Merge pull request #1772 from Infisical/service-token-deprecation-notice

Add deprecation notice banner to service token section

.github/resources/rename_migration_files.py

@@ -0,0 +1,26 @@
+import os
+from datetime import datetime, timedelta
+
+def rename_migrations():
+    migration_folder = "./backend/src/db/migrations"
+    with open("added_files.txt", "r") as file:
+        changed_files = file.readlines()
+    
+    # Find the latest file among the changed files
+    latest_timestamp = datetime.now() # utc time
+    for file_path in changed_files:
+        file_path = file_path.strip()
+        # each new file bump by 1s
+        latest_timestamp = latest_timestamp + timedelta(seconds=1)
+
+        new_filename = os.path.join(migration_folder, latest_timestamp.strftime("%Y%m%d%H%M%S") + f"_{file_path.split('_')[1]}")
+        old_filename = os.path.join(migration_folder, file_path)
+        os.rename(old_filename, new_filename)
+        print(f"Renamed {old_filename} to {new_filename}")
+
+    if len(changed_files) == 0:
+        print("No new files added to migration folder")
+
+if __name__ == "__main__":
+    rename_migrations()
+

.github/workflows/release_build_infisical_cli.yml

@@ -1,6 +1,8 @@
 name: Build and release CLI
 
 on:
+    workflow_dispatch:
+
     push:
         # run only against tags
         tags:
@@ -14,6 +16,12 @@ jobs:
     cli-integration-tests:
         name: Run tests before deployment
         uses: ./.github/workflows/run-cli-tests.yml
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
 
     goreleaser:
         runs-on: ubuntu-20.04

.github/workflows/run-cli-tests.yml

@@ -6,7 +6,20 @@ on:
         paths:
             - "cli/**"
 
+    workflow_dispatch:
+
     workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
 
 jobs:
     test:

.github/workflows/update-be-new-migration-latest-timestamp.yml

@@ -0,0 +1,48 @@
+name: Rename Migrations
+
+on:
+  pull_request:
+    types: [closed]
+    paths:
+      - 'backend/src/db/migrations/**'
+
+jobs:
+  rename:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get list of newly added files in migration folder
+        run: |
+          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^A' | cut -f2 | xargs -n1 basename > added_files.txt
+          if [ ! -s added_files.txt ]; then
+            echo "No new files added. Skipping"
+            echo "SKIP_RENAME=true" >> $GITHUB_ENV
+          fi
+
+      - name: Script to rename migrations
+        if: env.SKIP_RENAME != 'true'
+        run: python .github/resources/rename_migration_files.py
+
+      - name: Commit and push changes
+        if: env.SKIP_RENAME != 'true'
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add ./backend/src/db/migrations
+          rm added_files.txt
+          git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
+
+      - name: Create Pull Request
+        if: env.SKIP_RENAME != 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
+          title: 'GH Action: rename new migration file timestamp'
+          branch-suffix: timestamp

README.md

@@ -76,7 +76,7 @@ Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/int
 
 | Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). |  <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
 
 ### Run Infisical locally
 

backend/package-lock.json

@@ -45,6 +45,7 @@
         "jsonwebtoken": "^9.0.2",
         "jsrp": "^0.2.4",
         "knex": "^3.0.1",
+        "ldapjs": "^3.0.7",
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
@@ -2510,6 +2511,83 @@
         "@jridgewell/sourcemap-codec": "^1.4.10"
       }
     },
+    "node_modules/@ldapjs/asn1": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/asn1/-/asn1-2.0.0.tgz",
+      "integrity": "sha512-G9+DkEOirNgdPmD0I8nu57ygQJKOOgFEMKknEuQvIHbGLwP3ny1mY+OTUYLCbCaGJP4sox5eYgBJRuSUpnAddA=="
+    },
+    "node_modules/@ldapjs/attribute": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/attribute/-/attribute-1.0.0.tgz",
+      "integrity": "sha512-ptMl2d/5xJ0q+RgmnqOi3Zgwk/TMJYG7dYMC0Keko+yZU6n+oFM59MjQOUht5pxJeS4FWrImhu/LebX24vJNRQ==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/change": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/change/-/change-1.0.0.tgz",
+      "integrity": "sha512-EOQNFH1RIku3M1s0OAJOzGfAohuFYXFY4s73wOhRm4KFGhmQQ7MChOh2YtYu9Kwgvuq1B0xKciXVzHCGkB5V+Q==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/attribute": "1.0.0"
+      }
+    },
+    "node_modules/@ldapjs/controls": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/controls/-/controls-2.1.0.tgz",
+      "integrity": "sha512-2pFdD1yRC9V9hXfAWvCCO2RRWK9OdIEcJIos/9cCVP9O4k72BY1bLDQQ4KpUoJnl4y/JoD4iFgM+YWT3IfITWw==",
+      "dependencies": {
+        "@ldapjs/asn1": "^1.2.0",
+        "@ldapjs/protocol": "^1.2.1"
+      }
+    },
+    "node_modules/@ldapjs/controls/node_modules/@ldapjs/asn1": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/asn1/-/asn1-1.2.0.tgz",
+      "integrity": "sha512-KX/qQJ2xxzvO2/WOvr1UdQ+8P5dVvuOLk/C9b1bIkXxZss8BaR28njXdPgFCpj5aHaf1t8PmuVnea+N9YG9YMw=="
+    },
+    "node_modules/@ldapjs/dn": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/dn/-/dn-1.1.0.tgz",
+      "integrity": "sha512-R72zH5ZeBj/Fujf/yBu78YzpJjJXG46YHFo5E4W1EqfNpo1UsVPqdLrRMXeKIsJT3x9dJVIfR6OpzgINlKpi0A==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/filter": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@ldapjs/filter/-/filter-2.1.1.tgz",
+      "integrity": "sha512-TwPK5eEgNdUO1ABPBUQabcZ+h9heDORE4V9WNZqCtYLKc06+6+UAJ3IAbr0L0bYTnkkWC/JEQD2F+zAFsuikNw==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/messages": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/messages/-/messages-1.3.0.tgz",
+      "integrity": "sha512-K7xZpXJ21bj92jS35wtRbdcNrwmxAtPwy4myeh9duy/eR3xQKvikVycbdWVzkYEAVE5Ce520VXNOwCHjomjCZw==",
+      "dependencies": {
+        "@ldapjs/asn1": "^2.0.0",
+        "@ldapjs/attribute": "^1.0.0",
+        "@ldapjs/change": "^1.0.0",
+        "@ldapjs/controls": "^2.1.0",
+        "@ldapjs/dn": "^1.1.0",
+        "@ldapjs/filter": "^2.1.1",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.2.0"
+      }
+    },
+    "node_modules/@ldapjs/protocol": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@ldapjs/protocol/-/protocol-1.2.1.tgz",
+      "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
+    },
     "node_modules/@lukeed/ms": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
@@ -9304,15 +9382,7 @@
         "node": ">=0.8.0"
       }
     },
-    "node_modules/ldapauth-fork/node_modules/lru-cache": {
-      "version": "7.18.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
-      "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/ldapjs": {
+    "node_modules/ldapauth-fork/node_modules/ldapjs": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-2.3.3.tgz",
       "integrity": "sha512-75QiiLJV/PQqtpH+HGls44dXweviFwQ6SiIK27EqzKQ5jU/7UFrl2E5nLdQ3IYRBzJ/AVFJI66u0MZ0uofKYwg==",
@@ -9330,6 +9400,35 @@
         "node": ">=10.13.0"
       }
     },
+    "node_modules/ldapauth-fork/node_modules/lru-cache": {
+      "version": "7.18.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
+      "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/ldapjs": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-3.0.7.tgz",
+      "integrity": "sha512-1ky+WrN+4CFMuoekUOv7Y1037XWdjKpu0xAPwSP+9KdvmV9PG+qOKlssDV6a+U32apwxdD3is/BZcWOYzN30cg==",
+      "dependencies": {
+        "@ldapjs/asn1": "^2.0.0",
+        "@ldapjs/attribute": "^1.0.0",
+        "@ldapjs/change": "^1.0.0",
+        "@ldapjs/controls": "^2.1.0",
+        "@ldapjs/dn": "^1.1.0",
+        "@ldapjs/filter": "^2.1.1",
+        "@ldapjs/messages": "^1.3.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "abstract-logging": "^2.0.1",
+        "assert-plus": "^1.0.0",
+        "backoff": "^2.5.0",
+        "once": "^1.4.0",
+        "vasync": "^2.2.1",
+        "verror": "^1.10.1"
+      }
+    },
     "node_modules/leven": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/leven/-/leven-2.1.0.tgz",

backend/package.json

@@ -106,6 +106,7 @@
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",
     "knex": "^3.0.1",
+    "ldapjs": "^3.0.7",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",

backend/src/@types/knex.d.ts

@@ -74,6 +74,9 @@ import {
   TLdapConfigs,
   TLdapConfigsInsert,
   TLdapConfigsUpdate,
+  TLdapGroupMaps,
+  TLdapGroupMapsInsert,
+  TLdapGroupMapsUpdate,
   TOrganizations,
   TOrganizationsInsert,
   TOrganizationsUpdate,
@@ -398,6 +401,7 @@ declare module "knex/types/tables" {
     >;
     [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
     [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
+    [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
     [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
     [TableName.GitAppInstallSession]: Knex.CompositeTableType<

backend/src/db/migrations/20240423023203_ldap-config-groups.ts

@@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.LdapGroupMap))) {
+    await knex.schema.createTable(TableName.LdapGroupMap, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("ldapConfigId").notNullable();
+      t.foreign("ldapConfigId").references("id").inTable(TableName.LdapConfig).onDelete("CASCADE");
+      t.string("ldapGroupCN").notNullable();
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.unique(["ldapGroupCN", "groupId", "ldapConfigId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.LdapGroupMap);
+
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("groupSearchBase").notNullable().defaultTo("");
+    t.string("groupSearchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.LdapGroupMap);
+  await dropOnUpdateTrigger(knex, TableName.LdapGroupMap);
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("groupSearchBase");
+    t.dropColumn("groupSearchFilter");
+  });
+}

backend/src/db/migrations/20240424235842_user-search-filter.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("searchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("searchFilter");
+  });
+}

backend/src/db/migrations/20240429154610_audit-log-index.ts

@@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist && doesCreatedAtExist) t.index(["projectId", "createdAt"]);
+      if (doesOrgIdExist && doesCreatedAtExist) t.index(["orgId", "createdAt"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist && doesCreatedAtExist) t.dropIndex(["projectId", "createdAt"]);
+      if (doesOrgIdExist && doesCreatedAtExist) t.dropIndex(["orgId", "createdAt"]);
+    });
+  }
+}

backend/src/db/schemas/index.ts

@@ -22,6 +22,7 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./ldap-configs";
+export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./org-bots";
 export * from "./org-memberships";

backend/src/db/schemas/ldap-configs.ts

@@ -23,7 +23,10 @@ export const LdapConfigsSchema = z.object({
   caCertIV: z.string(),
   caCertTag: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  groupSearchBase: z.string().default(""),
+  groupSearchFilter: z.string().default(""),
+  searchFilter: z.string().default("")
 });
 
 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;

backend/src/db/schemas/ldap-group-maps.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const LdapGroupMapsSchema = z.object({
+  id: z.string().uuid(),
+  ldapConfigId: z.string().uuid(),
+  ldapGroupCN: z.string(),
+  groupId: z.string().uuid()
+});
+
+export type TLdapGroupMaps = z.infer<typeof LdapGroupMapsSchema>;
+export type TLdapGroupMapsInsert = Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>;
+export type TLdapGroupMapsUpdate = Partial<Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/models.ts

@@ -60,6 +60,7 @@ export enum TableName {
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
   LdapConfig = "ldap_configs",
+  LdapGroupMap = "ldap_group_maps",
   AuditLog = "audit_logs",
   GitAppInstallSession = "git_app_install_sessions",
   GitAppOrg = "git_app_org",

backend/src/ee/routes/v1/ldap-router.ts

@@ -14,7 +14,9 @@ import { FastifyRequest } from "fastify";
 import LdapStrategy from "passport-ldapauth";
 import { z } from "zod";
 
-import { LdapConfigsSchema } from "@app/db/schemas";
+import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
+import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
+import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -50,20 +52,38 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req: IncomingMessage, user, cb) => {
         try {
+          const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
+
+          let groups: { dn: string; cn: string }[] | undefined;
+          if (ldapConfig.groupSearchBase) {
+            const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
+            const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
+              .replace(/{{\.Username}}/g, user.uid)
+              .replace(/{{\.UserDN}}/g, user.dn);
+
+            if (!isValidLdapFilter(groupSearchFilter)) {
+              throw new Error("Generated LDAP search filter is invalid.");
+            }
+
+            groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
+          }
+
           const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            ldapConfigId: ldapConfig.id,
             externalId: user.uidNumber,
             username: user.uid,
-            firstName: user.givenName,
-            lastName: user.sn,
+            firstName: user.givenName ?? user.cn ?? "",
+            lastName: user.sn ?? "",
             emails: user.mail ? [user.mail] : [],
+            groups,
             relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
             orgId: (req as unknown as FastifyRequest).ldapConfig.organization
           });
 
           return cb(null, { isUserCompleted, providerAuthToken });
-        } catch (err) {
-          logger.error(err);
-          return cb(err, false);
+        } catch (error) {
+          logger.error(error);
+          return cb(error, false);
         }
       }
     )
@@ -117,6 +137,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           bindDN: z.string(),
           bindPass: z.string(),
           searchBase: z.string(),
+          searchFilter: z.string(),
+          groupSearchBase: z.string(),
+          groupSearchFilter: z.string(),
           caCert: z.string()
         })
       }
@@ -148,6 +171,12 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         bindDN: z.string().trim(),
         bindPass: z.string().trim(),
         searchBase: z.string().trim(),
+        searchFilter: z.string().trim().default("(uid={{username}})"),
+        groupSearchBase: z.string().trim(),
+        groupSearchFilter: z
+          .string()
+          .trim()
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
         caCert: z.string().trim().default("")
       }),
       response: {
@@ -183,6 +212,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           bindDN: z.string().trim(),
           bindPass: z.string().trim(),
           searchBase: z.string().trim(),
+          searchFilter: z.string().trim(),
+          groupSearchBase: z.string().trim(),
+          groupSearchFilter: z.string().trim(),
           caCert: z.string().trim()
         })
         .partial()
@@ -204,4 +236,134 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       return ldap;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            id: z.string(),
+            ldapConfigId: z.string(),
+            ldapGroupCN: z.string(),
+            group: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            })
+          })
+        )
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMaps = await server.services.ldap.getLdapGroupMaps({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return ldapGroupMaps;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      body: z.object({
+        ldapGroupCN: z.string().trim(),
+        groupSlug: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.createLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ...req.body
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/config/:configId/group-maps/:groupMapId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim(),
+        groupMapId: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.deleteLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ldapGroupMapId: req.params.groupMapId
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/test-connection",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.boolean()
+      }
+    },
+    handler: async (req) => {
+      const result = await server.services.ldap.testLDAPConnection({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return result;
+    }
+  });
 };

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -0,0 +1,194 @@
+import {
+  AddUserToGroupCommand,
+  AttachUserPolicyCommand,
+  CreateAccessKeyCommand,
+  CreateUserCommand,
+  DeleteAccessKeyCommand,
+  DeleteUserCommand,
+  DeleteUserPolicyCommand,
+  DetachUserPolicyCommand,
+  GetUserCommand,
+  IAMClient,
+  ListAccessKeysCommand,
+  ListAttachedUserPoliciesCommand,
+  ListGroupsForUserCommand,
+  ListUserPoliciesCommand,
+  PutUserPolicyCommand,
+  RemoveUserFromGroupCommand
+} from "@aws-sdk/client-iam";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
+
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
+};
+
+export const AwsIamProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretAwsIamSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
+    const client = new IAMClient({
+      region: providerInputs.region,
+      credentials: {
+        accessKeyId: providerInputs.accessKey,
+        secretAccessKey: providerInputs.secretAccessKey
+      }
+    });
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const isConnected = await client.send(new GetUserCommand({})).then(() => true);
+    return isConnected;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const username = generateUsername();
+    const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
+    const createUserRes = await client.send(
+      new CreateUserCommand({
+        Path: awsPath,
+        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
+        Tags: [{ Key: "createdBy", Value: "infisical-dynamic-secret" }],
+        UserName: username
+      })
+    );
+    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
+    if (userGroups) {
+      await Promise.all(
+        userGroups
+          .split(",")
+          .filter(Boolean)
+          .map((group) =>
+            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
+          )
+      );
+    }
+    if (policyArns) {
+      await Promise.all(
+        policyArns
+          .split(",")
+          .filter(Boolean)
+          .map((policyArn) =>
+            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
+          )
+      );
+    }
+    if (policyDocument) {
+      await client.send(
+        new PutUserPolicyCommand({
+          UserName: createUserRes.User.UserName,
+          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
+          PolicyDocument: policyDocument
+        })
+      );
+    }
+
+    const createAccessKeyRes = await client.send(
+      new CreateAccessKeyCommand({
+        UserName: createUserRes.User.UserName
+      })
+    );
+    if (!createAccessKeyRes.AccessKey)
+      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+
+    return {
+      entityId: username,
+      data: {
+        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
+        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
+        USERNAME: username
+      }
+    };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const username = entityId;
+
+    // remove user from groups
+    const userGroups = await client.send(new ListGroupsForUserCommand({ UserName: username }));
+    await Promise.all(
+      (userGroups.Groups || []).map(({ GroupName }) =>
+        client.send(
+          new RemoveUserFromGroupCommand({
+            GroupName,
+            UserName: username
+          })
+        )
+      )
+    );
+
+    // remove user access keys
+    const userAccessKeys = await client.send(new ListAccessKeysCommand({ UserName: username }));
+    await Promise.all(
+      (userAccessKeys.AccessKeyMetadata || []).map(({ AccessKeyId }) =>
+        client.send(
+          new DeleteAccessKeyCommand({
+            AccessKeyId,
+            UserName: username
+          })
+        )
+      )
+    );
+
+    // remove user inline policies
+    const userInlinePolicies = await client.send(new ListUserPoliciesCommand({ UserName: username }));
+    await Promise.all(
+      (userInlinePolicies.PolicyNames || []).map((policyName) =>
+        client.send(
+          new DeleteUserPolicyCommand({
+            PolicyName: policyName,
+            UserName: username
+          })
+        )
+      )
+    );
+
+    // remove user attached  policies
+    const userAttachedPolicies = await client.send(new ListAttachedUserPoliciesCommand({ UserName: username }));
+    await Promise.all(
+      (userAttachedPolicies.AttachedPolicies || []).map((policy) =>
+        client.send(
+          new DetachUserPolicyCommand({
+            PolicyArn: policy.PolicyArn,
+            UserName: username
+          })
+        )
+      )
+    );
+
+    await client.send(new DeleteUserCommand({ UserName: username }));
+    return { entityId: username };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // do nothing
+    const username = entityId;
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,8 +1,10 @@
+import { AwsIamProvider } from "./aws-iam";
 import { CassandraProvider } from "./cassandra";
 import { DynamicSecretProviders } from "./models";
 import { SqlDatabaseProvider } from "./sql-database";
 
 export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
-  [DynamicSecretProviders.Cassandra]: CassandraProvider()
+  [DynamicSecretProviders.Cassandra]: CassandraProvider(),
+  [DynamicSecretProviders.AwsIam]: AwsIamProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -8,38 +8,51 @@ export enum SqlProviders {
 
 export const DynamicSecretSqlDBSchema = z.object({
   client: z.nativeEnum(SqlProviders),
-  host: z.string().toLowerCase(),
+  host: z.string().trim().toLowerCase(),
   port: z.number(),
-  database: z.string(),
-  username: z.string(),
-  password: z.string(),
-  creationStatement: z.string(),
-  revocationStatement: z.string(),
-  renewStatement: z.string().optional(),
+  database: z.string().trim(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim(),
+  renewStatement: z.string().trim().optional(),
   ca: z.string().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({
-  host: z.string().toLowerCase(),
+  host: z.string().trim().toLowerCase(),
   port: z.number(),
-  localDataCenter: z.string().min(1),
-  keyspace: z.string().optional(),
-  username: z.string(),
-  password: z.string(),
-  creationStatement: z.string(),
-  revocationStatement: z.string(),
-  renewStatement: z.string().optional(),
+  localDataCenter: z.string().trim().min(1),
+  keyspace: z.string().trim().optional(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim(),
+  renewStatement: z.string().trim().optional(),
   ca: z.string().optional()
 });
 
+export const DynamicSecretAwsIamSchema = z.object({
+  accessKey: z.string().trim().min(1),
+  secretAccessKey: z.string().trim().min(1),
+  region: z.string().trim().min(1),
+  awsPath: z.string().trim().optional(),
+  permissionBoundaryPolicyArn: z.string().trim().optional(),
+  policyDocument: z.string().trim().optional(),
+  userGroups: z.string().trim().optional(),
+  policyArns: z.string().trim().optional()
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
-  Cassandra = "cassandra"
+  Cassandra = "cassandra",
+  AwsIam = "aws-iam"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.AwsIam), inputs: DynamicSecretAwsIamSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/group/group-fns.ts

@@ -22,10 +22,6 @@ const addAcceptedUsersToGroup = async ({
   projectBotDAL,
   tx
 }: TAddUsersToGroup) => {
-  console.log("addAcceptedUsersToGroup args: ", {
-    userIds,
-    group
-  });
   const users = await userDAL.findUserEncKeyByUserIdsBatch(
     {
       userIds

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -2,6 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
 import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
+import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
+import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
+import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { getConfig } from "@app/lib/config/env";
 import {
   decryptSymmetric,
@@ -13,8 +16,12 @@ import {
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
@@ -23,16 +30,40 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TLdapConfigDALFactory } from "./ldap-config-dal";
-import { TCreateLdapCfgDTO, TGetLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";
+import {
+  TCreateLdapCfgDTO,
+  TCreateLdapGroupMapDTO,
+  TDeleteLdapGroupMapDTO,
+  TGetLdapCfgDTO,
+  TGetLdapGroupMapsDTO,
+  TLdapLoginDTO,
+  TTestLdapConnectionDTO,
+  TUpdateLdapCfgDTO
+} from "./ldap-config-types";
+import { testLDAPConfig } from "./ldap-fns";
+import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 
 type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: TLdapConfigDALFactory;
+  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
+  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
   >;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
+  groupDAL: Pick<TGroupDALFactory, "find" | "findOne">;
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  userGroupMembershipDAL: Pick<
+    TUserGroupMembershipDALFactory,
+    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
+  >;
+  userDAL: Pick<
+    TUserDALFactory,
+    "create" | "findOne" | "transaction" | "updateById" | "findUserEncKeyByUserIdsBatch" | "find"
+  >;
   userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -42,8 +73,15 @@ export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFacto
 
 export const ldapConfigServiceFactory = ({
   ldapConfigDAL,
+  ldapGroupMapDAL,
   orgDAL,
   orgBotDAL,
+  groupDAL,
+  groupProjectDAL,
+  projectKeyDAL,
+  projectDAL,
+  projectBotDAL,
+  userGroupMembershipDAL,
   userDAL,
   userAliasDAL,
   permissionService,
@@ -60,6 +98,9 @@ export const ldapConfigServiceFactory = ({
     bindDN,
     bindPass,
     searchBase,
+    searchFilter,
+    groupSearchBase,
+    groupSearchFilter,
     caCert
   }: TCreateLdapCfgDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -135,6 +176,9 @@ export const ldapConfigServiceFactory = ({
       bindPassIV,
       bindPassTag,
       searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter,
       encryptedCACert,
       caCertIV,
       caCertTag
@@ -154,6 +198,9 @@ export const ldapConfigServiceFactory = ({
     bindDN,
     bindPass,
     searchBase,
+    searchFilter,
+    groupSearchBase,
+    groupSearchFilter,
     caCert
   }: TUpdateLdapCfgDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -169,7 +216,10 @@ export const ldapConfigServiceFactory = ({
     const updateQuery: TLdapConfigsUpdate = {
       isActive,
       url,
-      searchBase
+      searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter
     };
 
     const orgBot = await orgBotDAL.findOne({ orgId });
@@ -271,6 +321,9 @@ export const ldapConfigServiceFactory = ({
       bindDN,
       bindPass,
       searchBase: ldapConfig.searchBase,
+      searchFilter: ldapConfig.searchFilter,
+      groupSearchBase: ldapConfig.groupSearchBase,
+      groupSearchFilter: ldapConfig.groupSearchFilter,
       caCert
     };
   };
@@ -304,8 +357,8 @@ export const ldapConfigServiceFactory = ({
         bindDN: ldapConfig.bindDN,
         bindCredentials: ldapConfig.bindPass,
         searchBase: ldapConfig.searchBase,
-        searchFilter: "(uid={{username}})",
-        searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
+        searchFilter: ldapConfig.searchFilter || "(uid={{username}})",
+        // searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
         ...(ldapConfig.caCert !== ""
           ? {
               tlsOptions: {
@@ -320,7 +373,17 @@ export const ldapConfigServiceFactory = ({
     return { opts, ldapConfig };
   };
 
