Update infisical-agent.mdx

GH Action: rename new migration file timestamp

backend/package-lock.json

@@ -36,6 +36,7 @@
         "bcrypt": "^5.1.1",
         "bullmq": "^5.4.2",
         "cassandra-driver": "^4.7.2",
+        "cron": "^3.1.7",
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
@@ -4806,6 +4807,11 @@
         "long": "*"
       }
     },
+    "node_modules/@types/luxon": {
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/@types/luxon/-/luxon-3.4.2.tgz",
+      "integrity": "sha512-TifLZlFudklWlMBfhubvgqTXRzLDI5pCbGa4P8a3wPyUQSW+1xQ5eDsreP9DWHX3tjq1ke96uYG/nwundroWcA=="
+    },
     "node_modules/@types/mime": {
       "version": "1.3.5",
       "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",
@@ -6689,6 +6695,15 @@
       "integrity": "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==",
       "dev": true
     },
+    "node_modules/cron": {
+      "version": "3.1.7",
+      "resolved": "https://registry.npmjs.org/cron/-/cron-3.1.7.tgz",
+      "integrity": "sha512-tlBg7ARsAMQLzgwqVxy8AZl/qlTc5nibqYwtNGoCrd+cV+ugI+tvZC1oT/8dFH8W455YrywGykx/KMmAqOr7Jw==",
+      "dependencies": {
+        "@types/luxon": "~3.4.0",
+        "luxon": "~3.4.0"
+      }
+    },
     "node_modules/cron-parser": {
       "version": "4.9.0",
       "resolved": "https://registry.npmjs.org/cron-parser/-/cron-parser-4.9.0.tgz",

backend/package.json

@@ -97,6 +97,7 @@
     "bcrypt": "^5.1.1",
     "bullmq": "^5.4.2",
     "cassandra-driver": "^4.7.2",
+    "cron": "^3.1.7",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",

backend/src/@types/fastify.d.ts

@@ -48,6 +48,7 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { TRateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -147,6 +148,7 @@ declare module "fastify" {
       projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
       identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
       secretSharing: TSecretSharingServiceFactory;
+      rateLimit: TRateLimitServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -149,6 +149,9 @@ import {
   TProjectUserMembershipRoles,
   TProjectUserMembershipRolesInsert,
   TProjectUserMembershipRolesUpdate,
+  TRateLimit,
+  TRateLimitInsert,
+  TRateLimitUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -343,6 +346,7 @@ declare module "knex/types/tables" {
       TSecretFolderVersionsUpdate
     >;
     [TableName.SecretSharing]: Knex.CompositeTableType<TSecretSharing, TSecretSharingInsert, TSecretSharingUpdate>;
+    [TableName.RateLimit]: Knex.CompositeTableType<TRateLimit, TRateLimitInsert, TRateLimitUpdate>;
     [TableName.SecretTag]: Knex.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
     [TableName.SecretImport]: Knex.CompositeTableType<TSecretImports, TSecretImportsInsert, TSecretImportsUpdate>;
     [TableName.Integration]: Knex.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;

backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.RateLimit))) {
+    await knex.schema.createTable(TableName.RateLimit, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("readRateLimit").defaultTo(600).notNullable();
+      t.integer("writeRateLimit").defaultTo(200).notNullable();
+      t.integer("secretsRateLimit").defaultTo(60).notNullable();
+      t.integer("authRateLimit").defaultTo(60).notNullable();
+      t.integer("inviteUserRateLimit").defaultTo(30).notNullable();
+      t.integer("mfaRateLimit").defaultTo(20).notNullable();
+      t.integer("creationLimit").defaultTo(30).notNullable();
+      t.integer("publicEndpointLimit").defaultTo(30).notNullable();
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.RateLimit);
+
+    // create init rate limit entry with defaults
+    await knex(TableName.RateLimit).insert({});
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.RateLimit);
+  await dropOnUpdateTrigger(knex, TableName.RateLimit);
+}

backend/src/db/schemas/index.ts

@@ -48,6 +48,7 @@ export * from "./project-roles";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
+export * from "./rate-limit";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/models.ts

@@ -18,6 +18,7 @@ export enum TableName {
   IncidentContact = "incident_contacts",
   UserAction = "user_actions",
   SuperAdmin = "super_admin",
+  RateLimit = "rate_limit",
   ApiKey = "api_keys",
   Project = "projects",
   ProjectBot = "project_bots",

backend/src/db/schemas/rate-limit.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RateLimitSchema = z.object({
+  id: z.string().uuid(),
+  readRateLimit: z.number().default(600),
+  writeRateLimit: z.number().default(200),
+  secretsRateLimit: z.number().default(60),
+  authRateLimit: z.number().default(60),
+  inviteUserRateLimit: z.number().default(30),
+  mfaRateLimit: z.number().default(20),
+  creationLimit: z.number().default(30),
+  publicEndpointLimit: z.number().default(30),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TRateLimit = z.infer<typeof RateLimitSchema>;
+export type TRateLimitInsert = Omit<z.input<typeof RateLimitSchema>, TImmutableDBKeys>;
+export type TRateLimitUpdate = Partial<Omit<z.input<typeof RateLimitSchema>, TImmutableDBKeys>>;

backend/src/server/app.ts

@@ -17,6 +17,8 @@ import { Logger } from "pino";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
+import { rateLimitDALFactory } from "@app/services/rate-limit/rate-limit-dal";
+import { rateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
 import { globalRateLimiterCfg } from "./config/rateLimiter";
@@ -69,8 +71,12 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
 
     // Rate limiters and security headers
     if (appCfg.isProductionMode) {
+      const rateLimitDAL = rateLimitDALFactory(db);
+      const rateLimitService = rateLimitServiceFactory({ rateLimitDAL });
+      await rateLimitService.syncRateLimitConfiguration();
       await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
     }
+
     await server.register(helmet, { contentSecurityPolicy: false });
 
     await server.register(maintenanceMode);

backend/src/server/config/rateLimiter.ts

@@ -2,6 +2,7 @@ import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-lim
 import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
+import { getRateLimiterConfig } from "@app/services/rate-limit/rate-limit-service";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
@@ -21,14 +22,14 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 // GET endpoints
 export const readLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: 600,
+  max: () => getRateLimiterConfig().readLimit,
   keyGenerator: (req) => req.realIp
 };
 
 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: 200, // (too low, FA having issues so increasing it - maidul)
+  max: () => getRateLimiterConfig().writeLimit,
   keyGenerator: (req) => req.realIp
 };
 
@@ -36,25 +37,25 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 60,
+  max: () => getRateLimiterConfig().secretsLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const authRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: 60,
+  max: () => getRateLimiterConfig().authRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const inviteUserRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().inviteUserRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const mfaRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: 20,
+  max: () => getRateLimiterConfig().mfaRateLimit,
   keyGenerator: (req) => {
     return req.headers.authorization?.split(" ")[1] || req.realIp;
   }
@@ -63,7 +64,7 @@ export const mfaRateLimit: RateLimitOptions = {
 export const creationLimit: RateLimitOptions = {
   // identity, project, org
   timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().creationLimit,
   keyGenerator: (req) => req.realIp
 };
 
