
-  accessKey: z.string().trim().min(1),
-  secretAccessKey: z.string().trim().min(1),
-  region: z.string().trim().min(1),
-  awsPath: z.string().trim().optional(),
-  permissionBoundaryPolicyArn: z.string().trim().optional(),
-  policyDocument: z.string().trim().optional(),
-  userGroups: z.string().trim().optional(),
-  policyArns: z.string().trim().optional()
-});
+export const DynamicSecretAwsIamSchema = z.preprocess(
+  (val) => {
+    if (typeof val === "object" && val !== null && !Object.hasOwn(val, "method")) {
+      // eslint-disable-next-line no-param-reassign
+      (val as { method: string }).method = AwsIamAuthType.AccessKey;
+    }
+    return val;
+  },
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(AwsIamAuthType.AccessKey),
+      accessKey: z.string().trim().min(1),
+      secretAccessKey: z.string().trim().min(1),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional()
+    }),
+    z.object({
+      method: z.literal(AwsIamAuthType.AssumeRole),
+      roleArn: z.string().trim().min(1, "Role ARN required"),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional()
+    })
+  ])
+);
 
 export const DynamicSecretMongoAtlasSchema = z.object({
   adminPublicKey: z.string().trim().min(1).describe("Admin user public api key"),
@@ -400,9 +427,18 @@ export type TDynamicProviderFns = {
     inputs: unknown;
     expireAt: number;
     usernameTemplate?: string | null;
+    identity?: {
+      name: string;
+    };
+    metadata: { projectId: string };
   }) => Promise<{ entityId: string; data: unknown }>;
-  validateConnection: (inputs: unknown) => Promise<boolean>;
-  validateProviderInputs: (inputs: object) => Promise<unknown>;
-  revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;
-  renew: (inputs: unknown, entityId: string, expireAt: number) => Promise<{ entityId: string }>;
+  validateConnection: (inputs: unknown, metadata: { projectId: string }) => Promise<boolean>;
+  validateProviderInputs: (inputs: object, metadata: { projectId: string }) => Promise<unknown>;
+  revoke: (inputs: unknown, entityId: string, metadata: { projectId: string }) => Promise<{ entityId: string }>;
+  renew: (
+    inputs: unknown,
+    entityId: string,
+    expireAt: number,
+    metadata: { projectId: string }
+  ) => Promise<{ entityId: string }>;
 };

backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts

@@ -1,5 +1,4 @@
 import axios, { AxiosError } from "axios";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
@@ -7,19 +6,20 @@ import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = (size = 48) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32);
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -64,12 +64,17 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
     await client({

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -1,4 +1,3 @@
-import handlebars from "handlebars";
 import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@@ -7,19 +6,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretMongoDBSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = (size = 48) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32);
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -60,12 +60,12 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
     const db = client.db(providerInputs.database);

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -1,5 +1,4 @@
 import axios, { Axios } from "axios";
-import handlebars from "handlebars";
 import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@@ -9,19 +8,20 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRabbitMqSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -117,12 +117,12 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
     return infoResponse;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
     await createRabbitMqUser({

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -9,19 +9,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -121,12 +122,17 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
     return pingResponse;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -9,19 +9,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapAseSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = (size = 48) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = `inf_${alphaNumericNanoId(25)}`; // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -87,11 +88,11 @@ export const SapAseProvider = (): TDynamicProviderFns => {
     return true;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
+    const { inputs, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
     const client = await $getClient(providerInputs);

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -15,19 +15,20 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapHanaSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const generatePassword = (size = 48) => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -97,11 +98,16 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
     return testResult;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -8,6 +8,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 // destroy client requires callback...
 const noop = () => {};
@@ -17,13 +18,13 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
   const randomUsername = `infisical_${alphaNumericNanoId(32)}`; // Username must start with an ascii letter, so we prepend the username with "inf-"
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity
   });
 };
 
@@ -88,13 +89,18 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
     return isValidConnection;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
     const providerInputs = await validateProviderInputs(inputs);
 
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
     try {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -10,6 +10,7 @@ import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars
 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSqlDBSchema, PasswordRequirements, SqlProviders, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
@@ -104,9 +105,8 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
   }
 };
 
-const generateUsername = (provider: SqlProviders, usernameTemplate?: string | null) => {
+const generateUsername = (provider: SqlProviders, usernameTemplate?: string | null, identity?: { name: string }) => {
   let randomUsername = "";
-
   // For oracle, the client assumes everything is upper case when not using quotes around the password
   if (provider === SqlProviders.Oracle) {
     randomUsername = alphaNumericNanoId(32).toUpperCase();
@@ -114,10 +114,13 @@ const generateUsername = (provider: SqlProviders, usernameTemplate?: string | nu
     randomUsername = alphaNumericNanoId(32);
   }
   if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
+  return compileUsernameTemplate({
+    usernameTemplate,
     randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
+    identity,
+    options: {
+      toUpperCase: provider === SqlProviders.Oracle
+    }
   });
 };
 
@@ -221,11 +224,16 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (data: {
+    inputs: unknown;
+    expireAt: number;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const { inputs, expireAt, usernameTemplate, identity } = data;
 
     const providerInputs = await validateProviderInputs(inputs);
-    const username = generateUsername(providerInputs.client, usernameTemplate);
+    const username = generateUsername(providerInputs.client, usernameTemplate, identity);
 
     const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
     const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {

backend/src/ee/services/dynamic-secret/providers/templateUtils.ts

@@ -0,0 +1,80 @@
+/* eslint-disable func-names */
+import handlebars from "handlebars";
+import RE2 from "re2";
+
+import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+export const compileUsernameTemplate = ({
+  usernameTemplate,
+  randomUsername,
+  identity,
+  unixTimestamp,
+  options
+}: {
+  usernameTemplate: string;
+  randomUsername: string;
+  identity?: { name: string };
+  unixTimestamp?: number;
+  options?: {
+    toUpperCase?: boolean;
+  };
+}): string => {
+  // Create isolated handlebars instance
+  const hbs = handlebars.create();
+
+  // Register random helper on local instance
+  hbs.registerHelper("random", function (length: number) {
+    if (typeof length !== "number" || length <= 0 || length > 100) {
+      return "";
+    }
+    return alphaNumericNanoId(length);
+  });
+
+  // Register replace helper on local instance
+  hbs.registerHelper("replace", function (text: string, searchValue: string, replaceValue: string) {
+    // Convert to string if it's not already
+    const textStr = String(text || "");
+    if (!textStr) {
+      return textStr;
+    }
+
+    try {
+      const re2Pattern = new RE2(searchValue, "g");
+      // Replace all occurrences
+      return re2Pattern.replace(textStr, replaceValue);
+    } catch (error) {
+      logger.error(error, "RE2 pattern failed, using original template");
+      return textStr;
+    }
+  });
+
+  // Register truncate helper on local instance
+  hbs.registerHelper("truncate", function (text: string, length: number) {
+    // Convert to string if it's not already
+    const textStr = String(text || "");
+    if (!textStr) {
+      return textStr;
+    }
+
+    if (typeof length !== "number" || length <= 0) return textStr;
+    return textStr.substring(0, length);
+  });
+
+  // Compile template with context using local instance
+  const context = {
+    randomUsername,
+    unixTimestamp: unixTimestamp || Math.floor(Date.now() / 100),
+    identity: {
+      name: identity?.name
+    }
+  };
+
+  const result = hbs.compile(usernameTemplate)(context);
+
+  if (options?.toUpperCase) {
+    return result.toUpperCase();
+  }
+
+  return result;
+};

backend/src/ee/services/group/group-types.ts

@@ -42,6 +42,10 @@ export type TListGroupUsersDTO = {
   filter?: EFilterReturnedUsers;
 } & TGenericPermission;
 
+export type TListProjectGroupUsersDTO = TListGroupUsersDTO & {
+  projectId: string;
+};
+
 export type TAddUserToGroupDTO = {
   id: string;
   username: string;

backend/src/ee/services/license/license-service.ts

@@ -709,6 +709,10 @@ export const licenseServiceFactory = ({
     return licenses;
   };
 
+  const invalidateGetPlan = async (orgId: string) => {
+    await keyStore.deleteItem(FEATURE_CACHE_KEY(orgId));
+  };
+
   return {
     generateOrgCustomerId,
     removeOrgCustomer,
@@ -723,6 +727,7 @@ export const licenseServiceFactory = ({
       return onPremFeatures;
     },
     getPlan,
+    invalidateGetPlan,
     updateSubscriptionOrgMemberCount,
     refreshPlan,
     getOrgPlan,

backend/src/ee/services/permission/project-permission.ts

@@ -376,7 +376,8 @@ const DynamicSecretConditionV2Schema = z
         .object({
           [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
           [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
         })
         .partial()
     ]),
@@ -404,6 +405,23 @@ const DynamicSecretConditionV2Schema = z
   })
   .partial();
 
+const SecretImportConditionSchema = z
+  .object({
+    environment: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+        })
+        .partial()
+    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
+  })
+  .partial();
+
 const SecretConditionV2Schema = z
   .object({
     environment: z.union([
@@ -741,7 +759,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     ),
-    conditions: SecretConditionV1Schema.describe(
+    conditions: SecretImportConditionSchema.describe(
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-fns.ts

@@ -117,6 +117,7 @@ export const OCIVaultSyncFns = {
   syncSecrets: async (secretSync: TOCIVaultSyncWithCredentials, secretMap: TSecretMap) => {
     const {
       connection,
+      environment,
       destinationConfig: { compartmentOcid, vaultOcid, keyOcid }
     } = secretSync;
 
@@ -213,7 +214,7 @@ export const OCIVaultSyncFns = {
     // Update and delete secrets
     for await (const [key, variable] of Object.entries(variables)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       // Only update / delete active secrets
       if (variable.lifecycleState === vault.models.SecretSummary.LifecycleState.Active) {

backend/src/keystore/keystore.ts

@@ -10,7 +10,8 @@ export const PgSqlLock = {
   KmsRootKeyInit: 2025,
   OrgGatewayRootCaInit: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-root-ca:${orgId}`),
   OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
-  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`)
+  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
+  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`)
 } as const;
 
 export type TKeyStoreFactory = ReturnType<typeof keyStoreFactory>;

backend/src/lib/api-docs/constants.ts

@@ -89,6 +89,7 @@ export const GROUPS = {
     limit: "The number of users to return.",
     username: "The username to search for.",
     search: "The text string that user email or name will be filtered by.",
+    projectId: "The ID of the project the group belongs to.",
     filterUsers:
       "Whether to filter the list of returned users. 'existingMembers' will only return existing users in the group, 'nonMembers' will only return users not in the group, undefined will return all users in the organization."
   },
@@ -2276,7 +2277,8 @@ export const SecretSyncs = {
     },
     GCP: {
       scope: "The Google project scope that secrets should be synced to.",
-      projectId: "The ID of the Google project secrets should be synced to."
+      projectId: "The ID of the Google project secrets should be synced to.",
+      locationId: 'The ID of the Google project location secrets should be synced to (ie "us-west4").'
     },
     DATABRICKS: {
       scope: "The Databricks secret scope that secrets should be synced to."

backend/src/lib/config/env.ts

@@ -213,6 +213,12 @@ const envSchema = z
     GATEWAY_RELAY_AUTH_SECRET: zpStr(z.string().optional()),
 
     DYNAMIC_SECRET_ALLOW_INTERNAL_IP: zodStrBool.default("false"),
+    DYNAMIC_SECRET_AWS_ACCESS_KEY_ID: zpStr(z.string().optional()).default(
+      process.env.INF_APP_CONNECTION_AWS_ACCESS_KEY_ID
+    ),
+    DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY: zpStr(z.string().optional()).default(
+      process.env.INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY
+    ),
     /* ----------------------------------------------------------------------------- */
 
     /* App Connections ----------------------------------------------------------------------------- */

backend/src/lib/template/validate-handlebars.ts

@@ -7,13 +7,24 @@ type SanitizationArg = {
   allowedExpressions?: (arg: string) => boolean;
 };
 