-  const ldapLogin = async ({ externalId, username, firstName, lastName, emails, orgId, relayState }: TLdapLoginDTO) => {
+  const ldapLogin = async ({
+    ldapConfigId,
+    externalId,
+    username,
+    firstName,
+    lastName,
+    emails,
+    groups,
+    orgId,
+    relayState
+  }: TLdapLoginDTO) => {
     const appCfg = getConfig();
     let userAlias = await userAliasDAL.findOne({
       externalId,
@@ -394,7 +457,84 @@ export const ldapConfigServiceFactory = ({
       });
     }
 
-    const user = await userDAL.findOne({ id: userAlias.userId });
+    const user = await userDAL.transaction(async (tx) => {
+      const newUser = await userDAL.findOne({ id: userAlias.userId }, tx);
+      if (groups) {
+        const ldapGroupIdsToBePartOf = (
+          await ldapGroupMapDAL.find({
+            ldapConfigId,
+            $in: {
+              ldapGroupCN: groups.map((group) => group.cn)
+            }
+          })
+        ).map((groupMap) => groupMap.groupId);
+
+        const groupsToBePartOf = await groupDAL.find({
+          orgId,
+          $in: {
+            id: ldapGroupIdsToBePartOf
+          }
+        });
+        const toBePartOfGroupIdsSet = new Set(groupsToBePartOf.map((groupToBePartOf) => groupToBePartOf.id));
+
+        const allLdapGroupMaps = await ldapGroupMapDAL.find({
+          ldapConfigId
+        });
+
+        const ldapGroupIdsCurrentlyPartOf = (
+          await userGroupMembershipDAL.find({
+            userId: newUser.id,
+            $in: {
+              groupId: allLdapGroupMaps.map((groupMap) => groupMap.groupId)
+            }
+          })
+        ).map((userGroupMembership) => userGroupMembership.groupId);
+
+        const userGroupMembershipGroupIdsSet = new Set(ldapGroupIdsCurrentlyPartOf);
+
+        for await (const group of groupsToBePartOf) {
+          if (!userGroupMembershipGroupIdsSet.has(group.id)) {
+            // add user to group that they should be part of
+            await addUsersToGroupByUserIds({
+              group,
+              userIds: [newUser.id],
+              userDAL,
+              userGroupMembershipDAL,
+              orgDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              projectDAL,
+              projectBotDAL,
+              tx
+            });
+          }
+        }
+
+        const groupsCurrentlyPartOf = await groupDAL.find({
+          orgId,
+          $in: {
+            id: ldapGroupIdsCurrentlyPartOf
+          }
+        });
+
+        for await (const group of groupsCurrentlyPartOf) {
+          if (!toBePartOfGroupIdsSet.has(group.id)) {
+            // remove user from group that they should no longer be part of
+            await removeUsersFromGroupByUserIds({
+              group,
+              userIds: [newUser.id],
+              userDAL,
+              userGroupMembershipDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              tx
+            });
+          }
+        }
+      }
+
+      return newUser;
+    });
 
     const isUserCompleted = Boolean(user.isAccepted);
 
@@ -424,6 +564,116 @@ export const ldapConfigServiceFactory = ({
     return { isUserCompleted, providerAuthToken };
   };
 
+  const getLdapGroupMaps = async ({
+    ldapConfigId,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetLdapGroupMapsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const groupMaps = await ldapGroupMapDAL.findLdapGroupMapsByLdapConfigId(ldapConfigId);
+
+    return groupMaps;
+  };
+
+  const createLdapGroupMap = async ({
+    ldapConfigId,
+    ldapGroupCN,
+    groupSlug,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateLdapGroupMapDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to create LDAP group map due to plan restriction. Upgrade plan to create LDAP group map."
+      });
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const group = await groupDAL.findOne({ slug: groupSlug, orgId });
+    if (!group) throw new BadRequestError({ message: "Failed to find group" });
+
+    const groupMap = await ldapGroupMapDAL.create({
+      ldapConfigId,
+      ldapGroupCN,
+      groupId: group.id
+    });
+
+    return groupMap;
+  };
+
+  const deleteLdapGroupMap = async ({
+    ldapConfigId,
+    ldapGroupMapId,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteLdapGroupMapDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to delete LDAP group map due to plan restriction. Upgrade plan to delete LDAP group map."
+      });
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const [deletedGroupMap] = await ldapGroupMapDAL.delete({
+      ldapConfigId: ldapConfig.id,
+      id: ldapGroupMapId
+    });
+
+    return deletedGroupMap;
+  };
+
+  const testLDAPConnection = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TTestLdapConnectionDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to test LDAP connection due to plan restriction. Upgrade plan to test the LDAP connection."
+      });
+
+    const ldapConfig = await getLdapCfg({
+      orgId
+    });
+
+    return testLDAPConfig(ldapConfig);
+  };
+
   return {
     createLdapCfg,
     updateLdapCfg,
@@ -431,6 +681,10 @@ export const ldapConfigServiceFactory = ({
     getLdapCfg,
     // getLdapPassportOpts,
     ldapLogin,
-    bootLdap
+    bootLdap,
+    getLdapGroupMaps,
+    createLdapGroupMap,
+    deleteLdapGroupMap,
+    testLDAPConnection
   };
 };

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -1,5 +1,18 @@
 import { TOrgPermission } from "@app/lib/types";
 
+export type TLDAPConfig = {
+  id: string;
+  organization: string;
+  isActive: boolean;
+  url: string;
+  bindDN: string;
+  bindPass: string;
+  searchBase: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
+  caCert: string;
+};
+
 export type TCreateLdapCfgDTO = {
   orgId: string;
   isActive: boolean;
@@ -7,6 +20,9 @@ export type TCreateLdapCfgDTO = {
   bindDN: string;
   bindPass: string;
   searchBase: string;
+  searchFilter: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
   caCert: string;
 } & TOrgPermission;
 
@@ -18,6 +34,9 @@ export type TUpdateLdapCfgDTO = {
   bindDN: string;
   bindPass: string;
   searchBase: string;
+  searchFilter: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
   caCert: string;
 }> &
   TOrgPermission;
@@ -27,11 +46,35 @@ export type TGetLdapCfgDTO = {
 } & TOrgPermission;
 
 export type TLdapLoginDTO = {
+  ldapConfigId: string;
   externalId: string;
   username: string;
   firstName: string;
   lastName: string;
   emails: string[];
   orgId: string;
+  groups?: {
+    dn: string;
+    cn: string;
+  }[];
   relayState?: string;
 };
+
+export type TGetLdapGroupMapsDTO = {
+  ldapConfigId: string;
+} & TOrgPermission;
+
+export type TCreateLdapGroupMapDTO = {
+  ldapConfigId: string;
+  ldapGroupCN: string;
+  groupSlug: string;
+} & TOrgPermission;
+
+export type TDeleteLdapGroupMapDTO = {
+  ldapConfigId: string;
+  ldapGroupMapId: string;
+} & TOrgPermission;
+
+export type TTestLdapConnectionDTO = {
+  ldapConfigId: string;
+} & TOrgPermission;

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -0,0 +1,119 @@
+import ldapjs from "ldapjs";
+
+import { logger } from "@app/lib/logger";
+
+import { TLDAPConfig } from "./ldap-config-types";
+
+export const isValidLdapFilter = (filter: string) => {
+  try {
+    ldapjs.parseFilter(filter);
+    return true;
+  } catch (error) {
+    logger.error("Invalid LDAP filter");
+    logger.error(error);
+    return false;
+  }
+};
+
+/**
+ * Test the LDAP configuration by attempting to bind to the LDAP server
+ * @param ldapConfig - The LDAP configuration to test
+ * @returns {Boolean} isConnected - Whether or not the connection was successful
+ */
+export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean> => {
+  return new Promise((resolve) => {
+    const ldapClient = ldapjs.createClient({
+      url: ldapConfig.url,
+      bindDN: ldapConfig.bindDN,
+      bindCredentials: ldapConfig.bindPass,
+      ...(ldapConfig.caCert !== ""
+        ? {
+            tlsOptions: {
+              ca: [ldapConfig.caCert]
+            }
+          }
+        : {})
+    });
+
+    ldapClient.on("error", (err) => {
+      logger.error("LDAP client error:", err);
+      logger.error(err);
+      resolve(false);
+    });
+
+    ldapClient.bind(ldapConfig.bindDN, ldapConfig.bindPass, (err) => {
+      if (err) {
+        logger.error("Error binding to LDAP");
+        logger.error(err);
+        ldapClient.unbind();
+        resolve(false);
+      } else {
+        logger.info("Successfully connected and bound to LDAP.");
+        ldapClient.unbind();
+        resolve(true);
+      }
+    });
+  });
+};
+
+/**
+ * Search for groups in the LDAP server
+ * @param ldapConfig - The LDAP configuration to use
+ * @param filter - The filter to use when searching for groups
+ * @param base - The base to search from
+ * @returns
+ */
+export const searchGroups = async (
+  ldapConfig: TLDAPConfig,
+  filter: string,
+  base: string
+): Promise<{ dn: string; cn: string }[]> => {
+  return new Promise((resolve, reject) => {
+    const ldapClient = ldapjs.createClient({
+      url: ldapConfig.url,
+      bindDN: ldapConfig.bindDN,
+      bindCredentials: ldapConfig.bindPass,
+      ...(ldapConfig.caCert !== ""
+        ? {
+            tlsOptions: {
+              ca: [ldapConfig.caCert]
+            }
+          }
+        : {})
+    });
+
+    ldapClient.search(
+      base,
+      {
+        filter,
+        scope: "sub"
+      },
+      (err, res) => {
+        if (err) {
+          ldapClient.unbind();
+          return reject(err);
+        }
+
+        const groups: { dn: string; cn: string }[] = [];
+
+        res.on("searchEntry", (entry) => {
+          const dn = entry.dn.toString();
+          const regex = /cn=([^,]+)/;
+          const match = dn.match(regex);
+          // parse the cn from the dn
+          const cn = (match && match[1]) as string;
+
+          groups.push({ dn, cn });
+        });
+        res.on("error", (error) => {
+          ldapClient.unbind();
+          reject(error);
+        });
+        res.on("end", () => {
+          ldapClient.unbind();
+          resolve(groups);
+        });
+      }
+    );
+  });
+};

backend/src/ee/services/ldap-config/ldap-group-map-dal.ts

@@ -0,0 +1,41 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TLdapGroupMapDALFactory = ReturnType<typeof ldapGroupMapDALFactory>;
+
+export const ldapGroupMapDALFactory = (db: TDbClient) => {
+  const ldapGroupMapOrm = ormify(db, TableName.LdapGroupMap);
+
+  const findLdapGroupMapsByLdapConfigId = async (ldapConfigId: string) => {
+    try {
+      const docs = await db(TableName.LdapGroupMap)
+        .where(`${TableName.LdapGroupMap}.ldapConfigId`, ldapConfigId)
+        .join(TableName.Groups, `${TableName.LdapGroupMap}.groupId`, `${TableName.Groups}.id`)
+        .select(selectAllTableCols(TableName.LdapGroupMap))
+        .select(
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
+        );
+
+      return docs.map((doc) => {
+        return {
+          id: doc.id,
+          ldapConfigId: doc.ldapConfigId,
+          ldapGroupCN: doc.ldapGroupCN,
+          group: {
+            id: doc.groupId,
+            name: doc.groupName,
+            slug: doc.groupSlug
+          }
+        };
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findGroupMaps" });
+    }
+  };
+
+  return { ...ldapGroupMapOrm, findLdapGroupMapsByLdapConfigId };
+};

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -340,11 +340,12 @@ export const samlConfigServiceFactory = ({
               orgId,
               inviteEmail: email,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited) {
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
           await orgDAL.updateMembershipById(
             orgMembership.id,
             {

backend/src/server/config/rateLimiter.ts

@@ -36,7 +36,7 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 600,
+  max: 1000,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/routes/index.ts

@@ -18,6 +18,7 @@ import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/i
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
+import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
@@ -200,6 +201,7 @@ export const registerRoutes = async (
   const samlConfigDAL = samlConfigDALFactory(db);
   const scimDAL = scimDALFactory(db);
   const ldapConfigDAL = ldapConfigDALFactory(db);
+  const ldapGroupMapDAL = ldapGroupMapDALFactory(db);
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -300,8 +302,15 @@ export const registerRoutes = async (
 
   const ldapService = ldapConfigServiceFactory({
     ldapConfigDAL,
+    ldapGroupMapDAL,
     orgDAL,
     orgBotDAL,
+    groupDAL,
+    groupProjectDAL,
+    projectKeyDAL,
+    projectDAL,
+    projectBotDAL,
+    userGroupMembershipDAL,
     userDAL,
     userAliasDAL,
     permissionService,

backend/src/server/routes/v1/project-env-router.ts

@@ -1,3 +1,4 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
@@ -26,7 +27,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
-        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
+        slug: z
+          .string()
+          .trim()
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .describe(ENVIRONMENTS.CREATE.slug)
       }),
       response: {
         200: z.object({
@@ -84,7 +91,14 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
       }),
       body: z.object({
-        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
+        slug: z
+          .string()
+          .trim()
+          .optional()
+          .refine((v) => !v || slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .describe(ENVIRONMENTS.UPDATE.slug),
         name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
         position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
       }),

backend/src/services/auth/auth-login-service.ts

@@ -191,7 +191,7 @@ export const authLoginServiceFactory = ({
       const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
 
       authMethod = decodedProviderToken.authMethod;
-      if (isAuthMethodSaml(authMethod) && decodedProviderToken.orgId) {
+      if ((isAuthMethodSaml(authMethod) || authMethod === AuthMethod.LDAP) && decodedProviderToken.orgId) {
         organizationId = decodedProviderToken.orgId;
       }
     }

backend/src/services/auth/auth-signup-service.ts

@@ -4,6 +4,7 @@ import { OrgMembershipStatus } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -139,9 +140,11 @@ export const authSignupServiceFactory = ({
       throw new Error("Failed to complete account for complete user");
     }
 
-    let organizationId;
+    let organizationId: string | null = null;
+    let authMethod: AuthMethod | null = null;
     if (providerAuthToken) {
-      const { orgId } = validateProviderAuthToken(providerAuthToken, user.username);
+      const { orgId, authMethod: userAuthMethod } = validateProviderAuthToken(providerAuthToken, user.username);
+      authMethod = userAuthMethod;
       organizationId = orgId;
     } else {
       validateSignUpAuthorization(authorization, user.id);
@@ -165,6 +168,26 @@ export const authSignupServiceFactory = ({
         },
         tx
       );
+      // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
+      if (isAuthMethodSaml(authMethod) && organizationId) {
+        const [pendingOrgMembership] = await orgDAL.findMembership({
+          inviteEmail: email,
+          userId: user.id,
+          status: OrgMembershipStatus.Invited,
+          orgId: organizationId
+        });
+
+        if (pendingOrgMembership) {
+          await orgDAL.updateMembershipById(
+            pendingOrgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+      }
+
       return { info: us, key: userEncKey };
     });
 

backend/src/services/integration-auth/integration-auth-service.ts

@@ -566,20 +566,32 @@ export const integrationAuthServiceFactory = ({
       }
     });
     const kms = new AWS.KMS();
-
     const aliases = await kms.listAliases({}).promise();
-    const keys = await kms.listKeys({}).promise();
-    const response = keys
-      .Keys!.map((key) => {
-        const keyAlias = aliases.Aliases!.find((alias) => key.KeyId === alias.TargetKeyId);
-        if (!keyAlias?.AliasName?.includes("alias/aws/") || keyAlias?.AliasName?.includes("alias/aws/secretsmanager")) {
-          return { id: String(key.KeyId), alias: String(keyAlias?.AliasName || key.KeyId) };
-        }
-        return { id: "null", alias: "null" };
-      })
-      .filter((elem) => elem.id !== "null");
 
-    return response;
+    const keyAliases = aliases.Aliases!.filter((alias) => {
+      if (!alias.TargetKeyId) return false;
+
+      if (integrationAuth.integration === Integrations.AWS_PARAMETER_STORE && alias.AliasName === "alias/aws/ssm")
+        return true;
+
+      if (
+        integrationAuth.integration === Integrations.AWS_SECRET_MANAGER &&
+        alias.AliasName === "alias/aws/secretsmanager"
+      )
+        return true;
+
+      if (alias.AliasName?.includes("alias/aws/")) return false;
+      return alias.TargetKeyId;
+    });
+
+    const keysWithAliases = keyAliases.map((alias) => {
+      return {
+        id: alias.TargetKeyId!,
+        alias: alias.AliasName!
+      };
+    });
+
+    return keysWithAliases;
   };
 
   const getQoveryProjects = async ({

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -458,7 +458,7 @@ const syncSecretsAWSParameterStore = async ({
   });
   ssm.config.update(config);
 
-  const metadata = z.record(z.any()).parse(integration.metadata);
+  const metadata = z.record(z.any()).parse(integration.metadata || {});
 
   const params = {
     Path: integration.path as string,
@@ -477,24 +477,29 @@ const syncSecretsAWSParameterStore = async ({
       }),
       {} as Record<string, AWS.SSM.Parameter>
     );
-
   // Identify secrets to create
   await Promise.all(
     Object.keys(secrets).map(async (key) => {
       if (!(key in awsParameterStoreSecretsObj)) {
         // case: secret does not exist in AWS parameter store
         // -> create secret
-        await ssm
-          .putParameter({
-            Name: `${integration.path}${key}`,
-            Type: "SecureString",
-            Value: secrets[key].value,
-            // Overwrite: true,
-            Tags: metadata.secretAWSTag
-              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-              : []
-          })
-          .promise();
+        if (secrets[key].value) {
+          await ssm
+            .putParameter({
+              Name: `${integration.path}${key}`,
+              Type: "SecureString",
+              Value: secrets[key].value,
+              ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId }),
+              // Overwrite: true,
+              Tags: metadata.secretAWSTag
+                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
+                    Key: tag.key,
+                    Value: tag.value
+                  }))
+                : []
+            })
+            .promise();
+        }
         // case: secret exists in AWS parameter store
       } else if (awsParameterStoreSecretsObj[key].Value !== secrets[key].value) {
         // case: secret value doesn't match one in AWS parameter store
@@ -544,7 +549,7 @@ const syncSecretsAWSSecretManager = async ({
 }) => {
   let secretsManager;
   const secKeyVal = getSecretKeyValuePair(secrets);
-  const metadata = z.record(z.any()).parse(integration.metadata);
+  const metadata = z.record(z.any()).parse(integration.metadata || {});
   try {
     if (!accessId) return;
 
@@ -567,7 +572,6 @@ const syncSecretsAWSSecretManager = async ({
     if (awsSecretManagerSecret?.SecretString) {
       awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
-
     if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
       await secretsManager.send(
         new UpdateSecretCommand({
@@ -582,7 +586,7 @@ const syncSecretsAWSSecretManager = async ({
         new CreateSecretCommand({
           Name: integration.app as string,
           SecretString: JSON.stringify(secKeyVal),
-          KmsKeyId: metadata.kmsKeyId ? metadata.kmsKeyId : null,
+          ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
           Tags: metadata.secretAWSTag
             ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
             : []

backend/src/services/secret-import/secret-import-fns.ts

@@ -1,33 +1,66 @@
-import { SecretType, TSecretImports } from "@app/db/schemas";
+import { SecretType, TSecretImports, TSecrets } from "@app/db/schemas";
 import { groupBy } from "@app/lib/fn";
 
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "./secret-import-dal";
 
+type TSecretImportSecrets = {
+  secretPath: string;
+  environment: string;
+  environmentInfo: {
+    id: string;
+    slug: string;
+    name: string;
+  };
+  folderId: string | undefined;
+  importFolderId: string;
+  secrets: (TSecrets & { workspace: string; environment: string; _id: string })[];
+};
+
+const LEVEL_BREAK = 10;
+const getImportUniqKey = (envSlug: string, path: string) => `${envSlug}=${path}`;
 export const fnSecretsFromImports = async ({
-  allowedImports,
+  allowedImports: possibleCyclicImports,
   folderDAL,
-  secretDAL
+  secretDAL,
+  secretImportDAL,
+  depth = 0,
+  cyclicDetector = new Set()
 }: {
   allowedImports: (Omit<TSecretImports, "importEnv"> & {
     importEnv: { id: string; slug: string; name: string };
   })[];
   folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">;
   secretDAL: Pick<TSecretDALFactory, "find">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "findByFolderIds">;
+  depth?: number;
+  cyclicDetector?: Set<string>;
 }) => {
-  const importedFolders = await folderDAL.findByManySecretPath(
-    allowedImports.map(({ importEnv, importPath }) => ({
-      envId: importEnv.id,
-      secretPath: importPath
-    }))
+  // avoid going more than a depth
+  if (depth >= LEVEL_BREAK) return [];
+
+  const allowedImports = possibleCyclicImports.filter(
+    ({ importPath, importEnv }) => !cyclicDetector.has(getImportUniqKey(importEnv.slug, importPath))
   );
-  const folderIds = importedFolders.map((el) => el?.id).filter(Boolean) as string[];
-  if (!folderIds.length) {
+
+  const importedFolders = (
+    await folderDAL.findByManySecretPath(
+      allowedImports.map(({ importEnv, importPath }) => ({
+        envId: importEnv.id,
+        secretPath: importPath
+      }))
+    )
+  ).filter(Boolean); // remove undefined ones
+  if (!importedFolders.length) {
     return [];
   }
+
+  const importedFolderIds = importedFolders.map((el) => el?.id) as string[];
+  const importedFolderGroupBySourceImport = groupBy(importedFolders, (i) => `${i?.envId}-${i?.path}`);
   const importedSecrets = await secretDAL.find(
     {
-      $in: { folderId: folderIds },
+      $in: { folderId: importedFolderIds },
       type: SecretType.Shared
     },
     {
@@ -35,18 +68,50 @@ export const fnSecretsFromImports = async ({
     }
   );
 
-  const importedSecsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
-  return allowedImports.map(({ importPath, importEnv }, i) => ({
-    secretPath: importPath,
-    environment: importEnv.slug,
-    environmentInfo: importEnv,
-    folderId: importedFolders?.[i]?.id,
-    // this will ensure for cases when secrets are empty. Could be due to missing folder for a path or when emtpy secrets inside a given path
-    secrets: (importedSecsGroupByFolderId?.[importedFolders?.[i]?.id as string] || []).map((item) => ({
-      ...item,
+  const importedSecretsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
+
+  allowedImports.forEach(({ importPath, importEnv }) => {
+    cyclicDetector.add(getImportUniqKey(importEnv.slug, importPath));
+  });
+  // now we need to check recursively deeper imports made inside other imports
+  // we go level wise meaning we take all imports of a tree level and then go deeper ones level by level
+  const deeperImports = await secretImportDAL.findByFolderIds(importedFolderIds);
+  let secretsFromDeeperImports: TSecretImportSecrets[] = [];
+  if (deeperImports.length) {
+    secretsFromDeeperImports = await fnSecretsFromImports({
+      allowedImports: deeperImports,
+      secretImportDAL,
+      folderDAL,
+      secretDAL,
+      depth: depth + 1,
+      cyclicDetector
+    });
+  }
+  const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);
+
+  const secrets = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
+    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`][0];
+    const folderDeeperImportSecrets =
+      secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
+
+    return {
+      secretPath: importPath,
       environment: importEnv.slug,
-      workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-      _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-    }))
-  }));
+      environmentInfo: importEnv,
+      folderId: importedFolders?.[i]?.id,
+      id,
+      importFolderId: folderId,
+      // this will ensure for cases when secrets are empty. Could be due to missing folder for a path or when emtpy secrets inside a given path
+      secrets: (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
+        .map((item) => ({
+          ...item,
+          environment: importEnv.slug,
+          workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+          _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+        }))
+        .concat(folderDeeperImportSecrets)
+    };
+  });
+
+  return secrets;
 };

backend/src/services/secret-import/secret-import-service.ts

@@ -290,7 +290,7 @@ export const secretImportServiceFactory = ({
         })
       )
     );
-    return fnSecretsFromImports({ allowedImports, folderDAL, secretDAL });
+    return fnSecretsFromImports({ allowedImports, folderDAL, secretDAL, secretImportDAL });
   };
 
   return {

backend/src/services/secret/secret-queue.ts

@@ -318,7 +318,7 @@ export const secretQueueFactory = ({
         });
 