@@ -71,6 +72,6 @@ export const creationLimit: RateLimitOptions = {
 export const publicEndpointLimit: RateLimitOptions = {
   // Shared Secrets
   timeWindow: 60 * 1000,
-  max: 30,
+  max: () => getRateLimiterConfig().publicEndpointLimit,
   keyGenerator: (req) => req.realIp
 };

backend/src/server/routes/index.ts

@@ -1,3 +1,4 @@
+import { CronJob } from "cron";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -121,6 +122,8 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { rateLimitDALFactory } from "@app/services/rate-limit/rate-limit-dal";
+import { rateLimitServiceFactory } from "@app/services/rate-limit/rate-limit-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
@@ -185,6 +188,7 @@ export const registerRoutes = async (
   const incidentContactDAL = incidentContactDALFactory(db);
   const orgRoleDAL = orgRoleDALFactory(db);
   const superAdminDAL = superAdminDALFactory(db);
+  const rateLimitDAL = rateLimitDALFactory(db);
   const apiKeyDAL = apiKeyDALFactory(db);
 
   const projectDAL = projectDALFactory(db);
@@ -444,6 +448,9 @@ export const registerRoutes = async (
     orgService,
     keyStore
   });
+  const rateLimitService = rateLimitServiceFactory({
+    rateLimitDAL
+  });
   const apiKeyService = apiKeyServiceFactory({ apiKeyDAL, userDAL });
 
   const secretScanningQueue = secretScanningQueueFactory({
@@ -862,6 +869,7 @@ export const registerRoutes = async (
     secret: secretService,
     secretReplication: secretReplicationService,
     secretTag: secretTagService,
+    rateLimit: rateLimitService,
     folder: folderService,
     secretImport: secretImportService,
     projectBot: projectBotService,
@@ -900,6 +908,11 @@ export const registerRoutes = async (
     secretSharing: secretSharingService
   });
 
+  const cronJobs: CronJob[] = [];
+  if (appCfg.isProductionMode) {
+    cronJobs.push(rateLimitService.initializeBackgroundSync());
+  }
+
   server.decorate<FastifyZodProvider["store"]>("store", {
     user: userDAL
   });
@@ -954,6 +967,7 @@ export const registerRoutes = async (
   await server.register(registerV3Routes, { prefix: "/api/v3" });
 
   server.addHook("onClose", async () => {
+    cronJobs.forEach((job) => job.stop());
     await telemetryService.flushAll();
   });
 };

backend/src/server/routes/v1/index.ts

@@ -17,6 +17,7 @@ import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
+import { registerRateLimitRouter } from "./rate-limit-router";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
 import { registerSecretSharingRouter } from "./secret-sharing-router";
@@ -43,6 +44,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerPasswordRouter, { prefix: "/password" });
   await server.register(registerOrgRouter, { prefix: "/organization" });
   await server.register(registerAdminRouter, { prefix: "/admin" });
+  await server.register(registerRateLimitRouter, { prefix: "/rate-limit" });
   await server.register(registerUserRouter, { prefix: "/user" });
   await server.register(registerInviteOrgRouter, { prefix: "/invite-org" });
   await server.register(registerUserActionRouter, { prefix: "/user-action" });

backend/src/server/routes/v1/rate-limit-router.ts

@@ -0,0 +1,75 @@
+import { z } from "zod";
+
+import { RateLimitSchema } from "@app/db/schemas";
+import { BadRequestError } from "@app/lib/errors";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          rateLimit: RateLimitSchema
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async () => {
+      const rateLimit = await server.services.rateLimit.getRateLimits();
+      if (!rateLimit) {
+        throw new BadRequestError({
+          name: "Get Rate Limit Error",
+          message: "Rate limit configuration does not exist."
+        });
+      }
+      return { rateLimit };
+    }
+  });
+
+  server.route({
+    method: "PUT",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+
+    schema: {
+      body: z.object({
+        readRateLimit: z.number(),
+        writeRateLimit: z.number(),
+        secretsRateLimit: z.number(),
+        authRateLimit: z.number(),
+        inviteUserRateLimit: z.number(),
+        mfaRateLimit: z.number(),
+        creationLimit: z.number(),
+        publicEndpointLimit: z.number()
+      }),
+      response: {
+        200: z.object({
+          rateLimit: RateLimitSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const rateLimit = await server.services.rateLimit.updateRateLimit(req.body);
+      return { rateLimit };
+    }
+  });
+};

backend/src/services/rate-limit/rate-limit-dal.ts

@@ -0,0 +1,7 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TRateLimitDALFactory = ReturnType<typeof rateLimitDALFactory>;
+
+export const rateLimitDALFactory = (db: TDbClient) => ormify(db, TableName.RateLimit, {});

backend/src/services/rate-limit/rate-limit-service.ts

@@ -0,0 +1,95 @@
+import { CronJob } from "cron";
+
+import { logger } from "@app/lib/logger";
+
+import { TRateLimitDALFactory } from "./rate-limit-dal";
+import { TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
+
+let rateLimitMaxConfiguration = {
+  readLimit: 60,
+  publicEndpointLimit: 30,
+  writeLimit: 200,
+  secretsLimit: 60,
+  authRateLimit: 60,
+  inviteUserRateLimit: 30,
+  mfaRateLimit: 20,
+  creationLimit: 30
+};
+
+Object.freeze(rateLimitMaxConfiguration);
+
+export const getRateLimiterConfig = () => {
+  return rateLimitMaxConfiguration;
+};
+
+type TRateLimitServiceFactoryDep = {
+  rateLimitDAL: TRateLimitDALFactory;
+};
+
+export type TRateLimitServiceFactory = ReturnType<typeof rateLimitServiceFactory>;
+
+export const rateLimitServiceFactory = ({ rateLimitDAL }: TRateLimitServiceFactoryDep) => {
+  const DEFAULT_RATE_LIMIT_CONFIG_ID = "00000000-0000-0000-0000-000000000000";
+
+  const getRateLimits = async (): Promise<TRateLimit | undefined> => {
+    let rateLimit: TRateLimit;
+
+    try {
+      rateLimit = await rateLimitDAL.findOne({ id: DEFAULT_RATE_LIMIT_CONFIG_ID });
+      if (!rateLimit) {
+        // rate limit might not exist
+        rateLimit = await rateLimitDAL.create({
+          // @ts-expect-error id is kept as fixed because there should only be one rate limit config per instance
+          id: DEFAULT_RATE_LIMIT_CONFIG_ID
+        });
+      }
+      return rateLimit;
+    } catch (err) {
+      logger.error("Error fetching rate limits %o", err);
+      return undefined;
+    }
+  };
+
+  const updateRateLimit = async (updates: TRateLimitUpdateDTO): Promise<TRateLimit> => {
+    return rateLimitDAL.updateById(DEFAULT_RATE_LIMIT_CONFIG_ID, updates);
+  };
+
+  const syncRateLimitConfiguration = async () => {
+    try {
+      const rateLimit = await getRateLimits();
+      if (rateLimit) {
+        const newRateLimitMaxConfiguration: typeof rateLimitMaxConfiguration = {
+          readLimit: rateLimit.readRateLimit,
+          publicEndpointLimit: rateLimit.publicEndpointLimit,
+          writeLimit: rateLimit.writeRateLimit,
+          secretsLimit: rateLimit.secretsRateLimit,
+          authRateLimit: rateLimit.authRateLimit,
+          inviteUserRateLimit: rateLimit.inviteUserRateLimit,
+          mfaRateLimit: rateLimit.mfaRateLimit,
+          creationLimit: rateLimit.creationLimit
+        };
+
+        logger.info(`syncRateLimitConfiguration: rate limit configuration: %o`, newRateLimitMaxConfiguration);
+        Object.freeze(newRateLimitMaxConfiguration);
+        rateLimitMaxConfiguration = newRateLimitMaxConfiguration;
+      }
+    } catch (error) {
+      logger.error(`Error syncing rate limit configurations: %o`, error);
+    }
+  };
+
+  const initializeBackgroundSync = () => {
+    // sync rate limits configuration every 10 minutes
+    const job = new CronJob("*/10 * * * *", syncRateLimitConfiguration);
+    job.start();
+
+    return job;
+  };
+
+  return {
+    getRateLimits,
+    updateRateLimit,
+    initializeBackgroundSync,
+    syncRateLimitConfiguration
+  };
+};