+const isValidExpression = (expression: string, dto: SanitizationArg): boolean => {
+  // Allow helper functions (replace, truncate)
+  const allowedHelpers = ["replace", "truncate", "random"];
+  if (allowedHelpers.includes(expression)) {
+    return true;
+  }
+
+  // Check regular allowed expressions
+  return dto?.allowedExpressions?.(expression) || false;
+};
+
 export const validateHandlebarTemplate = (templateName: string, template: string, dto: SanitizationArg) => {
   const parsedAst = handlebars.parse(template);
   parsedAst.body.forEach((el) => {
     if (el.type === "ContentStatement") return;
     if (el.type === "MustacheStatement" && "path" in el) {
       const { path } = el as { type: "MustacheStatement"; path: { type: "PathExpression"; original: string } };
-      if (path.type === "PathExpression" && dto?.allowedExpressions?.(path.original)) return;
+      if (path.type === "PathExpression" && isValidExpression(path.original, dto)) return;
     }
     logger.error(el, "Template sanitization failed");
     throw new BadRequestError({ message: `Template sanitization failed: ${templateName}` });
@@ -26,7 +37,7 @@ export const isValidHandleBarTemplate = (template: string, dto: SanitizationArg)
     if (el.type === "ContentStatement") return true;
     if (el.type === "MustacheStatement" && "path" in el) {
       const { path } = el as { type: "MustacheStatement"; path: { type: "PathExpression"; original: string } };
-      if (path.type === "PathExpression" && dto?.allowedExpressions?.(path.original)) return true;
+      if (path.type === "PathExpression" && isValidExpression(path.original, dto)) return true;
     }
     return false;
   });

backend/src/server/config/rateLimiter.ts

@@ -11,7 +11,7 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   return {
     errorResponseBuilder: (_, context) => {
       throw new RateLimitError({
-        message: `Rate limit exceeded. Please try again in ${context.after}`
+        message: `Rate limit exceeded. Please try again in ${Math.ceil(context.ttl / 1000)} seconds`
       });
     },
     timeWindow: 60 * 1000,
@@ -113,3 +113,12 @@ export const requestAccessLimit: RateLimitOptions = {
   max: 10,
   keyGenerator: (req) => req.realIp
 };
+
+export const smtpRateLimit = ({
+  keyGenerator = (req) => req.realIp
+}: Pick<RateLimitOptions, "keyGenerator"> = {}): RateLimitOptions => ({
+  timeWindow: 40 * 1000,
+  hook: "preValidation",
+  max: 2,
+  keyGenerator
+});

backend/src/server/plugins/auth/inject-identity.ts

@@ -155,6 +155,12 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
             oidc: token?.identityAuth?.oidc
           });
         }
+        if (token?.identityAuth?.kubernetes) {
+          requestContext.set("identityAuthInfo", {
+            identityId: identity.identityId,
+            kubernetes: token?.identityAuth?.kubernetes
+          });
+        }
         break;
       }
       case AuthMode.SERVICE_TOKEN: {

backend/src/server/routes/index.ts

@@ -1516,7 +1516,9 @@ export const registerRoutes = async (
     dynamicSecretProviders,
     folderDAL,
     licenseService,
-    kmsService
+    kmsService,
+    userDAL,
+    identityDAL
   });
   const dailyResourceCleanUp = dailyResourceCleanUpQueueServiceFactory({
     auditLogDAL,

backend/src/server/routes/v1/app-connection-routers/gcp-connection-router.ts

@@ -45,4 +45,37 @@ export const registerGcpConnectionRouter = async (server: FastifyZodProvider) =>
       return projects;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/secret-manager-project-locations`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        projectId: z.string()
+      }),
+      response: {
+        200: z.object({ displayName: z.string(), locationId: z.string() }).array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId },
+        query: { projectId }
+      } = req;
+
+      const locations = await server.services.appConnection.gcp.listSecretManagerProjectLocations(
+        { connectionId, projectId },
+        req.permission
+      );
+
+      return locations;
+    }
+  });
 };

backend/src/server/routes/v1/invite-org-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { OrgMembershipRole, ProjectMembershipRole, UsersSchema } from "@app/db/schemas";
-import { inviteUserRateLimit } from "@app/server/config/rateLimiter";
+import { inviteUserRateLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@@ -11,7 +11,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/signup",
     config: {
-      rateLimit: inviteUserRateLimit
+      rateLimit: smtpRateLimit()
     },
     method: "POST",
     schema: {
@@ -81,7 +81,10 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/signup-resend",
     config: {
-      rateLimit: inviteUserRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) =>
+          (req.body as { membershipId?: string })?.membershipId?.trim().substring(0, 100) ?? req.realIp
+      })
     },
     method: "POST",
     schema: {

backend/src/server/routes/v1/org-admin-router.ts

@@ -2,9 +2,9 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
 import { SanitizedProjectSchema } from "../sanitizedSchemas";
 
@@ -47,7 +47,9 @@ export const registerOrgAdminRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/projects/:projectId/grant-admin-access",
     config: {
-      rateLimit: writeLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.auth.actor === ActorType.USER ? req.auth.userId : req.realIp)
+      })
     },
     schema: {
       params: z.object({

backend/src/server/routes/v1/password-router.ts

@@ -2,10 +2,10 @@ import { z } from "zod";
 
 import { BackupPrivateKeySchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { authRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { validateSignUpAuthorization } from "@app/services/auth/auth-fns";
-import { AuthMode } from "@app/services/auth/auth-type";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { UserEncryption } from "@app/services/user/user-types";
 
 export const registerPasswordRouter = async (server: FastifyZodProvider) => {
@@ -80,7 +80,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/email/password-reset",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+      })
     },
     schema: {
       body: z.object({
@@ -224,7 +226,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/email/password-setup",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.auth.actor === ActorType.USER ? req.auth.userId : req.realIp)
+      })
     },
     schema: {
       response: {
@@ -233,6 +237,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
+    onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
       await server.services.password.sendPasswordSetupEmail(req.permission);
 
@@ -267,6 +272,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
+    onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req, res) => {
       await server.services.password.setupPassword(req.body, req.permission);
 

backend/src/server/routes/v2/group-project-router.ts

@@ -4,9 +4,11 @@ import {
   GroupProjectMembershipsSchema,
   GroupsSchema,
   ProjectMembershipRole,
-  ProjectUserMembershipRolesSchema
+  ProjectUserMembershipRolesSchema,
+  UsersSchema
 } from "@app/db/schemas";
-import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
+import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
+import { ApiDocsTags, GROUPS, PROJECTS } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -301,4 +303,61 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
       return { groupMembership };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/groups/:groupId/users",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectGroups],
+      description: "Return project group users",
+      params: z.object({
+        projectId: z.string().trim().describe(GROUPS.LIST_USERS.projectId),
+        groupId: z.string().trim().describe(GROUPS.LIST_USERS.id)
+      }),
+      querystring: z.object({
+        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
+        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
+        username: z.string().trim().optional().describe(GROUPS.LIST_USERS.username),
+        search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search),
+        filter: z.nativeEnum(EFilterReturnedUsers).optional().describe(GROUPS.LIST_USERS.filterUsers)
+      }),
+      response: {
+        200: z.object({
+          users: UsersSchema.pick({
+            email: true,
+            username: true,
+            firstName: true,
+            lastName: true,
+            id: true
+          })
+            .merge(
+              z.object({
+                isPartOfGroup: z.boolean(),
+                joinedGroupAt: z.date().nullable()
+              })
+            )
+            .array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { users, totalCount } = await server.services.groupProject.listProjectGroupUsers({
+        id: req.params.groupId,
+        projectId: req.params.projectId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      return { users, totalCount };
+    }
+  });
 };

backend/src/server/routes/v2/user-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { AuthTokenSessionsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
-import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, readLimit, smtpRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -12,7 +12,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/me/emails/code",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) ?? req.realIp
+      })
     },
     schema: {
       body: z.object({

backend/src/server/routes/v3/signup-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError } from "@app/lib/errors";
-import { authRateLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -13,7 +13,9 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
     url: "/email/signup",
     method: "POST",
     config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+      })
     },
     schema: {
       body: z.object({

backend/src/services/app-connection/gcp/gcp-connection-fns.ts

@@ -11,8 +11,10 @@ import { AppConnection } from "../app-connection-enums";
 import { GcpConnectionMethod } from "./gcp-connection-enums";
 import {
   GCPApp,
+  GCPGetProjectLocationsRes,
   GCPGetProjectsRes,
   GCPGetServiceRes,
+  GCPLocation,
   TGcpConnection,
   TGcpConnectionConfig
 } from "./gcp-connection-types";
@@ -145,6 +147,45 @@ export const getGcpSecretManagerProjects = async (appConnection: TGcpConnection)
   return projects;
 };
 
+export const getGcpSecretManagerProjectLocations = async (projectId: string, appConnection: TGcpConnection) => {
+  const accessToken = await getGcpConnectionAuthToken(appConnection);
+
+  let gcpLocations: GCPLocation[] = [];
+
+  const pageSize = 100;
+  let pageToken: string | undefined;
+  let hasMorePages = true;
+
+  while (hasMorePages) {
+    const params = new URLSearchParams({
+      pageSize: String(pageSize),
+      ...(pageToken ? { pageToken } : {})
+    });
+
+    // eslint-disable-next-line no-await-in-loop
+    const { data } = await request.get<GCPGetProjectLocationsRes>(
+      `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${projectId}/locations`,
+      {
+        params,
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+
+    gcpLocations = gcpLocations.concat(data.locations);
+
+    if (!data.nextPageToken) {
+      hasMorePages = false;
+    }
+
+    pageToken = data.nextPageToken;
+  }
+
+  return gcpLocations.sort((a, b) => a.displayName.localeCompare(b.displayName));
+};
+
 export const validateGcpConnectionCredentials = async (appConnection: TGcpConnectionConfig) => {
   // Check if provided service account email suffix matches organization ID.
   // We do this to mitigate confused deputy attacks in multi-tenant instances

backend/src/services/app-connection/gcp/gcp-connection-service.ts

@@ -1,8 +1,8 @@
 import { OrgServiceActor } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
-import { getGcpSecretManagerProjects } from "./gcp-connection-fns";
-import { TGcpConnection } from "./gcp-connection-types";
+import { getGcpSecretManagerProjectLocations, getGcpSecretManagerProjects } from "./gcp-connection-fns";
+import { TGcpConnection, TGetGCPProjectLocationsDTO } from "./gcp-connection-types";
 
 type TGetAppConnectionFunc = (
   app: AppConnection,
@@ -23,7 +23,23 @@ export const gcpConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
     }
   };
 
+  const listSecretManagerProjectLocations = async (
+    { connectionId, projectId }: TGetGCPProjectLocationsDTO,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await getAppConnection(AppConnection.GCP, connectionId, actor);
+
+    try {
+      const locations = await getGcpSecretManagerProjectLocations(projectId, appConnection);
+
+      return locations;
+    } catch (error) {
+      return [];
+    }
+  };
+
   return {
-    listSecretManagerProjects
+    listSecretManagerProjects,
+    listSecretManagerProjectLocations
   };
 };

backend/src/services/app-connection/gcp/gcp-connection-types.ts

@@ -38,6 +38,22 @@ export type GCPGetProjectsRes = {
   nextPageToken?: string;
 };
 
+export type GCPLocation = {
+  name: string;
+  locationId: string;
+  displayName: string;
+};
+
+export type GCPGetProjectLocationsRes = {
+  locations: GCPLocation[];
+  nextPageToken?: string;
+};
+
+export type TGetGCPProjectLocationsDTO = {
+  projectId: string;
+  connectionId: string;
+};
+
 export type GCPGetServiceRes = {
   name: string;
   parent: string;

backend/src/services/auth/auth-login-service.ts

@@ -397,7 +397,7 @@ export const authLoginServiceFactory = ({
 
     // Check if the user actually has access to the specified organization.
     const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
-    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
+    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId && org.userStatus !== "invited");
     const selectedOrg = await orgDAL.findById(organizationId);
 
     if (!hasOrganizationMembership) {

backend/src/services/group-project/group-project-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
+import { TListProjectGroupUsersDTO } from "@app/ee/services/group/group-types";
 import {
   constructPermissionErrorMessage,
   validatePrivilegeChangeOperation
@@ -42,7 +43,7 @@ type TGroupProjectServiceFactoryDep = {
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany" | "transaction">;
   projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
   projectBotDAL: TProjectBotDALFactory;
-  groupDAL: Pick<TGroupDALFactory, "findOne">;
+  groupDAL: Pick<TGroupDALFactory, "findOne" | "findAllGroupPossibleMembers">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
 };
 
@@ -471,11 +472,54 @@ export const groupProjectServiceFactory = ({
     return groupMembership;
   };
 
+  const listProjectGroupUsers = async ({
+    id,
+    projectId,
+    offset,
+    limit,
+    username,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    search,
+    filter
+  }: TListProjectGroupUsersDTO) => {
+    const project = await projectDAL.findById(projectId);
+
+    if (!project) {
+      throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
+
+    const { members, totalCount } = await groupDAL.findAllGroupPossibleMembers({
+      orgId: project.orgId,
+      groupId: id,
+      offset,
+      limit,
+      username,
+      search,
+      filter
+    });
+
+    return { users: members, totalCount };
+  };
+
   return {
     addGroupToProject,
     updateGroupInProject,
     removeGroupFromProject,
     listGroupsInProject,
-    getGroupInProject
+    getGroupInProject,
+    listProjectGroupUsers
   };
 };

backend/src/services/identity-access-token/identity-access-token-types.ts

@@ -11,5 +11,9 @@ export type TIdentityAccessTokenJwtPayload = {
     oidc?: {
       claims: Record<string, string>;
     };
+    kubernetes?: {
+      namespace: string;
+      name: string;
+    };
   };
 };

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -274,9 +274,27 @@ export const identityKubernetesAuthServiceFactory = ({
 
     if (identityKubernetesAuth.tokenReviewMode === IdentityKubernetesAuthTokenReviewMode.Gateway) {
       const { kubernetesHost } = identityKubernetesAuth;
-      const lastColonIndex = kubernetesHost.lastIndexOf(":");
-      const k8sHost = kubernetesHost.substring(0, lastColonIndex);
-      const k8sPort = kubernetesHost.substring(lastColonIndex + 1);
+
+      let urlString = kubernetesHost;
+      if (!kubernetesHost.startsWith("http://") && !kubernetesHost.startsWith("https://")) {
+        urlString = `https://${kubernetesHost}`;
+      }
+
+      const url = new URL(urlString);
+      let { port: k8sPort } = url;
+      const { protocol, hostname: k8sHost } = url;
+
+      const cleanedProtocol = new RE2(/[^a-zA-Z0-9]/g).replace(protocol, "").toLowerCase();
+
+      if (!["https", "http"].includes(cleanedProtocol)) {
+        throw new BadRequestError({
+          message: "Invalid Kubernetes host URL, must start with http:// or https://"
+        });
+      }
+
+      if (!k8sPort) {
+        k8sPort = cleanedProtocol === "https" ? "443" : "80";
+      }
 
       if (!identityKubernetesAuth.gatewayId) {
         throw new BadRequestError({
@@ -287,7 +305,7 @@ export const identityKubernetesAuthServiceFactory = ({
       data = await $gatewayProxyWrapper(
         {
           gatewayId: identityKubernetesAuth.gatewayId,
-          targetHost: k8sHost, // note(daniel): must include the protocol (https|http)
+          targetHost: `${cleanedProtocol}://${k8sHost}`, // note(daniel): must include the protocol (https|http)
           targetPort: k8sPort ? Number(k8sPort) : 443,
           caCert,
           reviewTokenThroughGateway: true
@@ -398,7 +416,13 @@ export const identityKubernetesAuthServiceFactory = ({
       {
         identityId: identityKubernetesAuth.identityId,
         identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN,
+        identityAuth: {
+          kubernetes: {
+            namespace: targetNamespace,
+            name: targetName
+          }
+        }
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
       // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error

backend/src/services/org/org-dal.ts

@@ -212,7 +212,7 @@ export const orgDALFactory = (db: TDbClient) => {
   // special query
   const findAllOrgsByUserId = async (
     userId: string
-  ): Promise<(TOrganizations & { orgAuthMethod: string; userRole: string })[]> => {
+  ): Promise<(TOrganizations & { orgAuthMethod: string; userRole: string; userStatus: string })[]> => {
     try {
       const org = (await db
         .replicaNode()(TableName.OrgMembership)
@@ -234,6 +234,7 @@ export const orgDALFactory = (db: TDbClient) => {
         })
         .select(selectAllTableCols(TableName.Organization))
         .select(db.ref("role").withSchema(TableName.OrgMembership).as("userRole"))
+        .select(db.ref("status").withSchema(TableName.OrgMembership).as("userStatus"))
         .select(
           db.raw(`
             CASE
@@ -242,7 +243,7 @@ export const orgDALFactory = (db: TDbClient) => {
               ELSE ''
             END as "orgAuthMethod"
         `)
-        )) as (TOrganizations & { orgAuthMethod: string; userRole: string })[];
+        )) as (TOrganizations & { orgAuthMethod: string; userRole: string; userStatus: string })[];
 
       return org;
     } catch (error) {

backend/src/services/org/org-service.ts

@@ -183,7 +183,9 @@ export const orgServiceFactory = ({
    * */
   const findAllOrganizationOfUser = async (userId: string) => {
     const orgs = await orgDAL.findAllOrgsByUserId(userId);
-    return orgs;
+
+    // Filter out orgs where the membership object is an invitation
+    return orgs.filter((org) => org.userStatus !== "invited");
   };
   /*
    * Get all workspace members
@@ -835,16 +837,22 @@ export const orgServiceFactory = ({
 