         // add the imported secrets to the current folder secrets
-        content = { ...content, ...importedSecrets };
+        content = { ...importedSecrets, ...content };
       }
     }
 

backend/src/services/secret/secret-service.ts

@@ -525,7 +525,8 @@ export const secretServiceFactory = ({
       const importedSecrets = await fnSecretsFromImports({
         allowedImports,
         secretDAL,
-        folderDAL
+        folderDAL,
+        secretImportDAL
       });
 
       return {
@@ -630,7 +631,8 @@ export const secretServiceFactory = ({
       const importedSecrets = await fnSecretsFromImports({
         allowedImports,
         secretDAL,
-        folderDAL
+        folderDAL,
+        secretImportDAL
       });
       for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
         for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {

cli/packages/cmd/folder.go

@@ -22,10 +22,6 @@ var folderCmd = &cobra.Command{
 var getCmd = &cobra.Command{
 	Use:   "get",
 	Short: "Get folders in a directory",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		util.RequireLocalWorkspaceFile()
-		util.RequireLogin()
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 
 		environmentName, _ := cmd.Flags().GetString("env")

cli/packages/cmd/secrets.go

@@ -7,6 +7,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"os"
 	"regexp"
 	"sort"
 	"strings"
@@ -204,8 +205,10 @@ var secretsSetCmd = &cobra.Command{
 		// decrypt workspace key
 		plainTextEncryptionKey := crypto.DecryptAsymmetric(encryptedWorkspaceKey, encryptedWorkspaceKeyNonce, encryptedWorkspaceKeySenderPublicKey, currentUsersPrivateKey)
 
+		infisicalTokenEnv := os.Getenv(util.INFISICAL_TOKEN_NAME)
+
 		// pull current secrets
-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath}, "")
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath, InfisicalToken: infisicalTokenEnv}, "")
 		if err != nil {
 			util.HandleError(err, "unable to retrieve secrets")
 		}

cli/packages/util/folders.go

@@ -2,7 +2,6 @@ package util
 
 import (
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/Infisical/infisical-merge/packages/api"
@@ -13,13 +12,11 @@ import (
 
 func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder, error) {
 
-	if params.InfisicalToken == "" {
-		params.InfisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
-	}
-
 	var foldersToReturn []models.SingleFolder
 	var folderErr error
 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {
+		RequireLogin()
+		RequireLocalWorkspaceFile()
 
 		log.Debug().Msg("GetAllFolders: Trying to fetch folders using logged in details")
 

cli/packages/util/secrets.go

@@ -307,10 +307,6 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 }
 
 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
-	if params.InfisicalToken == "" {
-		params.InfisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
-	}
-
 	isConnected := CheckIsConnectedToInternet()
 	var secretsToReturn []models.SingleEnvironmentVariable
 	// var serviceTokenDetails api.GetServiceTokenDetailsResponse

company/documentation/getting-started/introduction.mdx

@@ -0,0 +1,97 @@
+---
+title: "What is Infisical?"
+sidebarTitle: "What is Infisical?"
+description: "An Introduction to the Infisical secret management platform."
+---
+
+Infisical is an [open-source](https://github.com/infisical/infisical) secret management platform for developers. 
+It provides capabilities for  storing, managing, and syncing application configuration and secrets like API keys, database 
+credentials, and certificates across infrastructure. In addition, Infisical prevents secrets leaks to git and enables secure 
+sharing of secrets among engineers.
+
+Start managing secrets securely with [Infisical Cloud](https://app.infisical.com) or learn how to [host Infisical](/self-hosting/overview) yourself.
+
+<CardGroup cols={2}>
+    <Card
+        title="Infisical Cloud"
+        href="https://app.infisical.com/signup"
+        icon="cloud"
+        color="#000000"
+    >
+        Get started with Infisical Cloud in just a few minutes.
+    </Card>
+    <Card 
+        href="/self-hosting/overview" 
+        title="Self-hosting" 
+        icon="server" 
+        color="#000000"
+    >
+        Self-host Infisical on your own infrastructure.
+    </Card>
+</CardGroup>
+
+## Why Infisical? 
+
+Infisical helps developers achieve secure centralized secret management and provides all the tools to easily manage secrets in various environments and infrastructure components. In particular, here are some of the most common points that developers mention after adopting Infisical: 
+- Streamlined **local development** processes (switching .env files to [Infisical CLI](/cli/commands/run) and removing secrets from developer machines).
+- **Best-in-class developer experience** with an easy-to-use [Web Dashboard](/documentation/platform/project). 
+- Simple secret management inside **[CI/CD pipelines](/integrations/cicd/githubactions)** and staging environments. 
+- Secure and compliant secret management practices in **[production environments](/sdks/overview)**. 
+- **Facilitated workflows** around [secret change management](/documentation/platform/pr-workflows), [access requests](/documentation/platform/access-controls/access-requests), [temporary access provisioning](/documentation/platform/access-controls/temporary-access), and more.
+- **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.
+
+## How does Infisical work? 
+
+To make secret management effortless and secure, Infisical follows a certain structure for enabling secret management workflows as defined below. 
+
+**Identities** in Infisical are users or machine which have a certain set of roles and permissions assigned to them. Such identities are able to manage secrets in various **Clients** throughout the entire infrastructure. To do that, identities have to verify themselves through one of the available **Authentication Methods**. 
+
+As a result, the 3 main concepts that are important to understand are: 
+- **[Identities](/documentation/platform/identities/overview)**: users or machines with a set permissions assigned to them. 
+- **[Clients](/integrations/platforms/kubernetes)**: Infisical-developed tools for managing secrets in various infrastructure components (e.g., [Kubernetes Operator](/integrations/platforms/kubernetes), [Infisical Agent](/integrations/platforms/infisical-agent), [CLI](/cli/usage), [SDKs](/sdks/overview), [API](/api-reference/overview/introduction), [Web Dashboard](/documentation/platform/organization)).
+- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, etc.).
+
+## How to get started with Infisical? 
+
+Depending on your use case, it might be helpful to look into some of the resources and guides provided below.
+
+<CardGroup cols={2}>
+  <Card href="../../cli/overview" title="Command Line Interface (CLI)" icon="square-terminal" color="#000000">
+    Inject secrets into any application process/environment.
+  </Card>
+  <Card
+    title="SDKs"
+    href="/documentation/getting-started/sdks"
+    icon="boxes-stacked"
+    color="#000000"
+  >
+    Fetch secrets with any programming language on demand.
+  </Card>
+  <Card href="../../integrations/platforms/docker-intro" title="Docker" icon="docker" color="#000000">
+    Inject secrets into Docker containers.
+  </Card>
+  <Card
+    href="../../integrations/platforms/kubernetes"
+    title="Kubernetes"
+    icon="server"
+    color="#000000"
+  >
+    Fetch and save secrets as native Kubernetes secrets.
+  </Card>
+  <Card
+    href="/documentation/getting-started/api"
+    title="REST API"
+    icon="cloud"
+    color="#000000"
+  >
+    Fetch secrets via HTTP request.
+  </Card>
+  <Card
+    href="/integrations/overview"
+    title="Native Integrations"
+    icon="clouds"
+    color="#000000"
+  >
+    Explore integrations for GitHub, Vercel, AWS, and more.
+  </Card>
+</CardGroup>

company/mint.json

@@ -0,0 +1,80 @@
+{
+  "name": "Infisical",
+  "openapi": "https://app.infisical.com/api/docs/json",
+  "logo": {
+    "dark": "/logo/dark.svg",
+    "light": "/logo/light.svg",
+    "href": "https://infisical.com"
+  },
+  "favicon": "/favicon.png",
+  "colors": {
+    "primary": "#26272b",
+    "light": "#97b31d",
+    "dark": "#A1B659",
+    "ultraLight": "#E7F256",
+    "ultraDark": "#8D9F4C",
+    "background": {
+      "light": "#ffffff",
+      "dark": "#0D1117"
+    },
+    "anchors": {
+      "from": "#000000",
+      "to": "#707174"
+    }
+  },
+  "modeToggle": {
+    "default": "light",
+    "isHidden": true
+  },
+  "feedback": {
+    "suggestEdit": true,
+    "raiseIssue": true,
+    "thumbsRating": true
+  },
+  "api": {
+    "baseUrl": ["https://app.infisical.com", "http://localhost:8080"]
+  },
+  "topbarLinks": [
+    {
+      "name": "Log In",
+      "url": "https://app.infisical.com/login"
+    }
+  ],
+  "topbarCtaButton": {
+    "name": "Start for Free",
+    "url": "https://app.infisical.com/signup"
+  },
+  "tabs": [
+    {
+      "name": "Integrations",
+      "url": "integrations"
+    },
+    {
+      "name": "CLI",
+      "url": "cli"
+    },
+    {
+      "name": "API Reference",
+      "url": "api-reference"
+    },
+    {
+      "name": "SDKs",
+      "url": "sdks"
+    },
+    {
+      "name": "Changelog",
+      "url": "changelog"
+    }
+  ],
+  "navigation": [
+    {
+      "group": "Getting Started",
+      "pages": [
+        "documentation/getting-started/introduction"
+      ]
+    }
+  ],
+  "integrations": {
+    "intercom": "hsg644ru"
+  }
+}

company/style.css

@@ -0,0 +1,142 @@
+#navbar .max-w-8xl {
+  max-width: 100%;
+  border-bottom: 1px solid #ebebeb;
+  background-color: #fcfcfc;
+}
+
+.max-w-8xl {
+  /* background-color: #f5f5f5; */
+}
+
+#sidebar {
+  left: 0;
+  padding-left: 48px;
+  padding-right: 30px;
+  border-right: 1px;
+  border-color: #cdd64b;
+  background-color: #fcfcfc;
+  border-right: 1px solid #ebebeb;
+}
+
+#sidebar .relative .sticky {
+  opacity: 0;
+}
+
+#sidebar li > div.mt-2 {
+  border-radius: 0;
+  padding: 5px;
+}
+
+#sidebar li > a.mt-2 {
+  border-radius: 0;
+  padding: 5px;
+}
+
+#sidebar li > a.leading-6 {
+  border-radius: 0;
+  padding: 0px;
+}
+
+/* #sidebar ul > div.mt-12 {
+  padding-top: 30px;
+  position: relative;
+}
+
+#sidebar ul > div.mt-12 h5 {
+  position: absolute;
+  left: -12px;
+  top: -0px;
+} */
+
+#header {
+  border-left: 1px solid #26272b;
+  padding-left: 16px;
+  padding-right: 16px;
+  background-color: #f5f5f5;
+  padding-bottom: 10px;
+  padding-top: 10px;
+}
+
+#content-area .mt-8 .block{
+  border-radius: 0;
+  border-width: 1px;
+  border-color: #ebebeb;
+}
+
+#content-area .mt-8 .rounded-xl{
+  border-radius: 0;
+}
+
+#content-area .mt-8 .rounded-lg{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-xl{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-lg{
+  border-radius: 0;
+}
+
+#content-area .mt-6 .rounded-md{
+  border-radius: 0;
+}
+
+#content-area .mt-8 .rounded-md{
+  border-radius: 0;
+}
+
+#content-area div.my-4{
+  border-radius: 0;
+  border-width: 1px;
+}
+
+#content-area div.flex-1 {
+  /* text-transform: uppercase; */
+  opacity: 0.8;
+  font-weight: 400;
+}
+
+#content-area button {
+  border-radius: 0;
+}
+
+#content-area a {
+  border-radius: 0;
+}
+
+#content-area .not-prose {
+  border-radius: 0;
+}
+
+/* .eyebrow {
+  text-transform: uppercase;
+  font-weight: 400;
+  color: red;
+} */
+
+#content-container {
+  /* background-color: #f5f5f5; */
+  margin-top: 2rem;
+}
+
+#topbar-cta-button .group .absolute {
+  background-color: black;
+  border-radius: 0px;
+}
+
+/* #topbar-cta-button .group .absolute:hover {
+  background-color: white;
+  border-radius: 0px;
+} */
+
+#topbar-cta-button .group .flex {
+  margin-top: 5px;
+  margin-bottom: 5px;
+  font-size: medium;
+}
+
+.flex-1 .flex .items-center {
+  /* background-color: #f5f5f5; */
+}

docker-swarm/.env-example

@@ -8,16 +8,10 @@ ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 
-# Postgres creds
-POSTGRES_PASSWORD=infisical
-POSTGRES_USER=infisical
-POSTGRES_DB=infisical
-
-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
+DB_CONNECTION_URI=postgres://infisical:infisical@haproxy:5433/infisical?sslmode=no-verify
 # Redis
-REDIS_URL=redis://redis:6379
+REDIS_URL=redis://:123456@haproxy:6379
+
 
 # Website URL
 # Required

docker-swarm/haproxy.cfg

@@ -0,0 +1,78 @@
+global
+    maxconn 10000
+    log stdout format raw local0
+
+defaults
+    log global
+    mode tcp
+    retries 3
+    timeout client 30m
+    timeout connect 10s
+    timeout server 30m
+    timeout check 5s
+
+listen stats
+    mode http
+    bind *:7000
+    stats enable
+    stats uri /
+
+resolvers hostdns
+    nameserver dns 127.0.0.11:53
+    resolve_retries 3
+    timeout resolve 1s
+    timeout retry 1s
+    hold valid 5s
+
+frontend master
+    bind *:5433
+    default_backend master_backend
+
+frontend replicas
+    bind *:5434
+    default_backend replica_backend
+
+
+backend master_backend
+    option httpchk GET /master
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 postgres-1:5432 check port 8008 resolvers hostdns
+    server postgres-2 postgres-2:5432 check port 8008 resolvers hostdns
+    server postgres-3 postgres-3:5432 check port 8008 resolvers hostdns
+
+backend replica_backend
+    option httpchk GET /replica
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 postgres-1:5432 check port 8008 resolvers hostdns
+    server postgres-2 postgres-2:5432 check port 8008 resolvers hostdns
+    server postgres-3 postgres-3:5432 check port 8008 resolvers hostdns
+
+
+frontend redis_frontend
+  bind *:6379
+  default_backend redis_backend
+
+backend redis_backend
+  option tcp-check
+  tcp-check send AUTH\ 123456\r\n
+  tcp-check expect string +OK
+  tcp-check send PING\r\n
+  tcp-check expect string +PONG
+  tcp-check send info\ replication\r\n
+  tcp-check expect string role:master
+  tcp-check send QUIT\r\n
+  tcp-check expect string +OK
+  server redis_master redis_replica0:6379 check inter 1s
+  server redis_replica1 redis_replica1:6379 check inter 1s
+  server redis_replica2 redis_replica2:6379 check inter 1s
+
+frontend infisical_frontend
+  bind *:8080
+  default_backend infisical_backend
+
+backend infisical_backend
+  option httpchk GET /api/status
+  http-check expect status 200
+  server infisical infisical:8080 check inter 1s

docker-swarm/stack.yaml

@@ -0,0 +1,265 @@
+version: "3"
+
+services:
+  haproxy:
+    image: haproxy:latest
+    ports:
+      - '7001:7000'
+      - '5002:5433'
+      - '5003:5434'
+      - '6379:6379'
+      - '8080:8080'
+    networks:
+    - infisical
+    configs:
+      - source: haproxy-config
+        target: /usr/local/etc/haproxy/haproxy.cfg
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node1
+          
+  infisical:
+    container_name: infisical-backend
+    image: infisical/infisical:latest-postgres
+    env_file: .env
+    ports:
+      - 80:8080
+    environment:
+      - NODE_ENV=production
+    networks:
+      - infisical
+    secrets:
+      - env_file
+    
+  etcd1:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    networks:
+      - infisical
+    environment:
+      ETCD_UNSUPPORTED_ARCH: arm64
+    container_name: demo-etcd1
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node1
+    hostname: etcd1
+    command: |
+      etcd --name etcd1 
+      --listen-client-urls http://0.0.0.0:2379 
+      --listen-peer-urls=http://0.0.0.0:2380 
+      --advertise-client-urls http://etcd1:2379 
+      --initial-cluster=etcd1=http://etcd1:2380,etcd2=http://etcd2:2380,etcd3=http://etcd3:2380 
+      --initial-advertise-peer-urls=http://etcd1:2380 
+      --initial-cluster-state=new
+
+  etcd2:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    networks:
+      - infisical
+    environment:
+      ETCD_UNSUPPORTED_ARCH: arm64
+    container_name: demo-etcd2
+    hostname: etcd2
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node2
+    command: |
+      etcd --name etcd2 
+      --listen-client-urls http://0.0.0.0:2379 
+      --listen-peer-urls=http://0.0.0.0:2380 
+      --advertise-client-urls http://etcd2:2379 
+      --initial-cluster=etcd1=http://etcd1:2380,etcd2=http://etcd2:2380,etcd3=http://etcd3:2380 
+      --initial-advertise-peer-urls=http://etcd2:2380 
+      --initial-cluster-state=new
+
+  etcd3:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    networks:
+      - infisical
+    environment:
+      ETCD_UNSUPPORTED_ARCH: arm64
+    container_name: demo-etcd3
+    hostname: etcd3
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node3
+    command: |
+      etcd --name etcd3 
+      --listen-client-urls http://0.0.0.0:2379 
+      --listen-peer-urls=http://0.0.0.0:2380 
+      --advertise-client-urls http://etcd3:2379 
+      --initial-cluster=etcd1=http://etcd1:2380,etcd2=http://etcd2:2380,etcd3=http://etcd3:2380 
+      --initial-advertise-peer-urls=http://etcd3:2380 
+      --initial-cluster-state=new
+
+  spolo1:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    container_name: postgres-1
+    networks:
+    - infisical
+    hostname: postgres-1
+    environment:
+        ETCD_HOSTS: etcd1:2379,etcd2:2379,etcd3:2379
+        PGPASSWORD_SUPERUSER: "postgres"
+        PGUSER_SUPERUSER: "postgres"
+        SCOPE: infisical
+    volumes:
+      - postgres_data1:/home/postgres/pgdata
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node1
+
+  spolo2:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    container_name: postgres-2
+    networks:
+    - infisical
+    hostname: postgres-2
+    environment:
+        ETCD_HOSTS: etcd1:2379,etcd2:2379,etcd3:2379
+        PGPASSWORD_SUPERUSER: "postgres"
+        PGUSER_SUPERUSER: "postgres"
+        SCOPE: infisical
+    volumes:
+      - postgres_data2:/home/postgres/pgdata
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node2
+
+  spolo3:
+    image: ghcr.io/zalando/spilo-16:3.2-p2
+    container_name: postgres-3
+    networks:
+    - infisical
+    hostname: postgres-3
+    environment:
+        ETCD_HOSTS: etcd1:2379,etcd2:2379,etcd3:2379
+        PGPASSWORD_SUPERUSER: "postgres"
+        PGUSER_SUPERUSER: "postgres"
+        SCOPE: infisical
+    volumes:
+      - postgres_data3:/home/postgres/pgdata
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node3
+
+
+  redis_replica0:
+    image: bitnami/redis:6.2.10
+    environment:
+      - REDIS_REPLICATION_MODE=master
+      - REDIS_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node1
+
+  redis_replica1:
+    image: bitnami/redis:6.2.10
+    environment:
+      - REDIS_REPLICATION_MODE=slave
+      - REDIS_MASTER_HOST=redis_replica0
+      - REDIS_MASTER_PORT_NUMBER=6379
+      - REDIS_MASTER_PASSWORD=123456
+      - REDIS_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node2
+
+  redis_replica2:
+    image: bitnami/redis:6.2.10
+    environment:
+      - REDIS_REPLICATION_MODE=slave
+      - REDIS_MASTER_HOST=redis_replica0
+      - REDIS_MASTER_PORT_NUMBER=6379
+      - REDIS_MASTER_PASSWORD=123456
+      - REDIS_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node3
+
+  redis_sentinel1:
+    image: bitnami/redis-sentinel:6.2.10
+    environment:
+      - REDIS_SENTINEL_QUORUM=2
+      - REDIS_SENTINEL_DOWN_AFTER_MILLISECONDS=5000
+      - REDIS_SENTINEL_FAILOVER_TIMEOUT=60000
+      - REDIS_SENTINEL_PORT_NUMBER=26379
+      - REDIS_MASTER_HOST=redis_replica1
+      - REDIS_MASTER_PORT_NUMBER=6379
+      - REDIS_MASTER_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node1
+
+  redis_sentinel2:
+    image: bitnami/redis-sentinel:6.2.10
+    environment:
+      - REDIS_SENTINEL_QUORUM=2
+      - REDIS_SENTINEL_DOWN_AFTER_MILLISECONDS=5000
+      - REDIS_SENTINEL_FAILOVER_TIMEOUT=60000
+      - REDIS_SENTINEL_PORT_NUMBER=26379
+      - REDIS_MASTER_HOST=redis_replica1
+      - REDIS_MASTER_PORT_NUMBER=6379
+      - REDIS_MASTER_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node2
+
+  redis_sentinel3:
+    image: bitnami/redis-sentinel:6.2.10
+    environment:
+      - REDIS_SENTINEL_QUORUM=2
+      - REDIS_SENTINEL_DOWN_AFTER_MILLISECONDS=5000
+      - REDIS_SENTINEL_FAILOVER_TIMEOUT=60000
+      - REDIS_SENTINEL_PORT_NUMBER=26379
+      - REDIS_MASTER_HOST=redis_replica1
+      - REDIS_MASTER_PORT_NUMBER=6379
+      - REDIS_MASTER_PASSWORD=123456
+    networks:
+      - infisical
+    deploy:
+      placement:
+        constraints:
+          - node.labels.name == node3
+
+networks:
+  infisical:
+
+
+volumes:
+  postgres_data1:
+  postgres_data2:
+  postgres_data3:
+  postgres_data4:
+  redis0:
+  redis1:
+  redis2:
+
+configs:
+  haproxy-config:
+    file: ./haproxy.cfg
+
+secrets:
+  env_file:
+    file: .env

docs/api-reference/endpoints/service-tokens/get.mdx

@@ -4,7 +4,7 @@ openapi: "GET /api/v2/service-token"
 ---
 
 <Warning>
-    This endpoint will be deprecated in the near future with the removal of service tokens in Q1/Q2 2024.
+    This endpoint is deprecated and will be removed in the future.
 