backend/src/services/rate-limit/rate-limit-types.ts

@@ -0,0 +1,16 @@
+export type TRateLimitUpdateDTO = {
+  readRateLimit: number;
+  writeRateLimit: number;
+  secretsRateLimit: number;
+  authRateLimit: number;
+  inviteUserRateLimit: number;
+  mfaRateLimit: number;
+  creationLimit: number;
+  publicEndpointLimit: number;
+};
+
+export type TRateLimit = {
+  id: string;
+  createdAt: Date;
+  updatedAt: Date;
+} & TRateLimitUpdateDTO;

cli/go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
+	github.com/infisical/go-sdk v0.2.0
 	github.com/mattn/go-isatty v0.0.14
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
@@ -22,23 +23,48 @@ require (
 	github.com/rs/zerolog v1.26.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.8.1
-	golang.org/x/crypto v0.14.0
-	golang.org/x/term v0.13.0
+	github.com/stretchr/testify v1.9.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/term v0.20.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
+	cloud.google.com/go/auth v0.5.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/iam v1.1.8 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/errors v0.20.2 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
@@ -59,17 +85,30 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/api v0.183.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (
 	github.com/fatih/color v1.13.0
-	github.com/go-resty/resty/v2 v2.10.0
+	github.com/go-resty/resty/v2 v2.13.1
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/manifoldco/promptui v0.9.0

cli/go.sum

@@ -18,15 +18,23 @@ cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmW
 cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
 cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
 cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go/auth v0.5.1 h1:0QNO7VThG54LUzKiQxv8C6x1YX7lUrzlAa1nVLF8CIw=
+cloud.google.com/go/auth v0.5.1/go.mod h1:vbZT8GjzDf3AVqCcQmqeeM32U9HBFc32vVVAbwDsa6s=
+cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
+cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
+cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -49,6 +57,32 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@@ -97,6 +131,8 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/semgroup v1.2.0 h1:h/OLXwEM+3NNyAdZEpMiH1OzfplU09i2qXPVThGZvyg=
 github.com/fatih/semgroup v1.2.0/go.mod h1:1KAD4iIYfXjE4U13B48VM4z9QUwV5Tt8O4rS879kgm8=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -105,12 +141,17 @@ github.com/gitleaks/go-gitdiff v0.8.0/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-resty/resty/v2 v2.10.0 h1:Qla4W/+TMmv0fOeeRqzEpXPLfTUnR5HZ1+lGs+CkiCo=
-github.com/go-resty/resty/v2 v2.10.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A=
+github.com/go-resty/resty/v2 v2.13.1 h1:x+LHXBI2nMB1vqndymf26quycC4aggYJ7DECYbiz03g=
+github.com/go-resty/resty/v2 v2.13.1/go.mod h1:GznXlLxkq6Nh4sU59rPmUw3VtgpO3aS96ORAI6Q7d+0=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -119,6 +160,8 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfU
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -144,6 +187,8 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -157,8 +202,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -175,11 +221,18 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
+github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
+github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
@@ -210,6 +263,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/infisical/go-sdk v0.2.0 h1:n1/KNdYpeQavSqVwC9BfeV8VRzf3N2X9zO1tzQOSj5Q=
+github.com/infisical/go-sdk v0.2.0/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -330,8 +385,9 @@ github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -340,8 +396,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
@@ -372,6 +429,18 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
@@ -385,8 +454,9 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -465,8 +535,9 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -479,6 +550,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -491,8 +564,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -546,14 +620,16 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -565,13 +641,14 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -652,6 +729,8 @@ google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjR
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
 google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
+google.golang.org/api v0.183.0 h1:PNMeRDwo1pJdgNcFQ9GstuLe/noWKIc89pRWRLMvLwE=
+google.golang.org/api v0.183.0/go.mod h1:q43adC5/pHoSZTx5h2mSmdF7NcyfW9JuDyIOJAgS9ZQ=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -700,6 +779,10 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e h1:SkdGTrROJl2jRGT/Fxv5QUf9jtdKCQh4KQJXbXVLAi0=
+google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e/go.mod h1:LweJcLbyVij6rCex8YunD8DYR5VDonap/jYl3ZRxcIU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -720,6 +803,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -732,6 +817,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

cli/packages/api/api.go

@@ -490,7 +490,7 @@ func CallUniversalAuthLogin(httpClient *resty.Client, request UniversalAuthLogin
 	return universalAuthLoginResponse, nil
 }
 
-func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request UniversalAuthRefreshRequest) (UniversalAuthRefreshResponse, error) {
+func CallMachineIdentityRefreshAccessToken(httpClient *resty.Client, request UniversalAuthRefreshRequest) (UniversalAuthRefreshResponse, error) {
 	var universalAuthRefreshResponse UniversalAuthRefreshResponse
 	response, err := httpClient.
 		R().
@@ -500,11 +500,11 @@ func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request Unive
 		Post(fmt.Sprintf("%v/v1/auth/token/renew", config.INFISICAL_URL))
 
 	if err != nil {
-		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unable to complete api request [err=%s]", err)
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallMachineIdentityRefreshAccessToken: Unable to complete api request [err=%s]", err)
 	}
 
 	if response.IsError() {
-		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallMachineIdentityRefreshAccessToken: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
 	}
 
 	return universalAuthRefreshResponse, nil

cli/packages/cmd/agent.go

@@ -20,6 +20,7 @@ import (
 	"text/template"
 	"time"
 
+	infisicalSdk "github.com/infisical/go-sdk"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v2"
 
@@ -59,9 +60,26 @@ type UniversalAuth struct {
 	RemoveClientSecretOnRead bool   `yaml:"remove_client_secret_on_read"`
 }
 
-type OAuthConfig struct {
-	ClientID     string `yaml:"client-id"`
-	ClientSecret string `yaml:"client-secret"`
+type KubernetesAuth struct {
+	IdentityID          string `yaml:"identity-id"`
+	ServiceAccountToken string `yaml:"service-account-token"`
+}
+
+type AzureAuth struct {
+	IdentityID string `yaml:"identity-id"`
+}
+
+type GcpIdTokenAuth struct {
+	IdentityID string `yaml:"identity-id"`
+}
+
+type GcpIamAuth struct {
+	IdentityID        string `yaml:"identity-id"`
+	ServiceAccountKey string `yaml:"service-account-key"`
+}
+
+type AwsIamAuth struct {
+	IdentityID string `yaml:"identity-id"`
 }
 
 type Sink struct {
@@ -87,15 +105,6 @@ type Template struct {
 	} `yaml:"config"`
 }
 
-func newAgentTemplateChannels(templates []Template) map[string]chan bool {
-	// we keep each destination as an identifier for various channel
-	templateChannel := make(map[string]chan bool)
-	for _, template := range templates {
-		templateChannel[template.DestinationPath] = make(chan bool)
-	}
-	return templateChannel
-}
-
 type DynamicSecretLease struct {
 	LeaseID     string
 	ExpireAt    time.Time
@@ -256,6 +265,14 @@ func WriteBytesToFile(data *bytes.Buffer, outputPath string) error {
 	return err
 }
 
+func ParseAuthConfig(authConfigFile []byte, destination interface{}) error {
+	if err := yaml.Unmarshal(authConfigFile, destination); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func ParseAgentConfig(configFile []byte) (*Config, error) {
 	var rawConfig struct {
 		Infisical InfisicalConfig `yaml:"infisical"`
@@ -283,36 +300,13 @@ func ParseAgentConfig(configFile []byte) (*Config, error) {
 	config := &Config{
 		Infisical: rawConfig.Infisical,
 		Auth: AuthConfig{
-			Type: rawConfig.Auth.Type,
+			Type:   rawConfig.Auth.Type,
+			Config: rawConfig.Auth.Config,
 		},
 		Sinks:     rawConfig.Sinks,
 		Templates: rawConfig.Templates,
 	}
 
