misc: final doc updates

.gitignore

@@ -1,3 +1,5 @@
+.direnv/
+
 # backend
 node_modules
 .env
@@ -26,8 +28,6 @@ node_modules
 /.pnp
 .pnp.js
 
-.env
-
 # testing
 coverage
 reports
@@ -63,10 +63,12 @@ yarn-error.log*
 
 # Editor specific
 .vscode/*
-.idea/*
+**/.idea/*
 
 frontend-build
 
+# cli
+.go/
 *.tgz
 cli/infisical-merge
 cli/test/infisical-merge

backend/src/@types/fastify-request-context.d.ts

@@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+  }
+}

backend/src/@types/fastify.d.ts

@@ -100,12 +100,6 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
-    identityAuthInfo?: {
-      identityId: string;
-      oidc?: {
-        claims: Record<string, string>;
-      };
-    };
   }
 }
 

backend/src/db/migrations/20250212191958_create-gateway.ts

@@ -85,7 +85,7 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId");
     await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
       // not setting a foreign constraint so that cascade effects are not triggered
       if (!doesGatewayColExist) {

backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (!hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.jsonb("claimMetadataMapping");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.dropColumn("claimMetadataMapping");
-    });
-  }
-}

backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.specificType("adminIdentityIds", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("adminIdentityIds");
+    });
+  }
+}

backend/src/db/schemas/identity-oidc-auths.ts

@@ -26,8 +26,7 @@ export const IdentityOidcAuthsSchema = z.object({
   boundSubject: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  encryptedCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -12,6 +12,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretSharingSchema = z.object({
   id: z.string().uuid(),
   encryptedValue: z.string().nullable().optional(),
+  type: z.string(),
   iv: z.string().nullable().optional(),
   tag: z.string().nullable().optional(),
   hashedHex: z.string().nullable().optional(),
@@ -26,8 +27,7 @@ export const SecretSharingSchema = z.object({
   lastViewedAt: z.date().nullable().optional(),
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
-  identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  identifier: z.string().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/super-admin.ts

@@ -25,7 +25,8 @@ export const SuperAdminSchema = z.object({
   encryptedSlackClientId: zodBuffer.nullable().optional(),
   encryptedSlackClientSecret: zodBuffer.nullable().optional(),
   authConsentContent: z.string().nullable().optional(),
-  pageFrameContent: z.string().nullable().optional()
+  pageFrameContent: z.string().nullable().optional(),
+  adminIdentityIds: z.string().array().nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -978,7 +978,6 @@ interface AddIdentityOidcAuthEvent {
     boundIssuer: string;
     boundAudiences: string;
     boundClaims: Record<string, string>;
-    claimMetadataMapping: Record<string, string>;
     boundSubject: string;
     accessTokenTTL: number;
     accessTokenMaxTTL: number;
@@ -1003,7 +1002,6 @@ interface UpdateIdentityOidcAuthEvent {
     boundIssuer?: string;
     boundAudiences?: string;
     boundClaims?: Record<string, string>;
-    claimMetadataMapping?: Record<string, string>;
     boundSubject?: string;
     accessTokenTTL?: number;
     accessTokenMaxTTL?: number;

backend/src/ee/services/permission/permission-service.ts

@@ -1,6 +1,5 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
-import { requestContext } from "@fastify/request-context";
 import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
@@ -318,17 +317,14 @@ export const permissionServiceFactory = ({
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
     const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const identityAuthInfo = requestContext.get("identityAuthInfo");
-    const unescapedMetadata = objectify(
-      identityProjectPermission.metadata,
-      (i) => i.key,
-      (i) => i.value
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    ) as Record<string, any>;
-    if (identityAuthInfo?.identityId === identityId && identityAuthInfo) {
-      unescapedMetadata.auth = identityAuthInfo;
-    }
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(unescapedMetadata);
+    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      objectify(
+        identityProjectPermission.metadata,
+        (i) => i.key,
+        (i) => i.value
+      )
+    );
+
     const interpolateRules = templatedRules(
       {
         identity: {

backend/src/lib/api-docs/constants.ts

@@ -329,7 +329,6 @@ export const OIDC_AUTH = {
     boundIssuer: "The unique identifier of the identity provider issuing the JWT.",
     boundAudiences: "The list of intended recipients.",
     boundClaims: "The attributes that should be present in the JWT for it to be valid.",
-    claimMetadataMapping: "The attributes that should be present in the permission metadata from the JWT.",
     boundSubject: "The expected principal that is the subject of the JWT.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The lifetime for an access token in seconds.",
@@ -343,7 +342,6 @@ export const OIDC_AUTH = {
     boundIssuer: "The new unique identifier of the identity provider issuing the JWT.",
     boundAudiences: "The new list of intended recipients.",
     boundClaims: "The new attributes that should be present in the JWT for it to be valid.",
-    claimMetadataMapping: "The new attributes that should be present in the permission metadata from the JWT.",
     boundSubject: "The new expected principal that is the subject of the JWT.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
@@ -1727,8 +1725,7 @@ export const SecretSyncs = {
   SYNC_OPTIONS: (destination: SecretSync) => {
     const destinationName = SECRET_SYNC_NAME_MAP[destination];
     return {
-      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
-      disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
+      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`
     };
   },
   ADDITIONAL_SYNC_OPTIONS: {

backend/src/lib/template/dot-access.ts

@@ -1,34 +0,0 @@
-/**
- * Safely retrieves a value from a nested object using dot notation path
- */
-export const getStringValueByDot = (
-  obj: Record<string, unknown> | null | undefined,
-  path: string,
-  defaultValue?: string
-): string | undefined => {
-  // Handle null or undefined input
-  if (!obj) {
-    return defaultValue;
-  }
-
-  const parts = path.split(".");
-  let current: unknown = obj;
-
-  for (const part of parts) {
-    const isObject = typeof current === "object" && !Array.isArray(current) && current !== null;
-    if (!isObject) {
-      return defaultValue;
-    }
-    if (!Object.hasOwn(current as object, part)) {
-      // Check if the property exists as an own property
-      return defaultValue;
-    }
-    current = (current as Record<string, unknown>)[part];
-  }
-
-  if (typeof current !== "string") {
-    return defaultValue;
-  }
-
-  return current;
-};

backend/src/server/plugins/auth/inject-identity.ts

@@ -1,4 +1,3 @@
-import { requestContext } from "@fastify/request-context";
 import { FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
 import jwt, { JwtPayload } from "jsonwebtoken";
@@ -9,6 +8,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 export type TAuthMode =
   | {
@@ -44,6 +44,7 @@ export type TAuthMode =
       identityName: string;
       orgId: string;
       authMethod: null;
+      isInstanceAdmin?: boolean;
     }
   | {
       authMode: AuthMode.SCIM_TOKEN;
@@ -130,20 +131,16 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.IDENTITY_ACCESS_TOKEN: {
         const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
+        const serverCfg = await getServerCfg();
         req.auth = {
           authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
           actor,
           orgId: identity.orgId,
           identityId: identity.identityId,
           identityName: identity.name,
-          authMethod: null
+          authMethod: null,
+          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId)
         };
-        if (token?.identityAuth?.oidc) {
-          requestContext.set("identityAuthInfo", {
-            identityId: identity.identityId,
-            oidc: token?.identityAuth?.oidc
-          });
-        }
         break;
       }
       case AuthMode.SERVICE_TOKEN: {

backend/src/server/plugins/auth/superAdmin.ts

@@ -1,16 +1,18 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 
 import { ForbiddenRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const verifySuperAdmin = <T extends FastifyRequest>(
   req: T,
   _res: FastifyReply,
   done: HookHandlerDoneFunction
 ) => {
-  if (req.auth.actor !== ActorType.USER || !req.auth.user.superAdmin)
-    throw new ForbiddenRequestError({
-      message: "Requires elevated super admin privileges"
-    });
-  done();
+  if (isSuperAdmin(req.auth)) {
+    return done();
+  }
+
+  throw new ForbiddenRequestError({
+    message: "Requires elevated super admin privileges"
+  });
 };

backend/src/server/routes/index.ts

@@ -637,6 +637,9 @@ export const registerRoutes = async (
     userDAL,
     identityDAL,
     userAliasDAL,
+    identityTokenAuthDAL,
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     kmsRootConfigDAL,

backend/src/server/routes/v1/admin-router.ts

@@ -98,7 +98,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.API_KEY])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -139,7 +139,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -171,12 +171,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           identities: IdentitiesSchema.pick({
             name: true,
             id: true
-          }).array()
+          })
+            .extend({
+              isInstanceAdmin: z.boolean()
+            })
+            .array()
         })
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -206,7 +210,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -240,7 +244,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -265,7 +269,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       })
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -293,7 +297,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -316,7 +320,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       })
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -394,4 +398,141 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/identity-management/identities/:identityId/super-admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identity: IdentitiesSchema.pick({
+            name: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const identity = await server.services.superAdmin.deleteIdentitySuperAdminAccess(
+        req.params.identityId,
+        req.permission.id
+      );
+
+      return {
+        identity
+      };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/user-management/users/:userId/admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        userId: z.string()
+      }),
+      response: {
+        200: z.object({
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const user = await server.services.superAdmin.deleteUserSuperAdminAccess(req.params.userId);
+
+      return {
+        user
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/bootstrap",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        email: z.string().email().trim().min(1),
+        password: z.string().trim().min(1),
+        organization: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true,
+            superAdmin: true
+          }),
+          organization: OrganizationsSchema.pick({
+            id: true,
+            name: true,
+            slug: true
+          }),
+          identity: IdentitiesSchema.pick({
+            id: true,
+            name: true
+          }).extend({
+            credentials: z.object({
+              token: z.string()
+            }) // would just be Token AUTH for now
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const { user, organization, machineIdentity } = await server.services.superAdmin.bootstrapInstance({
+        ...req.body,
+        organizationName: req.body.organization
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.AdminInit,
+        distinctId: user.user.username ?? "",
+        properties: {
+          username: user.user.username,
+          email: user.user.email ?? "",
+          lastName: user.user.lastName || "",
+          firstName: user.user.firstName || ""
+        }
+      });
+
+      return {
+        message: "Successfully bootstrapped instance",
+        user: user.user,
+        organization,
+        identity: machineIdentity
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -11,6 +11,7 @@ import {
   validateAccountIds,
   validatePrincipalArns
 } from "@app/services/identity-aws-auth/identity-aws-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -130,7 +131,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -8,8 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
-
-import {} from "../sanitizedSchemas";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -127,7 +126,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -8,6 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -121,7 +122,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-jwt-auth-router.ts

@@ -12,6 +12,7 @@ import {
   validateJwtAuthAudiencesField,
   validateJwtBoundClaimsField
 } from "@app/services/identity-jwt-auth/identity-jwt-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 const IdentityJwtAuthResponseSchema = IdentityJwtAuthsSchema.omit({
   encryptedJwksCaCert: true,
@@ -169,7 +170,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.pick({
   id: true,
@@ -147,7 +148,8 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-oidc-auth-router.ts