         // if the user doesn't exist we create the user with the email
         if (!inviteeUser) {
-          inviteeUser = await userDAL.create(
-            {
-              isAccepted: false,
-              email: inviteeEmail,
-              username: inviteeEmail,
-              authMethods: [AuthMethod.EMAIL],
-              isGhost: false
-            },
-            tx
-          );
+          // TODO(carlos): will be removed once the function receives usernames instead of emails
+          const usersByEmail = await userDAL.findUserByEmail(inviteeEmail, tx);
+          if (usersByEmail?.length === 1) {
+            [inviteeUser] = usersByEmail;
+          } else {
+            inviteeUser = await userDAL.create(
+              {
+                isAccepted: false,
+                email: inviteeEmail,
+                username: inviteeEmail,
+                authMethods: [AuthMethod.EMAIL],
+                isGhost: false
+              },
+              tx
+            );
+          }
         }
 
         const inviteeUserId = inviteeUser?.id;

backend/src/services/project/project-service.ts

@@ -30,7 +30,7 @@ import { TSshCertificateDALFactory } from "@app/ee/services/ssh-certificate/ssh-
 import { TSshCertificateTemplateDALFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-dal";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
 import { TSshHostGroupDALFactory } from "@app/ee/services/ssh-host-group/ssh-host-group-dal";
-import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -165,7 +165,7 @@ type TProjectServiceFactoryDep = {
   sshHostGroupDAL: Pick<TSshHostGroupDALFactory, "find" | "findSshHostGroupsWithLoginMappings">;
   permissionService: TPermissionServiceFactory;
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "invalidateGetPlan">;
   queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
   smtpService: Pick<TSmtpService, "sendMail">;
   orgDAL: Pick<TOrgDALFactory, "findOne">;
@@ -259,16 +259,17 @@ export const projectServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
 
-    const plan = await licenseService.getPlan(organization.id);
-    if (plan.workspaceLimit !== null && plan.workspacesUsed >= plan.workspaceLimit) {
-      // case: limit imposed on number of workspaces allowed
-      // case: number of workspaces used exceeds the number of workspaces allowed
-      throw new BadRequestError({
-        message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces."
-      });
-    }
-
     const results = await (trx || projectDAL).transaction(async (tx) => {
+      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateProject(organization.id)]);
+
+      const plan = await licenseService.getPlan(organization.id);
+      if (plan.workspaceLimit !== null && plan.workspacesUsed >= plan.workspaceLimit) {
+        // case: limit imposed on number of workspaces allowed
+        // case: number of workspaces used exceeds the number of workspaces allowed
+        throw new BadRequestError({
+          message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces."
+        });
+      }
       const ghostUser = await orgService.addGhostUser(organization.id, tx);
 
       if (kmsKeyId) {
@@ -493,6 +494,10 @@ export const projectServiceFactory = ({
         );
       }
 
+      // no need to invalidate if there was no limit
+      if (plan.workspaceLimit) {
+        await licenseService.invalidateGetPlan(organization.id);
+      }
       return {
         ...project,
         environments: envs,

backend/src/services/secret-sync/1password/1password-sync-fns.ts

@@ -127,6 +127,7 @@ export const OnePassSyncFns = {
   syncSecrets: async (secretSync: TOnePassSyncWithCredentials, secretMap: TSecretMap) => {
     const {
       connection,
+      environment,
       destinationConfig: { vaultId }
     } = secretSync;
 
@@ -164,7 +165,7 @@ export const OnePassSyncFns = {
 
     for await (const [key, variable] of Object.entries(items)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       if (!(key in secretMap)) {
         try {

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -294,7 +294,7 @@ const deleteParametersBatch = async (
 
 export const AwsParameterStoreSyncFns = {
   syncSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig, syncOptions } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;
 
     const ssm = await getSSM(secretSync);
 
@@ -391,7 +391,7 @@ export const AwsParameterStoreSyncFns = {
       const [key, parameter] = entry;
 
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, environment?.slug || "", syncOptions.keySchema)) continue;
 
       if (!(key in secretMap) || !secretMap[key].value) {
         parametersToDelete.push(parameter);

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -57,7 +57,11 @@ const sleep = async () =>
     setTimeout(resolve, 1000);
   });
 
-const getSecretsRecord = async (client: SecretsManagerClient, keySchema?: string): Promise<TAwsSecretsRecord> => {
+const getSecretsRecord = async (
+  client: SecretsManagerClient,
+  environment: string,
+  keySchema?: string
+): Promise<TAwsSecretsRecord> => {
   const awsSecretsRecord: TAwsSecretsRecord = {};
   let hasNext = true;
   let nextToken: string | undefined;
@@ -72,7 +76,7 @@ const getSecretsRecord = async (client: SecretsManagerClient, keySchema?: string
 
       if (output.SecretList) {
         output.SecretList.forEach((secretEntry) => {
-          if (secretEntry.Name && matchesSchema(secretEntry.Name, keySchema)) {
+          if (secretEntry.Name && matchesSchema(secretEntry.Name, environment, keySchema)) {
             awsSecretsRecord[secretEntry.Name] = secretEntry;
           }
         });
@@ -307,11 +311,11 @@ const processTags = ({
 
 export const AwsSecretsManagerSyncFns = {
   syncSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig, syncOptions } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;
 
     const client = await getSecretsManagerClient(secretSync);
 
-    const awsSecretsRecord = await getSecretsRecord(client, syncOptions.keySchema);
+    const awsSecretsRecord = await getSecretsRecord(client, environment?.slug || "", syncOptions.keySchema);
 
     const awsValuesRecord = await getSecretValuesRecord(client, awsSecretsRecord);
 
@@ -401,7 +405,7 @@ export const AwsSecretsManagerSyncFns = {
 
       for await (const secretKey of Object.keys(awsSecretsRecord)) {
         // eslint-disable-next-line no-continue
-        if (!matchesSchema(secretKey, syncOptions.keySchema)) continue;
+        if (!matchesSchema(secretKey, environment?.slug || "", syncOptions.keySchema)) continue;
 
         if (!(secretKey in secretMap) || !secretMap[secretKey].value) {
           try {
@@ -468,7 +472,11 @@ export const AwsSecretsManagerSyncFns = {
   getSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials): Promise<TSecretMap> => {
     const client = await getSecretsManagerClient(secretSync);
 
-    const awsSecretsRecord = await getSecretsRecord(client, secretSync.syncOptions.keySchema);
+    const awsSecretsRecord = await getSecretsRecord(
+      client,
+      secretSync.environment?.slug || "",
+      secretSync.syncOptions.keySchema
+    );
     const awsValuesRecord = await getSecretValuesRecord(client, awsSecretsRecord);
 
     const { destinationConfig } = secretSync;
@@ -503,11 +511,11 @@ export const AwsSecretsManagerSyncFns = {
     }
   },
   removeSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig, syncOptions } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;
 
     const client = await getSecretsManagerClient(secretSync);
 
-    const awsSecretsRecord = await getSecretsRecord(client, syncOptions.keySchema);
+    const awsSecretsRecord = await getSecretsRecord(client, environment?.slug || "", syncOptions.keySchema);
 
     if (destinationConfig.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.OneToOne) {
       for await (const secretKey of Object.keys(awsSecretsRecord)) {

backend/src/services/secret-sync/azure-app-configuration/azure-app-configuration-sync-fns.ts

@@ -141,7 +141,7 @@ export const azureAppConfigurationSyncFactory = ({
 
     for await (const key of Object.keys(azureAppConfigSecrets)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       const azureSecret = azureAppConfigSecrets[key];
       if (

backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts

@@ -194,7 +194,7 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
 
     for await (const deleteSecretKey of deleteSecrets.filter(
       (secret) =>
-        matchesSchema(secret, secretSync.syncOptions.keySchema) &&
+        matchesSchema(secret, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema) &&
         !setSecrets.find((setSecret) => setSecret.key === secret)
     )) {
       await request.delete(`${secretSync.destinationConfig.vaultBaseUrl}/secrets/${deleteSecretKey}?api-version=7.3`, {

backend/src/services/secret-sync/camunda/camunda-sync-fns.ts

@@ -118,7 +118,7 @@ export const camundaSyncFactory = ({ kmsService, appConnectionDAL }: TCamundaSec
 
     for await (const secret of Object.keys(camundaSecrets)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(secret, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(secret, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       if (!(secret in secretMap) || !secretMap[secret].value) {
         try {

backend/src/services/secret-sync/databricks/databricks-sync-fns.ts

@@ -117,7 +117,7 @@ export const databricksSyncFactory = ({ kmsService, appConnectionDAL }: TDatabri
 
     for await (const secret of databricksSecretKeys) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(secret.key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(secret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       if (!(secret.key in secretMap)) {
         await deleteDatabricksSecrets({

backend/src/services/secret-sync/gcp/gcp-sync-enums.ts

@@ -1,3 +1,63 @@
 export enum GcpSyncScope {
-  Global = "global"
+  Global = "global",
+  Region = "region"
+}
+
+export enum GCPSecretManagerLocation {
+  // Asia Pacific
+  ASIA_SOUTHEAST3 = "asia-southeast3", // Bangkok
+  ASIA_SOUTH2 = "asia-south2", // Delhi
+  ASIA_EAST2 = "asia-east2", // Hong Kong
+  ASIA_SOUTHEAST2 = "asia-southeast2", // Jakarta
+  AUSTRALIA_SOUTHEAST2 = "australia-southeast2", // Melbourne
+  ASIA_SOUTH1 = "asia-south1", // Mumbai
+  ASIA_NORTHEAST2 = "asia-northeast2", // Osaka
+  ASIA_NORTHEAST3 = "asia-northeast3", // Seoul
+  ASIA_SOUTHEAST1 = "asia-southeast1", // Singapore
+  AUSTRALIA_SOUTHEAST1 = "australia-southeast1", // Sydney
+  ASIA_EAST1 = "asia-east1", // Taiwan
+  ASIA_NORTHEAST1 = "asia-northeast1", // Tokyo
+
+  // Europe
+  EUROPE_WEST1 = "europe-west1", // Belgium
+  EUROPE_WEST10 = "europe-west10", // Berlin
+  EUROPE_NORTH1 = "europe-north1", // Finland
+  EUROPE_NORTH2 = "europe-north2", // Stockholm
+  EUROPE_WEST3 = "europe-west3", // Frankfurt
+  EUROPE_WEST2 = "europe-west2", // London
+  EUROPE_SOUTHWEST1 = "europe-southwest1", // Madrid
+  EUROPE_WEST8 = "europe-west8", // Milan
+  EUROPE_WEST4 = "europe-west4", // Netherlands
+  EUROPE_WEST12 = "europe-west12", // Turin
+  EUROPE_WEST9 = "europe-west9", // Paris
+  EUROPE_CENTRAL2 = "europe-central2", // Warsaw
+  EUROPE_WEST6 = "europe-west6", // Zurich
+
+  // North America
+  US_CENTRAL1 = "us-central1", // Iowa
+  US_WEST4 = "us-west4", // Las Vegas
+  US_WEST2 = "us-west2", // Los Angeles
+  NORTHAMERICA_SOUTH1 = "northamerica-south1", // Mexico
+  NORTHAMERICA_NORTHEAST1 = "northamerica-northeast1", // Montréal
+  US_EAST4 = "us-east4", // Northern Virginia
+  US_CENTRAL2 = "us-central2", // Oklahoma
+  US_WEST1 = "us-west1", // Oregon
+  US_WEST3 = "us-west3", // Salt Lake City
+  US_EAST1 = "us-east1", // South Carolina
+  NORTHAMERICA_NORTHEAST2 = "northamerica-northeast2", // Toronto
+  US_EAST5 = "us-east5", // Columbus
+  US_SOUTH1 = "us-south1", // Dallas
+  US_WEST8 = "us-west8", // Phoenix
+
+  // South America
+  SOUTHAMERICA_EAST1 = "southamerica-east1", // São Paulo
+  SOUTHAMERICA_WEST1 = "southamerica-west1", // Santiago
+
+  // Middle East
+  ME_CENTRAL2 = "me-central2", // Dammam
+  ME_CENTRAL1 = "me-central1", // Doha
+  ME_WEST1 = "me-west1", // Tel Aviv
+
+  // Africa
+  AFRICA_SOUTH1 = "africa-south1" // Johannesburg
 }

backend/src/services/secret-sync/gcp/gcp-sync-fns.ts

@@ -4,6 +4,7 @@ import { request } from "@app/lib/config/request";
 import { logger } from "@app/lib/logger";
 import { getGcpConnectionAuthToken } from "@app/services/app-connection/gcp";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { GcpSyncScope } from "@app/services/secret-sync/gcp/gcp-sync-enums";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 
 import { SecretSyncError } from "../secret-sync-errors";
@@ -15,9 +16,17 @@ import {
   TGcpSyncWithCredentials
 } from "./gcp-sync-types";
 