-	// Marshal and then unmarshal the config based on the type
-	configBytes, err := yaml.Marshal(rawConfig.Auth.Config)
-	if err != nil {
-		return nil, err
-	}
-
-	switch rawConfig.Auth.Type {
-	case "universal-auth":
-		var tokenConfig UniversalAuth
-		if err := yaml.Unmarshal(configBytes, &tokenConfig); err != nil {
-			return nil, err
-		}
-
-		config.Auth.Config = tokenConfig
-	case "oauth": // aws, gcp, k8s service account, etc
-		var oauthConfig OAuthConfig
-		if err := yaml.Unmarshal(configBytes, &oauthConfig); err != nil {
-			return nil, err
-		}
-		config.Auth.Config = oauthConfig
-	default:
-		return nil, fmt.Errorf("unknown auth type: %s", rawConfig.Auth.Type)
-	}
-
 	return config, nil
 }
 
@@ -337,7 +331,7 @@ func dynamicSecretTemplateFunction(accessToken string, dynamicSecretManager *Dyn
 	return func(args ...string) (map[string]interface{}, error) {
 		argLength := len(args)
 		if argLength != 4 && argLength != 5 {
-			return nil, fmt.Errorf("Invalid arguments found for dynamic-secret function. Check template %i", templateId)
+			return nil, fmt.Errorf("invalid arguments found for dynamic-secret function. Check template %d", templateId)
 		}
 
 		projectSlug, envSlug, secretPath, slug, ttl := args[0], args[1], args[2], args[3], ""
@@ -421,32 +415,54 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 }
 
 type AgentManager struct {
-	accessToken                    string
-	accessTokenTTL                 time.Duration
-	accessTokenMaxTTL              time.Duration
-	accessTokenFetchedTime         time.Time
-	accessTokenRefreshedTime       time.Time
-	mutex                          sync.Mutex
-	filePaths                      []Sink // Store file paths if needed
-	templates                      []Template
-	dynamicSecretLeases            *DynamicSecretLeaseManager
-	clientIdPath                   string
-	clientSecretPath               string
-	newAccessTokenNotificationChan chan bool
-	removeClientSecretOnRead       bool
-	cachedClientSecret             string
-	exitAfterAuth                  bool
+	accessToken              string
+	accessTokenTTL           time.Duration
+	accessTokenMaxTTL        time.Duration
+	accessTokenFetchedTime   time.Time
+	accessTokenRefreshedTime time.Time
+	mutex                    sync.Mutex
+	filePaths                []Sink // Store file paths if needed
+	templates                []Template
+	dynamicSecretLeases      *DynamicSecretLeaseManager
+
+	authConfigBytes []byte
+	authStrategy    util.AuthStrategyType
+
+	newAccessTokenNotificationChan        chan bool
+	removeUniversalAuthClientSecretOnRead bool
+	cachedUniversalAuthClientSecret       string
+	exitAfterAuth                         bool
+
+	infisicalClient infisicalSdk.InfisicalClientInterface
 }
 
-func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *AgentManager {
+type NewAgentMangerOptions struct {
+	FileDeposits []Sink
+	Templates    []Template
+
+	AuthConfigBytes []byte
+	AuthStrategy    util.AuthStrategyType
+
+	NewAccessTokenNotificationChan chan bool
+	ExitAfterAuth                  bool
+}
+
+func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
+
 	return &AgentManager{
-		filePaths:                      fileDeposits,
-		templates:                      templates,
-		clientIdPath:                   clientIdPath,
-		clientSecretPath:               clientSecretPath,
-		newAccessTokenNotificationChan: newAccessTokenNotificationChan,
-		removeClientSecretOnRead:       removeClientSecretOnRead,
-		exitAfterAuth:                  exitAfterAuth,
+		filePaths: options.FileDeposits,
+		templates: options.Templates,
+
+		authConfigBytes: options.AuthConfigBytes,
+		authStrategy:    options.AuthStrategy,
+
+		newAccessTokenNotificationChan: options.NewAccessTokenNotificationChan,
+		exitAfterAuth:                  options.ExitAfterAuth,
+
+		infisicalClient: infisicalSdk.NewInfisicalClient(infisicalSdk.Config{
+			SiteUrl:   config.INFISICAL_URL,
+			UserAgent: api.USER_AGENT, // ? Should we perhaps use a different user agent for the Agent for better analytics?
+		}),
 	}
 
 }
@@ -469,52 +485,164 @@ func (tm *AgentManager) GetToken() string {
 	return tm.accessToken
 }
 
+func (tm *AgentManager) FetchUniversalAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	var universalAuthConfig UniversalAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &universalAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	clientID, err := util.GetEnvVarOrFileContent(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME, universalAuthConfig.ClientIDPath)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get client id: %v", err)
+	}
+
+	clientSecret, err := util.GetEnvVarOrFileContent("INFISICAL_UNIVERSAL_CLIENT_SECRET", universalAuthConfig.ClientSecretPath)
+	if err != nil {
+		if len(tm.cachedUniversalAuthClientSecret) == 0 {
+			return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get client secret: %v", err)
+		}
+		clientSecret = tm.cachedUniversalAuthClientSecret
+	}
+
+	tm.cachedUniversalAuthClientSecret = clientSecret
+	if tm.removeUniversalAuthClientSecretOnRead {
+		defer os.Remove(universalAuthConfig.ClientSecretPath)
+	}
+
+	return tm.infisicalClient.Auth().UniversalAuthLogin(clientID, clientSecret)
+
+}
+
+func (tm *AgentManager) FetchKubernetesAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var kubernetesAuthConfig KubernetesAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &kubernetesAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, kubernetesAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	serviceAccountTokenPath := os.Getenv(util.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_NAME)
+	if serviceAccountTokenPath == "" {
+		serviceAccountTokenPath = kubernetesAuthConfig.ServiceAccountToken
+		if serviceAccountTokenPath == "" {
+			serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+		}
+	}
+
+	return tm.infisicalClient.Auth().KubernetesAuthLogin(identityId, serviceAccountTokenPath)
+
+}
+
+func (tm *AgentManager) FetchAzureAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var azureAuthConfig AzureAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &azureAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, azureAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().AzureAuthLogin(identityId)
+
+}
+
+func (tm *AgentManager) FetchGcpIdTokenAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var gcpIdTokenAuthConfig GcpIdTokenAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &gcpIdTokenAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, gcpIdTokenAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().GcpIdTokenAuthLogin(identityId)
+
+}
+
+func (tm *AgentManager) FetchGcpIamAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var gcpIamAuthConfig GcpIamAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &gcpIamAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, gcpIamAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	serviceAccountKeyPath := os.Getenv(util.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH_NAME)
+	if serviceAccountKeyPath == "" {
+		// we don't need to read this file, because the service account key path is directly read inside the sdk
+		serviceAccountKeyPath = gcpIamAuthConfig.ServiceAccountKey
+		if serviceAccountKeyPath == "" {
+			return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("gcp service account key path not found")
+		}
+	}
+
+	return tm.infisicalClient.Auth().GcpIamAuthLogin(identityId, serviceAccountKeyPath)
+
+}
+
+func (tm *AgentManager) FetchAwsIamAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var awsIamAuthConfig AwsIamAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &awsIamAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, awsIamAuthConfig.IdentityID)
+
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().AwsIamAuthLogin(identityId)
+
+}
+
 // Fetches a new access token using client credentials
 func (tm *AgentManager) FetchNewAccessToken() error {
-	clientID := os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
-	if clientID == "" {
-		clientIDAsByte, err := ReadFile(tm.clientIdPath)
-		if err != nil {
-			return fmt.Errorf("unable to read client id from file path '%s' due to error: %v", tm.clientIdPath, err)
-		}
-		clientID = string(clientIDAsByte)
+
+	authStrategies := map[util.AuthStrategyType]func() (credential infisicalSdk.MachineIdentityCredential, e error){
+		util.AuthStrategy.UNIVERSAL_AUTH:    tm.FetchUniversalAuthAccessToken,
+		util.AuthStrategy.KUBERNETES_AUTH:   tm.FetchKubernetesAuthAccessToken,
+		util.AuthStrategy.AZURE_AUTH:        tm.FetchAzureAuthAccessToken,
+		util.AuthStrategy.GCP_ID_TOKEN_AUTH: tm.FetchGcpIdTokenAuthAccessToken,
+		util.AuthStrategy.GCP_IAM_AUTH:      tm.FetchGcpIamAuthAccessToken,
+		util.AuthStrategy.AWS_IAM_AUTH:      tm.FetchAwsIamAuthAccessToken,
 	}
 