@@ -11,6 +11,7 @@ import {
   validateOidcAuthAudiencesField,
   validateOidcBoundClaimsField
 } from "@app/services/identity-oidc-auth/identity-oidc-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.pick({
   id: true,
@@ -23,7 +24,6 @@ const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.pick({
   boundIssuer: true,
   boundAudiences: true,
   boundClaims: true,
-  claimMetadataMapping: true,
   boundSubject: true,
   createdAt: true,
   updatedAt: true
@@ -105,7 +105,6 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
           boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
           boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
           boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
-          claimMetadataMapping: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.claimMetadataMapping).optional(),
           boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
           accessTokenTrustedIps: z
             .object({
@@ -148,7 +147,8 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({
@@ -163,7 +163,6 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
             boundIssuer: identityOidcAuth.boundIssuer,
             boundAudiences: identityOidcAuth.boundAudiences,
             boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
-            claimMetadataMapping: identityOidcAuth.claimMetadataMapping as Record<string, string>,
             boundSubject: identityOidcAuth.boundSubject as string,
             accessTokenTTL: identityOidcAuth.accessTokenTTL,
             accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
@@ -203,7 +202,6 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
           boundIssuer: z.string().min(1).describe(OIDC_AUTH.UPDATE.boundIssuer),
           boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.UPDATE.boundAudiences),
           boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.UPDATE.boundClaims),
-          claimMetadataMapping: validateOidcBoundClaimsField.describe(OIDC_AUTH.UPDATE.claimMetadataMapping).optional(),
           boundSubject: z.string().optional().default("").describe(OIDC_AUTH.UPDATE.boundSubject),
           accessTokenTrustedIps: z
             .object({
@@ -262,7 +260,6 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
             boundIssuer: identityOidcAuth.boundIssuer,
             boundAudiences: identityOidcAuth.boundAudiences,
             boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
-            claimMetadataMapping: identityOidcAuth.claimMetadataMapping as Record<string, string>,
             boundSubject: identityOidcAuth.boundSubject as string,
             accessTokenTTL: identityOidcAuth.accessTokenTTL,
             accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,

backend/src/server/routes/v1/identity-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 import { SanitizedProjectSchema } from "../sanitizedSchemas";
@@ -118,6 +119,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         id: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
         ...req.body
       });
 
@@ -166,7 +168,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        id: req.params.identityId
+        id: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-token-auth-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -74,7 +75,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({
@@ -157,7 +159,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({
@@ -257,7 +260,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({
@@ -312,6 +316,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
           actorAuthMethod: req.permission.authMethod,
           actorOrgId: req.permission.orgId,
           identityId: req.params.identityId,
+          isActorSuperAdmin: isSuperAdmin(req.auth),
           ...req.body
         });
 
@@ -370,6 +375,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
         ...req.query
       });
 
@@ -421,6 +427,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         tokenId: req.params.tokenId,
+        isActorSuperAdmin: isSuperAdmin(req.auth),
         ...req.body
       });
 
@@ -470,7 +477,8 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        tokenId: req.params.tokenId
+        tokenId: req.params.tokenId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       return {

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const sanitizedClientSecretSchema = IdentityUaClientSecretsSchema.pick({
   id: true,
@@ -142,8 +143,10 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
+
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         orgId: identityUniversalAuth.orgId,

backend/src/services/identity-access-token/identity-access-token-types.ts

@@ -7,9 +7,4 @@ export type TIdentityAccessTokenJwtPayload = {
   clientSecretId: string;
   identityAccessTokenId: string;
   authTokenType: string;
-  identityAuth: {
-    oidc?: {
-      claims: Record<string, string>;
-    };
-  };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -16,6 +16,7 @@ import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
 import { extractPrincipalArn } from "./identity-aws-auth-fns";
 import {
@@ -149,8 +150,11 @@ export const identityAwsAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachAwsAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -16,6 +16,7 @@ export type TAttachAwsAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAwsAuthDTO = {

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -14,6 +14,7 @@ import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityAzureAuthDALFactory } from "./identity-azure-auth-dal";
 import { validateAzureIdentity } from "./identity-azure-auth-fns";
 import {
@@ -122,8 +123,11 @@ export const identityAzureAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachAzureAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 

backend/src/services/identity-azure-auth/identity-azure-auth-types.ts

@@ -14,6 +14,7 @@ export type TAttachAzureAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAzureAuthDTO = {

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -14,6 +14,7 @@ import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
 import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
 import {
@@ -162,8 +163,11 @@ export const identityGcpAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachGcpAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -15,6 +15,7 @@ export type TAttachGcpAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateGcpAuthDTO = {

backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts

@@ -11,7 +11,6 @@ import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-import { getStringValueByDot } from "@app/lib/template/dot-access";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -19,6 +18,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityJwtAuthDALFactory } from "./identity-jwt-auth-dal";
 import { doesFieldValueMatchJwtPolicy } from "./identity-jwt-auth-fns";
 import {
@@ -178,9 +178,8 @@ export const identityJwtAuthServiceFactory = ({
     if (identityJwtAuth.boundClaims) {
       Object.keys(identityJwtAuth.boundClaims).forEach((claimKey) => {
         const claimValue = (identityJwtAuth.boundClaims as Record<string, string>)[claimKey];
-        const value = getStringValueByDot(tokenData, claimKey) || "";
 
-        if (!value) {
+        if (!tokenData[claimKey]) {
           throw new UnauthorizedError({
             message: `Access denied: token has no ${claimKey} field`
           });
@@ -250,8 +249,11 @@ export const identityJwtAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachJwtAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) {
       if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });

backend/src/services/identity-jwt-auth/identity-jwt-auth-types.ts

@@ -19,6 +19,7 @@ export type TAttachJwtAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateJwtAuthDTO = {

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -18,6 +18,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityKubernetesAuthDALFactory } from "./identity-kubernetes-auth-dal";
 import { extractK8sUsername } from "./identity-kubernetes-auth-fns";
 import {
@@ -227,8 +228,11 @@ export const identityKubernetesAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachKubernetesAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -17,6 +17,7 @@ export type TAttachKubernetesAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateKubernetesAuthDTO = {

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -12,7 +12,6 @@ import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-import { getStringValueByDot } from "@app/lib/template/dot-access";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -20,6 +19,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
 import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
@@ -78,7 +78,7 @@ export const identityOidcAuthServiceFactory = ({
     const { data: discoveryDoc } = await axios.get<{ jwks_uri: string }>(
       `${identityOidcAuth.oidcDiscoveryUrl}/.well-known/openid-configuration`,
       {
-        httpsAgent: identityOidcAuth.oidcDiscoveryUrl.includes("https") ? requestAgent : undefined
+        httpsAgent: requestAgent
       }
     );
     const jwksUri = discoveryDoc.jwks_uri;
@@ -92,7 +92,7 @@ export const identityOidcAuthServiceFactory = ({
 
     const client = new JwksClient({
       jwksUri,
-      requestAgent: identityOidcAuth.oidcDiscoveryUrl.includes("https") ? requestAgent : undefined
+      requestAgent
     });
 
     const { kid } = decodedToken.header;
@@ -109,6 +109,7 @@ export const identityOidcAuthServiceFactory = ({
           message: `Access denied: ${error.message}`
         });
       }
+
       throw error;
     }
 
@@ -135,16 +136,10 @@ export const identityOidcAuthServiceFactory = ({
     if (identityOidcAuth.boundClaims) {
       Object.keys(identityOidcAuth.boundClaims).forEach((claimKey) => {
         const claimValue = (identityOidcAuth.boundClaims as Record<string, string>)[claimKey];
-        const value = getStringValueByDot(tokenData, claimKey) || "";
-
-        if (!value) {
-          throw new UnauthorizedError({
-            message: `Access denied: token has no ${claimKey} field`
-          });
-        }
-
         // handle both single and multi-valued claims
-        if (!claimValue.split(", ").some((claimEntry) => doesFieldValueMatchOidcPolicy(value, claimEntry))) {
+        if (
+          !claimValue.split(", ").some((claimEntry) => doesFieldValueMatchOidcPolicy(tokenData[claimKey], claimEntry))
+        ) {
           throw new UnauthorizedError({
             message: "Access denied: OIDC claim not allowed."
           });
@@ -152,20 +147,6 @@ export const identityOidcAuthServiceFactory = ({
       });
     }
 
-    const filteredClaims: Record<string, string> = {};
-    if (identityOidcAuth.claimMetadataMapping) {
-      Object.keys(identityOidcAuth.claimMetadataMapping).forEach((permissionKey) => {
-        const claimKey = (identityOidcAuth.claimMetadataMapping as Record<string, string>)[permissionKey];
-        const value = getStringValueByDot(tokenData, claimKey) || "";
-        if (!value) {
-          throw new UnauthorizedError({
-            message: `Access denied: token has no ${claimKey} field`
-          });
-        }
-        filteredClaims[permissionKey] = value;
-      });
-    }
-
     const identityAccessToken = await identityOidcAuthDAL.transaction(async (tx) => {
       const newToken = await identityAccessTokenDAL.create(
         {
@@ -187,12 +168,7 @@ export const identityOidcAuthServiceFactory = ({
       {
         identityId: identityOidcAuth.identityId,
         identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN,
-        identityAuth: {
-          oidc: {
-            claims: filteredClaims
-          }
-        }
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
       // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
@@ -213,7 +189,6 @@ export const identityOidcAuthServiceFactory = ({
     boundIssuer,
     boundAudiences,
     boundClaims,
-    claimMetadataMapping,
     boundSubject,
     accessTokenTTL,
     accessTokenMaxTTL,
@@ -222,8 +197,10 @@ export const identityOidcAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachOidcAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) {
       if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
@@ -280,7 +257,6 @@ export const identityOidcAuthServiceFactory = ({
           boundIssuer,
           boundAudiences,
           boundClaims,
-          claimMetadataMapping,
           boundSubject,
           accessTokenMaxTTL,
           accessTokenTTL,
@@ -301,7 +277,6 @@ export const identityOidcAuthServiceFactory = ({
     boundIssuer,
     boundAudiences,
     boundClaims,
-    claimMetadataMapping,
     boundSubject,
     accessTokenTTL,
     accessTokenMaxTTL,
@@ -363,7 +338,6 @@ export const identityOidcAuthServiceFactory = ({
       boundIssuer,
       boundAudiences,
       boundClaims,
-      claimMetadataMapping,
       boundSubject,
       accessTokenMaxTTL,
       accessTokenTTL,

backend/src/services/identity-oidc-auth/identity-oidc-auth-types.ts

@@ -7,12 +7,12 @@ export type TAttachOidcAuthDTO = {
   boundIssuer: string;
   boundAudiences: string;
   boundClaims: Record<string, string>;
-  claimMetadataMapping?: Record<string, string>;
   boundSubject: string;
   accessTokenTTL: number;
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateOidcAuthDTO = {
@@ -22,7 +22,6 @@ export type TUpdateOidcAuthDTO = {
   boundIssuer?: string;
   boundAudiences?: string;
   boundClaims?: Record<string, string>;
-  claimMetadataMapping?: Record<string, string>;
   boundSubject?: string;
   accessTokenTTL?: number;
   accessTokenMaxTTL?: number;

backend/src/services/identity-token-auth/identity-token-auth-service.ts

@@ -14,6 +14,7 @@ import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityTokenAuthDALFactory } from "./identity-token-auth-dal";
 import {
   TAttachTokenAuthDTO,
@@ -59,8 +60,11 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachTokenAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
@@ -126,8 +130,11 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TUpdateTokenAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
@@ -218,8 +225,11 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actor,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TRevokeTokenAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
@@ -271,8 +281,11 @@ export const identityTokenAuthServiceFactory = ({
     actor,
     actorAuthMethod,
     actorOrgId,
-    name
+    name,
+    isActorSuperAdmin
   }: TCreateTokenAuthTokenDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
@@ -350,8 +363,11 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actor,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TGetTokenAuthTokensDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
@@ -386,7 +402,8 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actor,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TUpdateTokenAuthTokenDTO) => {
     const foundToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: tokenId,
@@ -398,6 +415,8 @@ export const identityTokenAuthServiceFactory = ({
     if (!identityMembershipOrg) {
       throw new NotFoundError({ message: `Failed to find identity with ID ${foundToken.identityId}` });
     }
+
+    await validateIdentityUpdateForSuperAdminPrivileges(foundToken.identityId, isActorSuperAdmin);
     if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth"
@@ -446,18 +465,22 @@ export const identityTokenAuthServiceFactory = ({
     actorId,
     actor,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TRevokeTokenAuthTokenDTO) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: tokenId,
       [`${TableName.IdentityAccessToken}.isAccessTokenRevoked` as "isAccessTokenRevoked"]: false,
       [`${TableName.IdentityAccessToken}.authMethod` as "authMethod"]: IdentityAuthMethod.TOKEN_AUTH
     });
+
     if (!identityAccessToken)
       throw new NotFoundError({
         message: `Token with ID ${tokenId} not found or already revoked`
       });
 