-const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCredentials) => {
+const getProjectUrl = (secretSync: TGcpSyncWithCredentials) => {
   const { destinationConfig } = secretSync;
 
+  if (destinationConfig.scope === GcpSyncScope.Global) {
+    return `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}`;
+  }
+
+  return `https://secretmanager.${destinationConfig.locationId}.rep.googleapis.com/v1/projects/${destinationConfig.projectId}/locations/${destinationConfig.locationId}`;
+};
+
+const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCredentials) => {
   let gcpSecrets: GCPSecret[] = [];
 
   const pageSize = 100;
@@ -31,16 +40,13 @@ const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCreden
     });
 
     // eslint-disable-next-line no-await-in-loop
-    const { data: secretsRes } = await request.get<GCPSMListSecretsRes>(
-      `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${secretSync.destinationConfig.projectId}/secrets`,
-      {
-        params,
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
+    const { data: secretsRes } = await request.get<GCPSMListSecretsRes>(`${getProjectUrl(secretSync)}/secrets`, {
+      params,
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
       }
-    );
+    });
 
     if (secretsRes.secrets) {
       gcpSecrets = gcpSecrets.concat(secretsRes.secrets);
@@ -61,7 +67,7 @@ const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCreden
 
     try {
       const { data: secretLatest } = await request.get<GCPLatestSecretVersionAccess>(
-        `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}/versions/latest:access`,
+        `${getProjectUrl(secretSync)}/secrets/${key}/versions/latest:access`,
         {
           headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -113,11 +119,14 @@ export const GcpSyncFns = {
         if (!(key in gcpSecrets)) {
           // case: create secret
           await request.post(
-            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets`,
+            `${getProjectUrl(secretSync)}/secrets`,
             {
-              replication: {
-                automatic: {}
-              }
+              replication:
+                destinationConfig.scope === GcpSyncScope.Global
+                  ? {
+                      automatic: {}
+                    }
+                  : undefined
             },
             {
               params: {
@@ -131,7 +140,7 @@ export const GcpSyncFns = {
           );
 
           await request.post(
-            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}:addVersion`,
+            `${getProjectUrl(secretSync)}/secrets/${key}:addVersion`,
             {
               payload: {
                 data: Buffer.from(secretMap[key].value).toString("base64")
@@ -155,7 +164,7 @@ export const GcpSyncFns = {
 
     for await (const key of Object.keys(gcpSecrets)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       try {
         if (!(key in secretMap) || !secretMap[key].value) {
@@ -163,15 +172,12 @@ export const GcpSyncFns = {
           if (secretSync.syncOptions.disableSecretDeletion) continue;
 
           // case: delete secret
-          await request.delete(
-            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}`,
-            {
-              headers: {
-                Authorization: `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json"
-              }
+          await request.delete(`${getProjectUrl(secretSync)}/secrets/${key}`, {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json"
             }
-          );
+          });
         } else if (secretMap[key].value !== gcpSecrets[key]) {
           if (!secretMap[key].value) {
             logger.warn(
@@ -180,7 +186,7 @@ export const GcpSyncFns = {
           }
 
           await request.post(
-            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}:addVersion`,
+            `${getProjectUrl(secretSync)}/secrets/${key}:addVersion`,
             {
               payload: {
                 data: Buffer.from(secretMap[key].value).toString("base64")
@@ -212,21 +218,18 @@ export const GcpSyncFns = {
   },
 
   removeSecrets: async (secretSync: TGcpSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig, connection } = secretSync;
+    const { connection } = secretSync;
     const accessToken = await getGcpConnectionAuthToken(connection);
 
     const gcpSecrets = await getGcpSecrets(accessToken, secretSync);
     for await (const [key] of Object.entries(gcpSecrets)) {
       if (key in secretMap) {
-        await request.delete(
-          `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}`,
-          {
-            headers: {
-              Authorization: `Bearer ${accessToken}`,
-              "Accept-Encoding": "application/json"
-            }
+        await request.delete(`${getProjectUrl(secretSync)}/secrets/${key}`, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
           }
-        );
+        });
       }
     }
   }

backend/src/services/secret-sync/gcp/gcp-sync-schemas.ts

@@ -10,14 +10,33 @@ import {
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
 import { SecretSync } from "../secret-sync-enums";
-import { GcpSyncScope } from "./gcp-sync-enums";
+import { GCPSecretManagerLocation, GcpSyncScope } from "./gcp-sync-enums";
 
 const GcpSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
 
-const GcpSyncDestinationConfigSchema = z.object({
-  scope: z.literal(GcpSyncScope.Global).describe(SecretSyncs.DESTINATION_CONFIG.GCP.scope),
-  projectId: z.string().min(1, "Project ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GCP.projectId)
-});
+const GcpSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
+  z
+    .object({
+      scope: z.literal(GcpSyncScope.Global).describe(SecretSyncs.DESTINATION_CONFIG.GCP.scope),
+      projectId: z.string().min(1, "Project ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GCP.projectId)
+    })
+    .describe(
+      JSON.stringify({
+        title: "Global"
+      })
+    ),
+  z
+    .object({
+      scope: z.literal(GcpSyncScope.Region).describe(SecretSyncs.DESTINATION_CONFIG.GCP.scope),
+      projectId: z.string().min(1, "Project ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GCP.projectId),
+      locationId: z.nativeEnum(GCPSecretManagerLocation).describe(SecretSyncs.DESTINATION_CONFIG.GCP.locationId)
+    })
+    .describe(
+      JSON.stringify({
+        title: "Region"
+      })
+    )
+]);
 
 export const GcpSyncSchema = BaseSecretSyncSchema(SecretSync.GCPSecretManager, GcpSyncOptionsConfig).extend({
   destination: z.literal(SecretSync.GCPSecretManager),

backend/src/services/secret-sync/github/github-sync-fns.ts

@@ -223,8 +223,9 @@ export const GithubSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const encryptedSecret of encryptedSecrets) {
-      // eslint-disable-next-line no-continue
-      if (!matchesSchema(encryptedSecret.name, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(encryptedSecret.name, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema))
+        // eslint-disable-next-line no-continue
+        continue;
 
       if (!(encryptedSecret.name in secretMap)) {
         await deleteSecret(client, secretSync, encryptedSecret);

backend/src/services/secret-sync/hc-vault/hc-vault-sync-fns.ts

@@ -68,6 +68,7 @@ export const HCVaultSyncFns = {
   syncSecrets: async (secretSync: THCVaultSyncWithCredentials, secretMap: TSecretMap) => {
     const {
       connection,
+      environment,
       destinationConfig: { mount, path },
       syncOptions: { disableSecretDeletion, keySchema }
     } = secretSync;
@@ -97,7 +98,7 @@ export const HCVaultSyncFns = {
 
     for await (const [key] of Object.entries(variables)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, keySchema)) continue;
+      if (!matchesSchema(key, environment?.slug || "", keySchema)) continue;
 
       if (!(key in secretMap)) {
         delete variables[key];

backend/src/services/secret-sync/humanitec/humanitec-sync-fns.ts

@@ -200,8 +200,9 @@ export const HumanitecSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const humanitecSecret of humanitecSecrets) {
-      // eslint-disable-next-line no-continue
-      if (!matchesSchema(humanitecSecret.key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(humanitecSecret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema))
+        // eslint-disable-next-line no-continue
+        continue;
 
       if (!secretMap[humanitecSecret.key]) {
         await deleteSecret(secretSync, humanitecSecret);

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -1,5 +1,5 @@
 import { AxiosError } from "axios";
-import RE2 from "re2";
+import handlebars from "handlebars";
 
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OCI_VAULT_SYNC_LIST_OPTION, OCIVaultSyncFns } from "@app/ee/services/secret-sync/oci-vault";
@@ -68,13 +68,17 @@ type TSyncSecretDeps = {
 };
 
 // Add schema to secret keys
-const addSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecretMap => {
+const addSchema = (unprocessedSecretMap: TSecretMap, environment: string, schema?: string): TSecretMap => {
   if (!schema) return unprocessedSecretMap;
 
   const processedSecretMap: TSecretMap = {};
 
   for (const [key, value] of Object.entries(unprocessedSecretMap)) {
-    const newKey = new RE2("{{secretKey}}").replace(schema, key);
+    const newKey = handlebars.compile(schema)({
+      secretKey: key,
+      environment
+    });
+
     processedSecretMap[newKey] = value;
   }
 
@@ -82,10 +86,17 @@ const addSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecretMa
 };
 
 // Strip schema from secret keys
-const stripSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecretMap => {
+const stripSchema = (unprocessedSecretMap: TSecretMap, environment: string, schema?: string): TSecretMap => {
   if (!schema) return unprocessedSecretMap;
 
-  const [prefix, suffix] = schema.split("{{secretKey}}");
+  const compiledSchemaPattern = handlebars.compile(schema)({
+    secretKey: "{{secretKey}}", // Keep secretKey
+    environment
+  });
+
+  const parts = compiledSchemaPattern.split("{{secretKey}}");
+  const prefix = parts[0];
+  const suffix = parts[parts.length - 1];
 
   const strippedMap: TSecretMap = {};
 
@@ -103,21 +114,40 @@ const stripSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecret
 };
 
 // Checks if a key matches a schema
-export const matchesSchema = (key: string, schema?: string): boolean => {
+export const matchesSchema = (key: string, environment: string, schema?: string): boolean => {
   if (!schema) return true;
 
-  const [prefix, suffix] = schema.split("{{secretKey}}");
-  if (prefix === undefined || suffix === undefined) return true;
+  const compiledSchemaPattern = handlebars.compile(schema)({
+    secretKey: "{{secretKey}}", // Keep secretKey
+    environment
+  });
 
-  return key.startsWith(prefix) && key.endsWith(suffix);
+  // This edge-case shouldn't be possible
+  if (!compiledSchemaPattern.includes("{{secretKey}}")) {
+    return key === compiledSchemaPattern;
+  }
+
+  const parts = compiledSchemaPattern.split("{{secretKey}}");
+  const prefix = parts[0];
+  const suffix = parts[parts.length - 1];
+
+  if (prefix === "" && suffix === "") return true;
+
+  // If prefix is empty, key must end with suffix
+  if (prefix === "") return key.endsWith(suffix);
+
+  // If suffix is empty, key must start with prefix
+  if (suffix === "") return key.startsWith(prefix);
+
+  return key.startsWith(prefix) && key.endsWith(suffix) && key.length >= prefix.length + suffix.length;
 };
 
 // Filter only for secrets with keys that match the schema
-const filterForSchema = (secretMap: TSecretMap, schema?: string): TSecretMap => {
+const filterForSchema = (secretMap: TSecretMap, environment: string, schema?: string): TSecretMap => {
   const filteredMap: TSecretMap = {};
 
   for (const [key, value] of Object.entries(secretMap)) {
-    if (matchesSchema(key, schema)) {
+    if (matchesSchema(key, environment, schema)) {
       filteredMap[key] = value;
     }
   }
@@ -131,7 +161,7 @@ export const SecretSyncFns = {
     secretMap: TSecretMap,
     { kmsService, appConnectionDAL }: TSyncSecretDeps
   ): Promise<void> => {
-    const schemaSecretMap = addSchema(secretMap, secretSync.syncOptions.keySchema);
+    const schemaSecretMap = addSchema(secretMap, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema);
 
     switch (secretSync.destination) {
       case SecretSync.AWSParameterStore:
@@ -255,14 +285,16 @@ export const SecretSyncFns = {
         );
     }
 
-    return stripSchema(filterForSchema(secretMap), secretSync.syncOptions.keySchema);
+    const filtered = filterForSchema(secretMap, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema);
+    const stripped = stripSchema(filtered, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema);
+    return stripped;
   },
   removeSecrets: (
     secretSync: TSecretSyncWithCredentials,
     secretMap: TSecretMap,
     { kmsService, appConnectionDAL }: TSyncSecretDeps
   ): Promise<void> => {
-    const schemaSecretMap = addSchema(secretMap, secretSync.syncOptions.keySchema);
+    const schemaSecretMap = addSchema(secretMap, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema);
 
     switch (secretSync.destination) {
       case SecretSync.AWSParameterStore:

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -28,10 +28,30 @@ const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
     keySchema: z
       .string()
       .optional()
-      .refine((val) => !val || new RE2(/^(?:[a-zA-Z0-9_\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9_\-/]*)$/).test(val), {
-        message:
-          "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, underscores, slashes, and the {{secretKey}} placeholder."
-      })
+      .refine(
+        (val) => {
+          if (!val) return true;
+
+          const allowedOptionalPlaceholders = ["{{environment}}"];
+
+          const allowedPlaceholdersRegexPart = ["{{secretKey}}", ...allowedOptionalPlaceholders]
+            .map((p) => p.replace(/[-/\\^$*+?.()|[\]{}]/g, "\\$&")) // Escape regex special characters
+            .join("|");
+
+          const allowedContentRegex = new RE2(`^([a-zA-Z0-9_\\-/]|${allowedPlaceholdersRegexPart})*$`);
+          const contentIsValid = allowedContentRegex.test(val);
+
+          // Check if {{secretKey}} is present
+          const secretKeyRegex = new RE2(/\{\{secretKey\}\}/);
+          const secretKeyIsPresent = secretKeyRegex.test(val);
+
+          return contentIsValid && secretKeyIsPresent;
+        },
+        {
+          message:
+            "Key schema must include exactly one {{secretKey}} placeholder. It can also include {{environment}} placeholders. Only alphanumeric characters (a-z, A-Z, 0-9), dashes (-), underscores (_), and slashes (/) are allowed besides the placeholders."
+        }
+      )
       .describe(SecretSyncs.SYNC_OPTIONS(destination).keySchema),
     disableSecretDeletion: z.boolean().optional().describe(SecretSyncs.SYNC_OPTIONS(destination).disableSecretDeletion)
   });

backend/src/services/secret-sync/teamcity/teamcity-sync-fns.ts

@@ -127,7 +127,7 @@ export const TeamCitySyncFns = {
 
     for await (const [key, variable] of Object.entries(variables)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
 
       if (!(key in secretMap)) {
         try {

backend/src/services/secret-sync/terraform-cloud/terraform-cloud-sync-fns.ts

@@ -232,8 +232,11 @@ export const TerraformCloudSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for (const terraformCloudVariable of terraformCloudVariables) {
-      // eslint-disable-next-line no-continue
-      if (!matchesSchema(terraformCloudVariable.key, secretSync.syncOptions.keySchema)) continue;
+      if (
+        !matchesSchema(terraformCloudVariable.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema)
+      )
+        // eslint-disable-next-line no-continue
+        continue;
 
       if (!Object.prototype.hasOwnProperty.call(secretMap, terraformCloudVariable.key)) {
         await deleteVariable(secretSync, terraformCloudVariable);

backend/src/services/secret-sync/vercel/vercel-sync-fns.ts

@@ -291,8 +291,9 @@ export const VercelSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const vercelSecret of vercelSecrets) {
-      // eslint-disable-next-line no-continue
-      if (!matchesSchema(vercelSecret.key, secretSync.syncOptions.keySchema)) continue;
+      if (!matchesSchema(vercelSecret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema))
+        // eslint-disable-next-line no-continue
+        continue;
 
       if (!secretMap[vercelSecret.key]) {
         await deleteSecret(secretSync, vercelSecret);

backend/src/services/secret-sync/windmill/windmill-sync-fns.ts

@@ -128,6 +128,7 @@ export const WindmillSyncFns = {
   syncSecrets: async (secretSync: TWindmillSyncWithCredentials, secretMap: TSecretMap) => {
     const {
       connection,
+      environment,
       destinationConfig: { path },
       syncOptions: { disableSecretDeletion, keySchema }
     } = secretSync;
@@ -171,7 +172,7 @@ export const WindmillSyncFns = {
 
     for await (const [key, variable] of Object.entries(variables)) {
       // eslint-disable-next-line no-continue
-      if (!matchesSchema(key, keySchema)) continue;
+      if (!matchesSchema(key, environment?.slug || "", keySchema)) continue;
 
       if (!(key in secretMap)) {
         try {

backend/src/services/user/user-dal.ts

@@ -21,6 +21,11 @@ export const userDALFactory = (db: TDbClient) => {
   const findUserByUsername = async (username: string, tx?: Knex) =>
     (tx || db)(TableName.Users).whereRaw('lower("username") = :username', { username: username.toLowerCase() });
 
+  const findUserByEmail = async (email: string, tx?: Knex) =>
+    (tx || db)(TableName.Users).whereRaw('lower("email") = :email', { email: email.toLowerCase() }).where({
+      isEmailVerified: true
+    });
+
   const getUsersByFilter = async ({
     limit,
     offset,
@@ -234,6 +239,7 @@ export const userDALFactory = (db: TDbClient) => {
     findOneUserAction,
     createUserAction,
     getUsersByFilter,
-    findAllMyAccounts
+    findAllMyAccounts,
+    findUserByEmail
   };
 };

cli/packages/gateway/connection.go

@@ -12,6 +12,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"sync"
@@ -25,9 +26,13 @@ func handleConnection(ctx context.Context, quicConn quic.Connection) {
 	log.Info().Msgf("New connection from: %s", quicConn.RemoteAddr().String())
 	// Use WaitGroup to track all streams
 	var wg sync.WaitGroup
+
+	contextWithTimeout, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
 	for {
 		// Accept the first stream, which we'll use for commands
-		stream, err := quicConn.AcceptStream(ctx)
+		stream, err := quicConn.AcceptStream(contextWithTimeout)
 		if err != nil {
 			log.Printf("Failed to accept QUIC stream: %v", err)
 			break
@@ -51,7 +56,12 @@ func handleStream(stream quic.Stream, quicConn quic.Connection) {
 
 	// Use buffered reader for better handling of fragmented data
 	reader := bufio.NewReader(stream)
-	defer stream.Close()
+	defer func() {
+		log.Info().Msgf("Closing stream %d", streamID)
+		if stream != nil {
+			stream.Close()
+		}
+	}()
 
 	for {
 		msg, err := reader.ReadBytes('\n')
@@ -106,6 +116,11 @@ func handleStream(stream quic.Stream, quicConn quic.Connection) {
 
 			targetURL := string(argParts[0])
 
+			if !isValidURL(targetURL) {
+				log.Error().Msgf("Invalid target URL: %s", targetURL)
+				return
+			}
+
 			// Parse optional parameters
 			var caCertB64, verifyParam string
 			for _, part := range argParts[1:] {
@@ -160,7 +175,6 @@ func handleHTTPProxy(stream quic.Stream, reader *bufio.Reader, targetURL string,
 			}
 		}
 
-		// set certificate verification based on what the gateway client sent
 		if verifyParam != "" {
 			tlsConfig.InsecureSkipVerify = verifyParam == "false"
 			log.Info().Msgf("TLS verification set to: %s", verifyParam)
@@ -169,82 +183,94 @@ func handleHTTPProxy(stream quic.Stream, reader *bufio.Reader, targetURL string,
 		transport.TLSClientConfig = tlsConfig
 	}
 
-	// read and parse the http request from the stream
-	req, err := http.ReadRequest(reader)
-	if err != nil {
-		return fmt.Errorf("failed to read HTTP request: %v", err)
-	}
-
-	actionHeader := req.Header.Get("x-infisical-action")
-	if actionHeader != "" {
-
-		if actionHeader == "inject-k8s-sa-auth-token" {
-			token, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
-
-			if err != nil {
-				stream.Write([]byte(buildHttpInternalServerError("failed to read k8s sa auth token")))
-				return fmt.Errorf("failed to read k8s sa auth token: %v", err)
-			}
-
-			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", string(token)))
-			log.Info().Msgf("Injected gateway k8s SA auth token in request to %s", targetURL)
-		}
-
-		req.Header.Del("x-infisical-action")
-	}
-
-	var targetFullURL string
-	if strings.HasPrefix(targetURL, "http://") || strings.HasPrefix(targetURL, "https://") {
-		baseURL := strings.TrimSuffix(targetURL, "/")
-		targetFullURL = baseURL + req.URL.Path
-		if req.URL.RawQuery != "" {
-			targetFullURL += "?" + req.URL.RawQuery
-		}
-	} else {
-		baseURL := strings.TrimSuffix("http://"+targetURL, "/")
-		targetFullURL = baseURL + req.URL.Path
-		if req.URL.RawQuery != "" {
-			targetFullURL += "?" + req.URL.RawQuery
-		}
-	}
-
-	// create the request to the target
-	proxyReq, err := http.NewRequest(req.Method, targetFullURL, req.Body)
-	proxyReq.Header = req.Header.Clone()
-	if err != nil {
-		return fmt.Errorf("failed to create proxy request: %v", err)
-	}
-
-	log.Info().Msgf("Proxying %s %s to %s", req.Method, req.URL.Path, targetFullURL)
-
 	client := &http.Client{
 		Transport: transport,
 		Timeout:   30 * time.Second,
 	}
 
-	// make the request to the target
-	resp, err := client.Do(proxyReq)
-	if err != nil {
-		stream.Write([]byte(buildHttpInternalServerError(fmt.Sprintf("failed to reach target due to networking error: %s", err.Error()))))
-		return fmt.Errorf("failed to reach target due to networking error: %v", err)
+	// Loop to handle multiple HTTP requests on the same stream
+	for {
+		req, err := http.ReadRequest(reader)
+
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				log.Info().Msg("Client closed HTTP connection")
+				return nil
+			}
+			return fmt.Errorf("failed to read HTTP request: %v", err)
+		}
+		log.Info().Msgf("Received HTTP request: %s", req.URL.Path)
+
+		actionHeader := req.Header.Get("x-infisical-action")
+		if actionHeader != "" {
+			if actionHeader == "inject-k8s-sa-auth-token" {
+				token, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+				if err != nil {
+					stream.Write([]byte(buildHttpInternalServerError("failed to read k8s sa auth token")))
+					continue // Continue to next request instead of returning
+				}
+				req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", string(token)))
+				log.Info().Msgf("Injected gateway k8s SA auth token in request to %s", targetURL)
+			}
+			req.Header.Del("x-infisical-action")
+		}
+
+		// Build full target URL
+		var targetFullURL string
+		if strings.HasPrefix(targetURL, "http://") || strings.HasPrefix(targetURL, "https://") {
+			baseURL := strings.TrimSuffix(targetURL, "/")
+			targetFullURL = baseURL + req.URL.Path
+			if req.URL.RawQuery != "" {
+				targetFullURL += "?" + req.URL.RawQuery
+			}
+		} else {
+			baseURL := strings.TrimSuffix("http://"+targetURL, "/")
+			targetFullURL = baseURL + req.URL.Path
+			if req.URL.RawQuery != "" {
+				targetFullURL += "?" + req.URL.RawQuery
+			}
+		}
+
+		// create the request to the target
+		proxyReq, err := http.NewRequest(req.Method, targetFullURL, req.Body)
+		if err != nil {
+			log.Error().Msgf("Failed to create proxy request: %v", err)
+			stream.Write([]byte(buildHttpInternalServerError("failed to create proxy request")))
+			continue // Continue to next request
+		}
+		proxyReq.Header = req.Header.Clone()
+
+		log.Info().Msgf("Proxying %s %s to %s", req.Method, req.URL.Path, targetFullURL)
+
+		resp, err := client.Do(proxyReq)
+		if err != nil {
+			log.Error().Msgf("Failed to reach target: %v", err)
+			stream.Write([]byte(buildHttpInternalServerError(fmt.Sprintf("failed to reach target due to networking error: %s", err.Error()))))
+			continue // Continue to next request
+		}
+
+		// Write the entire response (status line, headers, body) to the stream
+		// http.Response.Write handles this for "Connection: close" correctly.
+		// For other connection tokens, manual removal might be needed if they cause issues with QUIC.
+		// For a simple proxy, this is generally sufficient.
+		resp.Header.Del("Connection") // Good practice for proxies
+
+		log.Info().Msgf("Writing response to stream: %s", resp.Status)
+
+		if err := resp.Write(stream); err != nil {
+			log.Error().Err(err).Msg("Failed to write response to stream")
+			resp.Body.Close()
+			return fmt.Errorf("failed to write response to stream: %w", err)
+		}
+
+		resp.Body.Close()
+
+		// Check if client wants to close connection
+		if req.Header.Get("Connection") == "close" {
+			log.Info().Msg("Client requested connection close")
+			return nil
+		}
 	}
-	defer resp.Body.Close()
-
-	// Write the entire response (status line, headers, body) to the stream
-	// http.Response.Write handles this for "Connection: close" correctly.
-	// For other connection tokens, manual removal might be needed if they cause issues with QUIC.
-	// For a simple proxy, this is generally sufficient.
-	resp.Header.Del("Connection") // Good practice for proxies
-
-	log.Info().Msgf("Writing response to stream: %s", resp.Status)
-	if err := resp.Write(stream); err != nil {
-		// If writing the response fails, the connection to the client might be broken.
-		// Logging the error is important. The original error will be returned.
-		log.Error().Err(err).Msg("Failed to write response to stream")
-		return fmt.Errorf("failed to write response to stream: %w", err)
-	}
-
-	return nil
 }
 
 func buildHttpInternalServerError(message string) string {
@@ -255,6 +281,11 @@ type CloseWrite interface {
 	CloseWrite() error
 }
 
+func isValidURL(str string) bool {
+	u, err := url.Parse(str)
+	return err == nil && u.Scheme != "" && u.Host != ""
+}
+
 func CopyDataFromQuicToTcp(quicStream quic.Stream, tcpConn net.Conn) {
 	// Create a WaitGroup to wait for both copy operations
 	var wg sync.WaitGroup

docs/documentation/platform/access-controls/abac/managing-machine-identity-attributes.mdx

@@ -1,5 +1,5 @@
 ---
-title: "Machine identities"  
+title: "Machine identities"
 description: "Learn how to set metadata and leverage authentication attributes for machine identities."
 ---
 
@@ -25,7 +25,7 @@ Machine identities can have metadata set manually, just like users. In addition,
 
 #### Accessing Attributes From Machine Identity Login
 
-When machine identities authenticate, they may receive additional payloads/attributes from the service provider. 
+When machine identities authenticate, they may receive additional payloads/attributes from the service provider.
 For methods like OIDC, these come as claims in the token and can be made available in your policies.
 