-	clientSecret := os.Getenv("INFISICAL_UNIVERSAL_CLIENT_SECRET")
-	if clientSecret == "" {
-		clientSecretAsByte, err := ReadFile(tm.clientSecretPath)
-		if err != nil {
-			if len(tm.cachedClientSecret) == 0 {
-				return fmt.Errorf("unable to read client secret from file and no cached client secret found: %v", err)
-			} else {
-				clientSecretAsByte = []byte(tm.cachedClientSecret)
-			}
-		}
-		clientSecret = string(clientSecretAsByte)
+	if _, ok := authStrategies[tm.authStrategy]; !ok {
+		return fmt.Errorf("auth strategy %s not found", tm.authStrategy)
 	}
 
-	// remove client secret after first read
-	if tm.removeClientSecretOnRead {
-		os.Remove(tm.clientSecretPath)
-	}
+	credential, err := authStrategies[tm.authStrategy]()
 
-	// save as cache in memory
-	tm.cachedClientSecret = clientSecret
-
-	loginResponse, err := util.UniversalAuthLogin(clientID, clientSecret)
 	if err != nil {
 		return err
 	}
 
-	accessTokenTTL := time.Duration(loginResponse.AccessTokenTTL * int(time.Second))
-	accessTokenMaxTTL := time.Duration(loginResponse.AccessTokenMaxTTL * int(time.Second))
+	accessTokenTTL := time.Duration(credential.ExpiresIn * int64(time.Second))
+	accessTokenMaxTTL := time.Duration(credential.AccessTokenMaxTTL * int64(time.Second))
 
 	if accessTokenTTL <= time.Duration(5)*time.Second {
-		util.PrintErrorMessageAndExit("At this this, agent does not support refresh of tokens with 5 seconds or less ttl. Please increase access token ttl and try again")
+		util.PrintErrorMessageAndExit("At this time, agent does not support refresh of tokens with 5 seconds or less ttl. Please increase access token ttl and try again")
 	}
 
 	tm.accessTokenFetchedTime = time.Now()
-	tm.SetToken(loginResponse.AccessToken, accessTokenTTL, accessTokenMaxTTL)
+	tm.SetToken(credential.AccessToken, accessTokenTTL, accessTokenMaxTTL)
 
 	return nil
 }
@@ -527,7 +655,7 @@ func (tm *AgentManager) RefreshAccessToken() error {
 		SetRetryWaitTime(5 * time.Second)
 
 	accessToken := tm.GetToken()
-	response, err := api.CallUniversalAuthRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
+	response, err := api.CallMachineIdentityRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
 	if err != nil {
 		return err
 	}
@@ -564,6 +692,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 				continue
 			}
 		} else if time.Now().After(accessTokenMaxTTLExpiresInTime) {
+			// case: token has reached max ttl and we should re-authenticate entirely (cannot refresh)
 			log.Info().Msgf("token has reached max ttl, attempting to re authenticate...")
 			err := tm.FetchNewAccessToken()
 			if err != nil {
@@ -574,6 +703,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 				continue
 			}
 		} else {
+			// case: token ttl has expired, but the token is still within max ttl, so we can refresh
 			log.Info().Msgf("attempting to refresh existing token...")
 			err := tm.RefreshAccessToken()
 			if err != nil {
@@ -770,18 +900,33 @@ var agentCmd = &cobra.Command{
 			return
 		}
 
-		if agentConfig.Auth.Type != "universal-auth" {
-			util.PrintErrorMessageAndExit("Only auth type of 'universal-auth' is supported at this time")
-		}
+		authMethodValid, authStrategy := util.IsAuthMethodValid(agentConfig.Auth.Type)
 
-		configUniversalAuthType := agentConfig.Auth.Config.(UniversalAuth)
+		if !authMethodValid {
+			util.PrintErrorMessageAndExit(fmt.Sprintf("The auth method '%s' is not supported.", agentConfig.Auth.Type))
+		}
 
 		tokenRefreshNotifier := make(chan bool)
 		sigChan := make(chan os.Signal, 1)
 		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
 		filePaths := agentConfig.Sinks
-		tm := NewAgentManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
+
+		configBytes, err := yaml.Marshal(agentConfig.Auth.Config)
+		if err != nil {
+			log.Error().Msgf("unable to marshal auth config because %v", err)
+			return
+		}
+
+		tm := NewAgentManager(NewAgentMangerOptions{
+			FileDeposits:                   filePaths,
+			Templates:                      agentConfig.Templates,
+			AuthConfigBytes:                configBytes,
+			NewAccessTokenNotificationChan: tokenRefreshNotifier,
+			ExitAfterAuth:                  agentConfig.Infisical.ExitAfterAuth,
+			AuthStrategy:                   authStrategy,
+		})
+
 		tm.dynamicSecretLeases = NewDynamicSecretLeaseManager(sigChan)
 
 		go tm.ManageTokenLifecycle()

cli/packages/cmd/token.go

@@ -39,7 +39,7 @@ var tokenRenewCmd = &cobra.Command{
 			util.PrintErrorMessageAndExit("You are trying to renew a service token. You can only renew universal auth access tokens.")
 		}
 
-		renewedAccessToken, err := util.RenewUniversalAuthAccessToken(token)
+		renewedAccessToken, err := util.RenewMachineIdentityAccessToken(token)
 
 		if err != nil {
 			util.HandleError(err, "Unable to renew token")

cli/packages/util/auth.go

@@ -0,0 +1,42 @@
+package util
+
+type AuthStrategyType string
+
+var AuthStrategy = struct {
+	UNIVERSAL_AUTH    AuthStrategyType
+	KUBERNETES_AUTH   AuthStrategyType
+	AZURE_AUTH        AuthStrategyType
+	GCP_ID_TOKEN_AUTH AuthStrategyType
+	GCP_IAM_AUTH      AuthStrategyType
+	AWS_IAM_AUTH      AuthStrategyType
+}{
+	UNIVERSAL_AUTH:    "universal-auth",
+	KUBERNETES_AUTH:   "kubernetes",
+	AZURE_AUTH:        "azure",
+	GCP_ID_TOKEN_AUTH: "gcp-id-token",
+	GCP_IAM_AUTH:      "gcp-iam",
+	AWS_IAM_AUTH:      "aws-iam",
+}
+
+var AVAILABLE_AUTH_STRATEGIES = []AuthStrategyType{
+	AuthStrategy.UNIVERSAL_AUTH,
+	AuthStrategy.KUBERNETES_AUTH,
+	AuthStrategy.AZURE_AUTH,
+	AuthStrategy.GCP_ID_TOKEN_AUTH,
+	AuthStrategy.GCP_IAM_AUTH,
+	AuthStrategy.AWS_IAM_AUTH,
+}
+
+func IsAuthMethodValid(authMethod string) (isValid bool, strategy AuthStrategyType) {
+
+	if authMethod == "user" {
+		return true, ""
+	}
+
+	for _, strategy := range AVAILABLE_AUTH_STRATEGIES {
+		if string(strategy) == authMethod {
+			return true, strategy
+		}
+	}
+	return false, ""
+}