-    We recommend switching to using [identities](/documentation/platform/identities/overview) if your client supports it.
+    We recommend switching to using [Machine Identities](/documentation/platform/identities/machine-identities).
 </Warning>

docs/cli/commands/export.mdx

@@ -16,36 +16,48 @@ Export environment variables from the platform into a file format.
 <Accordion title="infisical export" defaultOpen="true">
   Use this command to export environment variables from the platform into a raw file formats
 
-  ```bash
-  $ infisical export 
+```bash
+$ infisical export
 
-  # Export variables to a .env file
-  infisical export > .env
+# Export variables to a .env file
+infisical export > .env
 
-  # Export variables to a .env file (with export keyword)
-  infisical export --format=dotenv-export > .env
+# Export variables to a .env file (with export keyword)
+infisical export --format=dotenv-export > .env
 
-  # Export variables to a CSV file
-  infisical export --format=csv > secrets.csv
+# Export variables to a CSV file
+infisical export --format=csv > secrets.csv
 
-  # Export variables to a JSON file
-  infisical export --format=json > secrets.json
+# Export variables to a JSON file
+infisical export --format=json > secrets.json
 
-  # Export variables to a YAML file
-  infisical export --format=yaml > secrets.yaml
+# Export variables to a YAML file
+infisical export --format=yaml > secrets.yaml
 
-  # Render secrets using a custom template file
-  infisical export --template=<path to template>
-  ```
+# Render secrets using a custom template file
+infisical export --template=<path to template>
+```
+
+### Environment variables
 
-  ### Environment variables
   <Accordion title="INFISICAL_TOKEN">
-    Used to fetch secrets via a [service token](/documentation/platform/token) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
+    Used to fetch secrets via a [machine identities](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
 
     ```bash
-    # Example 
-    export INFISICAL_TOKEN=st.63e03c4a97cb4a747186c71e.ed5b46a34c078a8f94e8228f4ab0ff97.4f7f38034811995997d72badf44b42ec
+    # Example
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
     ```
+
+  <Info>
+    Alternatively, you may use service tokens.
+
+    Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+    ```bash
+    # Example
+    export INFISICAL_TOKEN=<service-token>
+    ```
+
+  </Info>
   </Accordion>
 
   <Accordion title="INFISICAL_DISABLE_UPDATE_CHECK">
@@ -54,16 +66,18 @@ Export environment variables from the platform into a file format.
     To use, simply export this variable in the terminal before running this command.
 
     ```bash
-    # Example 
+    # Example
     export INFISICAL_DISABLE_UPDATE_CHECK=true
     ```
+
   </Accordion>
 
-  ### flags 
+### flags
+
   <Accordion title="--template">
     The `--template` flag specifies the path to the template file used for rendering secrets. When using templates, you can omit the other format flags.
 
-		```text my-template-file
+    	```text my-template-file
     {{$secrets := secret "<infisical-project-id>" "<environment-slug>" "<folder-path>"}}
     {{$length := len $secrets}}
     {{- "{"}}
@@ -73,24 +87,26 @@ Export environment variables from the platform into a file format.
       {{- end }}
     {{- end }}
     {{ "}" -}}
-		```
+    	```
 
     ```bash
     # Example
     infisical export --template="/path/to/template/file"
     ```
+
   </Accordion>
   <Accordion title="--env">
-    Used to set the environment that secrets are pulled from. 
+    Used to set the environment that secrets are pulled from.
 
     ```bash
-    # Example 
-    infisical export --env=prod 
+    # Example
+    infisical export --env=prod
     ```
 
     Note: this flag only accepts environment slug names not the fully qualified name. To view the slug name of an environment, visit the project settings page.
 
     default value: `dev`
+
   </Accordion>
 
   <Accordion title="--projectId">
@@ -98,28 +114,32 @@ Export environment variables from the platform into a file format.
     This flag allows you to override this behavior by explicitly defining the project to fetch your secrets from.
 
     ```bash
-    # Example 
-    
+    # Example
+
     infisical export --projectId=XXXXXXXXXXXXXX
     ```
+
   </Accordion>
 
   <Accordion title="--expand">
     Parse shell parameter expansions in your secrets (e.g., `${DOMAIN}`)
 
     Default value: `true`
+
   </Accordion>
 
   <Accordion title="--format">
-    Format of the output file. Accepted values: `dotenv`, `dotenv-export`, `csv`, `json` and `yaml` 
+    Format of the output file. Accepted values: `dotenv`, `dotenv-export`, `csv`, `json` and `yaml`
 
     Default value: `dotenv`
+
   </Accordion>
 
   <Accordion title="--secret-overriding">
     Prioritizes personal secrets with the same name over shared secrets
 
     Default value: `true`
+
   </Accordion>
 
   <Accordion title="--path">
@@ -129,19 +149,21 @@ Export environment variables from the platform into a file format.
     # Example
     infisical export --path="/path/to/folder" --env=dev
     ```
+
   </Accordion>
 
   <Accordion title="--tags">
     When working with tags, you can use this flag to filter and retrieve only secrets that are associated with a specific tag(s).
 
     ```bash
-    # Example 
+    # Example
     infisical run --tags=tag1,tag2,tag3 -- npm run dev
     ```
 
     Note: you must reference the tag by its slug name not its fully qualified name. Go to project settings to view all tag slugs.
 
     By default, all secrets are fetched
+
   </Accordion>
 
 </Accordion>

docs/cli/commands/run.mdx

@@ -11,6 +11,7 @@ description: "The command that injects your secrets into local environment"
     # Example
     infisical run [options] -- npm run dev
     ```
+
   </Tab>
 
   <Tab title="Chained commands">
@@ -20,6 +21,7 @@ description: "The command that injects your secrets into local environment"
     # Example
     infisical run [options] --command "npm run bootstrap && npm run dev start; other-bash-command"
     ```
+
   </Tab>
 </Tabs>
 
@@ -27,27 +29,38 @@ description: "The command that injects your secrets into local environment"
 
 Inject secrets from Infisical into your application process.
 
-
 ## Subcommands & flags
 
 <Accordion title="infisical run" defaultOpen="true">
   Use this command to inject secrets into your applications process
 
-  ```bash
-  $ infisical run -- <your application command>
+```bash
+$ infisical run -- <your application command>
 
-  # Example 
-  $ infisical run -- npm run dev
-  ```
+# Example
+$ infisical run -- npm run dev
+```
+
+### Environment variables
 
-  ### Environment variables
   <Accordion title="INFISICAL_TOKEN">
-    Used to fetch secrets via a [service token](/documentation/platform/token) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
+    Used to fetch secrets via a [machine identity](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
 
     ```bash
-    # Example 
-    export INFISICAL_TOKEN=st.63e03c4a97cb4a747186c71e.ed5b46a34c078a8f94e8228f4ab0ff97.4f7f38034811995997d72badf44b42ec
+    # Example
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
     ```
+
+    <Info>
+      Alternatively, you may use service tokens.
+
+      Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+      ```bash
+      # Example
+      export INFISICAL_TOKEN=<service-token>
+      ```
+
+  </Info>
   </Accordion>
 
   <Accordion title="INFISICAL_DISABLE_UPDATE_CHECK">
@@ -56,71 +69,90 @@ Inject secrets from Infisical into your application process.
     To use, simply export this variable in the terminal before running this command.
 
     ```bash
-    # Example 
+    # Example
     export INFISICAL_DISABLE_UPDATE_CHECK=true
     ```
+
   </Accordion>
 
-  ### Flags 
-  
+### Flags
+
    <Accordion title="--project-config-dir">
-    Explicitly set the directory where the .infisical.json resides. This is useful for some monorepo setups. 
+    Explicitly set the directory where the .infisical.json resides. This is useful for some monorepo setups.
 
     ```bash
-    # Example 
+    # Example
     infisical run --project-config-dir=/some-dir -- printenv
     ```
+
   </Accordion>
 
   <Accordion title="--command">
     Pass secrets into multiple commands at once
 
     ```bash
-    # Example 
+    # Example
     infisical run --command="npm run build && npm run dev; more-commands..."
     ```
+
+  </Accordion>
+
+  <Accordion title="--projectId">
+    The project ID to fetch secrets from. This is required when using a machine identity to authenticate.
+
+    ```bash
+    # Example
+    infisical run --projectId=<project-id> -- npm run dev
+    ```
+
   </Accordion>
 
   <Accordion title="--token">
-    If you are using a [service token](/documentation/platform/token) to authenticate, you can pass the token as a flag
+    If you are using a [machine identity](/documentation/platform/identities/machine-identities) to authenticate, you can pass the token as a flag
 
     ```bash
-    # Example 
-    infisical run --token="st.63e03c4a97cb4a747186c71e.ed5b46a34c078a8f94e8228f4ab0ff97.4f7f38034811995997d72badf44b42ec" -- npm run start
+    # Example
+    infisical run --token="<universal-auth-access-token>" --projectId=<project-id> -- npm run start
     ```
 
-    You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the run command. This will have the same effect as setting the token with `--token` flag 
+    You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the run command. This will have the same effect as setting the token with `--token` flag
+
   </Accordion>
 
   <Accordion title="--expand">
     Turn on or off the shell parameter expansion in your secrets. If you have used shell parameters in your secret(s), activating this feature will populate them before injecting them into your application process.
 
     Default value: `true`
+
   </Accordion>
 
-  <Accordion title="--env">
-    This is used to specify the environment from which secrets should be retrieved. The accepted values are the environment slugs defined for your project, such as `dev`, `staging`, `test`, and `prod`.
-    
-    Default value: `dev`
-  </Accordion>
+{" "}
+
+<Accordion title="--env">
+  This is used to specify the environment from which secrets should be
+  retrieved. The accepted values are the environment slugs defined for your
+  project, such as `dev`, `staging`, `test`, and `prod`. Default value: `dev`
+</Accordion>
 
   <Accordion title="--secret-overriding">
     Prioritizes personal secrets with the same name over shared secrets
 
     Default value: `true`
+
   </Accordion>
 
   <Accordion title="--tags">
     When working with tags, you can use this flag to filter and retrieve only secrets that are associated with a specific tag(s).
 
     ```bash
-    # Example 
+    # Example
     infisical run --tags=tag1,tag2,tag3 -- npm run dev
     ```
 
     Note: you must reference the tag by its slug name not its fully qualified name. Go to project settings to view all tag slugs.
 
     By default, all secrets are fetched
+
   </Accordion>
 
   <Accordion title="--path">

docs/cli/commands/secrets.mdx

@@ -23,13 +23,23 @@ $ infisical secrets
 ### Environment variables
 
   <Accordion title="INFISICAL_TOKEN">
-    Used to fetch secrets via a [service token](/documentation/platform/token) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
+    Used to fetch secrets via a [machine identity](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
 
     ```bash
     # Example
-    export INFISICAL_TOKEN=st.63e03c4a97cb4a747186c71e.ed5b46a34c078a8f94e8228f4ab0ff97.4f7f38034811995997d72badf44b42ec
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
     ```
 
+    <Info>
+      Alternatively, you may use service tokens.
+
+      Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+      ```bash
+      # Example
+      export INFISICAL_TOKEN=<service-token>
+      ```
+    </Info>
+
   </Accordion>
 
   <Accordion title="INFISICAL_DISABLE_UPDATE_CHECK">
@@ -53,6 +63,16 @@ $ infisical secrets
 
   </Accordion>
 
+  <Accordion title="--projectId">
+   The project ID to fetch secrets from. This is required when using a machine identity to authenticate.
+
+    ```bash
+    # Example
+    infisical secrets --projectId=<project-id>
+    ```
+
+  </Accordion>
+
   <Accordion title="--env">
     Used to select the environment name on which actions should be taken on
 
@@ -186,7 +206,7 @@ $ infisical secrets folders
     </Accordion>
 
     <Accordion title="--token">
-      Fetch folders using the Infisical service token
+      Fetch folders using a [machine identity](/documentation/platform/identities/machine-identities) access token.
 
       Default value: ``
     </Accordion>

docs/cli/commands/service-token.mdx

@@ -3,37 +3,47 @@ title: "infisical service-token"
 description: "Manage Infisical service tokens"
 ---
 
-```bash 
+<Warning>
+  This command is deprecated and will be removed in the near future. Please
+  switch to using [Machine
+  Identities](/documentation/platform/identities/machine-identities) for
+  authenticating with Infisical.
+</Warning>
+
+```bash
 infisical service-token create --scope=dev:/global --scope=dev:/backend --access-level=read --access-level=write
 ```
 
 ## Description
-The Infisical `service-token` command allows you to manage service tokens for a given Infisical project. 
+
+The Infisical `service-token` command allows you to manage service tokens for a given Infisical project.
 With this command, you can create, view, and delete service tokens.
 
 <Accordion title="service-token create" defaultOpen="true">
   Use this command to create a service token
 
-  ```bash
-  $ infisical service-token create --scope=dev:/backend/** --access-level=read --access-level=write
-  ```
+```bash
+$ infisical service-token create --scope=dev:/backend/** --access-level=read --access-level=write
+```
+
+### Flags
 
-  ### Flags 
   <Accordion title="--scope">
     ```bash
     infisical service-token create --scope=dev:/global --scope=dev:/backend/** --access-level=read
     ```
 
     Use the scope flag to define which environments and paths your service token should be authorized to access.
-    
-    The value of your scope flag should be in the following `<environment slug>:<path>`. 
+
+    The value of your scope flag should be in the following `<environment slug>:<path>`.
     Here, `environment slug` refers to the slug name of the environment, and `path` indicates the folder path where your secrets are stored.
 
     For specifying multiple scopes, you can use multiple --scope flags.
-    
+
     <Info>
       The `path` can be a Glob pattern
     </Info>
+
   </Accordion>
 
   <Accordion title="--projectId">
@@ -41,8 +51,9 @@ With this command, you can create, view, and delete service tokens.
     infisical service-token create --scope=dev:/global --access-level=read --projectId=63cefb15c8d3175601cfa989
     ```
 
-    The project ID you'd like to create the service token for. 
+    The project ID you'd like to create the service token for.
     By default, the CLI will attempt to use the linked Infisical project in `.infisical.json` generated by `infisical init` command.
+
   </Accordion>
   <Accordion title="--name">
     ```bash
@@ -52,6 +63,7 @@ With this command, you can create, view, and delete service tokens.
     Service token name
 
     Default: `Service token generated via CLI`
+
   </Accordion>
   <Accordion title="--expiry-seconds">
     ```bash
@@ -61,6 +73,7 @@ With this command, you can create, view, and delete service tokens.
     Set the service token's expiration time in seconds from now. To never expire set to zero.
 
     Default: `1 day`
+
   </Accordion>
   <Accordion title="--access-level">
     ```bash
@@ -68,6 +81,7 @@ With this command, you can create, view, and delete service tokens.
     ```
 
     The type of access the service token should have. Can be `read` and or `write`
+
   </Accordion>
   <Accordion title="--token-only">
     ```bash
@@ -77,5 +91,6 @@ With this command, you can create, view, and delete service tokens.
     When true, only the service token will be printed
 
     Default: `false`
+
   </Accordion>
 </Accordion>

docs/cli/token.mdx

@@ -1,22 +0,0 @@
----
-title: "Infisical Token"
-description: "How to use Infisical service token within the CLI."
----
-
-Prerequisite: [Infisical Token and How to Generate One](/documentation/platform/token).
-
-It's possible to use the CLI to sync environment variables without manually entering login credentials by using a service token in the prerequisite link above.
-
-## Feeding Infisical Token to the CLI
-
-The CLI looks out for an environment variable called the `INFISICAL_TOKEN` which you can set depending on where you run the CLI. If `INFISICAL_TOKEN` is detected by the CLI, it will authenticate and retrieve the environment variables which the token is authorized for.
-
-A common use-case is to use the Infisical Token to fetch environment variables with Docker. More specifically, a token can be passed to a container as an environment variable for the CLI to authenticate and pull its corresponding secrets. Check out the integration guides for that:
-
-- [Docker](../../integrations/platforms/docker)
-- [Docker Compose](../../integrations/platforms/docker-compose)
-
-<Info>
-  Once the token is expired, the CLI using it will no longer be able to make
-  requests with it.
-</Info>

docs/cli/usage.mdx

@@ -1,141 +1,125 @@
 ---
-title: "Quick usage"
+title: "Quickstart"
 description: "Manage secrets with Infisical CLI"
 ---
 
-The CLI is designed for a variety of applications, ranging from local secret management to CI/CD and production scenarios. 
-The distinguishing factor, however, is the authentication method used.
+The CLI is designed for a variety of secret management applications ranging from local development to CI/CD and production scenarios.
 
 <Tabs>
-  <Tab title="Local development only">
-    To use the Infisical CLI in your local development environment, simply run the command below and follow the interactive guide. 
+  <Tab title="Local development">
+    In the following steps, we explore how to use the Infisical CLI to fetch back environment variables from Infisical
+    and inject them into your local development process.
+  
+    <Steps>
+      <Step title="Log in with the CLI">
+        Start by running the `infisical login` command to authenticate with Infisical.
+        
+        ```bash
+        infisical login
+        ```
+        <Note>
+          If you are in a containerized environment such as WSL 2 or Codespaces, run `infisical login -i` to avoid browser based login
+        </Note>
+      </Step>
+      <Step title="Initialize Infisical for your project">
+        Next, navigate to your project and initialize Infisical.
+        
+        ```bash
+        # navigate to your project
+        cd /path/to/project
 
-    ```bash 
-    infisical login 
-    ```
+        # initialize infisical
+        infisical init
+        ```
 
-    <Note>
-      If you are in a containerized environment such as WSL 2 or Codespaces, run `infisical login -i` to avoid browser based login 
-    </Note>
+        The `infisical init` command creates a `.infisical.json` file, containing [local project settings](./project-config), at the location where the command is executed.
 
-    ## Initialize Infisical for your project
+        <Note>
+          The `.infisical.json` file does not contain any sensitive data, so you may commit it to your git repository.
+        </Note>
+      </Step>
+      <Step title="Inject environment variables">
+        Finally, pass environment variables from Infisical into your application.
 
-    ```bash
-    # navigate to your project
-    cd /path/to/project
+        <Tabs>
+          <Tab title="Feed secrets to your application">
+            ```bash
+            infisical run --env=dev --path=/apps/firefly -- [your application start command] # e.g. npm run dev
 
-    # initialize infisical
-    infisical init
-    ```
+            # example with node (nodemon)
+            infisical run --env=staging --path=/apps/spotify -- nodemon index.js
+
+            # example with flask
+            infisical run --env=prod --path=/apps/backend -- flask run
+
+            # example with spring boot - maven
+            infisical run --env=dev --path=/apps/ -- ./mvnw spring-boot:run --quiet
+            ```
+
+          </Tab>
+          <Tab title="Feed secrets via custom aliases (advanced)">
+            Custom aliases can utilize secrets from Infisical. Suppose there is a custom alias `yd` in `custom.sh` that runs `yarn dev` and needs the secrets provided by Infisical.
+            ```bash
+            #!/bin/sh
+
+            yd() {
+              yarn dev
+            }
+            ```
+
+            To make the secrets available from Infisical to `yd`, you can run the following command:
+
+            ```bash
+            infisical run --env=prod --path=/apps/reddit --command="source custom.sh && yd"
+            ```
+          </Tab>
+        </Tabs>
+
+        View all available options for `run` command [here](./commands/run)
+      </Step>
+    </Steps>
 
-    This will create `.infisical.json` file at the location the command was executed. This file contains your [local project settings](./project-config). It does not contain any sensitive data. 
-    
   </Tab>
 
-  <Tab title="Staging, production & all other use case">
-    To use Infisical for non local development scenarios, please create a [service token](../documentation/platform/token). The service token will allow you to authenticate and interact with Infisical. 
-    Once you have created a service token with the required permissions, you'll need to feed the token to the CLI. 
+  <Tab title="Staging, production & all other use cases">
+    In the following steps, we explore how to use the Infisical CLI in a non-local development scenario
+    to fetch back environment variables and export them to a file.
+    <Steps>
+      <Step title="Create a machine identity and obtain credentials for it">
+        Follow the steps listed [here](/documentation/platform/identities/universal-auth) to create a machine identity and obtain a **client ID** and **client secret** for it.
+      </Step>
+      <Step title="Obtain a machine identity access token">
+        Run the following command to authenticate with Infisical using the **client ID** and **client secret** credentials from step 1 and set the `INFISICAL_TOKEN` environment variable to the retrieved access token.
+        
+        ```bash
+        export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
+        ```
 
-    #### Pass as flag
-    You may use the --token flag to set the token 
+        The CLI is configured to look out for the `INFISICAL_TOKEN` environment variable, so going forward any command used will be authenticated.
 
-    ```
-    infisical export --token=<>
-    infisical secrets --token=<>
-    infisical run --token=<> -- npm run dev
-    ```
+        Alternatively, assuming you have an access token on hand, you can also pass it directly to the CLI using the `--token` flag in conjunction with other CLI commands.
 
-    #### Pass via shell environment variable
-    The CLI is configured to look for an environment variable named `INFISICAL_TOKEN`. If set, it'll attempt to use it for authentication.
+        <Info>
+        Keep in mind that the machine identity access token has a limited lifetime. It is recommended to use it only for the duration of the task at hand.
+        You can [refresh the token](./commands/token) if needed.
+        </Info>
+      </Step>
+      <Step title="Export environment variables back into a file">
+        Finally, export the environment variables from Infisical to a file of choice.
 
-    ```
-    export INFISICAL_TOKEN=<>
-    ```
-    
+        ```bash
+        # export variables to a .env file (with export keyword)
+        infisical export --format=dotenv-export > .env
+
+        # export variables to a YAML file
+        infisical export --format=yaml > secrets.yaml
+        ```
+      </Step>
+    </Steps>
 
   </Tab>
 </Tabs>
 
-
-## Inject environment variables
-<Tabs>
-  <Tab title="Feed secrets to your application">
-    ```bash
-    infisical run --env=dev --path=/apps/firefly -- [your application start command]
-
-    # example with node (nodemon)
-    infisical run --env=staging --path=/apps/spotify -- nodemon index.js
-
-    # example with flask
-    infisical run --env=prod --path=/apps/backend -- flask run
-
-    # example with spring boot - maven
-    infisical run --env=dev --path=/apps/ -- ./mvnw spring-boot:run --quiet
-    ```
-  </Tab>
-  <Tab title="Feed secrets via custom aliases (advanced)">
-    Custom aliases can utilize secrets from Infisical. Suppose there is a custom alias `yd` in `custom.sh` that runs `yarn dev` and needs the secrets provided by Infisical.
-    ```bash
-    #!/bin/sh
-
-    yd() {
-      yarn dev
-    }
-    ```
-
-    To make the secrets available from Infisical to `yd`, you can run the following command:
-
-    ```bash
-    infisical run --env=prod --path=/apps/reddit --command="source custom.sh && yd"
-    ```
-  </Tab>
-</Tabs>
-
-View all available options for `run` command [here](./commands/run)
-
-## Connect CLI to self hosted Infisical 
-
-<Accordion title="Optional: point CLI to self-hosted">
-The CLI is set to connect to Infisical Cloud by default, but if you're running your own instance of Infisical, you can direct the CLI to it using one of the methods provided below.
-
-#### Method 1: Use the updated CLI
-Beginning with CLI version V0.4.0, it is now possible to choose between logging in through the Infisical cloud or your own self-hosted instance. Simply execute the `infisical login` command and follow the on-screen instructions.
-
-#### Method 2: Export environment variable 
-You can point the CLI to the self hosted Infisical instance by exporting the environment variable `INFISICAL_API_URL` in your terminal.
-
-<Tabs>
-  <Tab title="Linux/MacOs">
-		```bash
-		# Set backend host 
-		export INFISICAL_API_URL="https://your-self-hosted-infisical.com/api"
-
-		# Remove backend host 
-		unset INFISICAL_API_URL
-		```
-  </Tab>
-  <Tab title="Windows Powershell">
-		```bash
-		# Set backend host 
-		setx INFISICAL_API_URL "https://your-self-hosted-infisical.com/api"
-
-		# Remove backend host 
-		setx INFISICAL_API_URL ""
-
-		# NOTE: Once set or removed, please restart powershell for the change to take effect
-		```
-  </Tab>
-</Tabs>
-
-#### Method 3: Set manually on every command
-Another option to point the CLI to your self hosted Infisical instance is to set it via a flag on every command you run.
-
-```bash 
-# Example
-infisical <any-command> --domain="https://your-self-hosted-infisical.com/api"
-```
-</Accordion>
-
 ## History
 
 Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they'll stay there for a while.
@@ -143,30 +127,101 @@ Your terminal keeps a history with the commands you run. When you create Infisic
 For security and privacy concerns, we recommend you to configure your terminal to ignore those specific Infisical commands.
 