 <Tabs>
@@ -50,17 +50,29 @@ For methods like OIDC, these come as claims in the token and can be made availab
     ```
 
     You might map:
-    
-    - **department:** to `user.department`  
+
+    - **department:** to `user.department`
     - **role:** to `user.role`
 
     Once configured, these attributes become available in your policies using the following format:
-    
+
     ```
     {{ identity.auth.oidc.claims.<permission claim name> }}
     ```
 
     <img src="/images/platform/access-controls/abac-policy-oidc-format.png" />
+
+  </Tab>
+  <Tab title="Kubernetes Login Attributes">
+				For identities authenticated using Kubernetes, the service account's namespace and name are available in their policy and can be accessed as follows:
+
+    ```
+    {{ identity.auth.kubernetes.namespace }}
+    {{ identity.auth.kubernetes.name }}
+    ```
+
+    <img src="/images/platform/access-controls/abac-policy-k8s-format.png" />
+
   </Tab>
   <Tab title="Other Authentication Method Attributes">
     At the moment we only support OIDC claims. Payloads on other authentication methods are not yet accessible.

docs/documentation/platform/dynamic-secrets/aws-elasticache.mdx

@@ -95,12 +95,28 @@ The Infisical AWS ElastiCache dynamic secret allows you to generate AWS ElastiCa
   </Step>
   <Step title="(Optional) Modify ElastiCache Statements">
   ![Modify ElastiCache Statements Modal](/images/platform/dynamic-secrets/modify-elasticache-statement.png)
-   <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+  <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
 	<ParamField path="Customize ElastiCache Statement" type="string">
   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the ElastiCache statement to your needs. This is useful if you want to only give access to a specific resource.

docs/documentation/platform/dynamic-secrets/aws-iam.mdx

@@ -50,110 +50,304 @@ Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** w
 
 ## Set up Dynamic Secrets with AWS IAM
 
-<Steps>
-  <Step title="Secret Overview Dashboard">
-	Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
-  </Step>
-  <Step title="Click on the 'Add Dynamic Secret' button">
-	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
-  </Step>
-  <Step title="Select AWS IAM">
-	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
-  </Step>
-  <Step title="Provide the inputs for dynamic secret parameters">
-	<ParamField path="Secret Name" type="string" required>
-		Name by which you want the secret to be referenced
-	</ParamField>
+<Tabs>
+  <Tab title="Assume Role (Recommended)">
+    Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.
+        <Accordion title="Self-Hosted Instance">
+            To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.
 
-	<ParamField path="Default TTL" type="string" required>
-		Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
-	</ParamField>
+            If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.
 
-	<ParamField path="Max TTL" type="string" required>
-		Maximum time-to-live for a generated secret
-	</ParamField>
+            The following steps are for instances not deployed on AWS:
+            <Steps>
+                <Step title="Create an IAM User">
+                    Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
+                </Step>
+                <Step title="Create an Inline Policy">
+                    Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
+                    ```json
+                    {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                    {
+                        "Sid": "AllowAssumeAnyRole",
+                        "Effect": "Allow",
+                        "Action": "sts:AssumeRole",
+                        "Resource": "arn:aws:iam::*:role/*"
+                    }
+                        ]
+                    }
+                    ```
+                </Step>
+                <Step title="Obtain the IAM User Credentials">
+                    Obtain the AWS access key ID and secret access key for your IAM User by navigating to **IAM > Users > [Your User] > Security credentials > Access keys**.
 
-	<ParamField path="AWS Access Key" type="string" required>
-				The managing AWS IAM User Access Key
-  </ParamField>
+                    ![Access Key Step 1](/images/integrations/aws/integrations-aws-access-key-1.png)
+                    ![Access Key Step 2](/images/integrations/aws/integrations-aws-access-key-2.png)
+                    ![Access Key Step 3](/images/integrations/aws/integrations-aws-access-key-3.png)
+                </Step>
+                <Step title="Set Up Connection Keys">
+                    1. Set the access key as **DYNAMIC_SECRET_AWS_ACCESS_KEY_ID**.
+                    2. Set the secret key as **DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY**.
+                </Step>
+            </Steps>
+        </Accordion>
 
-	<ParamField path="AWS Secret Key" type="string" required>
-				The managing AWS IAM User Secret Key
-  </ParamField>
+    <Steps>
+         <Step title="Create the Managing User IAM Role for Infisical">
+                1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
+                ![IAM Role Creation](/images/integrations/aws/integration-aws-iam-assume-role.png)
 
-	<ParamField path="AWS IAM Path" type="string">
-				[IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
-	</ParamField>
+                2. Select **AWS Account** as the **Trusted Entity Type**.
+                3. Select **Another AWS Account** and provide the appropriate Infisical AWS Account ID: use **381492033652** for the **US region**, and **345594589636** for the **EU region**. This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
+                4. (Recommended) <strong>Enable "Require external ID"</strong> and input your **Project ID** to strengthen security and mitigate the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
+                5. Assign permission as shared in prerequisite.
 
-	<ParamField path="AWS Region" type="string" required>
-				The AWS data center region.
-	</ParamField>
+                <Warning type="warning" title="Security Best Practice: Use External ID to Prevent Confused Deputy Attacks">
+                    When configuring an IAM Role that Infisical will assume, it’s highly recommended to enable the **"Require external ID"** option and specify your **Project ID**.
 
-	<ParamField path="IAM User Permission Boundary" type="string" required>
-				The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
-	</ParamField>
+                    This precaution helps protect your AWS account against the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html), a potential security vulnerability where Infisical could be tricked into performing actions on your behalf by an unauthorized actor.
 
-	<ParamField path="AWS IAM Groups" type="string">
-	The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
-</ParamField>
+                    <strong>Always enable "Require external ID" and use your Project ID when setting up the IAM Role.</strong>
+                </Warning>
+      </Step>
+    			<Step title="Copy the AWS IAM Role ARN">
+                ![Copy IAM Role ARN](/images/integrations/aws/integration-aws-iam-assume-arn.png)
+            </Step>
+      <Step title="Secret Overview Dashboard">
+        Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
+      </Step>
+      <Step title="Click on the 'Add Dynamic Secret' button">
+        ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+      </Step>
+      <Step title="Select AWS IAM">
+        ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
+      </Step>
+      <Step title="Provide the inputs for dynamic secret parameters">
+        ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam-assume-role.png)
+        <ParamField path="Secret Name" type="string" required>
+          Name by which you want the secret to be referenced
+        </ParamField>
 
-	<ParamField path="AWS Policy ARNs" type="string">
-	The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
-</ParamField>
+        <ParamField path="Default TTL" type="string" required>
+          Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+        </ParamField>
 
-<ParamField path="AWS IAM Policy Document" type="string">
-	The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
-</ParamField>
+        <ParamField path="Max TTL" type="string" required>
+          Maximum time-to-live for a generated secret
+        </ParamField>
 
-<ParamField path="Username Template" type="string" default="{{randomUsername}}">
-Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+        <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+          Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-Allowed template variables are
-- `{{randomUsername}}`: Random username string
-- `{{unixTimestamp}}`: Current Unix timestamp
-</ParamField>
+          Allowed template variables are
+          - `{{randomUsername}}`: Random username string
+          - `{{unixTimestamp}}`: Current Unix timestamp
+          - `{{identity.name}}`: Name of the identity that is generating the secret
+          - `{{random N}}`: Random string of N characters
 
-	![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam.png)
+          Allowed template functions are
+          - `truncate`: Truncates a string to a specified length
+          - `replace`: Replaces a substring with another value
 
-  </Step>
-  <Step title="Click 'Submit'">
-  	After submitting the form, you will see a dynamic secret created in the dashboard.
+          Examples:
+          ```
+          {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+          {{unixTimestamp}}                               // 17490641580
+          {{identity.name}}                               // testuser
+          {{random-5}}                                    // x9k2m
+          {{truncate identity.name 4}}                    // test
+          {{replace identity.name 'user' 'replace'}}      // testreplace
+          ```
+        </ParamField>
+        <ParamField path="Method" type="string" required>
+            Select *Assume Role* method.
+        </ParamField>
 
-	![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
-  </Step>
-  <Step title="Generate dynamic secrets">
-	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
-	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
-	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+        <ParamField path="Aws Role ARN" type="string" required>
+    			   The ARN of the AWS Role to assume.
+        </ParamField>
 
-	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
-	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+        <ParamField path="AWS IAM Path" type="string">
+          [IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
+        </ParamField>
 
-	When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+        <ParamField path="AWS Region" type="string" required>
+          The AWS data center region.
+        </ParamField>
 
-	![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+        <ParamField path="IAM User Permission Boundary" type="string" required>
+          The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
+        </ParamField>
 
-	<Tip>
-		Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret in step 4.
-	</Tip>
+        <ParamField path="AWS IAM Groups" type="string">
+          The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
+        </ParamField>
 
+        <ParamField path="AWS Policy ARNs" type="string">
+          The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
+        </ParamField>
 
-	Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+        <ParamField path="AWS IAM Policy Document" type="string">
+          The AWS IAM inline policy that should be attached to the created users.
+          Multiple values can be provided by separating them with commas
+        </ParamField>
 
-	![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
-  </Step>
-</Steps>
+        <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+          Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+          Allowed template variables are
+
+          - `{{randomUsername}}`: Random username string
+          - `{{unixTimestamp}}`: Current Unix timestamp
+        </ParamField>
+      </Step>
+
+      <Step title="Click 'Submit'">
+        After submitting the form, you will see a dynamic secret created in the dashboard.
+        ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
+      </Step>
+
+      <Step title="Generate dynamic secrets">
+        Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+        To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+        Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+        When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+        <Tip>
+          Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
+        </Tip>
+
+        Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+  <Tab title="Access Key">
+        Infisical will use the provided **Access Key ID** and **Secret Key** to connect to your AWS instance.
+  <Steps>
+      <Step title="Secret Overview Dashboard">
+        Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
+      </Step>
+      <Step title="Click on the 'Add Dynamic Secret' button">
+        ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+      </Step>
+      <Step title="Select AWS IAM">
+        ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
+      </Step>
+      <Step title="Provide the inputs for dynamic secret parameters">
+        ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam-access-key.png)
+        <ParamField path="Secret Name" type="string" required>
+          Name by which you want the secret to be referenced
+        </ParamField>
+
+        <ParamField path="Default TTL" type="string" required>
+          Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+        </ParamField>
+
+        <ParamField path="Max TTL" type="string" required>
+          Maximum time-to-live for a generated secret
+        </ParamField>
+
+    			<ParamField path="Method" type="string" required>
+    			   Select *Access Key* method.
+    			</ParamField>
+
+        <ParamField path="AWS Access Key" type="string" required>
+          The managing AWS IAM User Access Key
+        </ParamField>
+
+        <ParamField path="AWS Secret Key" type="string" required>
+          The managing AWS IAM User Secret Key
+        </ParamField>
+
+        <ParamField path="AWS IAM Path" type="string">
+          [IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
+        </ParamField>
+
+        <ParamField path="AWS Region" type="string" required>
+          The AWS data center region.
+        </ParamField>
+
+        <ParamField path="IAM User Permission Boundary" type="string" required>
+          The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
+        </ParamField>
+
+        <ParamField path="AWS IAM Groups" type="string">
+          The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
+        </ParamField>
+
+        <ParamField path="AWS Policy ARNs" type="string">
+          The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
+        </ParamField>
+
+        <ParamField path="AWS IAM Policy Document" type="string">
+          The AWS IAM inline policy that should be attached to the created users.
+          Multiple values can be provided by separating them with commas
+        </ParamField>
+
+        <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+          Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+          Allowed template variables are
+
+          - `{{randomUsername}}`: Random username string
+          - `{{unixTimestamp}}`: Current Unix timestamp
+        </ParamField>
+
+      </Step>
+
+      <Step title="Click 'Submit'">
+        After submitting the form, you will see a dynamic secret created in the dashboard.
+        ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
+      </Step>
+
+      <Step title="Generate dynamic secrets">
+        Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+        To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+        Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+        When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+        <Tip>
+          Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
+        </Tip>
+
+        Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+</Tabs>
 
 ## Audit or Revoke Leases
+
 Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
 This will allow you to see the lease details and delete the lease ahead of its expiration time.
 
 ![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
 
 ## Renew Leases
+
 To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the **Renew** button as illustrated below.
 ![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
 
 <Warning>
-	Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
+  Lease renewals cannot exceed the maximum TTL set when configuring the dynamic
+  secret
 </Warning>

docs/documentation/platform/dynamic-secrets/cassandra.mdx

@@ -80,11 +80,27 @@ The above configuration allows user creation and granting permissions.
   <Step title="(Optional) Modify CQL Statements">
   ![Modify CQL Statements Modal](../../../images/platform/dynamic-secrets/modify-cql-statements.png)
   <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
 	<ParamField path="Customize CQL Statement" type="string">
   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the CQL statement to your needs. This is useful if you want to only give access to a specific key-space(s).

docs/documentation/platform/dynamic-secrets/elastic-search.mdx

@@ -87,13 +87,29 @@ The port that your Elasticsearch instance is running on. _(Example: 9200)_
     <ParamField path="CA(SSL)" type="string">
     	A CA may be required if your DB requires it for incoming connections. This is often the case when connecting to a managed service.
     </ParamField>
-    <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-      Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-      Allowed template variables are