+    await validateIdentityUpdateForSuperAdminPrivileges(identityAccessToken.identityId, isActorSuperAdmin);
+
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({
       identityId: identityAccessToken.identityId
     });

backend/src/services/identity-token-auth/identity-token-auth-types.ts

@@ -6,6 +6,7 @@ export type TAttachTokenAuthDTO = {
   accessTokenMaxTTL: number;
   accessTokenNumUsesLimit: number;
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateTokenAuthDTO = {
@@ -14,6 +15,7 @@ export type TUpdateTokenAuthDTO = {
   accessTokenMaxTTL?: number;
   accessTokenNumUsesLimit?: number;
   accessTokenTrustedIps?: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TGetTokenAuthDTO = {
@@ -22,24 +24,29 @@ export type TGetTokenAuthDTO = {
 
 export type TRevokeTokenAuthDTO = {
   identityId: string;
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateTokenAuthTokenDTO = {
   identityId: string;
   name?: string;
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TGetTokenAuthTokensDTO = {
   identityId: string;
   offset: number;
   limit: number;
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateTokenAuthTokenDTO = {
   tokenId: string;
   name?: string;
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TRevokeTokenAuthTokenDTO = {
   tokenId: string;
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -17,6 +17,7 @@ import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityUaClientSecretDALFactory } from "./identity-ua-client-secret-dal";
 import { TIdentityUaDALFactory } from "./identity-ua-dal";
 import {
@@ -150,8 +151,11 @@ export const identityUaServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId
+    actorOrgId,
+    isActorSuperAdmin
   }: TAttachUaDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 

backend/src/services/identity-ua/identity-ua-types.ts

@@ -7,6 +7,7 @@ export type TAttachUaDTO = {
   accessTokenNumUsesLimit: number;
   clientSecretTrustedIps: { ipAddress: string }[];
   accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateUaDTO = {

backend/src/services/identity/identity-service.ts

@@ -9,6 +9,7 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 
 import { ActorType } from "../auth/auth-type";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityMetadataDALFactory } from "./identity-metadata-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
@@ -112,8 +113,11 @@ export const identityServiceFactory = ({
     actorId,
     actorAuthMethod,
     actorOrgId,
-    metadata
+    metadata,
+    isActorSuperAdmin
   }: TUpdateIdentityDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(id, isActorSuperAdmin);
+
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new NotFoundError({ message: `Failed to find identity with id ${id}` });
 
@@ -209,7 +213,16 @@ export const identityServiceFactory = ({
     return identity;
   };
 
-  const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
+  const deleteIdentity = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id,
+    isActorSuperAdmin
+  }: TDeleteIdentityDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(id, isActorSuperAdmin);
+
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new NotFoundError({ message: `Failed to find identity with id ${id}` });
 

backend/src/services/identity/identity-types.ts

@@ -12,10 +12,12 @@ export type TUpdateIdentityDTO = {
   role?: string;
   name?: string;
   metadata?: { key: string; value: string }[];
+  isActorSuperAdmin?: boolean;
 } & Omit<TOrgPermission, "orgId">;
 
 export type TDeleteIdentityDTO = {
   id: string;
+  isActorSuperAdmin?: boolean;
 } & Omit<TOrgPermission, "orgId">;
 
 export type TGetIdentityByIdDTO = {

backend/src/services/integration-auth/integration-app-list.ts

@@ -923,14 +923,16 @@ const getAppsCodefresh = async ({ accessToken }: { accessToken: string }) => {
 /**
  * Return list of projects for Windmill integration
  */
-const getAppsWindmill = async ({ accessToken, url }: { accessToken: string; url?: string | null }) => {
-  const apiUrl = url ? `${url}/api` : IntegrationUrls.WINDMILL_API_URL;
-  const { data } = await request.get<{ id: string; name: string }[]>(`${apiUrl}/workspaces/list`, {
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      "Accept-Encoding": "application/json"
+const getAppsWindmill = async ({ accessToken }: { accessToken: string }) => {
+  const { data } = await request.get<{ id: string; name: string }[]>(
+    `${IntegrationUrls.WINDMILL_API_URL}/workspaces/list`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
     }
-  });
+  );
 
   // check for write access of secrets in windmill workspaces
   const writeAccessCheck = data.map(async (app) => {
@@ -939,7 +941,7 @@ const getAppsWindmill = async ({ accessToken, url }: { accessToken: string; url?
       const folderPath = "f/folder/variable";
 
       const { data: writeUser } = await request.post<object>(
-        `${apiUrl}/w/${app.id}/variables/create`,
+        `${IntegrationUrls.WINDMILL_API_URL}/w/${app.id}/variables/create`,
         {
           path: userPath,
           value: "variable",
@@ -955,7 +957,7 @@ const getAppsWindmill = async ({ accessToken, url }: { accessToken: string; url?
       );
 
       const { data: writeFolder } = await request.post<object>(
-        `${apiUrl}/w/${app.id}/variables/create`,
+        `${IntegrationUrls.WINDMILL_API_URL}/w/${app.id}/variables/create`,
         {
           path: folderPath,
           value: "variable",
@@ -972,14 +974,14 @@ const getAppsWindmill = async ({ accessToken, url }: { accessToken: string; url?
 
       // is write access is allowed then delete the created secrets from workspace
       if (writeUser && writeFolder) {
-        await request.delete(`${apiUrl}/w/${app.id}/variables/delete/${userPath}`, {
+        await request.delete(`${IntegrationUrls.WINDMILL_API_URL}/w/${app.id}/variables/delete/${userPath}`, {
           headers: {
             Authorization: `Bearer ${accessToken}`,
             "Accept-Encoding": "application/json"
           }
         });
 
-        await request.delete(`${apiUrl}/w/${app.id}/variables/delete/${folderPath}`, {
+        await request.delete(`${IntegrationUrls.WINDMILL_API_URL}/w/${app.id}/variables/delete/${folderPath}`, {
           headers: {
             Authorization: `Bearer ${accessToken}`,
             "Accept-Encoding": "application/json"
@@ -1314,8 +1316,7 @@ export const getApps = async ({
 
     case Integrations.WINDMILL:
       return getAppsWindmill({
-        accessToken,
-        url
+        accessToken
       });
 
     case Integrations.DIGITAL_OCEAN_APP_PLATFORM:

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -4127,10 +4127,10 @@ const syncSecretsWindmill = async ({
     is_secret: boolean;
     description?: string;
   }
-  const apiUrl = integration.url ? `${integration.url}/api` : IntegrationUrls.WINDMILL_API_URL;
+
   // get secrets stored in windmill workspace
   const res = (
-    await request.get<WindmillSecret[]>(`${apiUrl}/w/${integration.appId}/variables/list`, {
+    await request.get<WindmillSecret[]>(`${IntegrationUrls.WINDMILL_API_URL}/w/${integration.appId}/variables/list`, {
       headers: {
         Authorization: `Bearer ${accessToken}`,
         "Accept-Encoding": "application/json"
@@ -4146,6 +4146,7 @@ const syncSecretsWindmill = async ({
 
   // eslint-disable-next-line
   const pattern = new RegExp("^(u/|f/)[a-zA-Z0-9_-]+/([a-zA-Z0-9_-]+/)*[a-zA-Z0-9_-]*[^/]$");
+
   for await (const key of Object.keys(secrets)) {
     if ((key.startsWith("u/") || key.startsWith("f/")) && pattern.test(key)) {
       if (!(key in res)) {
@@ -4153,7 +4154,7 @@ const syncSecretsWindmill = async ({
         // -> create secret
 
         await request.post(
-          `${apiUrl}/w/${integration.appId}/variables/create`,
+          `${IntegrationUrls.WINDMILL_API_URL}/w/${integration.appId}/variables/create`,
           {
             path: key,
             value: secrets[key].value,
@@ -4170,7 +4171,7 @@ const syncSecretsWindmill = async ({
       } else {
         // -> update secret
         await request.post(
-          `${apiUrl}/w/${integration.appId}/variables/update/${res[key].path}`,
+          `${IntegrationUrls.WINDMILL_API_URL}/w/${integration.appId}/variables/update/${res[key].path}`,
           {
             path: key,
             value: secrets[key].value,
@@ -4191,13 +4192,16 @@ const syncSecretsWindmill = async ({
   for await (const key of Object.keys(res)) {
     if (!(key in secrets)) {
       // -> delete secret
-      await request.delete(`${apiUrl}/w/${integration.appId}/variables/delete/${res[key].path}`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Content-Type": "application/json",
-          "Accept-Encoding": "application/json"
+      await request.delete(
+        `${IntegrationUrls.WINDMILL_API_URL}/w/${integration.appId}/variables/delete/${res[key].path}`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+            "Accept-Encoding": "application/json"
+          }
         }
-      });
+      );
     }
   }
 };

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -382,8 +382,6 @@ export const AwsParameterStoreSyncFns = {
       }
     }
 
-    if (syncOptions.disableSecretDeletion) return;
-
     const parametersToDelete: AWS.SSM.Parameter[] = [];
 
     for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -396,8 +396,6 @@ export const AwsSecretsManagerSyncFns = {
         }
       }
 
-      if (syncOptions.disableSecretDeletion) return;
-
       for await (const secretKey of Object.keys(awsSecretsRecord)) {
         if (!(secretKey in secretMap) || !secretMap[secretKey].value) {
           try {

backend/src/services/secret-sync/azure-app-configuration/azure-app-configuration-sync-fns.ts

@@ -136,8 +136,6 @@ export const azureAppConfigurationSyncFactory = ({
       }
     }
 
-    if (secretSync.syncOptions.disableSecretDeletion) return;
-
     for await (const key of Object.keys(azureAppConfigSecrets)) {
       const azureSecret = azureAppConfigSecrets[key];
       if (

backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts

@@ -189,8 +189,6 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
       });
     }
 
-    if (secretSync.syncOptions.disableSecretDeletion) return;
-
     for await (const deleteSecretKey of deleteSecrets.filter(
       (secret) => !setSecrets.find((setSecret) => setSecret.key === secret)
     )) {

backend/src/services/secret-sync/databricks/databricks-sync-fns.ts

@@ -112,8 +112,6 @@ export const databricksSyncFactory = ({ kmsService, appConnectionDAL }: TDatabri
       accessToken
     });
 