 <Accordion title="Ignore commands">
+  <Tabs>
+    <Tab title="Unix/Linux">
+        <Tip>
+          `$HOME/.profile` is pretty common but, you could place it under `$HOME/.profile.d/infisical.sh` or any profile file run at login 
+        </Tip>
 
-<Tabs>
-   <Tab title="Unix/Linux">
-      <Tip>
-        `$HOME/.profile` is pretty common but, you could place it under `$HOME/.profile.d/infisical.sh` or any profile file run at login 
-      </Tip>
+        ```bash
+        cat <<EOF >> $HOME/.profile && source $HOME/.profile
 
+        # Ignoring specific Infisical CLI commands
+        DEFAULT_HISTIGNORE=$HISTIGNORE
+        export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
+        EOF
+        ```
+
+    </Tab>
+    <Tab title="Windows">
+        If you're on WSL, then you can use the Unix/Linux method.
+
+        <Tip>
+          Here's some [documentation](https://superuser.com/a/1658331) about how to clear the terminal history, in PowerShell and CMD
+        </Tip>
+
+    </Tab>
+
+  </Tabs>
+</Accordion>
+
+## FAQ
+
+<AccordionGroup>
+  <Accordion title="Can I connect the CLI to my self-hosted Infisical instance?">
+    Yes. The CLI is set to connect to Infisical Cloud by default, but if you're running your own instance of Infisical, you can direct the CLI to it using one of the methods provided below.
+
+    #### Method 1: Use the updated CLI
+
+    Beginning with CLI version V0.4.0, it is now possible to choose between logging in through the Infisical cloud or your own self-hosted instance. Simply execute the `infisical login` command and follow the on-screen instructions.
+
+    #### Method 2: Export environment variable
+
+    You can point the CLI to the self hosted Infisical instance by exporting the environment variable `INFISICAL_API_URL` in your terminal.
+
+    <Tabs>
+    <Tab title="Linux/MacOs">
       ```bash
-      cat <<EOF >> $HOME/.profile && source $HOME/.profile
+      # set backend host
+      export INFISICAL_API_URL="https://your-self-hosted-infisical.com/api"
 
-      # Ignoring specific Infisical CLI commands
-      DEFAULT_HISTIGNORE=$HISTIGNORE
-      export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
-      EOF
+      # remove backend host
+      unset INFISICAL_API_URL
       ```
 
-   </Tab>
-   <Tab title="Windows">
-      If you're on WSL, then you can use the Unix/Linux method.
+    </Tab>
+    <Tab title="Windows Powershell">
+      ```bash
+      # set backend host
+      setx INFISICAL_API_URL "https://your-self-hosted-infisical.com/api"
 
-      <Tip>
-        Here's some [documentation](https://superuser.com/a/1658331) about how to clear the terminal history, in PowerShell and CMD
-      </Tip>
+      # remove backend host
+      setx INFISICAL_API_URL ""
 
-   </Tab>
-</Tabs>
-</Accordion>
+      # NOTE: Once set or removed, please restart powershell for the change to take effect
+      ```
+
+    </Tab>
+
+  </Tabs>
+
+#### Method 3: Set manually on every command
+
+Another option to point the CLI to your self hosted Infisical instance is to set it via a flag on every command you run.
+
+```bash
+# Example
+infisical <any-command> --domain="https://your-self-hosted-infisical.com/api"
+```
+
+  </Accordion>
+  <Accordion title="Can I use the CLI with service tokens?">
+    Yes. Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+    To use Infisical for non local development scenarios, please create a service token. The service token will allow you to authenticate and interact with Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI.
+
+    ```bash
+      infisical export --token=<service-token>
+      infisical secrets --token=<service-token>
+      infisical run --token=<service-token> -- npm run dev
+    ```
+
+    #### Pass via shell environment variable
+    The CLI is configured to look for an environment variable named `INFISICAL_TOKEN`. If set, it’ll attempt to use it for authentication.
+
+    ```bash
+      export INFISICAL_TOKEN=<service-token>
+    ```
+
+  </Accordion>
+</AccordionGroup>

docs/documentation/getting-started/kubernetes.mdx

@@ -1,87 +0,0 @@
----
-title: "Kubernetes"
----
-
-The Infisical Secrets Operator fetches secrets from Infisical and saves them as Kubernetes secrets using the custom `InfisicalSecret` resource to define authentication and storage methods.
-The operator updates secrets continuously and can reload dependent deployments automatically on secret changes.
-
-Prerequisites:
-
-- Connected to your cluster via kubectl
-- Have a project with secrets ready in [Infisical Cloud](https://app.infisical.com).
-- Create an [Infisical Token](/documentation/platform/token) scoped to an environment in your project in Infisical.
-
-## Installation
-
-Follow the instructions for either [Helm](https://helm.sh/) or [kubectl](https://github.com/kubernetes/kubectl) to install the Infisical Secrets Operator.
-
-<Tabs>
-    <Tab title="Helm">
-        Install the Infisical Helm repository
-        
-        ```console
-        helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
-  
-        helm repo update
-        ```
-        
-        Install the Helm chart
-        ```console
-        helm install --generate-name infisical-helm-charts/secrets-operator
-        ```
-        
-    </Tab>
-    <Tab title="Kubectl">
-    The operator will be installed in `infisical-operator-system` namespace
-    ```
-    kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical/main/k8-operator/kubectl-install/install-secrets-operator.yaml
-    ```
-    </Tab>
-</Tabs>
-
-
-## Usage
-
-**Step 1: Create Kubernetes secret containing service token** 
-
-Once you have generated the service token, create a Kubernetes secret containing the service token you generated by running the command below.
-
-``` bash
-kubectl create secret generic service-token --from-literal=infisicalToken=<your-service-token-here> 
-```
-
-**Step 2: Fill out the InfisicalSecrets CRD and apply it to your cluster**
-
-```yaml infisical-secrets-config.yaml
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  # Name of of this InfisicalSecret resource
-  name: infisicalsecret-sample
-spec:
-  # The host that should be used to pull secrets from. If left empty, the value specified in Global configuration will be used
-  hostAPI: https://app.infisical.com/api
-  resyncInterval:
-  authentication:
-    serviceToken:
-      serviceTokenSecretReference:
-        secretName: service-token
-        secretNamespace: option
-      secretsScope:
-        envSlug: dev
-        secretsPath: "/"
-  managedSecretReference:
-    secretName: managed-secret # <-- the name of kubernetes secret that will be created
-    secretNamespace: default # <-- where the kubernetes secret should be created
-```
-
-```
-kubectl apply -f infisical-secrets-config.yaml
-```
-
-You should now see a new kubernetes secret automatically created in the namespace you defined in the `managedSecretReference` property above. 
-
-See also:
-
-- [Documentation for the Infisical Kubernetes Operator](../../integrations/platforms/kubernetes)
-

docs/documentation/platform/dynamic-secrets/aws-iam.mdx

@@ -0,0 +1,151 @@
+---
+title: "AWS IAM"
+description: "How to dynamically generate AWS IAM Users."
+---
+
+The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on configured AWS policy.
+
+## Prerequisite
+
+Infisical needs an initial AWS IAM user with the required permissions to create sub IAM users. This IAM user will be responsible for managing the lifecycle of new IAM users.
+
+<Accordion title="Managing AWS IAM User minimum permission policy">
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:AttachUserPolicy",
+        "iam:CreateAccessKey",
+        "iam:CreateUser",
+        "iam:DeleteAccessKey",
+        "iam:DeleteUser",
+        "iam:DeleteUserPolicy",
+        "iam:DetachUserPolicy",
+        "iam:GetUser",
+        "iam:ListAccessKeys",
+        "iam:ListAttachedUserPolicies",
+        "iam:ListGroupsForUser",
+        "iam:ListUserPolicies",
+        "iam:PutUserPolicy",
+        "iam:AddUserToGroup",
+        "iam:RemoveUserFromGroup"
+      ],
+      "Resource": ["*"]
+    }
+  ]
+}
+```
+
+To minimize managing user access you can attach a resource in format 
+
+> arn:aws:iam::\<account-id\>:user/\<aws-scope-path\>
+
+Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** with a path to minimize managing user access.
+
+</Accordion>
+
+## Set up Dynamic Secrets with AWS IAM
+
+<Steps>
+  <Step title="Secret Overview Dashboard">
+	Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select AWS IAM">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+	<ParamField path="Secret Name" type="string" required>
+		Name by which you want the secret to be referenced
+	</ParamField>
+
+	<ParamField path="Default TTL" type="string" required>
+		Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
+	</ParamField>
+
+	<ParamField path="Max TTL" type="string" required>
+		Maximum time-to-live for a generated secret
+	</ParamField>
+
+	<ParamField path="AWS Access Key" type="string" required>
+				The managing AWS IAM User Access Key
+  </ParamField>
+
+	<ParamField path="AWS Secret Key" type="string" required>
+				The managing AWS IAM User Secret Key
+  </ParamField>
+
+	<ParamField path="AWS IAM Path" type="string">
+				[IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
+	</ParamField>
+
+	<ParamField path="AWS Region" type="string" required>
+				The AWS data center region.
+	</ParamField>
+
+	<ParamField path="IAM User Permission Boundary" type="string" required>
+				The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
+	</ParamField>
+
+	<ParamField path="AWS IAM Groups" type="string">
+	The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas	
+</ParamField>
+ 
+	<ParamField path="AWS Policy ARNs" type="string">
+	The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas	
+</ParamField>
+
+<ParamField path="AWS IAM Policy Document" type="string">
+	The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas	
+</ParamField>
+
+	![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam.png)
+
+  </Step>
+  <Step title="Click 'Submit'">
+  	After submitting the form, you will see a dynamic secret created in the dashboard. 
+
+	![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
+  </Step>
+  <Step title="Generate dynamic secrets">
+	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. 
+	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. 
+	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+	![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+	When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+	![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+	<Tip>
+		Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret in step 4.
+	</Tip>
+
+
+	Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you. 
+
+	![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
+  </Step>
+</Steps>
+
+## Audit or Revoke Leases
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. 
+This will allow you see the lease details  and delete the lease ahead of its expiration time.
+
+![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
+
+## Renew Leases
+To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the **Renew** as illustrated below.
+![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
+
+<Warning>
+	Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
+</Warning>

docs/documentation/platform/dynamic-secrets/overview.mdx

@@ -1,13 +1,14 @@
 ---
-title: "Overview"
+title: "Dynamic Secrets"
+sidebarTitle: "Overview"
 description: "Learn how to generate secrets dynamically on-demand."
 ---
 
 ## Introduction
 
-Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, dynamic secrets are generated on-demand upon access. 
+Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, **dynamic secrets are generated on-demand upon access**. 
 
-Dynamic secrets are unique to every identity using them. Such secrets come are generated only at the moment they are retrieved, eliminating the possibility of theft or reuse by another identity. Thanks to Infisical's integrated revocation capabilities, dynamic secrets can be promptly invalidated post-use, significantly reducing their lifespan.
+**Dynamic secrets are unique to every identity using them**. Such secrets come are generated only at the moment they are retrieved, eliminating the possibility of theft or reuse by another identity. Thanks to Infisical's integrated revocation capabilities, dynamic secrets can be promptly invalidated post-use, significantly reducing their lifespan.
 
 ## Benefits of Dynamic Secrets
 
@@ -23,8 +24,12 @@ This approach offers several advantages in terms of security and management:
 
 - **Scalability**: Dynamic secret management systems can scale more effectively to handle a large number of services and applications, as they automate much of the overhead associated with manual secret management.
 
-Dynamic secrets are particularly useful in environments with stringent security requirements, such as cloud environments, distributed systems, and microservices architectures, where they help to manage database credentials, API keys, service tokens, and other types of secrets.
+Dynamic secrets are particularly useful in environments with stringent security requirements, such as cloud environments, distributed systems, and microservices architectures, where they help to manage database credentials, API keys, tokens, and other types of secrets.
 
 ## Infisical Dynamic Secret Templates
 
 1. [PostgreSQL](./postgresql)
+2. [MySQL](./mysql)
+3. [Cassandra](./cassandra)
+4. [Oracle](./oracle)
+5. [AWS IAM](./aws-iam)

docs/documentation/platform/identities/machine-identities.mdx

@@ -1,5 +1,5 @@
 ---
-title:  Machine Identities
+title: Machine Identities
 description: "Learn how to use Machine Identities to programmatically interact with Infisical."
 ---
 
@@ -21,18 +21,17 @@ Key Features:
 A typical workflow for using identities consists of four steps:
 
 1. Creating the identity with a name and [role](/documentation/platform/role-based-access-controls) in Organization Access Control > Machine Identities.
-This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth).
+   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth).
 2. Adding the identity to the project(s) you want it to have access to.
 3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
 4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
 
-
 <Note>
   Currently, identities can only be used to make authenticated requests to the Infisical API, SDKs, Terraform, Kubernetes Operator, and Infisical Agent. They do not work with clients such as CLI, Ansible look up plugin, etc.
 
-  Machine Identity support for the rest of the clients is planned to be released in the current quarter.
-</Note>
+Machine Identity support for the rest of the clients is planned to be released in the current quarter.
 
+</Note>
 
 ## Authentication Methods
 
@@ -43,8 +42,16 @@ To interact with various resources in Infisical, Machine Identities are able to
 ## FAQ
 
 <AccordionGroup>
+<Accordion title="Can I use machine identities with the CLI?">
+
+Yes - Identities can be used with the CLI.
+
+You can learn more about how to do this in the CLI quickstart [here](/cli/usage).
+
+</Accordion>
+
 <Accordion title="What is the difference between an identity and service token?">
-  A service token is a project-level authentication method that is being phased out in favor of identities.
+  A service token is a project-level authentication method that is being deprecated in favor of identities. The service token method will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
   
   Amongst many differences, identities provide broader access over the Infisical API, utilizes the same
   permission system as user identities, and come with a significantly larger number of configurable authentication and security features.

docs/documentation/platform/identities/user-identities.mdx

@@ -17,7 +17,6 @@ Upon being added to an organization and projects, users assume a certain set of
 
 To interact with various resources in Infisical, users are able to utilize a number of authentication methods: 
 - **Email & Password**: the most common authentication method that is used for authentication into Web Dashboard and Infisical CLI. It is recommended to utilize [Multi-factor Authentication](/documentation/platform/mfa) in addition to it.  
-- **Service Tokens**: Service tokens allow users authenticate into CLI and other clients under their own identity. For the majority of use cases, it is not a recommended approach. Instead, it is often a good idea to utilize [Machine Identities](./machine-identities) with [Universal Authentication](/documentation/platform/identities/universal-auth). 
 - **SSO**: Infisical natively integrates with a number of SSO identity providers like [Google](/documentation/platform/sso/google), [GitHub](/documentation/platform/sso/github), and [GitLab](/documentation/platform/sso/gitlab). 
 - **SAML SSO**: It is also possible to set up SAML SSO integration with identity providers like [Okta](/documentation/platform/sso/okta), [Microsoft Entra ID](/documentation/platform/sso/azure) (formerly known as Azure AD), [JumpCloud](/documentation/platform/sso/jumpcloud), [Google](/documentation/platform/sso/google-saml), and more. 
 - **LDAP**: For organizations with more advanced needs, Infisical also provides user authentication with [LDAP](/documentation/platform/ldap/overview) that includes a number of LDAP providers.

docs/documentation/platform/ip-allowlisting.mdx

@@ -1,38 +0,0 @@
----
-title: "IP Allowlisting"
-description: "Restrict access to your secrets in Infisical using trusted IPs"
----
-
-<Warning>
-  IP allowlisting at the project-level is being replaced with IP allowlisting at the token-level now available with the Service Token V3 authentication method.
-  
-  Instead of providing trusted IPs (specific IPs and CIDR ranges) to be applied across all service tokens, 
-  you can now specify trusted IPs at the token-level.
-  
-</Warning>
-<Info>
-  Note that IP Allowlisting is a paid feature.
-
-  If you're using Infisical Cloud, then it is available under the **Pro Tier**. If you're self-hosting Infisical,
-  then you should contact sales@infisical.com to purchase an enterprise license to use it.
-</Info>
-
-Projects in Infisical can be configured to restrict client access to specific IP addresses or CIDR ranges. This applies to any client using service tokens and
-can be useful, for example, for limiting access to traffic coming from corporate networks.
-
-By default, each project is initialized with the `0.0.0.0/0` entry, representing all possible IPv4 addresses.
-For enhanced security, we strongly recommend replacing the default entry with your client IPs to tighten access to your secrets.
-
-<Note>
-  You must be a project `admin` to manage your project's IP whitelist.
-</Note>
-
-![IP whitelist](../../images/platform/ip-allowlisting/ip-allowlisting-table.png)
-
-## Creating a trusted IP entry
-
-To create a trusted IP entry, head over to the **IP Whitelist** tab in your project. When creating an entry,
-you can specify either a specific IP address like `192.0.2.1` or a CIDR range like `2001:db8::/32`; both IPv4 and IPv6
-formats are accepted.
-
-![IP whitelist add](../../images/platform/ip-allowlisting/ip-allowlisting-modal.png)

docs/documentation/platform/ldap.mdx

@@ -1,36 +0,0 @@
----
-title: "LDAP"
-description: "Log in to Infisical with LDAP"
----
-
-<Info>
-    LDAP is a paid feature.
-   
-   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-   then you should contact sales@infisical.com to purchase an enterprise license to use it.
-</Info>
-
-You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol).
-
-<Steps>
-   <Step title="Prepare the LDAP configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
-        
-        Next, input your LDAP server settings.
-        
-        ![LDAP configuration](/images/platform/ldap/ldap-config.png)
-        
-        Here's some guidance for each field:
-
-        - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
-        - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
-        - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
-        - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
-   </Step>
-   <Step title="Enable LDAP in Infisical">
-        Enabling LDAP allows members in your organization to log into Infisical via LDAP.
-        
-        ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
-   </Step>
-</Steps>

docs/documentation/platform/ldap/general.mdx

@@ -4,16 +4,17 @@ description: "Learn how to log in to Infisical with LDAP."
 ---
 
 <Info>
-    LDAP is a paid feature.
-   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-   then you should contact sales@infisical.com to purchase an enterprise license to use it.
+  LDAP is a paid feature. If you're using Infisical Cloud, then it is available
+  under the **Enterprise Tier**. If you're self-hosting Infisical, then you
+  should contact sales@infisical.com to purchase an enterprise license to use
+  it.
 </Info>
 
 You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
 
 <Steps>
    <Step title="Prepare the LDAP configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+        In Infisical, head to your Organization Settings > Security > LDAP and select **Manage**.
 
         Next, input your LDAP server settings.
 
@@ -24,11 +25,50 @@ You can configure your organization in Infisical to have members authenticate wi
         - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
         - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
         - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
+        - User Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=acme,dc=com`.
+        - User Search Filter (optional): Template used to construct the LDAP user search filter such as `(uid={{username}})`; use literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.
+        - Group Search Base / Group DN (optional): LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`.
+        - Group Filter (optional): Template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: [`UserDN`, `UserName`]. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.
         - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
+
+     <Note>
+          The **Group Search Base / Group DN** and **Group Filter** fields are both required if you wish to sync LDAP groups to Infisical.
+     </Note>
+
+   </Step>
+   <Step title="Test the LDAP connection">
+      Once you've filled out the LDAP configuration, you can test that part of the configuration is correct by pressing the **Test Connection** button.
+
+      Infisical will attempt to bind to the LDAP server using the provided **URL**, **Bind DN**, and **Bind Pass**. If the operation is successful, then Infisical will display a success message; if not, then Infisical will display an error message and provide a fuller error in the server logs.
+
+        ![LDAP test connection](/images/platform/ldap/ldap-test-connection.png)
+    </Step>
+
+   <Step title="Define mappings from LDAP groups to groups in Infisical">
+     In order to sync LDAP groups to Infisical, head to the **LDAP Group Mappings** section to define mappings from LDAP groups to groups in Infisical.
+     
+     ![LDAP group mappings section](/images/platform/ldap/ldap-group-mappings-section.png)
+     
+     Group mappings ensure that users who log into Infisical via LDAP are added to or removed from the Infisical group(s) that corresponds to the LDAP group(s) they are a member of.
+     
+     ![LDAP group mappings table](/images/platform/ldap/ldap-group-mappings-table.png)
+     
+     Each group mapping consists of two parts: 
+     - LDAP Group CN: The common name of the LDAP group to map.
+     - Infisical Group: The Infisical group to map the LDAP group to.
+     
+     For example, suppose you want to automatically add a user who is part of the LDAP group with CN `Engineers` to the Infisical group `Engineers` when the user sets up their account with Infisical.
+     
+     In this case, you would specify a mapping from the LDAP group with CN `Engineers` to the Infisical group `Engineers`.
+     Now when the user logs into Infisical via LDAP, Infisical will check the LDAP groups that the user is a part of whilst referencing the group mappings you created earlier. Since the user is a member of the LDAP group with CN `Engineers`, they will be added to the Infisical group `Engineers`.
+     In the future, if the user is no longer part of the LDAP group with CN `Engineers`, they will be removed from the Infisical group `Engineers` upon their next login.
+     <Note>
+          Prior to defining any group mappings, ensure that you've created the Infisical groups that you want to map the LDAP groups to.
+          You can read more about creating (user) groups in Infisical [here](/documentation/platform/groups).
+     </Note>
    </Step>
    <Step title="Enable LDAP in Infisical">
         Enabling LDAP allows members in your organization to log into Infisical via LDAP.
         ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
    </Step>
-</Steps>
+</Steps>

docs/documentation/platform/ldap/jumpcloud.mdx

@@ -4,9 +4,10 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
 ---
 
 <Info>
-    LDAP is a paid feature.
-    If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-    then you should contact sales@infisical.com to purchase an enterprise license to use it.
+  LDAP is a paid feature. If you're using Infisical Cloud, then it is available
+  under the **Enterprise Tier**. If you're self-hosting Infisical, then you
+  should contact sales@infisical.com to purchase an enterprise license to use
+  it.
 </Info>
 
 <Steps>
@@ -17,13 +18,12 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
         When creating the user, input their **First Name**, **Last Name**, **Username** (required), **Company Email** (required), and **Description**.
         Also, create a password for the user.
 
-        Next, under User Security Settings and Permissions > Permission Settings, check the box next to **Enable as LDAP Bind DN**. 
+        Next, under User Security Settings and Permissions > Permission Settings, check the box next to **Enable as LDAP Bind DN**.
 
         ![LDAP JumpCloud](/images/platform/ldap/jumpcloud/ldap-jumpcloud-enable-bind-dn.png)
-
     </Step>
     <Step title="Prepare the LDAP configuration in Infisical">
-            In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+            In Infisical, head to your Organization Settings > Security > LDAP and select **Manage**.
 
             Next, input your JumpCloud LDAP server settings.
 
@@ -34,21 +34,57 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
             - URL: The LDAP server to connect to (`ldaps://ldap.jumpcloud.com:636`).
             - Bind DN: The distinguished name of object to bind when performing the user search (`uid=<ldap-user-username>,ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
             - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-            - Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - User Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - User Search Filter (optional): Template used to construct the LDAP user search filter (`(uid={{username}})`).
+            - Group Search Base / Group DN (optional): LDAP search base to use for group membership search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - Group Filter (optional): Template used when constructing the group membership query (`(&(objectClass=groupOfNames)(member=uid={{.Username}},ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com))`)
             - CA Certificate: The CA certificate to use when verifying the LDAP server certificate (instructions to obtain the certificate for JumpCloud [here](https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl)).
 
             <Tip>
                 When filling out the **Bind DN** and **Bind Pass** fields, refer to the username and password of the user created in Step 1.
 