-      - `{{randomUsername}}`: Random username string
-      - `{{unixTimestamp}}`: Current Unix timestamp
-    </ParamField>
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
 
 ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-input-modal-elastic-search.png)
 

docs/documentation/platform/dynamic-secrets/ldap.mdx

@@ -123,13 +123,29 @@ The Infisical LDAP dynamic secret allows you to generate user credentials on dem
             changetype: delete
             ```
         </ParamField>
-         <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
     Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
     Allowed template variables are
     - `{{randomUsername}}`: Random username string
     - `{{unixTimestamp}}`: Current Unix timestamp
-    </ParamField>
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
       </Step>
 
       <Step title="Click `Submit`">

docs/documentation/platform/dynamic-secrets/mongo-atlas.mdx

@@ -63,13 +63,29 @@ Create a project scoped API Key with the required permission in your Mongo Atlas
 
 ![Modify Scope Modal](../../../images/platform/dynamic-secrets/advanced-option-atlas.png)
 
-   <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
-    </ParamField>
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
     <ParamField path="Customize Scope" type="string">
 
     List that contains clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances that this database user can access. If omitted, MongoDB Cloud grants the database user access to all the clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances in the project.

docs/documentation/platform/dynamic-secrets/mongo-db.mdx

@@ -66,12 +66,28 @@ Create a user with the required permission in your MongoDB instance. This user w
 	<ParamField path="CA(SSL)" type="string">
 		A CA may be required if your DB requires it for incoming connections.
 	</ParamField>
-  <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
     Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
     Allowed template variables are
     - `{{randomUsername}}`: Random username string
     - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
 
 	![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-mongodb.png)

docs/documentation/platform/dynamic-secrets/mssql.mdx

@@ -9,7 +9,6 @@ The Infisical MS SQL dynamic secret allows you to generate Microsoft SQL server
 
 Create a user with the required permission in your SQL instance. This user will be used to create new accounts on-demand.
 
-
 ## Set up Dynamic Secrets with MS SQL
 
 <Steps>
@@ -27,104 +26,123 @@ Create a user with the required permission in your SQL instance. This user will
 		Name by which you want the secret to be referenced
 	</ParamField>
 
-	<ParamField path="Default TTL" type="string" required>
-		Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
-	</ParamField>
+    <ParamField path="Default TTL" type="string" required>
+    	Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+    </ParamField>
 
-	<ParamField path="Max TTL" type="string" required>
-		Maximum time-to-live for a generated secret
-	</ParamField>
+    <ParamField path="Max TTL" type="string" required>
+    	Maximum time-to-live for a generated secret
+    </ParamField>
 
-	<ParamField path="Metadata" type="list" required>
-		List of key/value metadata pairs
-	</ParamField>
+    <ParamField path="Metadata" type="list" required>
+    	List of key/value metadata pairs
+    </ParamField>
 
-	<ParamField path="Service" type="string" required>
-		Choose the service you want to generate dynamic secrets for. This must be selected as **MS SQL**.
-	</ParamField>
+    <ParamField path="Service" type="string" required>
+    	Choose the service you want to generate dynamic secrets for. This must be selected as **MS SQL**.
+    </ParamField>
 
-	<ParamField path="Host" type="string" required>
-		Database host
-	</ParamField>
+    <ParamField path="Host" type="string" required>
+    	Database host
+    </ParamField>
 
-	<ParamField path="Port" type="number" required>
-		Database port
-	</ParamField>
+    <ParamField path="Port" type="number" required>
+    	Database port
+    </ParamField>
 
-	<ParamField path="User" type="string" required>
-		Username that will be used to create dynamic secrets
-	</ParamField>
+    <ParamField path="User" type="string" required>
+    	Username that will be used to create dynamic secrets
+    </ParamField>
 
-	<ParamField path="Password" type="string" required>
-		Password that will be used to create dynamic secrets
-	</ParamField>
+    <ParamField path="Password" type="string" required>
+    	Password that will be used to create dynamic secrets
+    </ParamField>
 
-	<ParamField path="Database Name" type="string" required>
-		Name of the database for which you want to create dynamic secrets
-	</ParamField>
+    <ParamField path="Database Name" type="string" required>
+    	Name of the database for which you want to create dynamic secrets
+    </ParamField>
 
-	<ParamField path="CA(SSL)" type="string">
-		A CA may be required if your DB requires it for incoming connections. AWS RDS instances with default settings will requires a CA which can be downloaded [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions).
-	</ParamField>
+    <ParamField path="CA(SSL)" type="string">
+    	A CA may be required if your DB requires it for incoming connections. AWS RDS instances with default settings will requires a CA which can be downloaded [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions).
+    </ParamField>
 
-	![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-mssql.png)
+    ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-mssql.png)
 
   </Step>
   <Step title="(Optional) Modify SQL Statements">
   ![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sql-statements-mssql.png)
-  <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+    </ParamField>
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
-	</ParamField>
-	<ParamField path="Customize SQL Statement" type="string">
-   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs. This is useful if you want to only give access to a specific table(s).
-	</ParamField>
   </Step>
   <Step title="Click 'Submit'">
   	After submitting the form, you will see a dynamic secret created in the dashboard.
 
-	<Note>
-		If this step fails, you may have to add the CA certificate.
-	</Note>
+    <Note>
+    	If this step fails, you may have to add the CA certificate.
+    </Note>
+
+    ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
 
-	![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
   </Step>
   <Step title="Generate dynamic secrets">
 	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
 	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
 	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
 
-	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
-	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
 
-	When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+    When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
 
-	![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+    ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
 
-	<Tip>
-		Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
-	</Tip>
+    <Tip>
+    	Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
+    </Tip>
 
 
-	Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+    Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+    ![Provision Lease](/images/platform/dynamic-secrets/lease-values.png)
 
-	![Provision Lease](/images/platform/dynamic-secrets/lease-values.png)
   </Step>
 </Steps>
 
 ## Audit or Revoke Leases
+
 Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
 This will allow you to see the expiration time of the lease or delete the lease before it's set time to live.
 
 ![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
 
 ## Renew Leases
+
 To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the **Renew** button as illustrated below.
 ![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
 
 <Warning>
-	Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
+  Lease renewals cannot exceed the maximum TTL set when configuring the dynamic
+  secret
 </Warning>

docs/documentation/platform/dynamic-secrets/mysql.mdx

@@ -69,15 +69,28 @@ Create a user with the required permission in your SQL instance. This user will
   </Step>
   <Step title="(Optional) Modify SQL Statements">
   ![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sql-statement-mysql.png)
-  <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
-	</ParamField>
-	<ParamField path="Customize SQL Statement" type="string">
-   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs. This is useful if you want to only give access to a specific table(s).
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
   </Step>
   <Step title="Click `Submit`">

docs/documentation/platform/dynamic-secrets/oracle.mdx

@@ -71,15 +71,28 @@ Create a user with the required permission in your SQL instance. This user will
   </Step>
   <Step title="(Optional) Modify SQL Statements">
 	![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sql-statement-oracle.png)
-	<ParamField path="Username Template" type="string" default="{{randomUsername}}">
-      Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-      Allowed template variables are
-      - `{{randomUsername}}`: Random username string
-      - `{{unixTimestamp}}`: Current Unix timestamp
-	</ParamField>
-	<ParamField path="Customize SQL Statement" type="string">
-  	If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs. This is useful if you want to only give access to a specific table(s).
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
   </Step>
   <Step title="Click 'Submit'">

docs/documentation/platform/dynamic-secrets/postgresql.mdx

@@ -72,12 +72,28 @@ Create a user with the required permission in your SQL instance. This user will
   </Step>
   <Step title="(Optional) Modify SQL Statements">
 	![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sql-statements.png)
-	<ParamField path="Username Template" type="string" default="{{randomUsername}}">
-      Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-      Allowed template variables are
-      - `{{randomUsername}}`: Random username string
-      - `{{unixTimestamp}}`: Current Unix timestamp
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
 	<ParamField path="Customize SQL Statement" type="string">
   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs. This is useful if you want to only give access to a specific table(s).

docs/documentation/platform/dynamic-secrets/rabbit-mq.mdx

@@ -66,12 +66,28 @@ The port that the RabbitMQ management plugin is listening on. This is `15672` by
 </ParamField>
 
 <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-Allowed template variables are
-- `{{randomUsername}}`: Random username string
-- `{{unixTimestamp}}`: Current Unix timestamp
-</ParamField>
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
 
 <ParamField path="CA(SSL)" type="string">
    	A CA may be required if your DB requires it for incoming connections. This is often the case when connecting to a managed service.

docs/documentation/platform/dynamic-secrets/redis.mdx

@@ -57,12 +57,28 @@ Create a user with the required permission in your Redis instance. This user wil
   </Step>
   <Step title="(Optional) Modify Redis Statements">
   ![Modify Redis Statements Modal](/images/platform/dynamic-secrets/modify-redis-statement.png)
-   <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-       Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-       Allowed template variables are
-       - `{{randomUsername}}`: Random username string
-       - `{{unixTimestamp}}`: Current Unix timestamp
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
 	</ParamField>
 	<ParamField path="Customize Redis Statement" type="string">
   	If you want to provide specific privileges for the generated dynamic credentials, you can modify the Redis statement to your needs. This is useful if you want to only give access to a specific table(s).

docs/documentation/platform/dynamic-secrets/sap-ase.mdx

@@ -64,13 +64,29 @@ The Infisical SAP ASE dynamic secret allows you to generate SAP ASE database cre
   </Step>
   <Step title="(Optional) Modify SAP SQL Statements">
     ![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/sap-ase/dynamic-secret-sap-ase-statements.png)
-    <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-        Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-        Allowed template variables are
-        - `{{randomUsername}}`: Random username string
-        - `{{unixTimestamp}}`: Current Unix timestamp
-    </ParamField>
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
     <ParamField path="Customize Statement" type="string">
 
 If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs.

docs/documentation/platform/dynamic-secrets/sap-hana.mdx

@@ -64,12 +64,28 @@ The Infisical SAP HANA dynamic secret allows you to generate SAP HANA database c
   </Step>
   <Step title="(Optional) Modify SAP SQL Statements">
   ![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sap-hana-sql-statements.png)
-    <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-        Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+<ParamField path="Username Template" type="string" default="{{randomUsername}}">
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-        Allowed template variables are
-        - `{{randomUsername}}`: Random username string
-        - `{{unixTimestamp}}`: Current Unix timestamp
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
     </ParamField>
     <ParamField path="Customize Statement" type="string">
 

docs/documentation/platform/dynamic-secrets/snowflake.mdx

@@ -78,12 +78,28 @@ Infisical's Snowflake dynamic secrets allow you to generate Snowflake user crede
     <Step title="(Optional) Modify SQL Statements">
         ![Modify SQL Statements Modal](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-sql-statements.png)
     <ParamField path="Username Template" type="string" default="{{randomUsername}}">
-        Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+    Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
 
-        Allowed template variables are
-        - `{{randomUsername}}`: Random username string
-        - `{{unixTimestamp}}`: Current Unix timestamp
-    </ParamField>
+    Allowed template variables are
+    - `{{randomUsername}}`: Random username string
+    - `{{unixTimestamp}}`: Current Unix timestamp
+    - `{{identity.name}}`: Name of the identity that is generating the secret
+    - `{{random N}}`: Random string of N characters
+
+    Allowed template functions are
+    - `truncate`: Truncates a string to a specified length
+    - `replace`: Replaces a substring with another value
+
+    Examples:
+    ```
+    {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+    {{unixTimestamp}}                               // 17490641580
+    {{identity.name}}                               // testuser
+    {{random-5}}                                    // x9k2m
+    {{truncate identity.name 4}}                    // test
+    {{replace identity.name 'user' 'replace'}}      // testreplace
+    ```
+	</ParamField>
     <ParamField path="Customize Statement" type="string">
 
     If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL

docs/documentation/platform/gateways/gateway-security.mdx

@@ -89,22 +89,3 @@ The relay system provides secure tunneling:
    - Gateways only accept connections to approved resources
    - Each connection requires explicit project authorization
    - Resources remain private to their assigned organization
-
-## Security Measures
-
-### Certificate Lifecycle
-- Certificates have limited validity periods
-- Automatic certificate rotation
-- Immediate certificate revocation capabilities
-
-### Monitoring and Verification
-1. **Continuous Verification**:
-   - Regular heartbeat checks
-   - Certificate chain validation
-   - Connection state monitoring
-
-2. **Security Controls**:
-   - Automatic connection termination on verification failure
-   - Audit logging of all access attempts
-   - Machine identity based authentication
-

docs/documentation/platform/gateways/networking.mdx

@@ -0,0 +1,168 @@
+---
+title: "Networking"
+description: "Network configuration and firewall requirements for Infisical Gateway"
+---
+
+The Infisical Gateway requires outbound network connectivity to establish secure communication with Infisical's relay infrastructure. 
+This page outlines the required ports, protocols, and firewall configurations needed for optimal gateway usage.
+
+## Network Architecture
+
+The gateway uses a relay-based architecture to establish secure connections:
+
+1. **Gateway** connects outbound to **Relay Servers** using UDP/QUIC protocol
+2. **Relay Servers** facilitate secure communication between Gateway and Infisical Cloud
+3. All traffic is end-to-end encrypted using mutual TLS over QUIC
+
+## Required Network Connectivity
+
+### Outbound Connections (Required)
+
+The gateway requires the following outbound connectivity:
+
+| Protocol | Destination | Ports | Purpose |
+|----------|-------------|-------|---------|
+| UDP | Relay Servers | 49152-65535 | Allocated relay communication (TLS) |
+| TCP | app.infisical.com / eu.infisical.com | 443 | API communication and relay allocation |
+
+### Relay Server IP Addresses
+
+Your firewall must allow outbound connectivity to the following Infisical relay servers on dynamically allocated ports.
+
+<Tabs>
+  <Tab title="Infisical cloud (US)">
+    ```
+    54.235.197.91:49152-65535
+    18.215.196.229:49152-65535
+    3.222.120.233:49152-65535
+    34.196.115.157:49152-65535
+    ```
+  </Tab>
+  <Tab title="Infisical cloud (EU)">
+    ```
+    3.125.237.40:49152-65535
+    52.28.157.98:49152-65535
+    3.125.176.90:49152-65535
+    ```
+  </Tab>
+  <Tab title="Infisical dedicated">
+    Please contact your Infisical account manager for dedicated relay server IP addresses.
+  </Tab>
+</Tabs>
+
+<Warning>
+    These IP addresses are static and managed by Infisical. Any changes will be communicated with 60-day advance notice.