-    if (secretSync.syncOptions.disableSecretDeletion) return;
-
     for await (const secret of databricksSecretKeys) {
       if (!(secret.key in secretMap)) {
         await deleteDatabricksSecrets({

backend/src/services/secret-sync/gcp/gcp-sync-fns.ts

@@ -71,16 +71,8 @@ const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCreden
 
       res[key] = Buffer.from(secretLatest.payload.data, "base64").toString("utf-8");
     } catch (error) {
-      // when a secret in GCP has no versions, or is disabled/destroyed, we treat it as if it's a blank value
-      if (
-        error instanceof AxiosError &&
-        (error.response?.status === 404 ||
-          (error.response?.status === 400 &&
-            // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
-            error.response.data.error.status === "FAILED_PRECONDITION" &&
-            // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-call
-            error.response.data.error.message.match(/(?:disabled|destroyed)/i)))
-      ) {
+      // when a secret in GCP has no versions, we treat it as if it's a blank value
+      if (error instanceof AxiosError && error.response?.status === 404) {
         res[key] = "";
       } else {
         throw new SecretSyncError({
@@ -155,9 +147,6 @@ export const GcpSyncFns = {
     for await (const key of Object.keys(gcpSecrets)) {
       try {
         if (!(key in secretMap) || !secretMap[key].value) {
-          // eslint-disable-next-line no-continue
-          if (secretSync.syncOptions.disableSecretDeletion) continue;
-
           // case: delete secret
           await request.delete(
             `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}`,

backend/src/services/secret-sync/github/github-sync-fns.ts

@@ -192,6 +192,12 @@ export const GithubSyncFns = {
 
     const publicKey = await getPublicKey(client, secretSync);
 
+    for await (const encryptedSecret of encryptedSecrets) {
+      if (!(encryptedSecret.name in secretMap)) {
+        await deleteSecret(client, secretSync, encryptedSecret);
+      }
+    }
+
     await sodium.ready.then(async () => {
       for await (const key of Object.keys(secretMap)) {
         // convert secret & base64 key to Uint8Array.
@@ -218,14 +224,6 @@ export const GithubSyncFns = {
         }
       }
     });
-
-    if (secretSync.syncOptions.disableSecretDeletion) return;
-
-    for await (const encryptedSecret of encryptedSecrets) {
-      if (!(encryptedSecret.name in secretMap)) {
-        await deleteSecret(client, secretSync, encryptedSecret);
-      }
-    }
   },
   getSecrets: async (secretSync: TGitHubSyncWithCredentials) => {
     throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);

backend/src/services/secret-sync/humanitec/humanitec-sync-fns.ts

@@ -196,8 +196,6 @@ export const HumanitecSyncFns = {
       }
     }
 
-    if (secretSync.syncOptions.disableSecretDeletion) return;
-
     for await (const humanitecSecret of humanitecSecrets) {
       if (!secretMap[humanitecSecret.key]) {
         await deleteSecret(secretSync, humanitecSecret);

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -23,8 +23,7 @@ const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
     initialSyncBehavior: (canImportSecrets
       ? z.nativeEnum(SecretSyncInitialSyncBehavior)
       : z.literal(SecretSyncInitialSyncBehavior.OverwriteDestination)
-    ).describe(SecretSyncs.SYNC_OPTIONS(destination).initialSyncBehavior),
-    disableSecretDeletion: z.boolean().optional().describe(SecretSyncs.SYNC_OPTIONS(destination).disableSecretDeletion)
+    ).describe(SecretSyncs.SYNC_OPTIONS(destination).initialSyncBehavior)
   });
 
   const schema = merge ? baseSchema.merge(merge) : baseSchema;

backend/src/services/super-admin/super-admin-fns.ts

@@ -0,0 +1,30 @@
+import { ForbiddenRequestError } from "@app/lib/errors";
+import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
+
+import { ActorType } from "../auth/auth-type";
+import { getServerCfg } from "./super-admin-service";
+
+export const isSuperAdmin = (auth: TAuthMode) => {
+  if (auth.actor === ActorType.USER && auth.user.superAdmin) {
+    return true;
+  }
+
+  if (auth.actor === ActorType.IDENTITY && auth.isInstanceAdmin) {
+    return true;
+  }
+
+  return false;
+};
+
+export const validateIdentityUpdateForSuperAdminPrivileges = async (
+  identityId: string,
+  isActorSuperAdmin?: boolean
+) => {
+  const serverCfg = await getServerCfg();
+  if (serverCfg.adminIdentityIds?.includes(identityId) && !isActorSuperAdmin) {
+    throw new ForbiddenRequestError({
+      message:
+        "You are attempting to modify an instance admin identity. This requires elevated instance admin privileges"
+    });
+  }
+};

backend/src/services/super-admin/super-admin-service.ts

@@ -1,16 +1,21 @@
 import bcrypt from "bcrypt";
+import jwt from "jsonwebtoken";
 
-import { TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
+import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { getUserPrivateKey } from "@app/lib/crypto/srp";
+import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
-import { AuthMethod } from "../auth/auth-type";
+import { AuthMethod, AuthTokenType } from "../auth/auth-type";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityTokenAuthDALFactory } from "../identity-token-auth/identity-token-auth-dal";
 import { KMS_ROOT_CONFIG_UUID } from "../kms/kms-fns";
 import { TKmsRootConfigDALFactory } from "../kms/kms-root-config-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
@@ -20,10 +25,19 @@ import { TUserDALFactory } from "../user/user-dal";
 import { TUserAliasDALFactory } from "../user-alias/user-alias-dal";
 import { UserAliasType } from "../user-alias/user-alias-types";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
-import { LoginMethod, TAdminGetIdentitiesDTO, TAdminGetUsersDTO, TAdminSignUpDTO } from "./super-admin-types";
+import {
+  LoginMethod,
+  TAdminBootstrapInstanceDTO,
+  TAdminGetIdentitiesDTO,
+  TAdminGetUsersDTO,
+  TAdminSignUpDTO
+} from "./super-admin-types";
 
 type TSuperAdminServiceFactoryDep = {
-  identityDAL: Pick<TIdentityDALFactory, "getIdentitiesByFilter">;
+  identityDAL: TIdentityDALFactory;
+  identityTokenAuthDAL: TIdentityTokenAuthDALFactory;
+  identityAccessTokenDAL: TIdentityAccessTokenDALFactory;
+  identityOrgMembershipDAL: TIdentityOrgDALFactory;
   serverCfgDAL: TSuperAdminDALFactory;
   userDAL: TUserDALFactory;
   userAliasDAL: Pick<TUserAliasDALFactory, "findOne">;
@@ -60,7 +74,10 @@ export const superAdminServiceFactory = ({
   keyStore,
   kmsRootConfigDAL,
   kmsService,
-  licenseService
+  licenseService,
+  identityAccessTokenDAL,
+  identityTokenAuthDAL,
+  identityOrgMembershipDAL
 }: TSuperAdminServiceFactoryDep) => {
   const initServerCfg = async () => {
     // TODO(akhilmhdh): bad  pattern time less change this later to me itself
@@ -274,6 +291,137 @@ export const superAdminServiceFactory = ({
     return { token, user: userInfo, organization };
   };
 
+  const bootstrapInstance = async ({ email, password, organizationName }: TAdminBootstrapInstanceDTO) => {
+    const appCfg = getConfig();
+    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
+    if (serverCfg?.initialized) {
+      throw new BadRequestError({ message: "Instance has already been set up" });
+    }
+
+    const existingUser = await userDAL.findOne({ email });
+    if (existingUser) throw new BadRequestError({ name: "Instance initialization", message: "User already exists" });
+
+    const userInfo = await userDAL.transaction(async (tx) => {
+      const newUser = await userDAL.create(
+        {
+          firstName: "Admin",
+          lastName: "User",
+          username: email,
+          email,
+          superAdmin: true,
+          isGhost: false,
+          isAccepted: true,
+          authMethods: [AuthMethod.EMAIL],
+          isEmailVerified: true
+        },
+        tx
+      );
+      const { tag, encoding, ciphertext, iv } = infisicalSymmetricEncypt(password);
+      const encKeys = await generateUserSrpKeys(email, password);
+
+      const userEnc = await userDAL.createUserEncryption(
+        {
+          userId: newUser.id,
+          encryptionVersion: 2,
+          protectedKey: encKeys.protectedKey,
+          protectedKeyIV: encKeys.protectedKeyIV,
+          protectedKeyTag: encKeys.protectedKeyTag,
+          publicKey: encKeys.publicKey,
+          encryptedPrivateKey: encKeys.encryptedPrivateKey,
+          iv: encKeys.encryptedPrivateKeyIV,
+          tag: encKeys.encryptedPrivateKeyTag,
+          salt: encKeys.salt,
+          verifier: encKeys.verifier,
+          serverEncryptedPrivateKeyEncoding: encoding,
+          serverEncryptedPrivateKeyTag: tag,
+          serverEncryptedPrivateKeyIV: iv,
+          serverEncryptedPrivateKey: ciphertext
+        },
+        tx
+      );
+
+      return { user: newUser, enc: userEnc };
+    });
+
+    const initialOrganizationName = organizationName ?? "Admin Org";
+
+    const organization = await orgService.createOrganization({
+      userId: userInfo.user.id,
+      userEmail: userInfo.user.email,
+      orgName: initialOrganizationName
+    });
+
+    const { identity, credentials } = await identityDAL.transaction(async (tx) => {
+      const newIdentity = await identityDAL.create({ name: "Instance Admin Identity" }, tx);
+      await identityOrgMembershipDAL.create(
+        {
+          identityId: newIdentity.id,
+          orgId: organization.id,
+          role: OrgMembershipRole.Admin
+        },
+        tx
+      );
+
+      const tokenAuth = await identityTokenAuthDAL.create(
+        {
+          identityId: newIdentity.id,
+          accessTokenMaxTTL: 0,
+          accessTokenTTL: 0,
+          accessTokenNumUsesLimit: 0,
+          accessTokenTrustedIps: JSON.stringify([
+            {
+              type: "ipv4",
+              prefix: 0,
+              ipAddress: "0.0.0.0"
+            },
+            {
+              type: "ipv6",
+              prefix: 0,
+              ipAddress: "::"
+            }
+          ])
+        },
+        tx
+      );
+
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: newIdentity.id,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: tokenAuth.accessTokenTTL,
+          accessTokenMaxTTL: tokenAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: tokenAuth.accessTokenNumUsesLimit,
+          name: "Instance Admin Token",
+          authMethod: IdentityAuthMethod.TOKEN_AUTH
+        },
+        tx
+      );
+
+      const generatedAccessToken = jwt.sign(
+        {
+          identityId: newIdentity.id,
+          identityAccessTokenId: newToken.id,
+          authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        } as TIdentityAccessTokenJwtPayload,
+        appCfg.AUTH_SECRET
+      );
+
+      return { identity: newIdentity, auth: tokenAuth, credentials: { token: generatedAccessToken } };
+    });
+
+    await updateServerCfg({ initialized: true, adminIdentityIds: [identity.id] }, userInfo.user.id);
+
+    return {
+      user: userInfo,
+      organization,
+      machineIdentity: {
+        ...identity,
+        credentials
+      }
+    };
+  };
+
   const getUsers = ({ offset, limit, searchTerm, adminsOnly }: TAdminGetUsersDTO) => {
     return userDAL.getUsersByFilter({
       limit,
@@ -289,13 +437,46 @@ export const superAdminServiceFactory = ({
     return user;
   };
 