cli/packages/util/constants.go

@@ -1,20 +1,32 @@
 package util
 
 const (
-	CONFIG_FILE_NAME                            = "infisical-config.json"
-	CONFIG_FOLDER_NAME                          = ".infisical"
-	INFISICAL_DEFAULT_API_URL                   = "https://app.infisical.com/api"
-	INFISICAL_DEFAULT_URL                       = "https://app.infisical.com"
-	INFISICAL_WORKSPACE_CONFIG_FILE_NAME        = ".infisical.json"
-	INFISICAL_TOKEN_NAME                        = "INFISICAL_TOKEN"
+	CONFIG_FILE_NAME                           = "infisical-config.json"
+	CONFIG_FOLDER_NAME                         = ".infisical"
+	INFISICAL_DEFAULT_API_URL                  = "https://app.infisical.com/api"
+	INFISICAL_DEFAULT_URL                      = "https://app.infisical.com"
+	INFISICAL_WORKSPACE_CONFIG_FILE_NAME       = ".infisical.json"
+	INFISICAL_TOKEN_NAME                       = "INFISICAL_TOKEN"
+	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
+
+	// Universal Auth
 	INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME     = "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
 	INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME = "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
-	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME  = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
-	SECRET_TYPE_PERSONAL                        = "personal"
-	SECRET_TYPE_SHARED                          = "shared"
-	KEYRING_SERVICE_NAME                        = "infisical"
-	PERSONAL_SECRET_TYPE_NAME                   = "personal"
-	SHARED_SECRET_TYPE_NAME                     = "shared"
+
+	// Kubernetes auth
+	INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_NAME = "INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH"
+
+	// GCP Auth
+	INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH_NAME = "INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH"
+
+	// Generic env variable used for auth methods that require a machine identity ID
+	INFISICAL_MACHINE_IDENTITY_ID_NAME = "INFISICAL_MACHINE_IDENTITY_ID"
+
+	SECRET_TYPE_PERSONAL      = "personal"
+	SECRET_TYPE_SHARED        = "shared"
+	KEYRING_SERVICE_NAME      = "infisical"
+	PERSONAL_SECRET_TYPE_NAME = "personal"
+	SHARED_SECRET_TYPE_NAME   = "shared"
 
 	SERVICE_TOKEN_IDENTIFIER        = "service-token"
 	UNIVERSAL_AUTH_TOKEN_IDENTIFIER = "universal-auth-token"

cli/packages/util/helper.go

@@ -123,7 +123,7 @@ func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuth
 	return tokenResponse, nil
 }
 
-func RenewUniversalAuthAccessToken(accessToken string) (string, error) {
+func RenewMachineIdentityAccessToken(accessToken string) (string, error) {
 
 	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
@@ -134,7 +134,7 @@ func RenewUniversalAuthAccessToken(accessToken string) (string, error) {
 		AccessToken: accessToken,
 	}
 
-	tokenResponse, err := api.CallUniversalAuthRefreshAccessToken(httpClient, request)
+	tokenResponse, err := api.CallMachineIdentityRefreshAccessToken(httpClient, request)
 	if err != nil {
 		return "", err
 	}
@@ -246,3 +246,30 @@ func AppendAPIEndpoint(address string) string {
 	}
 	return address + "/api"
 }
+
+func ReadFileAsString(filePath string) (string, error) {
+	fileBytes, err := os.ReadFile(filePath)
+
+	if err != nil {
+		return "", err
+	}
+
+	return string(fileBytes), nil
+
+}
+
+func GetEnvVarOrFileContent(envName string, filePath string) (string, error) {
+	// First check if the environment variable is set
+	if envVarValue := os.Getenv(envName); envVarValue != "" {
+		return envVarValue, nil
+	}
+
+	// If it's not set, try to read the file
+	fileContent, err := ReadFileAsString(filePath)
+
+	if err != nil {
+		return "", fmt.Errorf("unable to read file content from file path '%s' [err=%v]", filePath, err)
+	}
+
+	return fileContent, nil
+}

docs/integrations/platforms/infisical-agent.mdx

@@ -41,22 +41,212 @@ It then formats these secrets using the user provided templates and writes the f
 To set up the authentication method for token renewal and to define secret templates, the Infisical agent requires a YAML configuration file containing properties defined below. 
 While specifying an authentication method is mandatory to start the agent, configuring sinks and secret templates are optional.
 
-| Field                        | Description |
-| ---------------------------- | ----------- |
-| `infisical.address`          | The URL of the Infisical service. Default: `"https://app.infisical.com"`. |
-| `auth.type`                  | The type of authentication method used. Only `"universal-auth"` type is currently available |
-| `auth.config.client-id`      | The file path where the universal-auth client id is stored.  |
-| `auth.config.client-secret`  | The file path where the universal-auth client secret is stored.  |
-| `auth.config.remove_client_secret_on_read`     | This will instruct the agent to remove the client secret from disk.  |
-| `sinks[].type`               | The type of sink in a list of sinks. Each item specifies a sink type. Currently, only `"file"` type is available. |
-| `sinks[].config.path`        | The file path where the access token should be stored for each sink in the list. |
-| `templates[].source-path`    | The path to the template file that should be used to render secrets. |
-| `templates[].destination-path` | The path where the rendered secrets from the source template will be saved to. |
-| `templates[].config.polling-interval` | How frequently to check for secret changes. Default: `5 minutes` (optional)  |
-| `templates[].config.execute.command` | The command to execute when secret change is detected (optional) |
-| `templates[].config.execute.timeout` | How long in seconds to wait for command to execute before timing out (optional) |
+| Field                                           | Description                   |
+| ------------------------------------------------| ----------------------------- |
+| `infisical.address`                             | The URL of the Infisical service. Default: `"https://app.infisical.com"`. |
+| `auth.type`                                     | The type of authentication method used. Available options: `universal-auth`, `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, `aws-iam`|
+| `auth.config.identity-id`                       | The file path where the machine identity id is stored<br/><br/>This field is required when using any of the following auth types: `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, or `aws-iam`. |
+| `auth.config.service-account-token`             | Path to the Kubernetes service account token to use (optional)<br/><br/>Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`  |
+| `auth.config.service-account-key`               | Path to your GCP service account key file. This field is required when using `gcp-iam` auth type.<br/><br/>Please note that the file should be in JSON format. |
+| `auth.config.client-id`                         | The file path where the universal-auth client id is stored.  |
+| `auth.config.client-secret`                     | The file path where the universal-auth client secret is stored.  |
+| `auth.config.remove_client_secret_on_read`      | This will instruct the agent to remove the client secret from disk.  |
+| `sinks[].type`                                  | The type of sink in a list of sinks. Each item specifies a sink type. Currently, only `"file"` type is available. |
+| `sinks[].config.path`                           | The file path where the access token should be stored for each sink in the list. |
+| `templates[].source-path`                       | The path to the template file that should be used to render secrets. |
+| `templates[].destination-path`                  | The path where the rendered secrets from the source template will be saved to. |
+| `templates[].config.polling-interval`           | How frequently to check for secret changes. Default: `5 minutes` (optional)  |
+| `templates[].config.execute.command`            | The command to execute when secret change is detected (optional) |
+| `templates[].config.execute.timeout`            | How long in seconds to wait for command to execute before timing out (optional) |
 