+</Warning>
+
+## Protocol Details
+
+### QUIC over UDP
+
+The gateway uses QUIC (Quick UDP Internet Connections) for primary communication:
+
+- **Port 5349**: STUN/TURN over TLS (secure relay communication)
+- **Built-in features**: Connection migration, multiplexing, reduced latency
+- **Encryption**: TLS 1.3 with certificate pinning
+
+## Understanding Firewall Behavior with UDP
+
+Unlike TCP connections, UDP is a stateless protocol, and depending on your organization's firewall configuration, you may need to adjust network rules accordingly.
+When the gateway sends UDP packets to a relay server, the return responses need to be allowed back through the firewall. 
+Modern firewalls handle this through "connection tracking" (also called "stateful inspection"), but the behavior can vary depending on your firewall configuration. 
+
+
+### Connection Tracking 
+
+Modern firewalls automatically track UDP connections and allow return responses. This is the preferred configuration as it:
+- Automatically handles return responses
+- Reduces firewall rule complexity
+- Avoids the need for manual IP whitelisting
+
+In the event that your firewall does not support connection tracking, you will need to whitelist the relay IPs to explicitly define return traffic manually.
+
+## Common Network Scenarios
+
+### Corporate Firewalls
+
+For corporate environments with strict egress filtering:
+
+1. **Whitelist relay IP addresses** (listed above)
+2. **Allow UDP port 5349** outbound
+3. **Configure connection tracking** for UDP return traffic
+4. **Allow ephemeral port range** 49152-65535 for return traffic if connection tracking is disabled
+
+### Cloud Environments (AWS/GCP/Azure)
+
+Configure security groups to allow:
+- **Outbound UDP** to relay IPs on port 5349
+- **Outbound HTTPS** to app.infisical.com/eu.infisical.com on port 443
+- **Inbound UDP** on ephemeral ports (if not using stateful rules)
+
+## Frequently Asked Questions
+
+<Accordion title="What happens if there is a network interruption?">
+The gateway is designed to handle network interruptions gracefully:
+
+- **Automatic reconnection**: The gateway will automatically attempt to reconnect to relay servers every 5 seconds if the connection is lost
+- **Connection retry logic**: Built-in retry mechanisms handle temporary network outages without manual intervention
+- **Multiple relay servers**: If one relay server is unavailable, the gateway can connect to alternative relay servers
+- **Persistent sessions**: Existing connections are maintained where possible during brief network interruptions
+- **Graceful degradation**: The gateway logs connection issues and continues attempting to restore connectivity
+
+No manual intervention is typically required during network interruptions.
+</Accordion>
+
+<Accordion title="Why does the gateway use QUIC instead of TCP?">
+QUIC (Quick UDP Internet Connections) provides several advantages over traditional TCP for gateway communication:
+
+- **Faster connection establishment**: QUIC combines transport and security handshakes, reducing connection setup time
+- **Built-in encryption**: TLS 1.3 is integrated into the protocol, ensuring all traffic is encrypted by default
+- **Connection migration**: QUIC connections can survive IP address changes (useful for NAT rebinding)
+- **Reduced head-of-line blocking**: Multiple data streams can be multiplexed without blocking each other
+- **Better performance over unreliable networks**: Advanced congestion control and packet loss recovery
+- **Lower latency**: Optimized for real-time communication between gateway and cloud services
+
+While TCP is stateful and easier for firewalls to track, QUIC's performance benefits outweigh the additional firewall configuration requirements.
+</Accordion>
+
+<Accordion title="Do I need to open any inbound ports on my firewall?">
+No inbound ports need to be opened. The gateway only makes outbound connections:
+
+- **Outbound UDP** to relay servers on ports 49152-65535
+- **Outbound HTTPS** to Infisical API endpoints
+- **Return responses** are handled by connection tracking or explicit IP whitelisting
+
+This design maintains security by avoiding the need for inbound firewall rules that could expose your network to external threats.
+</Accordion>
+
+<Accordion title="What if my firewall blocks the required UDP ports?">
+If your firewall has strict UDP restrictions:
+
+1. **Work with your network team** to allow outbound UDP to the specific relay IP addresses
+2. **Use explicit IP whitelisting** if connection tracking is disabled  
+3. **Consider network policy exceptions** for the gateway host
+4. **Monitor firewall logs** to identify which specific rules are blocking traffic
+
+The gateway requires UDP connectivity to function - TCP-only configurations are not supported.
+</Accordion>
+
+<Accordion title="How many relay servers does the gateway connect to?">
+The gateway connects to **one relay server at a time**:
+
+- **Single active connection**: Only one relay connection is established per gateway instance
+- **Automatic failover**: If the current relay becomes unavailable, the gateway will connect to an alternative relay
+- **Load distribution**: Different gateway instances may connect to different relay servers for load balancing
+- **No manual selection**: The Infisical API automatically assigns the optimal relay server based on availability and proximity
+
+You should whitelist all relay IP addresses to ensure proper failover functionality.
+</Accordion>
+<Accordion title="Can the relay servers decrypt traffic going through them?">
+No, relay servers cannot decrypt any traffic passing through them:
+
+- **End-to-end encryption**: All traffic between the gateway and Infisical Cloud is encrypted using mutual TLS with certificate pinning
+- **Relay acts as a tunnel**: The relay server only forwards encrypted packets - it has no access to encryption keys
+- **No data storage**: Relay servers do not store any traffic or network-identifiable information  
+- **Certificate isolation**: Each organization has its own private PKI system, ensuring complete tenant isolation
+
+The relay infrastructure is designed as a secure forwarding mechanism, similar to a VPN tunnel, where the relay provider cannot see the contents of the traffic flowing through it.
+</Accordion>

docs/documentation/platform/gateways/overview.mdx

@@ -32,7 +32,7 @@ For detailed installation instructions, refer to the Infisical [CLI Installation
 To function, the Gateway must authenticate with Infisical. This requires a machine identity configured with the appropriate permissions to create and manage a Gateway.
 Once authenticated, the Gateway establishes a secure connection with Infisical to allow your private resources to be reachable.
 
-### Deployment process
+### Get started
 
 <Steps>
   <Step title="Create a Gateway Identity">

docs/documentation/platform/identities/oidc-auth/azure.mdx

@@ -0,0 +1,157 @@
+---
+title: Azure
+description: "Learn how to authenticate Azure pipelines with Infisical using OpenID Connect (OIDC)."
+---
+
+**OIDC Auth** is a platform-agnostic JWT-based authentication method that can be used to authenticate from any platform or environment using an identity provider with OpenID Connect.
+
+## Diagram
+
+The following sequence diagram illustrates the OIDC Auth workflow for authenticating Azure pipelines with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Azure Pipeline
+  participant Idp as Identity Provider
+  participant Infis as Infisical
+
+  Client->>Idp: Step 1: Request identity token
+  Idp-->>Client: Return JWT with verifiable claims
+
+  Note over Client,Infis: Step 2: Login Operation
+  Client->>Infis: Send signed JWT to /api/v1/auth/oidc-auth/login
+
+  Note over Infis,Idp: Step 3: Query verification
+  Infis->>Idp: Request JWT public key using OIDC Discovery
+  Idp-->>Infis: Return public key
+
+  Note over Infis: Step 4: JWT validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 5: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates a client by verifying the JWT and checking that it meets specific requirements (e.g. it is issued by a trusted identity provider) at the `/api/v1/auth/oidc-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The Azure pipeline requests an identity token from Azure's identity provider.
+2. The fetched identity token is sent to Infisical at the `/api/v1/auth/oidc-auth/login` endpoint.
+3. Infisical fetches the public key that was used to sign the identity token from Azure's identity provider using OIDC Discovery.
+4. Infisical validates the JWT using the public key provided by the identity provider and checks that the subject, audience, and claims of the token matches with the set criteria.
+5. If all is well, Infisical returns a short-lived access token that the Azure pipeline can use to make authenticated requests to the Infisical API.
+
+<Note>
+  Infisical needs network-level access to Azure's identity provider endpoints.
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities to access the Infisical API using the OIDC Auth authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be redirected to a page where you can manage the identity.
+
+    ![identities page](/images/platform/identities/identities-page.png)
+
+    Since the identity has been configured with Universal Auth by default, you should re-configure it to use OIDC Auth instead. To do this, press to edit the **Authentication** section,
+    remove the existing Universal Auth configuration, and add a new OIDC Auth configuration onto the identity.
+
+    ![identities page remove default auth](/images/platform/identities/identities-page-remove-default-auth.png)
+
+    ![identities create oidc auth method](/images/platform/identities/identities-org-create-oidc-auth-method.png)
+
+    <Warning>Restrict access by configuring the Subject, Audiences, and Claims fields</Warning>
+
+    Here's some more guidance on each field:
+    - <div style={{ textAlign: 'justify' }}>**OIDC Discovery URL**: The URL used to retrieve the OpenID Connect configuration from the identity provider. This is used to fetch the public keys needed to verify the JWT. For Azure, set this to `https://login.microsoftonline.com/{tenant-id}/v2.0` (replace `{tenant-id}` with your Azure AD tenant ID).</div>
+    - <div style={{ textAlign: 'justify' }}>**Issuer**: The value of the `iss` claim that the token must match. For Azure, this should be `https://login.microsoftonline.com/{tenant-id}/v2.0`.</div>
+    - **Subject**: This must match the `sub` claim in the JWT.
+    - **Audiences**: Values that must match the `aud` claim.
+    - **Claims**: Additional claims that must be present. Refer to [Azure DevOps docs](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation) for available claims.
+    - **Access Token TTL**: Lifetime of the issued token (in seconds), e.g., `2592000` (30 days)
+    - **Access Token Max TTL**: Maximum allowed lifetime of the token
+    - **Access Token Max Number of Uses**: Max times the token can be used (`0` = unlimited)
+    - **Access Token Trusted IPs**: List of allowed IP ranges (defaults to `0.0.0.0/0`)
+
+    <Tip>If you are unsure about what to configure for the subject, audience, and claims fields, you can inspect the JWT token from your Azure DevOps pipeline by adding a debug step that outputs the token claims.</Tip>
+    <Info>The `subject`, `audiences`, and `claims` fields support glob pattern matching; however, we highly recommend using hardcoded values whenever possible.</Info>
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+    In Azure DevOps, to authenticate with Infisical using OIDC, you must configure a service connection that enables workload identity federation.
+
+    Once set up, the OIDC token can be fetched automatically within the pipeline job context. Here's an example:
+
+    ```yaml
+    trigger:
+    - main
+
+    pool:
+      vmImage: ubuntu-latest
+
+    steps:
+    - task: AzureCLI@2
+      displayName: 'Retrieve secrets from Infisical using OIDC'
+      inputs:
+        azureSubscription: 'your-azure-service-connection-name'
+        scriptType: 'bash'
+        scriptLocation: 'inlineScript'
+        addSpnToEnvironment: true
+        inlineScript: |
+          # Get OIDC access token
+          OIDC_TOKEN=$(az account get-access-token --resource "api://AzureADTokenExchange" --query accessToken -o tsv)
+          
+          [ -z "$OIDC_TOKEN" ] && { echo "Failed to get access token"; exit 1; }
+          
+          # Exchange for Infisical access token
+          ACCESS_TOKEN=$(curl -s -X POST "<YOUR-INFISICAL-INSTANCE-URL>/api/v1/auth/oidc-auth/login" \
+            -H "Content-Type: application/json" \
+            -d "{\"identityId\":\"{your-identity-id}\",\"jwt\":\"$OIDC_TOKEN\"}" \
+            | jq -r '.accessToken')
+          
+          # Fetch secrets
+          curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
+            "<YOUR-INFISICAL-INSTANCE-URL>/api/v3/secrets/raw?environment={your-environment-slug}&workspaceSlug={your-workspace-slug}"
+    ```
+
+    Make sure the service connection is properly configured for workload identity federation and linked to your Azure AD app registration with appropriate claims.
+
+    <Note>
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+    </Note>
+
+    </Step>
+</Steps>

docs/documentation/setup/networking.mdx

@@ -4,33 +4,36 @@ sidebarTitle: "Networking"
 description: "Network configuration details for Infisical Cloud"
 ---
 
-## Overview
-
 When integrating your infrastructure with Infisical Cloud, you may need to configure network access controls. This page provides the IP addresses that Infisical uses to communicate with your services.
 
-## Egress IP Addresses
+## Infisical IP Addresses
 
-Infisical Cloud operates from two regions: US and EU. If your infrastructure has strict network policies, you may need to allow traffic from Infisical by adding the following IP addresses to your ingress rules. These are the egress IPs Infisical uses when making outbound requests to your services.
+Infisical Cloud operates from multiple regions. If your infrastructure has strict network policies, you may need to allow traffic from Infisical by adding the following IP addresses to your ingress rules. These are the IP addresses that Infisical uses when making outbound requests to your services.
 
-### US Region
+<Tabs>
+  <Tab title="US Region">
+    ```
+    3.213.63.16
+    54.164.68.7
+    ```
+  </Tab>
+  
+  <Tab title="EU Region">
+    ```
+    3.77.89.19
+    3.125.209.189
+    ```
+  </Tab>
+  
+  <Tab title="Dedicated Cloud">
+    For dedicated Infisical deployments, please contact your account manager for the specific IP addresses used in your dedicated environment.
+  </Tab>
+</Tabs>
 
-To allow connections from Infisical US, add these IP addresses to your ingress rules:
+<Warning>
+These IP addresses are static and managed by Infisical. Any changes will be communicated with 60-day advance notice.
+</Warning>
 
-- `3.213.63.16`
-- `54.164.68.7`
+## What These IP Addresses Are Used For
 
-### EU Region
-
-To allow connections from Infisical EU, add these IP addresses to your ingress rules:
-
-- `3.77.89.19`
-- `3.125.209.189`
-
-## Common Use Cases
-
-You may need to allow Infisical’s egress IPs if your services require inbound connections for:
-
-- Secret rotation - When Infisical needs to send requests to your systems to automatically rotate credentials
-- Dynamic secrets - When Infisical generates and manages temporary credentials for your cloud services
-- Secret integrations - When syncing secrets with third-party services like Azure Key Vault
-- Native authentication with machine identities - When using methods like Kubernetes authentication
+These IP addresses represent the source IPs you'll see when Infisical Cloud makes connections to your infrastructure. All outbound traffic from Infisical Cloud originates from these IP addresses, ensuring predictable source IP addresses for your firewall rules.

docs/integrations/secret-syncs/1password.mdx

@@ -46,7 +46,7 @@ description: "Learn how to configure a 1Password Sync for Infisical."
                     - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                     - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over 1Password when keys conflict.
                     - **Import Secrets (Prioritize 1Password)**: Imports secrets from the destination endpoint before syncing, prioritizing values from 1Password over Infisical when keys conflict.
-                - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+                - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
                 <Note>
                     We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
                 </Note>

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -40,7 +40,7 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Parameter Store when keys conflict.
                 - **Import Secrets (Prioritize AWS Parameter Store)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Parameter Store over Infisical when keys conflict.
-            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
             <Note>
                 We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
             </Note>

docs/integrations/secret-syncs/aws-secrets-manager.mdx

@@ -43,7 +43,7 @@ description: "Learn how to configure an AWS Secrets Manager Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize AWS Secrets Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
-            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
             <Note>
                 We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
             </Note>

docs/integrations/secret-syncs/azure-app-configuration.mdx

@@ -48,7 +48,7 @@ description: "Learn how to configure an Azure App Configuration Sync for Infisic
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize Azure App Configuration)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
-            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
             <Note>
                 We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
             </Note>