-  const getIdentities = ({ offset, limit, searchTerm }: TAdminGetIdentitiesDTO) => {
-    return identityDAL.getIdentitiesByFilter({
+  const deleteIdentitySuperAdminAccess = async (identityId: string, actorId: string) => {
+    const identity = await identityDAL.findById(identityId);
+    if (!identity) {
+      throw new NotFoundError({ name: "Identity", message: "Identity not found" });
+    }
+
+    const currentAdminIdentityIds = (await getServerCfg()).adminIdentityIds ?? [];
+    if (!currentAdminIdentityIds?.includes(identityId)) {
+      throw new BadRequestError({ name: "Identity", message: "Identity does not have super admin access" });
+    }
+
+    await updateServerCfg({ adminIdentityIds: currentAdminIdentityIds.filter((id) => id !== identityId) }, actorId);
+
+    return identity;
+  };
+
+  const deleteUserSuperAdminAccess = async (userId: string) => {
+    const user = await userDAL.findById(userId);
+    if (!user) {
+      throw new NotFoundError({ name: "User", message: "User not found" });
+    }
+
+    const updatedUser = userDAL.updateById(userId, { superAdmin: false });
+
+    return updatedUser;
+  };
+
+  const getIdentities = async ({ offset, limit, searchTerm }: TAdminGetIdentitiesDTO) => {
+    const identities = await identityDAL.getIdentitiesByFilter({
       limit,
       offset,
       searchTerm,
       sortBy: "name"
     });
+    const serverCfg = await getServerCfg();
+
+    return identities.map((identity) => ({
+      ...identity,
+      isInstanceAdmin: Boolean(serverCfg?.adminIdentityIds?.includes(identity.id))
+    }));
   };
 
   const grantServerAdminAccessToUser = async (userId: string) => {
@@ -393,12 +574,15 @@ export const superAdminServiceFactory = ({
     initServerCfg,
     updateServerCfg,
     adminSignUp,
+    bootstrapInstance,
     getUsers,
     deleteUser,
     getIdentities,
     getAdminSlackConfig,
     updateRootEncryptionStrategy,
     getConfiguredEncryptionStrategies,
-    grantServerAdminAccessToUser
+    grantServerAdminAccessToUser,
+    deleteIdentitySuperAdminAccess,
+    deleteUserSuperAdminAccess
   };
 };

backend/src/services/super-admin/super-admin-types.ts

@@ -16,6 +16,12 @@ export type TAdminSignUpDTO = {
   userAgent: string;
 };
 
+export type TAdminBootstrapInstanceDTO = {
+  email: string;
+  password: string;
+  organizationName: string;
+};
+
 export type TAdminGetUsersDTO = {
   offset: number;
   limit: number;

cli/packages/api/api.go

@@ -600,3 +600,23 @@ func CallGatewayHeartBeatV1(httpClient *resty.Client) error {
 
 	return nil
 }
+
+func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRequest) (map[string]interface{}, error) {
+	var resBody map[string]interface{}
+	response, err := httpClient.
+		R().
+		SetResult(&resBody).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v1/admin/bootstrap", request.Domain))
+
+	if err != nil {
+		return nil, fmt.Errorf("CallBootstrapInstance: Unable to complete api request [err=%w]", err)
+	}
+
+	if response.IsError() {
+		return nil, fmt.Errorf("CallBootstrapInstance: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+	}
+
+	return resBody, nil
+}

cli/packages/api/model.go

@@ -2,6 +2,12 @@ package api
 
 import "time"
 
+type Environment struct {
+	Name string `json:"name"`
+	Slug string `json:"slug"`
+	ID   string `json:"id"`
+}
+
 // Stores info for login one
 type LoginOneRequest struct {
 	Email           string `json:"email"`
@@ -14,7 +20,6 @@ type LoginOneResponse struct {
 }
 
 // Stores info for login two
-
 type LoginTwoRequest struct {
 	Email       string `json:"email"`
 	ClientProof string `json:"clientProof"`
@@ -168,9 +173,10 @@ type Secret struct {
 }
 
 type Project struct {
-	ID   string `json:"id"`
-	Name string `json:"name"`
-	Slug string `json:"slug"`
+	ID           string        `json:"id"`
+	Name         string        `json:"name"`
+	Slug         string        `json:"slug"`
+	Environments []Environment `json:"environments"`
 }
 
 type RawSecret struct {
@@ -648,3 +654,10 @@ type ExchangeRelayCertResponseV1 struct {
 	Certificate      string `json:"certificate"`
 	CertificateChain string `json:"certificateChain"`
 }
+
+type BootstrapInstanceRequest struct {
+	Email        string `json:"email"`
+	Password     string `json:"password"`
+	Organization string `json:"organization"`
+	Domain       string `json:"domain"`
+}

cli/packages/cmd/bootstrap.go

@@ -0,0 +1,104 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/go-resty/resty/v2"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+var bootstrapCmd = &cobra.Command{
+	Use:                   "bootstrap",
+	Short:                 "Used to bootstrap your Infisical instance",
+	DisableFlagsInUseLine: true,
+	Example:               "infisical bootstrap",
+	Args:                  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		email, _ := cmd.Flags().GetString("email")
+		if email == "" {
+			if envEmail, ok := os.LookupEnv("INFISICAL_ADMIN_EMAIL"); ok {
+				email = envEmail
+			}
+		}
+
+		if email == "" {
+			log.Error().Msg("email is required")
+			return
+		}
+
+		password, _ := cmd.Flags().GetString("password")
+		if password == "" {
+			if envPassword, ok := os.LookupEnv("INFISICAL_ADMIN_PASSWORD"); ok {
+				password = envPassword
+			}
+		}
+
+		if password == "" {
+			log.Error().Msg("password is required")
+			return
+		}
+
+		organization, _ := cmd.Flags().GetString("organization")
+		if organization == "" {
+			if envOrganization, ok := os.LookupEnv("INFISICAL_ADMIN_ORGANIZATION"); ok {
+				organization = envOrganization
+			}
+		}
+
+		if organization == "" {
+			log.Error().Msg("organization is required")
+			return
+		}
+
+		domain, _ := cmd.Flags().GetString("domain")
+		if domain == "" {
+			if envDomain, ok := os.LookupEnv("INFISICAL_API_URL"); ok {
+				domain = envDomain
+			}
+		}
+
+		if domain == "" {
+			log.Error().Msg("domain is required")
+			return
+		}
+
+		httpClient := resty.New().
+			SetHeader("Accept", "application/json")
+
+		bootstrapResponse, err := api.CallBootstrapInstance(httpClient, api.BootstrapInstanceRequest{
+			Domain:       util.AppendAPIEndpoint(domain),
+			Email:        email,
+			Password:     password,
+			Organization: organization,
+		})
+
+		if err != nil {
+			log.Error().Msgf("Failed to bootstrap instance: %v", err)
+			return
+		}
+
+		responseJSON, err := json.MarshalIndent(bootstrapResponse, "", "  ")
+		if err != nil {
+			log.Fatal().Msgf("Failed to convert response to JSON: %v", err)
+			return
+		}
+		fmt.Println(string(responseJSON))
+	},
+}
+
+func init() {
+	bootstrapCmd.Flags().String("domain", "", "The domain of your self-hosted Infisical instance")
+	bootstrapCmd.Flags().String("email", "", "The desired email address of the instance admin")
+	bootstrapCmd.Flags().String("password", "", "The desired password of the instance admin")
+	bootstrapCmd.Flags().String("organization", "", "The name of the organization to create for the instance")
+
+	rootCmd.AddCommand(bootstrapCmd)
+}

cli/packages/cmd/run.go

@@ -15,6 +15,9 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/go-resty/resty/v2"
+
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/fatih/color"
@@ -59,11 +62,11 @@ var runCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		environmentName, _ := cmd.Flags().GetString("env")
+		environmentSlug, _ := cmd.Flags().GetString("env")
 		if !cmd.Flags().Changed("env") {
 			environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
 			if environmentFromWorkspace != "" {
-				environmentName = environmentFromWorkspace
+				environmentSlug = environmentFromWorkspace
 			}
 		}
 
@@ -136,8 +139,20 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
+		log.Debug().Msgf("Confirming selected environment is valid: %s", environmentSlug)
+
+		hasEnvironment, err := confirmProjectHasEnvironment(environmentSlug, projectId, token)
+		if err != nil {
+			util.HandleError(err, "Could not confirm project has environment")
+		}
+		if !hasEnvironment {
+			util.HandleError(fmt.Errorf("project does not have environment '%s'", environmentSlug))
+		}
+
+		log.Debug().Msgf("Project '%s' has environment '%s'", projectId, environmentSlug)
+
 		request := models.GetAllSecretsParameters{
-			Environment:            environmentName,
+			Environment:            environmentSlug,
 			WorkspaceId:            projectId,
 			TagSlugs:               tagSlugs,
 			SecretsPath:            secretsPath,
@@ -308,7 +323,6 @@ func waitForExitCommand(cmd *exec.Cmd) (int, error) {
 }
 
 func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInterval int, request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) {
-
 	var cmd *exec.Cmd
 	var err error
 	var lastSecretsFetch time.Time
@@ -439,8 +453,53 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 	}
 }
 
-func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
+func confirmProjectHasEnvironment(environmentSlug, projectId string, token *models.TokenDetails) (bool, error) {
+	var accessToken string
 
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		accessToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		accessToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	httpClient := resty.New()
+	httpClient.SetAuthToken(accessToken).
+		SetHeader("Accept", "application/json")
+
+	project, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, env := range project.Environments {
+		if env.Slug == environmentSlug {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
 	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
 		request.InfisicalToken = token.Token
 	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {

cli/packages/util/secrets.go

@@ -232,7 +232,6 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 
 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
 	var secretsToReturn []models.SingleEnvironmentVariable
-	// var serviceTokenDetails api.GetServiceTokenDetailsResponse
 	var errorToReturn error
 
 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {

cli/test/secrets_test.go

@@ -76,7 +76,6 @@ func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
 	if err != nil {
 		t.Fatalf("snapshot failed: %v", err)
 	}
-
 }
 