 
+## Authentication
+
+The Infisical agent supports multiple authentication methods. Below are the available authentication methods, with their respective configurations.
+
+<AccordionGroup>
+<Accordion title="Universal Auth">
+  The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
+
+  <ParamField query="config" type="UniversalAuthConfig">
+    <Expandable title="properties">
+        <ParamField query="client-id" type="string" required>
+          Path to the file containing the universal auth client ID.
+        </ParamField>
+        <ParamField query="client-secret" type="string" required>
+          Path to the file containing the universal auth client secret.
+        </ParamField>
+        <ParamField query="remove_client_secret_on_read" type="boolean" optional>
+          Instructs the agent to remove the client secret from disk after reading it.
+        </ParamField>
+    </Expandable>
+  </ParamField>
+
+  <Steps>
+    <Step title="Create a universal auth machine identity">
+      To create a universal auth machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/universal-auth).
+    </Step>
+    <Step title="Configure the agent">
+      Update the agent configuration file with the specified auth method, client ID, and client secret. In the snippet below you can see a sample configuration of the `auth` field when using the Universal Auth method.
+
+    ```yaml example-auth-config.yaml
+    auth:
+      type: "universal-auth"
+      config:
+        client-id: "./client-id" # Path to the file containing the client ID
+        client-secret: "./client" # Path to the file containing the client secret
+        remove_client_secret_on_read: false # Optional field, instructs the agent to remove the client secret from disk after reading it
+    ```
+    </Step>
+  </Steps>
+</Accordion>
+<Accordion title="Native Kubernetes">
+  The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
+
+  <ParamField query="config" type="KubernetesAuthConfig">
+    <Expandable title="properties">
+        <ParamField query="identity-id" type="string" required>
+          Path to the file containing the machine identity ID.
+        </ParamField>
+        <ParamField query="service-account-token" type="string" optional>
+          Path to the Kubernetes service account token to use. Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+        </ParamField>
+    </Expandable>
+  </ParamField>
+
+  <Steps>
+    <Step title="Create a Kubernetes machine identity">
+      To create a Kubernetes machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/kubernetes-auth).
+    </Step>
+    <Step title="Configure the agent">
+      Update the agent configuration file with the specified auth method, identity ID, and service account token. In the snippet below you can see a sample configuration of the `auth` field when using the Kubernetes method.
+
+    ```yaml example-auth-config.yaml
+    auth:
+      type: "kubernetes"
+      config:
+        identity-id: "./identity-id" # Path to the file containing the machine identity ID
+        service-account-token: "/var/run/secrets/kubernetes.io/serviceaccount/token" # Optional field, custom path to the Kubernetes service account token to use
+    ```
+    </Step>
+  </Steps>
+
+</Accordion>
+  <Accordion title="Native Azure">
+    The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
+
+    <ParamField query="config" type="AzureAuthConfig">
+      <Expandable title="properties">
+          <ParamField query="identity-id" type="string" required>
+            Path to the file containing the machine identity ID.
+          </ParamField>
+      </Expandable>
+    </ParamField>
+
+    <Steps>
+      <Step title="Create an Azure machine identity">
+        To create an Azure machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/azure-auth).
+      </Step>
+      <Step title="Configure the agent">
+        Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the `auth` field when using the Azure method.
+
+      ```yaml example-auth-config.yaml
+      auth:
+        type: "azure"
+        config:
+          identity-id: "./identity-id" # Path to the file containing the machine identity ID
+      ```
+      </Step>
+    </Steps>
+
+  </Accordion>
+  <Accordion title="Native GCP ID Token">
+    The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
+
+    <ParamField query="config" type="GCPIDTokenAuthConfig">
+      <Expandable title="properties">
+          <ParamField query="identity-id" type="string" required>
+            Path to the file containing the machine identity ID.
+          </ParamField>
+      </Expandable>
+    </ParamField>
+
+    <Steps>
+      <Step title="Create a GCP machine identity">
+        To create a GCP machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/gcp-auth).
+      </Step>
+      <Step title="Configure the agent">
+        Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the `auth` field when using the GCP ID Token method.
+
+      ```yaml example-auth-config.yaml
+      auth:
+        type: "gcp-id-token"
+        config:
+          identity-id: "./identity-id" # Path to the file containing the machine identity ID
+      ```
+      </Step>
+    </Steps>
+  </Accordion>
+  <Accordion title="GCP IAM">
+    The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
+
+    <ParamField query="config" type="GCPIAMAuthConfig">
+      <Expandable title="properties">
+          <ParamField query="identity-id" type="string" required>
+            Path to the file containing the machine identity ID.
+          </ParamField>
+          <ParamField query="service-account-key" type="string" required>
+            Path to your GCP service account key file.
+          </ParamField>
+      </Expandable>
+    </ParamField>
+
+    <Steps>
+      <Step title="Create a GCP machine identity">
+        To create a GCP machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/gcp-auth).
+      </Step>
+      <Step title="Configure the agent">
+        Update the agent configuration file with the specified auth method, identity ID, and service account key. In the snippet below you can see a sample configuration of the `auth` field when using the GCP IAM method.
+
+      ```yaml example-auth-config.yaml
+      auth:
+        type: "gcp-iam"
+        config:
+          identity-id: "./identity-id" # Path to the file containing the machine identity ID
+          service-account-key: "./service-account-key.json" # Path to your GCP service account key file
+      ```
+      </Step>
+    </Steps>
+  </Accordion>
+  <Accordion title="Native AWS IAM">
+    The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
+
+    <ParamField query="config" type="AWSIAMAuthConfig">
+      <Expandable title="properties">
+          <ParamField query="identity-id" type="string" required>
+            Path to the file containing the machine identity ID.
+          </ParamField>
+      </Expandable>
+    </ParamField>
+
+    <Steps>
+      <Step title="Create an AWS machine identity">
+        To create an AWS machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/aws-auth).
+      </Step>
+      <Step title="Configure the agent">
+        Update the agent configuration file with the specified auth method and identity ID. In the snippet below you can see a sample configuration of the `auth` field when using the AWS IAM method.
+
+      ```yaml example-auth-config.yaml
+      auth:
+        type: "aws-iam"
+        config:
+          identity-id: "./identity-id" # Path to the file containing the machine identity ID
+      ```
+      </Step>
+    </Steps>
+  </Accordion>
+</AccordionGroup>
+
 ## Quick start Infisical Agent
 To install the Infisical agent, you must first install the [Infisical CLI](../cli/overview) in the desired environment where you'd like the agent to run. This is because the Infisical agent is a sub-command of the Infisical CLI.
 