-                Also, for the **Bind DN** and **Search Base / User DN** fields, you'll want to use the organization ID that appears 
+                Also, for the **Bind DN** and **Search Base / User DN** fields, you'll want to use the organization ID that appears
                 in your LDAP instance **ORG DN**.
             </Tip>
     </Step>
+    <Step title="Test the LDAP connection">
+      Once you've filled out the LDAP configuration, you can test that part of the configuration is correct by pressing the **Test Connection** button.
+
+      Infisical will attempt to bind to the LDAP server using the provided **URL**, **Bind DN**, and **Bind Pass**. If the operation is successful, then Infisical will display a success message; if not, then Infisical will display an error message and provide a fuller error in the server logs.
+
+        ![LDAP test connection](/images/platform/ldap/ldap-test-connection.png)
+    </Step>
+    <Step title="Define mappings from LDAP groups to groups in Infisical">
+     In order to sync LDAP groups to Infisical, head to the **LDAP Group Mappings** section to define mappings from LDAP groups to groups in Infisical.
+
+     ![LDAP group mappings section](/images/platform/ldap/ldap-group-mappings-section.png)
+
+     Group mappings ensure that users who log into Infisical via LDAP are added to or removed from the Infisical group(s) that corresponds to the LDAP group(s) they are a member of.
+
+     ![LDAP group mappings table](/images/platform/ldap/ldap-group-mappings-table.png)
+
+     Each group mapping consists of two parts:
+     - LDAP Group CN: The common name of the LDAP group to map.
+     - Infisical Group: The Infisical group to map the LDAP group to.
+
+     For example, suppose you want to automatically add a user who is part of the LDAP group with CN `Engineers` to the Infisical group `Engineers` when the user sets up their account with Infisical.
+
+     In this case, you would specify a mapping from the LDAP group with CN `Engineers` to the Infisical group `Engineers`.
+     Now when the user logs into Infisical via LDAP, Infisical will check the LDAP groups that the user is a part of whilst referencing the group mappings you created earlier. Since the user is a member of the LDAP group with CN `Engineers`, they will be added to the Infisical group `Engineers`.
+     In the future, if the user is no longer part of the LDAP group with CN `Engineers`, they will be removed from the Infisical group `Engineers` upon their next login.
+     <Note>
+          Prior to defining any group mappings, ensure that you've created the Infisical groups that you want to map the LDAP groups to.
+          You can read more about creating (user) groups in Infisical [here](/documentation/platform/groups).
+     </Note>
+
+   </Step>
     <Step title="Enable LDAP in Infisical">
             Enabling LDAP allows members in your organization to log into Infisical via LDAP.
             ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
     </Step>
+
 </Steps>
 
 Resources:
-- [JumpCloud Cloud LDAP Guide](https://jumpcloud.com/support/use-cloud-ldap)
+
+- [JumpCloud Cloud LDAP Guide](https://jumpcloud.com/support/use-cloud-ldap)

docs/documentation/platform/secret-reference.mdx

@@ -19,7 +19,7 @@ This means that updating the value of a base secret propagates directly to other
 
 ![secret referencing](../../images/platform/secret-references-imports/secret-reference.png)
 
-Since secret referencing works by reconstructing values back on the client side, the client, be it a user or service token, fetching back secrets 
+Since secret referencing works by reconstructing values back on the client side, the client, be it a user, service token, or a machine identity, fetching back secrets 
 must be permissioned access to all base and dependent secrets.
 
 For example, to access some secret `A` whose values depend on secrets `B` and `C` from different scopes, a client must have `read` access to the scopes of secrets `A`, `B`, and `C`.

docs/documentation/platform/secret-versioning.mdx

@@ -5,7 +5,7 @@ description: "Learn how secret versioning works in Infisical."
 
 Every time a secret change is persformed, a new version of the same secret is created. 
 
-Such versions can be accessed visually by opening up the [secret sidebar](/documentation/platform/project#drawer) (as seen below) or [retrived via API](/api-reference/endpoints/secrets/read) 
+Such versions can be accessed visually by opening up the [secret sidebar](/documentation/platform/project#drawer) (as seen below) or [retrieved via API](/api-reference/endpoints/secrets/read) 
 by specifying the `version` query parameter.
 
 ![secret versioning](../../images/platform/secret-versioning.png)

docs/documentation/platform/token.mdx

@@ -3,6 +3,13 @@ title: "Service Token"
 description: "Infisical service tokens allow users to programmatically interact with Infisical."
 ---
 
+<Warning>
+  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+</Warning>
+
 Service tokens are authentication credentials that services can use to access designated endpoints in the Infisical API to manage project resources like secrets.
 Each service token can be provisioned scoped access to select environment(s) and path(s) within them.
 
@@ -17,8 +24,8 @@ Service Token (ST) is the current widely-used authentication method for managing
 Here's a few pointers to get you acquainted with it:
 
 - When you create a ST, you get a token prefixed with `st`. The part after the last `.` delimiter is a symmetric key; everything
-before it is an access token. When authenticating with the Infisical API, it is important to send in only the access token portion
-of the token.
+  before it is an access token. When authenticating with the Infisical API, it is important to send in only the access token portion
+  of the token.
 - ST supports expiration; it gets deleted automatically upon expiration.
 - ST supports provisioning `read` and/or `write` permissions broadly applied to all accessible environment(s) and path(s).
 - ST is not editable.
@@ -35,7 +42,7 @@ the token access to. Here's some guidance for each field:
 - Name: A friendly name for the token.
 - Scopes: The environment(s) and path(s) the token should have access to.
 - Permissions: You can indicate whether or not the token should have `read/write` access to the paths.
-Also, note that Infisical supports [glob patterns](https://www.malikbrowne.com/blog/a-beginners-guide-glob-patterns/) when defining access scopes to path(s).
+  Also, note that Infisical supports [glob patterns](https://www.malikbrowne.com/blog/a-beginners-guide-glob-patterns/) when defining access scopes to path(s).
 - Expiration: The time when this token should be rendered inactive.
 
 ![token add](../../images/project-token-old-permissions.png)
@@ -44,28 +51,31 @@ In the above screenshot, you can see that we are creating a token token with `re
 of the `/common` path within the development environment of the project; the token expires in 6 months and can be used from any IP address.
 
 <Note>
-For a deeper understanding of service tokens, it is recommended to read [this guide](https://infisical.com/docs/internals/service-tokens). 
+  For a deeper understanding of service tokens, it is recommended to read [this
+  guide](https://infisical.com/docs/internals/service-tokens).
 </Note>
 
 **FAQ**
 
 <AccordionGroup>
-<Accordion title="Why is the Infisical API rejecting my service token?">
-  There are a few reasons for why this might happen:
+  <Accordion title="Why is the Infisical API rejecting my service token?">
+      There are a few reasons for why this might happen:
 
-  - The service token has expired.
-  - The service token is insufficiently permissioned to interact with the secrets in the given environment and path.
-  - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
-  - (If using ST V3) The service token has not been activated yet.
-  - (If using ST V3) The service token is being used from an untrusted IP.
-</Accordion>
-<Accordion title="Can you provide examples for using glob patterns?">
-  1. `/**`: This pattern matches all folders at any depth in the directory structure. For example, it would match folders like `/folder1/`, `/folder1/subfolder/`, and so on.
+    - The service token has expired.
+    - The service token is insufficiently permissioned to interact with the secrets in the given environment and path.
+    - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
+    - (If using ST V3) The service token has not been activated yet.
+    - (If using ST V3) The service token is being used from an untrusted IP.
 
-  2. `/*`: This pattern matches all immediate subfolders in the current directory. It does not match any folders at a deeper level. For example, it would match folders like `/folder1/`, `/folder2/`, but not `/folder1/subfolder/`.
+  </Accordion>
+  <Accordion title="Can you provide examples for using glob patterns?">
+    1. `/**`: This pattern matches all folders at any depth in the directory structure. For example, it would match folders like `/folder1/`, `/folder1/subfolder/`, and so on.
 
-  3. `/*/*`: This pattern matches all subfolders at a depth of two levels in the current directory. It does not match any folders at a shallower or deeper level. For example, it would match folders like `/folder1/subfolder/`, `/folder2/subfolder/`, but not `/folder1/` or `/folder1/subfolder/subsubfolder/`.
+    2. `/*`: This pattern matches all immediate subfolders in the current directory. It does not match any folders at a deeper level. For example, it would match folders like `/folder1/`, `/folder2/`, but not `/folder1/subfolder/`.
 
-  4. `/folder1/*`: This pattern matches all immediate subfolders within the `/folder1/` directory. It does not match any folders outside of `/folder1/`, nor does it match any subfolders within those immediate subfolders. For example, it would match folders like `/folder1/subfolder1/`, `/folder1/subfolder2/`, but not `/folder2/subfolder/`.
-</Accordion>
+    3. `/*/*`: This pattern matches all subfolders at a depth of two levels in the current directory. It does not match any folders at a shallower or deeper level. For example, it would match folders like `/folder1/subfolder/`, `/folder2/subfolder/`, but not `/folder1/` or `/folder1/subfolder/subsubfolder/`.
+
+    4. `/folder1/*`: This pattern matches all immediate subfolders within the `/folder1/` directory. It does not match any folders outside of `/folder1/`, nor does it match any subfolders within those immediate subfolders. For example, it would match folders like `/folder1/subfolder1/`, `/folder1/subfolder2/`, but not `/folder2/subfolder/`.
+
+  </Accordion>
 </AccordionGroup>

docs/integrations/cicd/jenkins.mdx

@@ -6,134 +6,277 @@ description: "How to effectively and securely manage secrets in Jenkins using In
 **Objective**: Fetch secrets from Infisical to Jenkins pipelines
 
 In this guide, we'll outline the steps to deliver secrets from Infisical to Jenkins via the Infisical CLI.
-At a high level, the Infisical CLI will be executed within your build environment and use a service token to authenticate with Infisical. 
+At a high level, the Infisical CLI will be executed within your build environment and use a machine identity to authenticate with Infisical.
 This token must be added as a Jenkins Credential and then passed to the Infisical CLI as an environment variable, enabling it to access and retrieve secrets within your workflows.
 
 Prerequisites:
 
 - Set up and add secrets to [Infisical](https://app.infisical.com).
+- Create a [machine identity](/documentation/platform/identities/machine-identities) (Recommended), or a service token in Infisical.
 - You have a working Jenkins installation with the [credentials plugin](https://plugins.jenkins.io/credentials/) installed.
 - You have the [Infisical CLI](/cli/overview) installed on your Jenkins executor nodes or container images.
 
+<Tabs>
 
-## Add Infisical Service Token to Jenkins
+  <Tab title="Machine Identity (Recommended)">
+      ## Add Infisical Machine Identity to Jenkins
 
-After setting up your project in Infisical and installing the Infisical CLI to the environment where your Jenkins builds will run, you will need to add the Infisical Service Token to Jenkins.
+      After setting up your project in Infisical and installing the Infisical CLI to the environment where your Jenkins builds will run, you will need to add the Infisical Machine Identity to Jenkins.
 
-To generate a Infisical service token, follow the guide [here](/documentation/platform/token). 
-Once you have generated the token, navigate to **Manage Jenkins > Manage Credentials** in your Jenkins instance.
+      To generate a Infisical machine identity, follow the guide [here](/documentation/platform/identities/machine-identities).
+      Once you have generated the token, navigate to **Manage Jenkins > Manage Credentials** in your Jenkins instance.
 
-![Jenkins step 1](../../images/integrations/jenkins/jenkins_1.png)
+      ![Jenkins step 1](../../images/integrations/jenkins/jenkins_1.png)
 
-Click on the credential store you want to store the Infisical Service Token in. In this case, we're using the default Jenkins global store.
+      Click on the credential store you want to store the Infisical Machine Identity in. In this case, we're using the default Jenkins global store.
 
-<Info>
-  Each of your projects will have a different `INFISICAL_TOKEN`.
-  As a result, it may make sense to spread these out into separate credential domains depending on your use case.
-</Info>
+      <Info>
+        Each of your projects will have a different `INFISICAL_TOKEN`.
+        As a result, it may make sense to spread these out into separate credential domains depending on your use case.
+      </Info>
 
-![Jenkins step 2](../../images/integrations/jenkins/jenkins_2.png)
+      ![Jenkins step 2](../../images/integrations/jenkins/jenkins_2.png)
 
-Now, click Add Credentials.
+      Now, click Add Credentials.
 
-![Jenkins step 3](../../images/integrations/jenkins/jenkins_3.png)
+      ![Jenkins step 3](../../images/integrations/jenkins/jenkins_3.png)
 
-Choose **Secret text** for the **Kind** option from the dropdown list and enter the Infisical Service Token in the **Secret** field.
-Although the **ID** can be any value, we'll set it to `infisical-service-token` for the sake of this guide.
-The description is optional and can be any text you prefer.
+      Choose **Secret text** for the **Kind** option from the dropdown list and enter the Infisical Service Token in the **Secret** field.
+      Although the **ID** can be any value, we'll set it to `infisical-machine-identity-client-id` and `infisical-machine-identity-client-secret` for the sake of this guide.
+      The description is optional and can be any text you prefer.
 
 
-![Jenkins step 4](../../images/integrations/jenkins/jenkins_4.png)
+      ![Jenkins step 4](../../images/integrations/jenkins/jenkins_4_identity_id.png)
+      ![Jenkins step 5](../../images/integrations/jenkins/jenkins_4_identity_secret.png)
 
-When you're done, you should see a credential similar to the one below:
+      When you're done, you should see two credentials similar to the one below:
 
-![Jenkins step 5](../../images/integrations/jenkins/jenkins_5.png)
+      ![Jenkins step 6](../../images/integrations/jenkins/jenkins_5_identity.png)
 
 
-## Use Infisical in a Freestyle Project
+      ## Use Infisical in a Freestyle Project
 
-To fetch secrets with Infisical in a Freestyle Project job, you'll need to expose the credential you created above as an environment variable to the Infisical CLI. 
-To do so, first click **New Item** from the dashboard navigation sidebar:
+      To fetch secrets with Infisical in a Freestyle Project job, you'll need to expose the credential you created above as an environment variable to the Infisical CLI.
+      To do so, first click **New Item** from the dashboard navigation sidebar:
 
-![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
+      ![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
 
-Enter the name of the job, choose the **Freestyle Project** option, and click **OK**.
+      Enter the name of the job, choose the **Freestyle Project** option, and click **OK**.
 
-![Jenkins step 7](../../images/integrations/jenkins/jenkins_7.png)
+      ![Jenkins step 7](../../images/integrations/jenkins/jenkins_7.png)
 
-Scroll down to the **Build Environment** section and enable the **Use secret text(s) or file(s)** option. Then click **Add** under the **Bindings** section and choose **Secret text** from the dropdown menu.
+      Scroll down to the **Build Environment** section and enable the **Use secret text(s) or file(s)** option. Then click **Add** under the **Bindings** section and choose **Secret text** from the dropdown menu.
 
-![Jenkins step 8](../../images/integrations/jenkins/jenkins_8.png)
+      ![Jenkins step 8](../../images/integrations/jenkins/jenkins_8.png)
 
-Enter `INFISICAL_TOKEN` in the **Variable** field then click the **Specific credentials** option from the Credentials section and select the credential you created earlier. 
-In this case, we saved it as `Infisical service token` so we'll choose that from the dropdown menu.
+      Enter `INFISICAL_MACHINE_IDENTITY_CLIENT_ID` in the **Variable** field for the client ID, and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET` for the client secret. Then click the **Specific credentials** option from the Credentials section and select the credentials you created earlier.
+      In this case, we saved it as `Infisical Machine Identity Client ID` and `Infisical Machine Identity Client Secret` so we'll choose those from the dropdown menu.
 
-![Jenkins step 9](../../images/integrations/jenkins/jenkins_9.png)
+      Make sure to add bindings for both the client ID and the client secret.
 
-Scroll down to the **Build** section and choose **Execute shell** from the **Add build step** menu.
+      ![Jenkins step 9](../../images/integrations/jenkins/jenkins_9_identity.png)
 
-![Jenkins step 10](../../images/integrations/jenkins/jenkins_10.png)
+      Scroll down to the **Build** section and choose **Execute shell** from the **Add build step** menu.
 
-In the command field, you can now use the Infisical CLI to fetch secrets. 
-The example command below will print the secrets using the service token passed as a credential. When done, click  **Save**.
+      ![Jenkins step 10](../../images/integrations/jenkins/jenkins_10_identity.png)
 
-```
-infisical secrets --env=dev --path=/
-```
+      In the command field, you can now use the Infisical CLI to fetch secrets.
+      The example command below will print the secrets using the service token passed as a credential. When done, click  **Save**.
 
-![Jenkins step 11](../../images/integrations/jenkins/jenkins_11.png)
+      ```bash
+        export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_MACHINE_IDENTITY_CLIENT_ID --client-secret=$INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET --silent --plain)
+        infisical secrets --env dev --projectId=<your-project-id>
+      ```
 
-Finally, click **Build Now** from the navigation sidebar to run your new job.
+      ![Jenkins step 11](../../images/integrations/jenkins/jenkins_11_identity.png)
 
-<Info>
-  Running into issues? Join Infisical's [community Slack](https://infisical.com/slack) for quick support.
-</Info>
+      Finally, click **Build Now** from the navigation sidebar to run your new job.
+
+      <Info>
+        Running into issues? Join Infisical's [community Slack](https://infisical.com/slack) for quick support.
+      </Info>
 
 
 
-## Use Infisical in a Jenkins Pipeline
+      ## Use Infisical in a Jenkins Pipeline
 
-To fetch secrets using Infisical in a Pipeline job, you'll need to expose the Jenkins credential you created above as an environment variable.
-To do so, click **New Item** from the dashboard navigation sidebar:
+      To fetch secrets using Infisical in a Pipeline job, you'll need to expose the Jenkins credential you created above as an environment variable.
+      To do so, click **New Item** from the dashboard navigation sidebar:
 
-![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
+      ![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
 
-Enter the name of the job, choose the **Pipeline** option, and click OK.
+      Enter the name of the job, choose the **Pipeline** option, and click OK.
 
-![Jenkins step 12](../../images/integrations/jenkins/jenkins_12.png)
+      ![Jenkins step 12](../../images/integrations/jenkins/jenkins_12.png)
 
-Scroll down to the **Pipeline** section, paste the following into the **Script** field, and click **Save**.
+      Scroll down to the **Pipeline** section, paste the following into the **Script** field, and click **Save**.
 
-```
-pipeline {
-    agent any
+      ```
+      pipeline {
+          agent any
 
-    environment {
-        INFISICAL_TOKEN = credentials('infisical-service-token')
-    }
+          environment {
+              MACHINE_IDENTITY_CLIENT_ID = credentials('infisical-machine-identity-client-id')
+              MACHINE_IDENTITY_CLIENT_SECRET = credentials('infisical-machine-identity-client-secret')
 
-    stages {
-        stage('Run Infisical') {
-            steps {
-                sh("infisical secrets --env=dev --path=/")
+          }
 
-                // doesn't work
-                // sh("docker run --rm test-container infisical secrets")
+          stages {
+              stage('Run Infisical') {
+                  steps {
+                      sh("export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=${MACHINE_IDENTITY_CLIENT_ID} --client-secret=${MACHINE_IDENTITY_CLIENT_SECRET} --silent --plain)")
+                      sh("infisical secrets --env=dev --path=/ --projectId=<your-project-id>")
 
-                // works
-                // sh("docker run -e INFISICAL_TOKEN=${INFISICAL_TOKEN} --rm test-container infisical secrets --env=dev --path=/")
+                      // doesn't work
+                      // sh("docker run --rm test-container infisical secrets --projectId=<your-project-id>")
 
-                // doesn't work
-                // sh("docker-compose up -d")
+                      // works
+                      // sh("docker run -e INFISICAL_TOKEN=${INFISICAL_TOKEN} --rm test-container infisical secrets --env=dev --path=/ --projectId=<your-project-id>")
 
-                // works
-                // sh("INFISICAL_TOKEN=${INFISICAL_TOKEN} docker-compose up -d")
+                      // doesn't work
+                      // sh("docker-compose up -d")
+
+                      // works
+                      // sh("INFISICAL_TOKEN=${INFISICAL_TOKEN} docker-compose up -d")
+                  }
+              }
+          }
+      }
+      ```
+
+  </Tab>
+
+  <Tab title="Service Token (Deprecated)">
+    ## Add Infisical Service Token to Jenkins
+
+    <Warning>
+
+Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+</Warning>
+
+    After setting up your project in Infisical and installing the Infisical CLI to the environment where your Jenkins builds will run, you will need to add the Infisical Service Token to Jenkins.
+
+    To generate a Infisical service token, follow the guide [here](/documentation/platform/token).
+    Once you have generated the token, navigate to **Manage Jenkins > Manage Credentials** in your Jenkins instance.
+
+    ![Jenkins step 1](../../images/integrations/jenkins/jenkins_1.png)
+
+    Click on the credential store you want to store the Infisical Service Token in. In this case, we're using the default Jenkins global store.
+
+    <Info>
+      Each of your projects will have a different `INFISICAL_TOKEN`.
+      As a result, it may make sense to spread these out into separate credential domains depending on your use case.
+    </Info>
+
+    ![Jenkins step 2](../../images/integrations/jenkins/jenkins_2.png)
+
+    Now, click Add Credentials.
+
+    ![Jenkins step 3](../../images/integrations/jenkins/jenkins_3.png)
+
+    Choose **Secret text** for the **Kind** option from the dropdown list and enter the Infisical Service Token in the **Secret** field.
+    Although the **ID** can be any value, we'll set it to `infisical-service-token` for the sake of this guide.
+    The description is optional and can be any text you prefer.
+
+
+    ![Jenkins step 4](../../images/integrations/jenkins/jenkins_4.png)
+
+    When you're done, you should see a credential similar to the one below:
+
+    ![Jenkins step 5](../../images/integrations/jenkins/jenkins_5.png)
+
+
+    ## Use Infisical in a Freestyle Project
+
+    To fetch secrets with Infisical in a Freestyle Project job, you'll need to expose the credential you created above as an environment variable to the Infisical CLI.
+    To do so, first click **New Item** from the dashboard navigation sidebar:
+
+    ![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
+
+    Enter the name of the job, choose the **Freestyle Project** option, and click **OK**.
+
+    ![Jenkins step 7](../../images/integrations/jenkins/jenkins_7.png)
+
+    Scroll down to the **Build Environment** section and enable the **Use secret text(s) or file(s)** option. Then click **Add** under the **Bindings** section and choose **Secret text** from the dropdown menu.
+
+    ![Jenkins step 8](../../images/integrations/jenkins/jenkins_8.png)
+
+    Enter `INFISICAL_TOKEN` in the **Variable** field then click the **Specific credentials** option from the Credentials section and select the credential you created earlier.
+    In this case, we saved it as `Infisical service token` so we'll choose that from the dropdown menu.
+
+    ![Jenkins step 9](../../images/integrations/jenkins/jenkins_9.png)
+
+    Scroll down to the **Build** section and choose **Execute shell** from the **Add build step** menu.
+
+    ![Jenkins step 10](../../images/integrations/jenkins/jenkins_10.png)
+
+    In the command field, you can now use the Infisical CLI to fetch secrets.
+    The example command below will print the secrets using the service token passed as a credential. When done, click  **Save**.
+
+    ```
+    infisical secrets --env=dev --path=/
+    ```
+
+    ![Jenkins step 11](../../images/integrations/jenkins/jenkins_11.png)
+
+    Finally, click **Build Now** from the navigation sidebar to run your new job.
+
+    <Info>
+      Running into issues? Join Infisical's [community Slack](https://infisical.com/slack) for quick support.
+    </Info>
+
+
+
+    ## Use Infisical in a Jenkins Pipeline
+
+    To fetch secrets using Infisical in a Pipeline job, you'll need to expose the Jenkins credential you created above as an environment variable.
+    To do so, click **New Item** from the dashboard navigation sidebar:
+
+    ![Jenkins step 6](../../images/integrations/jenkins/jenkins_6.png)
+
+    Enter the name of the job, choose the **Pipeline** option, and click OK.
+
+    ![Jenkins step 12](../../images/integrations/jenkins/jenkins_12.png)
+
+    Scroll down to the **Pipeline** section, paste the following into the **Script** field, and click **Save**.
+
+    ```
+    pipeline {
+        agent any
+
+        environment {
+            INFISICAL_TOKEN = credentials('infisical-service-token')
+        }
+
+        stages {
+            stage('Run Infisical') {
+                steps {
+                    sh("infisical secrets --env=dev --path=/")
+
+                    // doesn't work
+                    // sh("docker run --rm test-container infisical secrets")
+
+                    // works
+                    // sh("docker run -e INFISICAL_TOKEN=${INFISICAL_TOKEN} --rm test-container infisical secrets --env=dev --path=/")
+
+                    // doesn't work
+                    // sh("docker-compose up -d")
+
+                    // works
+                    // sh("INFISICAL_TOKEN=${INFISICAL_TOKEN} docker-compose up -d")
+                }
             }
         }
     }
-}
-```
+    ```
+
+  </Tab>
+
+</Tabs>
 
 The example provided above serves as an initial guide. It shows how Jenkins adds the `INFISICAL_TOKEN` environment variable, which is configured in the pipeline, into the shell for executing commands.
-There may be instances where this doesn't work as expected in the context of running Docker commands. 
+There may be instances where this doesn't work as expected in the context of running Docker commands.
 However, the list of working examples should provide some insight into how this can be handled properly.

docs/integrations/cloud/aws-amplify.mdx

@@ -4,73 +4,134 @@ description: "Learn how to sync secrets from Infisical to AWS Amplify."
 ---
 
 Prerequisites:
+
 - Infisical Cloud account
 - Add the secrets you wish to sync to Amplify to [Infisical Cloud](https://app.infisical.com)
 
-There are many approaches to sync secrets stored within Infisical to AWS Amplify. This guide describes two such approaches below. 
+There are many approaches to sync secrets stored within Infisical to AWS Amplify. This guide describes two such approaches below.
 