 func TestUserAuth_SecretsGetAll(t *testing.T) {

docs/cli/commands/bootstrap.mdx

@@ -0,0 +1,132 @@
+---
+title: "infisical bootstrap"
+description: "Automate the initial setup of a new Infisical instance for headless deployment and infrastructure-as-code workflows"
+---
+
+```bash
+infisical bootstrap --domain=<domain> --email=<email> --password=<password> --organization=<organization>
+```
+
+## Description
+
+The `infisical bootstrap` command is used when deploying Infisical in automated environments where manual UI setup is not feasible. It's ideal for:
+
+- Containerized deployments in Kubernetes or Docker environments
+- Infrastructure-as-code pipelines with Terraform or similar tools
+- Continuous deployment workflows
+- DevOps automation scenarios
+
+The command initializes a fresh Infisical instance by creating an admin user, organization, and instance admin machine identity, enabling subsequent programmatic configuration without human intervention.
+
+<Warning>
+  This command creates an instance admin machine identity with the highest level
+  of privileges. The returned token should be treated with the utmost security,
+  similar to a root credential. Unauthorized access to this token could
+  compromise your entire Infisical instance.
+</Warning>
+
+## Flags
+
+<Accordion title="--domain" defaultOpen="true">
+  The URL of your Infisical instance. This can be set using the `INFISICAL_API_URL` environment variable.
+
+```bash
+# Example
+infisical bootstrap --domain=https://your-infisical-instance.com
+```
+
+This flag is required.
+
+</Accordion>
+
+<Accordion title="--email">
+  Email address for the admin user account that will be created. This can be set using the `INFISICAL_ADMIN_EMAIL` environment variable.
+
+```bash
+# Example
+infisical bootstrap --email=admin@example.com
+```
+
+This flag is required.
+
+</Accordion>
+
+<Accordion title="--password">
+  Password for the admin user account. This can be set using the `INFISICAL_ADMIN_PASSWORD` environment variable.
+
+```bash
+# Example
+infisical bootstrap --password=your-secure-password
+```
+
+This flag is required.
+
+</Accordion>
+
+<Accordion title="--organization">
+  Name of the organization that will be created within the instance. This can be set using the `INFISICAL_ADMIN_ORGANIZATION` environment variable.
+
+```bash
+# Example
+infisical bootstrap --organization=your-org-name
+```
+
+This flag is required.
+
+</Accordion>
+
+## Response
+
+The command returns a JSON response with details about the created user, organization, and machine identity:
+
+```json
+{
+  "identity": {
+    "credentials": {
+      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiZGIyMjQ3OTItZWQxOC00Mjc3LTlkYWUtNTdlNzUyMzE1ODU0IiwiaWRlbnRpdHlBY2Nlc3NUb2tlbklkIjoiZmVkZmZmMGEtYmU3Yy00NjViLWEwZWEtZjM5OTNjMTg4OGRlIiwiYXV0aFRva2VuVHlwZSI6ImlkZW50aXR5QWNjZXNzVG9rZW4iLCJpYXQiOjE3NDIzMjI0ODl9.mqcZZqIFqER1e9ubrQXp8FbzGYi8nqqZwfMvz09g-8Y"
+    },
+    "id": "db224792-ed18-4277-9dae-57e752315854",
+    "name": "Instance Admin Identity"
+  },
+  "message": "Successfully bootstrapped instance",
+  "organization": {
+    "id": "b56bece0-42f5-4262-b25e-be7bf5f84957",
+    "name": "dog",
+    "slug": "dog-v-e5l"
+  },
+  "user": {
+    "email": "admin@example.com",
+    "firstName": "Admin",
+    "id": "a418f355-c8da-453c-bbc8-6c07208eeb3c",
+    "lastName": "User",
+    "superAdmin": true,
+    "username": "admin@example.com"
+  }
+}
+```
+
+## Usage with Automation
+
+For automation purposes, you can extract just the machine identity token from the response:
+
+```bash
+infisical bootstrap --domain=https://your-infisical-instance.com --email=admin@example.com --password=your-secure-password --organization=your-org-name | jq ".identity.credentials.token"
+```
+
+This extracts only the token, which can be captured in a variable or piped to other commands.
+
+## Example: Capture Token in a Variable
+
+```bash
+TOKEN=$(infisical bootstrap --domain=https://your-infisical-instance.com --email=admin@example.com --password=your-secure-password --organization=your-org-name | jq -r ".identity.credentials.token")
+
+# Now use the token for further automation
+echo "Token has been captured and can be used for authentication"
+```
+
+## Notes
+
+- The bootstrap process can only be performed once on a fresh Infisical instance
+- All flags are required for the bootstrap process to complete successfully
+- Security controls prevent privilege escalation: instance admin identities cannot be managed by non-instance admin users and identities
+- The generated admin user account can be used to log in via the UI if needed

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -43,11 +43,8 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
             - **KMS Key**: The AWS KMS key ID or alias to encrypt parameters with.
             - **Tags**: Optional resource tags to add to parameters synced by Infisical.
             - **Sync Secret Metadata as Resource Tags**: If enabled, metadata attached to secrets will be added as resource tags to parameters synced by Infisical.
-            <Note>
-                Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.
-            </Note>
+        <Note>Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.</Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Parameter Store Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/aws-parameter-store/aws-parameter-store-details.png)

docs/integrations/secret-syncs/aws-secrets-manager.mdx

@@ -46,11 +46,7 @@ description: "Learn how to configure an AWS Secrets Manager Sync for Infisical."
             - **KMS Key**: The AWS KMS key ID or alias to encrypt secrets with.
             - **Tags**: Optional tags to add to secrets synced by Infisical.
             - **Sync Secret Metadata as Tags**: If enabled, metadata attached to secrets will be added as tags to secrets synced by Infisical.
-            <Note>
-                Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.
-            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Secrets Manager Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/aws-secrets-manager/aws-secrets-manager-details.png)

docs/integrations/secret-syncs/azure-app-configuration.mdx

@@ -6,7 +6,7 @@ description: "Learn how to configure an Azure App Configuration Sync for Infisic
 **Prerequisites:**
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
-        - Create an [Azure App Configuration Connection](/integrations/app-connections/azure-app-configuration)
+        - Create a [Azure Connection](/integrations/app-connections/azure), configured for Azure App Configuration.
 
 <Note>
   The Azure App Configuration Secret Sync requires the following permissions to be set on the user / service principal
@@ -50,7 +50,6 @@ description: "Learn how to configure an Azure App Configuration Sync for Infisic
                 - **Import Secrets (Prioritize Azure App Configuration)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
 
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Azure App Configuration Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/azure-app-configuration/app-config-details.png)

docs/integrations/secret-syncs/azure-key-vault.mdx

@@ -6,7 +6,7 @@ description: "Learn how to configure a Azure Key Vault Sync for Infisical."
 **Prerequisites:**
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
-        - Create an [Azure Key Vault Connection](/integrations/app-connections/azure-key-vault)
+        - Create a [Azure Connection](/integrations/app-connections/azure), configured for Azure Key Vault.
 
 <Note>
   The Azure Key Vault Secret Sync requires the following secrets permissions to be set on the user / service principal
@@ -52,7 +52,6 @@ description: "Learn how to configure a Azure Key Vault Sync for Infisical."
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize Azure Key Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Azure Key Vault Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/azure-key-vault/vault-details.png)

docs/integrations/secret-syncs/databricks.mdx

@@ -47,7 +47,6 @@ description: "Learn how to configure a Databricks Sync for Infisical."
                     Databricks does not support importing secrets.
                 </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Databricks Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/databricks/databricks-details.png)

docs/integrations/secret-syncs/gcp-secret-manager.mdx

@@ -43,7 +43,6 @@ description: "Learn how to configure a GCP Secret Manager Sync for Infisical."
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over GCP Secret Manager when keys conflict.
                 - **Import Secrets (Prioritize GCP Secret Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from GCP Secret Manager over Infisical when keys conflict.
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your GCP Secret Manager Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-details.png)

docs/integrations/secret-syncs/github.mdx

@@ -63,7 +63,6 @@ description: "Learn how to configure a GitHub Sync for Infisical."
                     GitHub does not support importing secrets.
                 </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your GitHub Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/github/github-details.png)

docs/integrations/secret-syncs/humanitec.mdx

@@ -56,7 +56,6 @@ description: "Learn how to configure a Humanitec Sync for Infisical."
                     Humanitec does not support importing secrets.
                 </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
-            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 
         6. Configure the **Details** of your Humanitec Sync, then click **Next**.
         ![Configure Details](/images/secret-syncs/humanitec/humanitec-details.png)

docs/mint.json

@@ -311,7 +311,8 @@
           "group": "Guides",
           "pages": [
             "self-hosting/guides/mongo-to-postgres",
-            "self-hosting/guides/custom-certificates"
+            "self-hosting/guides/custom-certificates",
+            "self-hosting/guides/automated-bootstrapping"
           ]
         },
         {
@@ -341,6 +342,7 @@
             "cli/commands/dynamic-secrets",
             "cli/commands/ssh",
             "cli/commands/gateway",
+            "cli/commands/bootstrap",
             "cli/commands/export",
             "cli/commands/token",
             "cli/commands/service-token",

docs/self-hosting/guides/automated-bootstrapping.mdx

@@ -0,0 +1,150 @@
+---
+title: "Programmatic Provisioning"
+description: "Learn how to provision and configure Infisical instances programmatically without UI interaction"
+---
+
+Infisical's Automated Bootstrapping feature enables you to provision and configure an Infisical instance without using the UI, allowing for complete automation through static configuration files, API calls, or CLI commands. This is especially valuable for enterprise environments where automated deployment and infrastructure-as-code practices are essential.
+
+## Overview
+
+The Automated Bootstrapping workflow automates the following processes:
+- Creating an admin user account
+- Initializing an organization for the entire instance
+- Establishing an **instance admin machine identity** with full administrative permissions
+- Returning the machine identity credentials for further automation
+
+## Key Concepts
+
+- **Instance Initialization**: Infisical requires [configuration variables](/self-hosting/configuration/envars) to be set during launch, after which the bootstrap process can be triggered.
+- **Instance Admin Machine Identity**: The bootstrapping process creates a machine identity with instance-level admin privileges, which can be used to programmatically manage all aspects of the Infisical instance.
+  ![Instance Admin Identity](/images/self-hosting/guides/automated-bootstrapping/identity-instance-admin.png)
+- **Token Auth**: The instance admin machine identity uses [Token Auth](/documentation/platform/identities/token-auth), providing a JWT token that can be used directly to make authenticated requests to the Infisical API.
+
+## Prerequisites
+
+- An Infisical instance launched with all required configuration variables
+- Access to the Infisical CLI or the ability to make API calls to the instance
+- Network connectivity to the Infisical instance
+
+## Bootstrap Methods
+
+You can bootstrap an Infisical instance using either the API or the CLI.
+
+<Tabs>
+  <Tab title="Using the API">
+    Make a POST request to the bootstrap endpoint:
+
+    ```
+    POST: http://your-infisical-instance.com/api/v1/admin/bootstrap
+    {
+        "email": "admin@example.com",
+        "password": "your-secure-password",
+        "organization": "your-org-name"
+    }
+    ```
+
+    Example using curl:
+
+    ```bash
+    curl -X POST \
+      -H "Content-Type: application/json" \
+      -d '{"email":"admin@example.com","password":"your-secure-password","organization":"your-org-name"}' \
+      http://your-infisical-instance.com/api/v1/admin/bootstrap
+    ```
+  </Tab>
+  <Tab title="Using the CLI">
+    Use the [Infisical CLI](/cli/commands/bootstrap) to bootstrap the instance and extract the token for immediate use in automation:
+
+    ```bash
+    infisical bootstrap --domain="http://localhost:8080" --email="admin@example.com" --password="your-secure-password" --organization="your-org-name" | jq ".identity.credentials.token"
+    ```
+
+    This example command pipes the output through `jq` to extract only the machine identity token, making it easy to capture and use directly in automation scripts or export as an environment variable for tools like Terraform.
+  </Tab>
+</Tabs>
+
+## API Response Structure
+
+The bootstrap process returns a JSON response with details about the created user, organization, and machine identity:
+
+```json
+{
+  "identity": {
+    "credentials": {
+      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eUlkIjoiZGIyMjQ3OTItZWQxOC00Mjc3LTlkYWUtNTdlNzUyMzE1ODU0IiwiaWRlbnRpdHlBY2Nlc3NUb2tlbklkIjoiZmVkZmZmMGEtYmU3Yy00NjViLWEwZWEtZjM5OTNjMTg4OGRlIiwiYXV0aFRva2VuVHlwZSI6ImlkZW50aXR5QWNjZXNzVG9rZW4iLCJpYXQiOjE3NDIzMjI0ODl9.mqcZZqIFqER1e9ubrQXp8FbzGYi8nqqZwfMvz09g-8Y"
+    },
+    "id": "db224792-ed18-4277-9dae-57e752315854",
+    "name": "Instance Admin Identity"
+  },
+  "message": "Successfully bootstrapped instance",
+  "organization": {
+    "id": "b56bece0-42f5-4262-b25e-be7bf5f84957",
+    "name": "dog",
+    "slug": "dog-v-e5l"
+  },
+  "user": {
+    "email": "admin@example.com",
+    "firstName": "Admin",
+    "id": "a418f355-c8da-453c-bbc8-6c07208eeb3c",
+    "lastName": "User",
+    "superAdmin": true,
+    "username": "admin@example.com"
+  }
+}
+```
+
+## Using the Instance Admin Machine Identity Token
+
+The bootstrap process automatically creates a machine identity with Token Auth configured. The returned token has instance-level admin privileges (the highest level of access) and should be treated with the same security considerations as a root credential.
+
+The token enables full programmatic control of your Infisical instance and can be used in the following ways:
+
+### 1. Infrastructure Automation
+
+Store the token securely for use with infrastructure automation tools. Due to the sensitive nature of this token, ensure it's protected using appropriate secret management practices:
+
+#### Kubernetes Secret (with appropriate RBAC restrictions)
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: infisical-admin-credentials
+type: Opaque
+data:
+  token: <base64-encoded-token>
+```
+
+#### Environment Variable for Terraform
+
+```bash
+export INFISICAL_TOKEN=your-access-token
+terraform apply
+```
+
+### 2. Programmatic Resource Management
+
+Use the token to authenticate API calls for creating and managing Infisical resources. The token works exactly like any other Token Auth access token in the Infisical API:
+
+```bash
+curl -X POST \
+  -H "Authorization: Bearer ${INFISICAL_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "projectName": "New Project",
+    "projectDescription": "A project created via API",
+    "slug": "new-project-slug",
+    "template": "default",
+    "type": "SECRET_MANAGER"
+  }' \
+  https://your-infisical-instance.com/api/v2/projects
+```
+
+## Important Notes
+
+- **Security Warning**: The instance admin machine identity has the highest level of privileges in your Infisical deployment. The token should be treated with the utmost security and handled like a root credential. Unauthorized access to this token could compromise your entire Infisical instance.
+- Security controls prevent privilege escalation: instance admin identities cannot be managed by non-instance admin users and identities
+- The instance admin permission of the generated identity can be revoked later in the server admin panel if needed
+- The generated admin user account can still be used for UI access if needed, or can be removed if you prefer to manage everything through the machine identity
+- This process is designed to work with future Crossplane providers and the existing Terraform provider for full infrastructure-as-code capabilities
+- All necessary configuration variables should be set during the initial launch of the Infisical instance