frontend/src/hooks/api/index.tsx

@@ -17,6 +17,7 @@ export * from "./keys";
 export * from "./ldapConfig";
 export * from "./organization";
 export * from "./projectUserAdditionalPrivilege";
+export * from "./rateLimit";
 export * from "./roles";
 export * from "./scim";
 export * from "./secretApproval";

frontend/src/hooks/api/rateLimit/index.ts

@@ -0,0 +1,2 @@
+export { useUpdateRateLimit } from "./mutation";
+export { useGetRateLimit } from "./queries";

frontend/src/hooks/api/rateLimit/mutation.ts

@@ -0,0 +1,21 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { rateLimitQueryKeys } from "./queries";
+import { TRateLimit } from "./types";
+
+export const useUpdateRateLimit = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<TRateLimit, {}, TRateLimit>({
+    mutationFn: async (opt) => {
+      const { data } = await apiRequest.put<{ rateLimit: TRateLimit }>("/api/v1/rate-limit", opt);
+      return data.rateLimit;
+    },
+    onSuccess: (data) => {
+      queryClient.setQueryData(rateLimitQueryKeys.rateLimit(), data);
+      queryClient.invalidateQueries(rateLimitQueryKeys.rateLimit());
+    }
+  });
+};

frontend/src/hooks/api/rateLimit/queries.ts

@@ -0,0 +1,34 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { TRateLimit } from "./types";
+
+export const rateLimitQueryKeys = {
+  rateLimit: () => ["rate-limit"] as const
+};
+
+const fetchRateLimit = async () => {
+  const { data } = await apiRequest.get<{ rateLimit: TRateLimit }>("/api/v1/rate-limit");
+  return data.rateLimit;
+};
+
+export const useGetRateLimit = ({
+  options = {}
+}: {
+  options?: Omit<
+    UseQueryOptions<
+      TRateLimit,
+      unknown,
+      TRateLimit,
+      ReturnType<typeof rateLimitQueryKeys.rateLimit>
+    >,
+    "queryKey" | "queryFn"
+  >;
+} = {}) =>
+  useQuery({
+    queryKey: rateLimitQueryKeys.rateLimit(),
+    queryFn: fetchRateLimit,
+    ...options,
+    enabled: options?.enabled ?? true
+  });

frontend/src/hooks/api/rateLimit/types.ts

@@ -0,0 +1,10 @@
+export type TRateLimit = {
+  readRateLimit: number;
+  writeRateLimit: number;
+  secretsRateLimit: number;
+  authRateLimit: number;
+  inviteUserRateLimit: number;
+  mfaRateLimit: number;
+  creationLimit: number;
+  publicEndpointLimit: number;
+};

frontend/src/views/ShareSecretPublicPage/ShareSecretPublicPage.tsx

@@ -7,7 +7,7 @@ import { decryptSymmetric } from "@app/components/utilities/cryptography/crypto"
 import { useTimedReset } from "@app/hooks";
 import { useGetActiveSharedSecretByIdAndHashedHex } from "@app/hooks/api/secretSharing";
 
-import { DragonMainImage, SecretTable } from "./components";
+import { SecretTable } from "./components";
 
 export const ShareSecretPublicPage = () => {
   const router = useRouter();
@@ -68,7 +68,7 @@ export const ShareSecretPublicPage = () => {
         A secret has been shared with you securely via Infisical
       </p>
       <div className="flex min-h-screen w-full flex-col md:flex-row">
-        <DragonMainImage />
+        {/* <DragonMainImage /> */}
         <div className="m-4 flex flex-1 flex-col items-center justify-start md:m-0">
           <p className="mt-8 mb-2 text-xl font-semibold text-mineshaft-100 md:mt-20">
             Shared Secret

frontend/src/views/admin/DashboardPage/DashboardPage.tsx

@@ -18,12 +18,16 @@ import {
   Tab,
   TabList,
   TabPanel,
-  Tabs} from "@app/components/v2";
+  Tabs
+} from "@app/components/v2";
 import { useOrganization, useServerConfig, useUser } from "@app/context";
 import { useUpdateServerConfig } from "@app/hooks/api";
 
+import { RateLimitPanel } from "./RateLimitPanel";
+
 enum TabSections {
-  Settings = "settings"
+  Settings = "settings",
+  RateLimit = "rate-limit"
 }
 
 enum SignUpModes {
@@ -117,6 +121,7 @@ export const AdminDashboardPage = () => {
             <TabList>
               <div className="flex w-full flex-row border-b border-mineshaft-600">
                 <Tab value={TabSections.Settings}>General</Tab>
+                <Tab value={TabSections.RateLimit}>Rate Limit</Tab>
               </div>
             </TabList>
             <TabPanel value={TabSections.Settings}>
@@ -233,6 +238,9 @@ export const AdminDashboardPage = () => {
                 </Button>
               </form>
             </TabPanel>
+            <TabPanel value={TabSections.RateLimit}>
+              <RateLimitPanel />
+            </TabPanel>
           </Tabs>
         </div>
       )}

frontend/src/views/admin/DashboardPage/RateLimitPanel.tsx

@@ -0,0 +1,250 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, ContentLoader, FormControl, Input } from "@app/components/v2";
+import { useGetRateLimit, useUpdateRateLimit } from "@app/hooks/api";
+
+const formSchema = z.object({
+  readRateLimit: z.number(),
+  writeRateLimit: z.number(),
+  secretsRateLimit: z.number(),
+  authRateLimit: z.number(),
+  inviteUserRateLimit: z.number(),
+  mfaRateLimit: z.number(),
+  creationLimit: z.number(),
+  publicEndpointLimit: z.number()
+});
+
+type TRateLimitForm = z.infer<typeof formSchema>;
+
+export const RateLimitPanel = () => {
+  const { data: rateLimit, isLoading } = useGetRateLimit();
+  const { mutateAsync: updateRateLimit } = useUpdateRateLimit();
+
+  const {
+    control,
+    handleSubmit,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TRateLimitForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      // eslint-disable-next-line
+      readRateLimit: rateLimit?.readRateLimit ?? 600,
+      writeRateLimit: rateLimit?.writeRateLimit ?? 200,
+      secretsRateLimit: rateLimit?.secretsRateLimit ?? 60,
+      authRateLimit: rateLimit?.authRateLimit ?? 60,
+      inviteUserRateLimit: rateLimit?.inviteUserRateLimit ?? 30,
+      mfaRateLimit: rateLimit?.mfaRateLimit ?? 20,
+      creationLimit: rateLimit?.creationLimit ?? 30,
+      publicEndpointLimit: rateLimit?.publicEndpointLimit ?? 30
+    }
+  });
+
+  const onRateLimitFormSubmit = async (formData: TRateLimitForm) => {
+    try {
+      const {
+        readRateLimit,
+        writeRateLimit,
+        secretsRateLimit,
+        authRateLimit,
+        inviteUserRateLimit,
+        mfaRateLimit,
+        creationLimit,
+        publicEndpointLimit
+      } = formData;
+
+      await updateRateLimit({
+        readRateLimit,
+        writeRateLimit,
+        secretsRateLimit,
+        authRateLimit,
+        inviteUserRateLimit,
+        mfaRateLimit,
+        creationLimit,
+        publicEndpointLimit
+      });
+      createNotification({
+        text: "Rate limits have been successfully updated. Please allow at least 10 minutes for the changes to take effect.",
+        type: "success"
+      });
+    } catch (e) {
+      console.error(e);
+      createNotification({
+        type: "error",
+        text: "Failed to update rate limiting setting."
+      });
+    }
+  };
+
+  return isLoading ? (
+    <ContentLoader />
+  ) : (
+    <form
+      className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+      onSubmit={handleSubmit(onRateLimitFormSubmit)}
+    >
+      <div className="mb-8 flex flex-col justify-start">
+        <div className="mb-4 text-xl font-semibold text-mineshaft-100">
+          Configure rate limits
+        </div>
+        <Controller
+          control={control}
+          name="readRateLimit"
+          defaultValue={300}
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Global read requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="writeRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Global write requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="secretsRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Secret requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="authRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Auth requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="inviteUserRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="User invitation requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="mfaRateLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Multi factor auth requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="creationLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="New resource creation requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+        <Controller
+          control={control}
+          defaultValue={300}
+          name="publicEndpointLimit"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Secret sharing requests per minute"
+              className="w-72"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input
+                {...field}
+                value={field.value || ""}
+                onChange={(e) => field.onChange(Number(e.target.value))}
+              />
+            </FormControl>
+          )}
+        />
+      </div>
+      <Button type="submit" isLoading={isSubmitting} isDisabled={isSubmitting || !isDirty}>
+        Save
+      </Button>
+    </form>
+  );
+};