 ## Access Infisical secrets at Amplify build time
 
-This approach enables you to fetch secrets from Infisical during Amplify build time. 
+This approach enables you to fetch secrets from Infisical during Amplify build time.
 
-<Steps>
-  <Step title="Generate a service token">
-    Go to your project settings in the Infisical dashboard to generate a [service token](/documentation/platform/token). This service token will allow you to authenticate and fetch secrets from Infisical. Once you have created a service token with the required permissions, you’ll need to provide the token to the CLI installed in your Docker container.
-  </Step>
-  <Step title="Set the service token as an Amplify environment variable">
-    ![aws amplify env console](../../images/integrations/aws/integrations-amplify-env-console.png)
-    1. In the Amplify console, choose App Settings, and then select Environment variables.
-    2. In the Environment variables section, select Manage variables.
-    3. Under Variable, enter the key **INFISICAL_TOKEN**. For the value, enter the generated service token from the previous step.
-    4. Click save.
-  </Step>
-  <Step title="Install Infisical CLI to the Amplify build step">
-    In the prebuild phase, add the command in AWS Amplify to install the Infisical CLI.
+<Tabs>
 
-    ```yaml
-    build:
-      phases:
-        preBuild:
-          commands:
-		- sudo curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sudo -E bash
-		- sudo yum -y install infisical
-    ```
-  </Step>
-  <Step title="Modify the build command">
-    You can now pull secrets from Infisical using the CLI and save them as a `.env` file. To do this, modify the build commands.
+  <Tab title="Machine Identity (Recommended)">
+    <Steps>
+      <Step title="Create a machine identity">
+          Create a machine identtiy and connect it to your Infisical project. You can read more about how to use machine identities [here](/documentation/platform/identities/machine-identities). The machine identity will allow you to authenticate and fetch secrets from Infisical.
+      </Step>
 
-    ```yaml
-    build:
-      phases:
+      <Step title="Set the machine identity client ID and client secret as Amplify environment variables">
+        ![aws amplify env console](../../images/integrations/aws/integrations-amplify-env-console-identity.png)
+        1. In the Amplify console, choose App Settings, and then select Environment variables.
+        2. In the Environment variables section, select Manage variables.
+        3. Under the first Variable enter `INFISICAL_MACHINE_IDENTITY_CLIENT_ID`, and for the value, enter the client ID of the machine identity you created in the previous step.
+        4. Under the second Variable enter `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET`, and for the value, enter the client secret of the machine identity you created in the previous step.
+        5. Click save.
+      </Step>
+
+      <Step title="Install Infisical CLI to the Amplify build step">
+        In the prebuild phase, add the command in AWS Amplify to install the Infisical CLI.
+
+        ```yaml
         build:
-          commands:
-		- INFISICAL_TOKEN=${INFISICAL_TOKEN}
-	    	- infisical export --format=dotenv > .env
-	    	- <rest of the commands>
-    ```
-  </Step>
-</Steps>
+          phases:
+            preBuild:
+              commands:
+        - sudo curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sudo -E bash
+        - sudo yum -y install infisical
+        ```
+      </Step>
 
-## Sync Secrets Using AWS SSM Parameter Store 
+      <Step title="Modify the build command">
+        You can now pull secrets from Infisical using the CLI and save them as a `.env` file. To do this, modify the build commands.
 
-Another approach to use secrets from Infisical in AWS Amplify is to utilize AWS Parameter Store. 
-At high level, you begin by using Infisical's AWS SSM Parameter Store integration to sync secrets from Infisical to AWS SSM Parameter Store. You then instruct AWS Amplify to consume those secrets from AWS SSM Parameter Store as [environment secrets](https://docs.aws.amazon.com/amplify/latest/userguide/environment-variables.html#environment-secrets).
+        ```yaml
+        build:
+          phases:
+            build:
+              commands:
+        - INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID} --client-secret=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET} --silent --plain)
+            - infisical export --format=dotenv > .env
+            - <rest of the commands>
+        ```
+      </Step>
+    </Steps>
 
-<Steps>
-  <Step title="Follow the AWS SSM Parameter Store Integration guide">
-    Follow the [Infisical AWS SSM Parameter Store Integration Guide](./aws-parameter-store) to set up the integration. Pause once you reach the step where it asks you to select the path you would like to sync. 
-  </Step>
-  <Step title="Find your Amplify App ID">
-    ![amplify app id](../../images/integrations/aws/integrations-amplify-app-id.png)
-    1. Open your AWS Amplify App console.
-    2. Go to **Actions >> View App Settings**
-    3. The App ID will be the last part of the App ARN field after the slash.
-  </Step>
-  <Step title="Set AWS SSM Parameter Store path">
-    You need to set the path in the format `/amplify/[amplify_app_id]/[your-amplify-environment-name]` as the path option in AWS SSM Parameter Infisical Integration.
-  </Step>
-</Steps>
+  </Tab>
+
+  <Tab title="Service Token (Deprecated)">
+    
+    <Warning>
+      Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+      They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+    </Warning>
+
+    <Steps>
+      <Step title="Generate a service token">
+        Go to your project settings in the Infisical dashboard to generate a [service token](/documentation/platform/token). This service token will allow you to authenticate and fetch secrets from Infisical. Once you have created a service token with the required permissions, you’ll need to provide the token to the CLI installed in your Docker container.
+      </Step>
+      <Step title="Set the service token as an Amplify environment variable">
+        ![aws amplify env console](../../images/integrations/aws/integrations-amplify-env-console.png)
+        1. In the Amplify console, choose App Settings, and then select Environment variables.
+        2. In the Environment variables section, select Manage variables.
+        3. Under Variable, enter the key **INFISICAL_TOKEN**. For the value, enter the generated service token from the previous step.
+        4. Click save.
+      </Step>
+      <Step title="Install Infisical CLI to the Amplify build step">
+        In the prebuild phase, add the command in AWS Amplify to install the Infisical CLI.
+
+        ```yaml
+        build:
+          phases:
+            preBuild:
+              commands:
+        - sudo curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sudo -E bash
+        - sudo yum -y install infisical
+        ```
+      </Step>
+      <Step title="Modify the build command">
+        You can now pull secrets from Infisical using the CLI and save them as a `.env` file. To do this, modify the build commands.
+
+        ```yaml
+        build:
+          phases:
+            build:
+              commands:
+        - INFISICAL_TOKEN=${INFISICAL_TOKEN}
+            - infisical export --format=dotenv > .env
+            - <rest of the commands>
+        ```
+      </Step>
+    </Steps>
+
+    ## Sync Secrets Using AWS SSM Parameter Store
+
+    Another approach to use secrets from Infisical in AWS Amplify is to utilize AWS Parameter Store.
+    At high level, you begin by using Infisical's AWS SSM Parameter Store integration to sync secrets from Infisical to AWS SSM Parameter Store. You then instruct AWS Amplify to consume those secrets from AWS SSM Parameter Store as [environment secrets](https://docs.aws.amazon.com/amplify/latest/userguide/environment-variables.html#environment-secrets).
+
+    <Steps>
+      <Step title="Follow the AWS SSM Parameter Store Integration guide">
+        Follow the [Infisical AWS SSM Parameter Store Integration Guide](./aws-parameter-store) to set up the integration. Pause once you reach the step where it asks you to select the path you would like to sync.
+      </Step>
+      <Step title="Find your Amplify App ID">
+        ![amplify app id](../../images/integrations/aws/integrations-amplify-app-id.png)
+        1. Open your AWS Amplify App console.
+        2. Go to **Actions >> View App Settings**
+        3. The App ID will be the last part of the App ARN field after the slash.
+      </Step>
+      <Step title="Set AWS SSM Parameter Store path">
+        You need to set the path in the format `/amplify/[amplify_app_id]/[your-amplify-environment-name]` as the path option in AWS SSM Parameter Infisical Integration.
+      </Step>
+    </Steps>
+
+  </Tab>
+</Tabs>
 
 <Info>
-  Accessing an environment secret during a build is similar to accessing environment variables, except that environment secrets are stored in `process.env.secrets` as a JSON string.
+  Accessing an environment secret during a build is similar to accessing
+  environment variables, except that environment secrets are stored in
+  `process.env.secrets` as a JSON string.
 </Info>

docs/integrations/cloud/aws-parameter-store.mdx

@@ -30,13 +30,18 @@ Prerequisites:
             "ssm:DeleteParameter",
             "ssm:GetParametersByPath",
             "ssm:DeleteParameters",
-            "ssm:AddTagsToResource" // if you need to add tags to secrets
+            "ssm:AddTagsToResource", // if you need to add tags to secrets
+            "kms:ListKeys", // if you need to specify the KMS key
+            "kms:ListAliases", // if you need to specify the KMS key
+            "kms:Encrypt", // if you need to specify the KMS key
+            "kms:Decrypt" // if you need to specify the KMS key
           ],
           "Resource": "*"
         }
       ]
     }
     ```
+
   </Step>
   <Step title="Authorize Infisical for AWS Parameter store">
     Obtain a AWS access key ID and secret access key for your IAM user in IAM > Users > User > Security credentials > Access keys
@@ -44,7 +49,7 @@ Prerequisites:
       ![access key 1](../../images/integrations/aws/integrations-aws-access-key-1.png)
       ![access key 2](../../images/integrations/aws/integrations-aws-access-key-2.png)
       ![access key 3](../../images/integrations/aws/integrations-aws-access-key-3.png)
-      
+
       Navigate to your project's integrations tab in Infisical.
 
       ![integrations](../../images/integrations.png)
@@ -59,6 +64,7 @@ Prerequisites:
         breaks E2EE, it's necessary for Infisical to sync the environment variables to
         the cloud platform.
     </Info>
+
   </Step>
   <Step title="Start integration">
     Select which Infisical environment secrets you want to sync to which AWS Parameter Store region and indicate the path for your secrets. Then, press create integration to start syncing secrets to AWS Parameter Store.
@@ -72,6 +78,6 @@ Prerequisites:
       secret like `TEST` to be stored as `/[project_name]/[environment]/TEST` in AWS
       Parameter Store.
     </Tip>
+
   </Step>
 </Steps>
-

docs/integrations/cloud/aws-secret-manager.mdx

@@ -31,7 +31,9 @@ Prerequisites:
             "secretsmanager:UpdateSecret",
             "secretsmanager:TagResource", // if you need to add tags to secrets
             "kms:ListKeys", // if you need to specify the KMS key
-            "kms:ListAliases" // if you need to specify the KMS key
+            "kms:ListAliases", // if you need to specify the KMS key
+            "kms:Encrypt", // if you need to specify the KMS key
+            "kms:Decrypt" // if you need to specify the KMS key
           ],
           "Resource": "*"
         }

docs/integrations/frameworks/terraform.mdx

@@ -34,7 +34,9 @@ Set up the Infisical provider by specifying the `host` and `service_token`. Repl
 ```hcl main.tf
 provider "infisical" {
   host          = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
-  service_token = "<>" # Get token https://infisical.com/docs/documentation/platform/token
+  client_id     = "<>"
+  client_secret = "<>"
+  service_token = "<>" # DEPRECATED, USE MACHINE IDENTITY AUTH INSTEAD
 }
 ```
 
@@ -54,6 +56,7 @@ Use the `infisical_secrets` data source to fetch your secrets. In this block, yo
 data "infisical_secrets" "my-secrets" {
   env_slug    = "dev"
   folder_path = "/some-folder/another-folder"
+  workspace_id = "your-project-id"
 }
 ```
 

docs/integrations/platforms/docker-compose.mdx

@@ -11,46 +11,109 @@ Prerequisites:
 
 Follow this [guide](./docker) to configure the Infisical CLI for each service that you wish to inject environment variables into; you'll have to update the Dockerfile of each service.
 
-## Generate service token 
+<Tabs>
+  <Tab title="Machine Identity (Recommended)">
+    ### Generate and configure machine identity
+    Generate a machine identity for each service you want to inject secrets into. You can do this by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide.
 
-Generate a unique [Infisical Token](/documentation/platform/token) for each service.
+    ### Set the machine identity client ID and client secret as environment variables
+    For each service you want to inject secrets into, set two environment variable called `INFISICAL_MACHINE_IDENTITY_CLIENT_ID`, and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET` equal to the client ID and client secret of the machine identity(s) you created in the previous step.
 
-## Feed service token to your Docker Compose file
+    In the example below, we set two sets of client ID and client secret for the services.
 
-For each service you want to inject secrets into, set an environment variable called `INFISICAL_TOKEN` equal to a unique identifier variable.
+    For the web service we set `INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB` as the client ID and client secret respectively.
 
-In the example below, we set `INFISICAL_TOKEN_FOR_WEB` and `INFISICAL_TOKEN_FOR_API` as the `INFISICAL_TOKEN` for the services.
+    For the API service we set `INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API` as the client ID and client secret respectively.
 
-```yaml
-# Example Docker Compose file
-services:
-  web:
-    build: .
-    image: example-service-1
-    environment:
-      - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_WEB}
+    ```yaml
+    # Example Docker Compose file
+    services:
+      web:
+        build: .
+        image: example-service-1
+        environment:
+          - INFISICAL_MACHINE_IDENTITY_CLIENT_ID=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB}
+          - INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB}
 
-  api:
-    build: .
-    image: example-service-2
-    environment:
-      - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_API}
-```
+      api:
+        build: .
+        image: example-service-2
+        environment:
+          - INFISICAL_MACHINE_IDENTITY_CLIENT_ID=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API}
+          - INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API}
 
-## Export shell variables
+    ```
 
-Next, set the shell variables you defined in your compose file. This can be done manually or via your CI/CD environment. Once done, it will be used to populate the corresponding `INFISICAL_TOKEN`
-in your Docker Compose file.
+    ### Export shell variables
+    Next, set the shell variables you defined in your compose file. This can be done manually or via your CI/CD environment. Once done, it will be used to populate the corresponding `INFISICAL_MACHINE_IDENTITY_CLIENT_ID` and `INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET` in your Docker Compose file.
 
-```bash
-#Example
+    ```bash
+    #Example
 
-# Token refers to the token we generated in step 2 for this service
-export INFISICAL_TOKEN_FOR_WEB=<token>
+    # Token refers to the token we generated in step 2 for this service
+    export INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_WEB=<client_id>
+    export INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_WEB=<client_secret>
 
-# Token refers to the token we generated in step 2 for this service
-export INFISICAL_TOKEN_FOR_API=<token>
+    # Token refers to the token we generated in step 2 for this service
+    export INFISICAL_MACHINE_IDENTITY_CLIENT_ID_FOR_API=<client_id>
+    export INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET_FOR_API=<client_secret>
 
-# Then run your compose file in the same terminal.
-docker-compose ...
-```
+    # Then run your compose file in the same terminal.
+    docker-compose ...
+    ```
+
+  </Tab>
+  <Tab title="Service Token (Deprecated)">
+
+  <Warning>
+  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+  </Warning>
+
+    ## Generate service token
+    Generate a unique [Service Token](/documentation/platform/token) for each service.
+
+    ## Feed service token to your Docker Compose file
+
+    For each service you want to inject secrets into, set an environment variable called `INFISICAL_TOKEN` equal to a unique identifier variable.
+
+    In the example below, we set `INFISICAL_TOKEN_FOR_WEB` and `INFISICAL_TOKEN_FOR_API` as the `INFISICAL_TOKEN` for the services.
+
+    ```yaml
+    # Example Docker Compose file
+    services:
+      web:
+        build: .
+        image: example-service-1
+        environment:
+          - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_WEB}
+
+      api:
+        build: .
+        image: example-service-2
+        environment:
+          - INFISICAL_TOKEN=${INFISICAL_TOKEN_FOR_API}
+    ```
+
+    ## Export shell variables
+
+    Next, set the shell variables you defined in your compose file. This can be done manually or via your CI/CD environment. Once done, it will be used to populate the corresponding `INFISICAL_TOKEN`
+    in your Docker Compose file.
+
+    ```bash
+    #Example
+
+    # Token refers to the token we generated in step 2 for this service
+    export INFISICAL_TOKEN_FOR_WEB=<token>
+
+    # Token refers to the token we generated in step 2 for this service
+    export INFISICAL_TOKEN_FOR_API=<token>
+
+    # Then run your compose file in the same terminal.
+    docker-compose ...
+    ```
+
+  </Tab>
+</Tabs>

docs/integrations/platforms/docker-pass-envs.mdx

@@ -10,8 +10,11 @@ For this method to function as expected, you must have a bash shell (for process
 
 ## 1. Authentication
 
-If you are already logged in via the CLI you can skip this step. Otherwise, head to your project settings in Infisical Cloud to generate an [Infisical Token](/documentation/platform/token). The service token will allow you to authenticate and fetch secrets from Infisical. 
-Once you have created a service token with the required permissions, you'll need to feed the token to the CLI. 
+If you are already logged in via the CLI you can skip this step. Otherwise, head to your organization settings in Infisical Cloud to create a [Machine Identity](../../documentation/platform/identities/machine-identities). The machine identity will allow you to authenticate and fetch secrets from Infisical. 
+Once you have created a machine identity with the required permissions, you'll need to feed the token to the CLI.
+<Info> 
+  Please note that we highly recommend using `infisical login` for local development.
+</Info>
 
 #### Pass as flag
 You may use the --token flag to set the token 
@@ -27,8 +30,14 @@ The CLI is configured to look for an environment variable named `INFISICAL_TOKEN
 export INFISICAL_TOKEN=<>
 ```
 
+You can use the `infisical login --method=universal-auth` command to directly obtain a universal auth access token and set it as an environment variable.
+
+```bash
+  export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)
+```
+
 <Warning>
-  In production scenarios, please to avoid using the `infisical login` command and instead use a [service token](/documentation/platform/token).
+  In production scenarios, please to avoid using the `infisical login` command and instead use a [machine identity](../../documentation/platform/identities/machine-identities).
 </Warning>
 
 ## 2. Run your docker command with Infisical 

docs/integrations/platforms/docker.mdx

@@ -41,6 +41,54 @@ This is achieved by installing the Infisical CLI into your docker image and modi
 
 Starting your service with the Infisical CLI pulls your secrets from Infisical and injects them into your service.
 
+<Tabs>
+  <Tab title="Machine Identity (Recommended)">
+    ```dockerfile
+  CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "[your service start command]"]
+
+# example with single single command
+
+CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "npm", "run", "start"]
+
+# example with multiple commands
+
+CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm run start && ..."]
+
+````
+
+<Steps>
+  <Step title="Generate a machine identity">
+    Generate a machine identity for your project by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide. The machine identity will allow you to authenticate and fetch secrets from Infisical.
+  </Step>
+  <Step title="Obtain an access token for the machine identity">
+    Obtain an access token for the machine identity by running the following command:
+    ```bash
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --plain --silent)
+    ```
+
+    <Info>
+     Please note that the access token has a limited lifespan. The `infisical token renew` command can be used to renew the token if needed.
+    </Info>
+  </Step>
+  <Step title="Feed the access token to the docker container">
+    The last step is to give the Infisical CLI installed in your Docker container access to the access token. This will allow the CLI to fetch and inject the secrets into your application.
+
+    To feed the access token to the container, use the INFISICAL_TOKEN environment variable as shown below.
+
+    ```bash
+    docker run --env INFISICAL_TOKEN=$INFISICAL_TOKEN [DOCKER-IMAGE]...
+    ```
+  </Step>
+</Steps>
+
+</Tab>
+<Tab title="Service Token (Deprecated)">
+  <Warning>
+Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+</Warning>
 ```dockerfile
 CMD ["infisical", "run", "--", "[your service start command]"]
 
@@ -49,19 +97,24 @@ CMD ["infisical", "run", "--", "npm", "run", "start"]
 
 # example with multiple commands
 CMD ["infisical", "run", "--command", "npm run start && ..."]
-```
+````
 
-## Generate a service token
+  <Steps>
+    <Step title="Generate a service token">
+      Head to your project settings in the Infisical dashboard to generate an [service token](/documentation/platform/token). 
+      This service token will allow you to authenticate and fetch secrets from Infisical. 
+      Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI installed in your docker container.
+    </Step>
+    <Step title="Feed service token to docker container">
+      The last step is to give the Infisical CLI installed in your Docker container access to the service token. This will allow the CLI to fetch and inject the secrets into your application.
 
-Head to your project settings in the Infisical dashboard to generate an [service token](/documentation/platform/token). 
-This service token will allow you to authenticate and fetch secrets from Infisical. 
-Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI installed in your docker container.
+      To feed the service token to the container, use the INFISICAL_TOKEN environment variable as shown below.
 
-## Feed service token to docker container
-The last step is to give the Infisical CLI installed in your Docker container access to the service token. This will allow the CLI to fetch and inject the secrets into your application.
+      ```bash
+      docker run --env INFISICAL_TOKEN=[token] [DOCKER-IMAGE]...
+      ```
+    </Step>
 
-To feed the service token to the container, use the INFISICAL_TOKEN environment variable as shown below.
-
-```bash
- docker run --env INFISICAL_TOKEN=[token] [DOCKER-IMAGE]...
-```
+  </Steps>
+  </Tab>
+</Tabs>

docs/integrations/platforms/kubernetes.mdx

@@ -1,12 +1,11 @@
 ---
-title: 'Kubernetes'
+title: "Kubernetes"
 description: "How to use Infisical to inject secrets into Kubernetes clusters."
 ---
 
 ![title](../../images/k8-diagram.png)
 
-
-The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster. 
+The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster.
 It uses an `InfisicalSecret` resource to specify authentication and storage methods.
 The operator continuously updates secrets and can also reload dependent deployments automatically.
 
@@ -26,8 +25,8 @@ The operator can be install via [Helm](https://helm.sh) or [kubectl](https://git
     **Install the Helm chart**
 
     For production deployments, it is highly recommended to set the chart version and the application version during installs and upgrades.
-    This will prevent the operator from being accidentally updated to the latest version and introduce unintended breaking changes. 
-    
+    This will prevent the operator from being accidentally updated to the latest version and introduce unintended breaking changes.
+
     View application versions [here](https://hub.docker.com/r/infisical/kubernetes-operator/tags) and chart versions [here](https://cloudsmith.io/~infisical/repos/helm-charts/packages/detail/helm/secrets-operator/#versions)
 
     ```bash
@@ -42,66 +41,69 @@ The operator can be install via [Helm](https://helm.sh) or [kubectl](https://git
    For production deployments, it is highly recommended to set the version of the Kubernetes operator manually instead of pointing to the latest version.
    Doing so will help you avoid accidental updates to the newest release which may introduce unintended breaking changes. View all application versions [here](https://hub.docker.com/r/infisical/kubernetes-operator/tags).
 
+The command below will install the most recent version of the Kubernetes operator.
+However, to set the version manually, download the manifest and set the image tag version of `infisical/kubernetes-operator` according to your desired version.
 
-  The command below will install the most recent version of the Kubernetes operator. 
-  However, to set the version manually, download the manifest and set the image tag version of `infisical/kubernetes-operator` according to your desired version.
-
-  Once you apply the manifest, the operator will be installed in `infisical-operator-system` namespace. 
+Once you apply the manifest, the operator will be installed in `infisical-operator-system` namespace.
 