flake.nix

@@ -14,11 +14,21 @@
           git
           lazygit
 
+          go
           python312Full
           nodejs_20
           nodePackages.prettier
           infisical
         ];
+
+        env = {
+          GOROOT = "${pkgs.go}/share/go";
+        };
+
+        shellHook = ''
+          export GOPATH="$(pwd)/.go"
+          mkdir -p "$GOPATH"
+        '';
       };
   };
 }

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -1,9 +1,9 @@
 import { ReactNode } from "react";
 import { Controller, useFormContext } from "react-hook-form";
-import { faQuestionCircle, faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
+import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
-import { FormControl, Select, SelectItem, Switch, Tooltip } from "@app/components/v2";
+import { FormControl, Select, SelectItem } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { SecretSync, useSecretSyncOption } from "@app/hooks/api/secretSyncs";
 
@@ -116,44 +116,6 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
         </>
       )}
       {AdditionalSyncOptionsFieldsComponent}
-      <Controller
-        control={control}
-        name="syncOptions.disableSecretDeletion"
-        render={({ field: { value, onChange }, fieldState: { error } }) => {
-          return (
-            <FormControl isError={Boolean(error)} errorText={error?.message}>
-              <Switch
-                className="bg-mineshaft-400/80 shadow-inner data-[state=checked]:bg-green/80"
-                id="auto-sync-enabled"
-                thumbClassName="bg-mineshaft-800"
-                onCheckedChange={onChange}
-                isChecked={value}
-              >
-                <p className="w-[11rem]">
-                  Disable Secret Deletion{" "}
-                  <Tooltip
-                    className="max-w-md"
-                    content={
-                      <>
-                        <p>
-                          When enabled, Infisical will <span className="font-semibold">not</span>{" "}
-                          remove secrets from the destination during a sync.
-                        </p>
-                        <p className="mt-4">
-                          Enable this option if you intend to manage some secrets manually outside
-                          of Infisical.
-                        </p>
-                      </>
-                    }
-                  >
-                    <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
-                  </Tooltip>
-                </p>
-              </Switch>
-            </FormControl>
-          );
-        }}
-      />
       {/* <Controller
         render={({ field: { value, onChange }, fieldState: { error } }) => (
           <FormControl

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -36,7 +36,6 @@ export const SecretSyncReviewFields = () => {
     secretPath,
     syncOptions: {
       // appendSuffix, prependPrefix,
-      disableSecretDeletion,
       initialSyncBehavior
     },
     destination,
@@ -112,11 +111,6 @@ export const SecretSyncReviewFields = () => {
           {/* <SecretSyncLabel label="Prepend Prefix">{prependPrefix}</SecretSyncLabel>
           <SecretSyncLabel label="Append Suffix">{appendSuffix}</SecretSyncLabel> */}
           {AdditionalSyncOptionsFieldsComponent}
-          {disableSecretDeletion && (
-            <SecretSyncLabel label="Secret Deletion">
-              <Badge variant="primary">Disabled</Badge>
-            </SecretSyncLabel>
-          )}
         </div>
       </div>
       <div className="flex flex-col gap-3">

frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts

@@ -7,8 +7,7 @@ export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefi
   additionalSyncOptions?: T
 ) => {
   const baseSyncOptionsSchema = z.object({
-    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior),
-    disableSecretDeletion: z.boolean().optional().default(false)
+    initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior)
     // scott: removed temporarily for evaluation of template formatting
     // prependPrefix: z
     //   .string()

frontend/src/hooks/api/admin/index.ts

@@ -1,7 +1,9 @@
 export {
   useAdminDeleteUser,
   useAdminGrantServerAdminAccess,
+  useAdminRemoveIdentitySuperAdminAccess,
   useCreateAdminUser,
+  useRemoveUserServerAdminAccess,
   useUpdateAdminSlackConfig,
   useUpdateServerConfig,
   useUpdateServerEncryptionStrategy

frontend/src/hooks/api/admin/mutation.ts

@@ -70,6 +70,40 @@ export const useAdminDeleteUser = () => {
   });
 };
 
+export const useAdminRemoveIdentitySuperAdminAccess = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async (identityId: string) => {
+      await apiRequest.delete(
+        `/api/v1/admin/identity-management/identities/${identityId}/super-admin-access`
+      );
+
+      return {};
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        queryKey: [adminStandaloneKeys.getIdentities]
+      });
+    }
+  });
+};
+
+export const useRemoveUserServerAdminAccess = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async (userId: string) => {
+      await apiRequest.delete(`/api/v1/admin/user-management/users/${userId}/admin-access`);
+
+      return {};
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({
+        queryKey: [adminStandaloneKeys.getUsers]
+      });
+    }
+  });
+};
+
 export const useAdminGrantServerAdminAccess = () => {
   const queryClient = useQueryClient();
   return useMutation({

frontend/src/hooks/api/identities/mutations.tsx

@@ -462,7 +462,6 @@ export const useUpdateIdentityOidcAuth = () => {
       boundIssuer,
       boundAudiences,
       boundClaims,
-      claimMetadataMapping,
       boundSubject
     }) => {
       const {
@@ -479,8 +478,7 @@ export const useUpdateIdentityOidcAuth = () => {
           accessTokenTTL,
           accessTokenMaxTTL,
           accessTokenNumUsesLimit,
-          accessTokenTrustedIps,
-          claimMetadataMapping
+          accessTokenTrustedIps
         }
       );
 
@@ -506,7 +504,6 @@ export const useAddIdentityOidcAuth = () => {
       boundIssuer,
       boundAudiences,
       boundClaims,
-      claimMetadataMapping,
       boundSubject,
       accessTokenTTL,
       accessTokenMaxTTL,
@@ -527,8 +524,7 @@ export const useAddIdentityOidcAuth = () => {
           accessTokenTTL,
           accessTokenMaxTTL,
           accessTokenNumUsesLimit,
-          accessTokenTrustedIps,
-          claimMetadataMapping
+          accessTokenTrustedIps
         }
       );
 

frontend/src/hooks/api/identities/types.ts

@@ -15,6 +15,7 @@ export type Identity = {
   authMethods: IdentityAuthMethod[];
   createdAt: string;
   updatedAt: string;
+  isInstanceAdmin?: boolean;
 };
 
 export type IdentityAccessToken = {
@@ -193,7 +194,6 @@ export type IdentityOidcAuth = {
   boundIssuer: string;
   boundAudiences: string;
   boundClaims: Record<string, string>;
-  claimMetadataMapping?: Record<string, string>;
   boundSubject: string;
   accessTokenTTL: number;
   accessTokenMaxTTL: number;
@@ -209,7 +209,6 @@ export type AddIdentityOidcAuthDTO = {
   boundIssuer: string;
   boundAudiences: string;
   boundClaims: Record<string, string>;
-  claimMetadataMapping?: Record<string, string>;
   boundSubject: string;
   accessTokenTTL: number;
   accessTokenMaxTTL: number;
@@ -227,7 +226,6 @@ export type UpdateIdentityOidcAuthDTO = {
   boundIssuer?: string;
   boundAudiences?: string;
   boundClaims?: Record<string, string>;
-  claimMetadataMapping?: Record<string, string>;
   boundSubject?: string;
   accessTokenTTL?: number;
   accessTokenMaxTTL?: number;

frontend/src/hooks/api/secretSyncs/types/root-sync.ts

@@ -3,7 +3,6 @@ import { SecretSyncInitialSyncBehavior, SecretSyncStatus } from "@app/hooks/api/
 
 export type RootSyncOptions = {
   initialSyncBehavior: SecretSyncInitialSyncBehavior;
-  disableSecretDeletion?: boolean;
   // prependPrefix?: string;
   // appendSuffix?: string;
 };

frontend/src/pages/admin/OverviewPage/OverviewPage.tsx

@@ -59,8 +59,8 @@ const formSchema = z.object({
   trustLdapEmails: z.boolean(),
   trustOidcEmails: z.boolean(),
   defaultAuthOrgId: z.string(),
-  authConsentContent: z.string().optional(),
-  pageFrameContent: z.string().optional()
+  authConsentContent: z.string().optional().default(""),
+  pageFrameContent: z.string().optional().default("")
 });
 
 type TDashboardForm = z.infer<typeof formSchema>;
@@ -86,8 +86,8 @@ export const OverviewPage = () => {
       trustLdapEmails: config.trustLdapEmails,
       trustOidcEmails: config.trustOidcEmails,
       defaultAuthOrgId: config.defaultAuthOrgId ?? "",
-      authConsentContent: config.authConsentContent,
-      pageFrameContent: config.pageFrameContent
+      authConsentContent: config.authConsentContent ?? "",
+      pageFrameContent: config.pageFrameContent ?? ""
     }
   });
 