     ```
     kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical/main/k8-operator/kubectl-install/install-secrets-operator.yaml
-		```
+    	```
+
    </Tab>
 </Tabs>
 
 ## Sync Infisical Secrets to your cluster
-Once you have installed the operator to your cluster, you'll need to create a `InfisicalSecret` custom resource definition (CRD). 
+
+Once you have installed the operator to your cluster, you'll need to create a `InfisicalSecret` custom resource definition (CRD).
 
 ```yaml example-infisical-secret-crd.yaml
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-    name: infisicalsecret-sample
-    labels:
-        label-to-be-passed-to-managed-secret: sample-value
-    annotations:
-        example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+  name: infisicalsecret-sample
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
 spec:
-    hostAPI: https://app.infisical.com/api
-    resyncInterval: 10
-    authentication:
-        # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
-        # If you have multiple authentication methods defined, it may cause issues.
-        universalAuth:
-            secretsScope:
-                projectSlug: <project-slug>
-                envSlug: <env-slug> # "dev", "staging", "prod", etc..
-                secretsPath: "<secrets-path>" # Root is "/"
-            credentialsRef:
-                secretName: universal-auth-credentials
-                secretNamespace: default
-
-        serviceToken:
-            serviceTokenSecretReference:
-                secretName: service-token
-                secretNamespace: default
-            secretsScope:
-                envSlug: <env-slug>
-                secretsPath: <secrets-path> # Root is "/"
-
-    managedSecretReference:
-        secretName: managed-secret
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
+    # If you have multiple authentication methods defined, it may cause issues.
+    universalAuth:
+      secretsScope:
+        projectSlug: <project-slug>
+        envSlug: <env-slug> # "dev", "staging", "prod", etc..
+        secretsPath: "<secrets-path>" # Root is "/"
+      credentialsRef:
+        secretName: universal-auth-credentials
         secretNamespace: default
-        creationPolicy: "Orphan" ## Owner | Orphan (default)
-        # secretType: kubernetes.io/dockerconfigjson
+
+      # Service tokens are deprecated and will be removed in the near future. Please use Machine Identities for authenticating with Infisical.
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: service-token
+        secretNamespace: default
+      secretsScope:
+        envSlug: <env-slug>
+        secretsPath: <secrets-path> # Root is "/"
+
+  managedSecretReference:
+    secretName: managed-secret
+    secretNamespace: default
+    creationPolicy: "Orphan" ## Owner | Orphan (default)
+    # secretType: kubernetes.io/dockerconfigjson
 ```
+
 ### InfisicalSecret CRD properties
 
 <Accordion title="hostAPI">
   If you are fetching secrets from a self hosted instance of Infisical set the value of `hostAPI` to 
   ` https://your-self-hosted-instace.com/api`
 
-  When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud. 
+When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
 
   <Accordion title="Advanced use case">
     If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet. 
@@ -112,16 +114,19 @@ spec:
     ```
 
     Make sure to replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
+
   </Accordion>
 </Accordion>
 
 <Accordion title="resyncInterval">
-This property defines the time in seconds between each secret re-sync from Infisical. Shorter time between re-syncs will require higher rate limits only available on paid plans.
-Default re-sync interval is every 1 minute.
+  This property defines the time in seconds between each secret re-sync from
+  Infisical. Shorter time between re-syncs will require higher rate limits only
+  available on paid plans. Default re-sync interval is every 1 minute.
 </Accordion>
 
 <Accordion title="authentication">
-  This block defines the method that will be used to authenticate with Infisical so that secrets can be fetched
+  This block defines the method that will be used to authenticate with Infisical
+  so that secrets can be fetched
 </Accordion>
 
 <Accordion title="authentication.universalAuth">
@@ -145,76 +150,95 @@ Default re-sync interval is every 1 minute.
     <Step title="Add reference for the Kubernetes secret containing the identity credentials">
       Once the secret is created, add the `secretName` and `secretNamespace` of the secret that was just created under `authentication.universalAuth.credentialsRef` field in the InfisicalSecret resource.
     </Step>
+
   </Steps>
 
+{" "}
 
+<Info>
+  Make sure to also populate the `secretsScope` field with the project slug
+  _`projectSlug`_, environment slug _`envSlug`_, and secrets path
+  _`secretsPath`_ that you want to fetch secrets from. Please see the example
+  below.
+</Info>
 
-  <Info>
-    Make sure to also populate the `secretsScope` field with the project slug _`projectSlug`_, environment slug _`envSlug`_, and secrets path _`secretsPath`_ that you want to fetch secrets from. Please see the example below.
-  </Info>
+## Example
+
+```yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+      universalAuth:
+          secretsScope:
+              projectSlug: <project-slug> # <-- project slug
+              envSlug: <env-slug> # "dev", "staging", "prod", etc..
+              secretsPath: "<secrets-path>" # Root is "/"
+          credentialsRef:
+              secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
+              secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
+  ...
+```
 
-  ## Example
-  ```yaml
-  apiVersion: secrets.infisical.com/v1alpha1
-  kind: InfisicalSecret
-  metadata:
-    name: infisicalsecret-sample-crd
-  spec:
-    authentication:
-        universalAuth:
-            secretsScope:
-                projectSlug: <project-slug> # <-- project slug
-                envSlug: <env-slug> # "dev", "staging", "prod", etc..
-                secretsPath: "<secrets-path>" # Root is "/"
-            credentialsRef:
-                secretName: universal-auth-credentials # <-- name of the Kubernetes secret that stores our machine identity credentials
-                secretNamespace: default # <-- namespace of the Kubernetes secret that stores our machine identity credentials
-    ...
-  ```
 </Accordion>
 
 <Accordion title="authentication.serviceToken">
-  The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token. 
-  Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
+  <Warning>
+  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
 
-  #### 1. Generate service token 
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
 
-  You can generate a [service token](../../documentation/platform/token) for an Infisical project by heading over to the Infisical dashboard then to Project Settings.
+  </Warning>
 
-  #### 2. Create Kubernetes secret containing service token 
+The service token required to authenticate with Infisical needs to be stored in a Kubernetes secret. This block defines the reference to the name and namespace of secret that stores this service token.
+Follow the instructions below to create and store the service token in a Kubernetes secrets and reference it in your CRD.
 
-  Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated. 
-  To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace `<your-service-token-here>` with your service token.
+#### 1. Generate service token
 
-  ``` bash
-  kubectl create secret generic service-token --from-literal=infisicalToken="<your-service-token-here>"
-  ```
+You can generate a [service token](../../documentation/platform/token) for an Infisical project by heading over to the Infisical dashboard then to Project Settings.
 
-  #### 3. Add reference for the Kubernetes secret containing service token 
+#### 2. Create Kubernetes secret containing service token
 
-  Once the secret is created, add the name and namespace of the secret that was just created under `authentication.serviceToken.serviceTokenSecretReference` field in the InfisicalSecret resource.
+Once you have generated the service token, you will need to create a Kubernetes secret containing the service token you generated.
+To quickly create a Kubernetes secret containing the generated service token, you can run the command below. Make sure you replace `<your-service-token-here>` with your service token.
 
-  <Info>
-    Make sure to also populate the `secretsScope` field with the, environment slug _`envSlug`_, and secrets path _`secretsPath`_ that you want to fetch secrets from. Please see the example below.
-  </Info>
+```bash
+kubectl create secret generic service-token --from-literal=infisicalToken="<your-service-token-here>"
+```
+
+#### 3. Add reference for the Kubernetes secret containing service token
+
+Once the secret is created, add the name and namespace of the secret that was just created under `authentication.serviceToken.serviceTokenSecretReference` field in the InfisicalSecret resource.
+
+{" "}
+
+<Info>
+  Make sure to also populate the `secretsScope` field with the, environment slug
+  _`envSlug`_, and secrets path _`secretsPath`_ that you want to fetch secrets
+  from. Please see the example below.
+</Info>
+
+## Example
+
+```yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample-crd
+spec:
+  authentication:
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: service-token # <-- name of the Kubernetes secret that stores our service token
+        secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token
+      secretsScope:
+        envSlug: <env-slug> # "dev", "staging", "prod", etc..
+        secretsPath: <secrets-path> # Root is "/"
+  ...
+```
 
-  ## Example
-  ```yaml
-  apiVersion: secrets.infisical.com/v1alpha1
-  kind: InfisicalSecret
-  metadata:
-    name: infisicalsecret-sample-crd
-  spec:
-    authentication:
-      serviceToken: 
-        serviceTokenSecretReference:
-          secretName: service-token # <-- name of the Kubernetes secret that stores our service token
-          secretNamespace: option # <-- namespace of the Kubernetes secret that stores our service token
-        secretsScope:
-          envSlug: <env-slug> # "dev", "staging", "prod", etc..
-          secretsPath: <secrets-path> # Root is "/"
-    ...
-  ```
 </Accordion>
 
 <Accordion title="managedSecretReference">
@@ -238,19 +262,21 @@ Override the default Opaque type for managed secrets with this field. Useful for
 Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. 
 This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
 
-#### Available options 
+#### Available options
+
 - `Orphan` (default)
 - `Owner`
 
 <Tip>
-  When creation policy is set to `Owner`, the `InfisicalSecret` CRD must be in the same namespace as where the managed kubernetes secret. 
+  When creation policy is set to `Owner`, the `InfisicalSecret` CRD must be in
+  the same namespace as where the managed kubernetes secret.
 </Tip>
 
 </Accordion>
 
-### Propagating labels & annotations 
+### Propagating labels & annotations
 
-The operator will transfer all labels & annotations present on the `InfisicalSecret` CRD to the managed Kubernetes secret to be created. 
+The operator will transfer all labels & annotations present on the `InfisicalSecret` CRD to the managed Kubernetes secret to be created.
 Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
 
 <Accordion title="Example propagation">
@@ -275,8 +301,7 @@ This would result in the following managed secret to be created:
 
 ```yaml
 apiVersion: v1
-data:
- ...
+data: ...
 kind: Secret
 metadata:
   annotations:
@@ -288,20 +313,21 @@ metadata:
   namespace: default
 type: Opaque
 ```
+
 </Accordion>
 
+### Apply the Infisical CRD to your cluster
 
-### Apply the Infisical CRD to your cluster 
-Once you have configured the Infisical CRD with the required fields, you can apply it to your cluster. 
+Once you have configured the Infisical CRD with the required fields, you can apply it to your cluster.
 After applying, you should notice that the managed secret has been created in the desired namespace your specified.
 
 ```
 kubectl apply -f example-infisical-secret-crd.yaml
 ```
 
-### Verify managed secret creation 
+### Verify managed secret creation
 
-To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified. 
+To verify that the operator has successfully created the managed secret, you can check the secrets in the namespace that was specified.
 
 ```bash
 # Verify managed secret is created
@@ -313,48 +339,49 @@ kubectl get secrets -n <namespace of managed secret>
   1 minutes.
 </Info>
 
-### Using managed secret in your deployment 
-Incorporating the managed secret created by the operator into your deployment can be achieved through several methods. 
+### Using managed secret in your deployment
+
+Incorporating the managed secret created by the operator into your deployment can be achieved through several methods.
 Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets [here](https://kubernetes.io/docs/concepts/configuration/secret/)
 
 <Accordion title="envFrom">
-  This will take all the secrets from your managed secret and expose them to your container 
+  This will take all the secrets from your managed secret and expose them to your container
 
-  ```yaml
-    envFrom:
-      - secretRef:
-          name: managed-secret # managed secret name
-    ```
-
-    Example usage in a deployment
-    ```yaml 
-    apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
-      app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
-        app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-        - name: nginx
-          image: nginx:1.14.2
-          envFrom:
-          - secretRef:
-              name: managed-secret # <- name of managed secret
-          ports:
-          - containerPort: 80
+````yaml
+  envFrom:
+    - secretRef:
+        name: managed-secret # managed secret name
   ```
-</Accordion>
 
+  Example usage in a deployment
+  ```yaml
+  apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        envFrom:
+        - secretRef:
+            name: managed-secret # <- name of managed secret
+        ports:
+        - containerPort: 80
+````
+
+</Accordion>
 
 <Accordion title="env"> 
   This will allow you to select individual secrets by key name from your managed secret and expose them to your container 
@@ -368,95 +395,101 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
           key: SOME_SECRET_KEY # The name of the key which  exists in the managed secret
   ```
 
-  Example usage in a deployment
-    ```yaml 
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
-      app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
-        app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-        - name: nginx
-          image: nginx:1.14.2
-          env:
-            - name: STRIPE_API_SECRET 
-              valueFrom:
-                secretKeyRef:
-                  name: managed-secret # <- name of managed secret
-                  key: STRIPE_API_SECRET
-          ports:
-          - containerPort: 80
-  ```
+Example usage in a deployment
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: nginx-deployment
+labels:
+app: nginx
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: nginx
+template:
+metadata:
+labels:
+app: nginx
+spec:
+containers: - name: nginx
+image: nginx:1.14.2
+env: - name: STRIPE_API_SECRET
+valueFrom:
+secretKeyRef:
+name: managed-secret # <- name of managed secret
+key: STRIPE_API_SECRET
+ports: - containerPort: 80
+
+```
+
 </Accordion>
 
 <Accordion title="volumes">
-  This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
-  ```yaml
-  volumes:
-    - name: secrets-volume-name # The name of the volume under which secrets will be stored
-      secret:
-        secretName: managed-secret # managed secret name
-  ```
+This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
+```yaml
+volumes:
+  - name: secrets-volume-name # The name of the volume under which secrets will be stored
+    secret:
+      secretName: managed-secret # managed secret name
+````
 
-  You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
-  ```yaml
-  volumeMounts:
-    - name: secrets-volume-name
-      mountPath: /etc/secrets
-      readOnly: true
-  ```
+You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
 
-  Example usage in a deployment
-  ```yaml 
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+volumeMounts:
+  - name: secrets-volume-name
+    mountPath: /etc/secrets
+    readOnly: true
+```
+
+Example usage in a deployment
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
+    spec:
+      containers:
         - name: nginx
           image: nginx:1.14.2
           volumeMounts:
-          - name: secrets-volume-name
-            mountPath: /etc/secrets
-            readOnly: true
+            - name: secrets-volume-name
+              mountPath: /etc/secrets
+              readOnly: true
           ports:
-          - containerPort: 80
-        volumes:
+            - containerPort: 80
+      volumes:
         - name: secrets-volume-name
           secret:
             secretName: managed-secret # <- managed secrets
-  ```
+```
+
 </Accordion>
 
-## Auto redeployment 
-Deployments using managed secrets don't reload automatically on updates, so they may use outdated secrets unless manually redeployed. 
+## Auto redeployment
+
+Deployments using managed secrets don't reload automatically on updates, so they may use outdated secrets unless manually redeployed.
 To address this, we added functionality to automatically redeploy your deployment when its managed secret updates.
 
-### Enabling auto redeploy 
+### Enabling auto redeploy
+
 To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
+
 ```yaml
 secrets.infisical.com/auto-reload: "true"
 ```
@@ -492,18 +525,20 @@ spec:
 ```
 </Accordion>
 
-## Global configuration 
-To configure global settings that will apply to all instances of `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap. 
+## Global configuration
+
+To configure global settings that will apply to all instances of `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap.
 For example, you can configure all `InfisicalSecret` instances to fetch secrets from a single backend API without specifying the `hostAPI` parameter for each instance.
 
 ### Available global properties
-| Property | Description                           | Default value
-| -------- | ------------------------------------- |------------------------
-| hostAPI  | If `hostAPI` in `InfisicalSecret` instance is left empty, this value will be used                    | https://app.infisical.com/api
 
+| Property | Description                                                                       | Default value                 |
+| -------- | --------------------------------------------------------------------------------- | ----------------------------- |
+| hostAPI  | If `hostAPI` in `InfisicalSecret` instance is left empty, this value will be used | https://app.infisical.com/api |
 
 ### Applying global configurations
-All global configurations must reside in a Kubernetes ConfigMap named `infisical-config` in the namespace `infisical-operator-system`. 
+
+All global configurations must reside in a Kubernetes ConfigMap named `infisical-config` in the namespace `infisical-operator-system`.
 To apply global configuration to the operator, copy the following yaml into `infisical-config.yaml` file.
 
 ```yaml infisical-config.yaml
@@ -521,13 +556,12 @@ data:
   hostAPI: https://example.com/api # <-- global hostAPI
 ```
 
-Then apply this change via kubectl by running the following 
+Then apply this change via kubectl by running the following
 
-```bash 
-kubectl apply -f infisical-config.yaml 
+```bash
+kubectl apply -f infisical-config.yaml
 ```
 
-
 ## Troubleshoot operator
 
 If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
@@ -576,7 +610,6 @@ The managed secret created by the operator will not be deleted when the operator
    </Tab>
 </Tabs>
 
-
 ## Useful Articles
 
 - [Managing secrets in OpenShift with Infisical](https://xphyr.net/post/infisical_ocp/)

docs/internals/overview.mdx

@@ -32,6 +32,6 @@ This section covers the internals of Infisical including its technical underpinn
     icon="ticket"
     color="#000000"
   >
-    Learn best practices for utilizing Infisical service tokens.
+    Learn best practices for utilizing Infisical service tokens. Please note that service tokens are now deprecated and will be removed entirely in the future.
   </Card>
 </CardGroup>

docs/internals/service-tokens.mdx

@@ -2,12 +2,19 @@
 title: "Service tokens"
 description: "Understanding service tokens and their best practices."
 ---
+
+<Warning>
+  Service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities).
+
+They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
+
+</Warning>
 ​
 Many clients use service tokens to authenticate and read/write secrets from/to Infisical; they can be created in your project settings.
 
 ## Anatomy
 
-A service token in Infisical consists of the token itself, a `string`, and a corresponding document in the storage backend containing its 
+A service token in Infisical consists of the token itself, a `string`, and a corresponding document in the storage backend containing its
 properties and metadata.
 
 ### Database model
@@ -22,12 +29,13 @@ The storage backend model for a token contains the following information:
 
 ### Token
 
-A service token itself consist of two parts used for authentication and decryption, separated by the delimiter `.`. 
+A service token itself consist of two parts used for authentication and decryption, separated by the delimiter `.`.
 
 Consider the token `st.abc.def.ghi`. Here, `st.abc.def` can be used to authenticate with the API, by including it in the `Authorization` header under `Bearer st.abc.def`, and retrieve (encrypted) secrets as well as a project key back. Meanwhile, `ghi`, a hex-string, can be used to decrypt the project key used to decrypt the secrets.
 
 Note that when using service tokens via select client methods like SDK or CLI, cryptographic operations are abstracted for you that is the token is parsed and encryption/decryption operations are handled. If using service tokens with the REST API and end-to-end encryption enabled, then you will have to handle the encryption/decryption operations yourself.
 ​
+
 ## Recommendations
 
 ### Issuance
@@ -46,4 +54,4 @@ Since service tokens grant access to your secrets, we recommend storing them sec
 
 We recommend periodically rotating the service token, even in the absence of compromise. Since service tokens are capable of decrypting project keys used to decrypt secrets, all of which use AES-256-GCM encryption, they should be rotated before approximately 2^32 encryptions have been performed; this follows the guidance set forth by [NIST publication 800-38D](https://csrc.nist.gov/pubs/sp/800/38/d/final).
 
-Note that Infisical keeps track of the number of times that service tokens are used and will alert you when you have reached 90% of the recommended capacity.
+Note that Infisical keeps track of the number of times that service tokens are used and will alert you when you have reached 90% of the recommended capacity.

docs/mint.json

@@ -32,10 +32,7 @@
     "thumbsRating": true
   },
   "api": {
-    "baseUrl": [
-      "https://app.infisical.com",
-      "http://localhost:8080"
-    ]
+    "baseUrl": ["https://app.infisical.com", "http://localhost:8080"]
   },
   "topbarLinks": [
     {
@@ -76,11 +73,7 @@
         "documentation/getting-started/introduction",
         {
           "group": "Quickstart",
-          "pages": [
-            "documentation/guides/local-development",
-            "documentation/guides/staging",
-            "documentation/guides/production"
-          ]
+          "pages": ["documentation/guides/local-development"]
         },
         {
           "group": "Guides",
@@ -146,7 +139,8 @@
             "documentation/platform/dynamic-secrets/postgresql",
             "documentation/platform/dynamic-secrets/mysql",
             "documentation/platform/dynamic-secrets/oracle",
-            "documentation/platform/dynamic-secrets/cassandra"
+            "documentation/platform/dynamic-secrets/cassandra",
+            "documentation/platform/dynamic-secrets/aws-iam"
           ]
         },
         "documentation/platform/groups"
@@ -201,7 +195,7 @@
           "group": "Installation methods",
           "pages": [
             "self-hosting/deployment-options/standalone-infisical",
-            "self-hosting/deployment-options//docker-swarm",
+            "self-hosting/deployment-options/docker-swarm",
             "self-hosting/deployment-options/docker-compose",
             "self-hosting/deployment-options/kubernetes-helm"
           ]
@@ -374,15 +368,11 @@
     },
     {
       "group": "Build Tool Integrations",
-      "pages": [
-        "integrations/build-tools/gradle"
-      ]
+      "pages": ["integrations/build-tools/gradle"]
     },
     {
       "group": "",
-      "pages": [
-        "sdks/overview"
-      ]
+      "pages": ["sdks/overview"]
     },
     {
       "group": "SDK's",
@@ -400,9 +390,7 @@
         "api-reference/overview/authentication",
         {
           "group": "Examples",
-          "pages": [
-            "api-reference/overview/examples/integration"
-          ]
+          "pages": ["api-reference/overview/examples/integration"]
         }
       ]
     },
@@ -531,15 +519,11 @@
         },
         {
           "group": "Service Tokens",
-          "pages": [
-            "api-reference/endpoints/service-tokens/get"
-          ]
+          "pages": ["api-reference/endpoints/service-tokens/get"]
         },
         {
           "group": "Audit Logs",
-          "pages": [
-            "api-reference/endpoints/audit-logs/export-audit-log"
-          ]
+          "pages": ["api-reference/endpoints/audit-logs/export-audit-log"]
         }
       ]
     },
@@ -555,9 +539,7 @@
     },
     {
       "group": "",
-      "pages": [
-        "changelog/overview"
-      ]
+      "pages": ["changelog/overview"]
     },
     {
       "group": "Contributing",
@@ -581,9 +563,7 @@
         },
         {
           "group": "Contributing to SDK",
-          "pages": [
-            "contributing/sdk/developing"
-          ]
+          "pages": ["contributing/sdk/developing"]
         }
       ]
     }

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -22,7 +22,7 @@ description: "Learn how to use Helm chart to install Infisical on your Kubernete
   </Step>
   <Step title="Select Infisical version">
     By default, the Infisical version set in your helm chart will likely be outdated. 
-    Choose the latest Infisical docker image tag from here [here](https://hub.docker.com/r/infisical/infisical/tags).
+    Choose the latest Infisical docker image tag from [here](https://hub.docker.com/r/infisical/infisical/tags).
     
 
     ```yaml values.yaml

frontend/package-lock.json

@@ -38,6 +38,7 @@
         "@radix-ui/react-toast": "^1.1.5",
         "@radix-ui/react-tooltip": "^1.0.7",
         "@reduxjs/toolkit": "^1.8.3",
+        "@sindresorhus/slugify": "^2.2.1",
         "@stripe/react-stripe-js": "^1.16.3",
         "@stripe/stripe-js": "^1.46.0",
         "@tanstack/react-query": "^4.23.0",
@@ -5776,6 +5777,57 @@
       "integrity": "sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==",
       "dev": true
     },
+    "node_modules/@sindresorhus/slugify": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/slugify/-/slugify-2.2.1.tgz",
+      "integrity": "sha512-MkngSCRZ8JdSOCHRaYd+D01XhvU3Hjy6MGl06zhOk614hp9EOAp5gIkBeQg7wtmxpitU6eAL4kdiRMcJa2dlrw==",
+      "dependencies": {
+        "@sindresorhus/transliterate": "^1.0.0",
+        "escape-string-regexp": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/slugify/node_modules/escape-string-regexp": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz",
+      "integrity": "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/transliterate": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/transliterate/-/transliterate-1.6.0.tgz",
+      "integrity": "sha512-doH1gimEu3A46VX6aVxpHTeHrytJAG6HgdxntYnCFiIFHEM/ZGpG8KiZGBChchjQmG0XFIBL552kBTjVcMZXwQ==",
+      "dependencies": {
+        "escape-string-regexp": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/transliterate/node_modules/escape-string-regexp": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz",
+      "integrity": "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/@storybook/addon-actions": {
       "version": "7.6.8",
       "resolved": "https://registry.npmjs.org/@storybook/addon-actions/-/addon-actions-7.6.8.tgz",

frontend/package.json

@@ -46,6 +46,7 @@
     "@radix-ui/react-toast": "^1.1.5",
     "@radix-ui/react-tooltip": "^1.0.7",
     "@reduxjs/toolkit": "^1.8.3",
+    "@sindresorhus/slugify": "^2.2.1",
     "@stripe/react-stripe-js": "^1.16.3",
     "@stripe/stripe-js": "^1.46.0",
     "@tanstack/react-query": "^4.23.0",