@@ -165,8 +165,8 @@ export const OverviewPage = () => {
                     <Tab value={TabSections.Auth}>Authentication</Tab>
                     <Tab value={TabSections.RateLimit}>Rate Limit</Tab>
                     <Tab value={TabSections.Integrations}>Integrations</Tab>
-                    <Tab value={TabSections.Users}>Users</Tab>
-                    <Tab value={TabSections.Identities}>Identities</Tab>
+                    <Tab value={TabSections.Users}>User Identities</Tab>
+                    <Tab value={TabSections.Identities}>Machine Identities</Tab>
                   </div>
                 </TabList>
                 <TabPanel value={TabSections.Settings}>

frontend/src/pages/admin/OverviewPage/components/IdentityPanel.tsx

@@ -1,9 +1,16 @@
 import { useState } from "react";
-import { faMagnifyingGlass, faServer } from "@fortawesome/free-solid-svg-icons";
+import { faEllipsis, faMagnifyingGlass, faServer } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
+import { createNotification } from "@app/components/notifications";
 import {
+  Badge,
   Button,
+  DeleteActionModal,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
   EmptyState,
   Input,
   Table,
@@ -15,10 +22,22 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useDebounce } from "@app/hooks";
+import { useDebounce, usePopUp } from "@app/hooks";
+import { useAdminRemoveIdentitySuperAdminAccess } from "@app/hooks/api/admin";
 import { useAdminGetIdentities } from "@app/hooks/api/admin/queries";
+import { UsePopUpState } from "@app/hooks/usePopUp";
 
-const IdentityPanelTable = () => {
+const IdentityPanelTable = ({
+  handlePopUpOpen
+}: {
+  handlePopUpOpen: (
+    popUpName: keyof UsePopUpState<["removeServerAdmin"]>,
+    data?: {
+      name: string;
+      id: string;
+    }
+  ) => void;
+}) => {
   const [searchIdentityFilter, setSearchIdentityFilter] = useState("");
   const [debouncedSearchTerm] = useDebounce(searchIdentityFilter, 500);
 
@@ -48,15 +67,48 @@ const IdentityPanelTable = () => {
             <THead>
               <Tr>
                 <Th>Name</Th>
+                <Th className="w-5" />
               </Tr>
             </THead>
             <TBody>
               {isPending && <TableSkeleton columns={2} innerKey="identities" />}
               {!isPending &&
                 data?.pages?.map((identities) =>
-                  identities.map(({ name, id }) => (
+                  identities.map(({ name, id, isInstanceAdmin }) => (
                     <Tr key={`identity-${id}`} className="w-full">
-                      <Td>{name}</Td>
+                      <Td>
+                        {name}
+                        {isInstanceAdmin && (
+                          <Badge variant="primary" className="ml-2">
+                            Server Admin
+                          </Badge>
+                        )}
+                      </Td>
+                      <Td>
+                        {isInstanceAdmin && (
+                          <div className="flex justify-end">
+                            <DropdownMenu>
+                              <DropdownMenuTrigger asChild className="rounded-lg">
+                                <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
+                                  <FontAwesomeIcon size="sm" icon={faEllipsis} />
+                                </div>
+                              </DropdownMenuTrigger>
+                              <DropdownMenuContent align="start" className="p-1">
+                                {isInstanceAdmin && (
+                                  <DropdownMenuItem
+                                    onClick={(e) => {
+                                      e.stopPropagation();
+                                      handlePopUpOpen("removeServerAdmin", { name, id });
+                                    }}
+                                  >
+                                    Remove Server Admin
+                                  </DropdownMenuItem>
+                                )}
+                              </DropdownMenuContent>
+                            </DropdownMenu>
+                          </div>
+                        )}
+                      </Td>
                     </Tr>
                   ))
                 )}
@@ -81,11 +133,49 @@ const IdentityPanelTable = () => {
   );
 };
 
-export const IdentityPanel = () => (
-  <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-    <div className="mb-4">
-      <p className="text-xl font-semibold text-mineshaft-100">Identities</p>
+export const IdentityPanel = () => {
+  const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
+    "removeServerAdmin"
+  ] as const);
+
+  const { mutate: deleteIdentitySuperAdminAccess } = useAdminRemoveIdentitySuperAdminAccess();
+
+  const handleRemoveServerAdmin = async () => {
+    const { id } = popUp?.removeServerAdmin?.data as { id: string; name: string };
+
+    try {
+      await deleteIdentitySuperAdminAccess(id);
+      createNotification({
+        type: "success",
+        text: "Successfully removed server admin permissions"
+      });
+    } catch {
+      createNotification({
+        type: "error",
+        text: "Error removing server admin permissions"
+      });
+    }
+
+    handlePopUpClose("removeServerAdmin");
+  };
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="mb-4">
+        <p className="text-xl font-semibold text-mineshaft-100">Identities</p>
+      </div>
+      <IdentityPanelTable handlePopUpOpen={handlePopUpOpen} />
+      <DeleteActionModal
+        isOpen={popUp.removeServerAdmin.isOpen}
+        title={`Are you sure want to remove Server Admin permissions from ${
+          (popUp?.removeServerAdmin?.data as { name: string })?.name || ""
+        }?`}
+        subTitle=""
+        onChange={(isOpen) => handlePopUpToggle("removeServerAdmin", isOpen)}
+        deleteKey="confirm"
+        onDeleteApproved={handleRemoveServerAdmin}
+        buttonText="Remove Access"
+      />
     </div>
-    <IdentityPanelTable />
-  </div>
-);
+  );
+};

frontend/src/pages/admin/OverviewPage/components/UserPanel.tsx

@@ -33,22 +33,26 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { useSubscription, useUser } from "@app/context";
+import { useSubscription } from "@app/context";
 import { useDebounce, usePopUp } from "@app/hooks";
 import {
   useAdminDeleteUser,
   useAdminGetUsers,
-  useAdminGrantServerAdminAccess
+  useAdminGrantServerAdminAccess,
+  useRemoveUserServerAdminAccess
 } from "@app/hooks/api";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
 const addServerAdminUpgradePlanMessage = "Granting another user Server Admin permissions";
+const removeServerAdminUpgradePlanMessage = "Removing Server Admin permissions from user";
 
 const UserPanelTable = ({
   handlePopUpOpen
 }: {
   handlePopUpOpen: (
-    popUpName: keyof UsePopUpState<["removeUser", "upgradePlan", "upgradeToServerAdmin"]>,
+    popUpName: keyof UsePopUpState<
+      ["removeUser", "upgradePlan", "upgradeToServerAdmin", "removeServerAdmin"]
+    >,
     data?: {
       username: string;
       id: string;
@@ -58,8 +62,6 @@ const UserPanelTable = ({
 }) => {
   const [searchUserFilter, setSearchUserFilter] = useState("");
   const [adminsOnly, setAdminsOnly] = useState(false);
-  const { user } = useUser();
-  const userId = user?.id || "";
   const [debouncedSearchTerm] = useDebounce(searchUserFilter, 500);
   const { subscription } = useSubscription();
 
@@ -143,45 +145,61 @@ const UserPanelTable = ({
                         </Td>
                         <Td className="w-5/12">{email}</Td>
                         <Td>
-                          {userId !== id && (
-                            <div className="flex justify-end">
-                              <DropdownMenu>
-                                <DropdownMenuTrigger asChild className="rounded-lg">
-                                  <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
-                                    <FontAwesomeIcon size="sm" icon={faEllipsis} />
-                                  </div>
-                                </DropdownMenuTrigger>
-                                <DropdownMenuContent align="start" className="p-1">
+                          <div className="flex justify-end">
+                            <DropdownMenu>
+                              <DropdownMenuTrigger asChild className="rounded-lg">
+                                <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
+                                  <FontAwesomeIcon size="sm" icon={faEllipsis} />
+                                </div>
+                              </DropdownMenuTrigger>
+                              <DropdownMenuContent align="start" className="p-1">
+                                <DropdownMenuItem
+                                  onClick={(e) => {
+                                    e.stopPropagation();
+                                    handlePopUpOpen("removeUser", { username, id });
+                                  }}
+                                >
+                                  Remove User
+                                </DropdownMenuItem>
+                                {!superAdmin && (
                                   <DropdownMenuItem
                                     onClick={(e) => {
                                       e.stopPropagation();
-                                      handlePopUpOpen("removeUser", { username, id });
+                                      if (!subscription?.instanceUserManagement) {
+                                        handlePopUpOpen("upgradePlan", {
+                                          username,
+                                          id,
+                                          message: addServerAdminUpgradePlanMessage
+                                        });
+                                        return;
+                                      }
+                                      handlePopUpOpen("upgradeToServerAdmin", { username, id });
                                     }}
                                   >
-                                    Remove User
+                                    Make User Server Admin
                                   </DropdownMenuItem>
-                                  {!superAdmin && (
-                                    <DropdownMenuItem
-                                      onClick={(e) => {
-                                        e.stopPropagation();
-                                        if (!subscription?.instanceUserManagement) {
-                                          handlePopUpOpen("upgradePlan", {
-                                            username,
-                                            id,
-                                            message: addServerAdminUpgradePlanMessage
-                                          });
-                                          return;
-                                        }
-                                        handlePopUpOpen("upgradeToServerAdmin", { username, id });
-                                      }}
-                                    >
-                                      Make User Server Admin
-                                    </DropdownMenuItem>
-                                  )}
-                                </DropdownMenuContent>
-                              </DropdownMenu>
-                            </div>
-                          )}
+                                )}
+                                {superAdmin && (
+                                  <DropdownMenuItem
+                                    onClick={(e) => {
+                                      e.stopPropagation();
+                                      if (!subscription?.instanceUserManagement) {
+                                        handlePopUpOpen("upgradePlan", {
+                                          username,
+                                          id,
+                                          message: removeServerAdminUpgradePlanMessage
+                                        });
+                                        return;
+                                      }
+                                      handlePopUpOpen("removeServerAdmin", { username, id });
+                                    }}
+                                  >
+                                    Remove Server Admin
+                                  </DropdownMenuItem>
+                                )}
+                              </DropdownMenuContent>
+                            </DropdownMenu>
+                          </div>
                         </Td>
                       </Tr>
                     );
@@ -212,11 +230,13 @@ export const UserPanel = () => {
   const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
     "removeUser",
     "upgradePlan",
-    "upgradeToServerAdmin"
+    "upgradeToServerAdmin",
+    "removeServerAdmin"
   ] as const);
 
   const { mutateAsync: deleteUser } = useAdminDeleteUser();
   const { mutateAsync: grantAdminAccess } = useAdminGrantServerAdminAccess();
+  const { mutateAsync: removeAdminAccess } = useRemoveUserServerAdminAccess();
 
   const handleRemoveUser = async () => {
     const { id } = popUp?.removeUser?.data as { id: string; username: string };
@@ -256,6 +276,25 @@ export const UserPanel = () => {
     handlePopUpClose("upgradeToServerAdmin");
   };
 
+  const handleRemoveServerAdminAccess = async () => {
+    const { id } = popUp?.removeServerAdmin?.data as { id: string; username: string };
+
+    try {
+      await removeAdminAccess(id);
+      createNotification({
+        type: "success",
+        text: "Successfully removed server admin access from user"
+      });
+    } catch {
+      createNotification({
+        type: "error",
+        text: "Error removing server admin access from user"
+      });
+    }
+
+    handlePopUpClose("removeServerAdmin");
+  };
+
   return (
     <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
       <div className="mb-4">
@@ -282,6 +321,17 @@ export const UserPanel = () => {
         onDeleteApproved={handleGrantServerAdminAccess}
         buttonText="Grant Access"
       />
+      <DeleteActionModal
+        isOpen={popUp.removeServerAdmin.isOpen}
+        title={`Are you sure want to remove Server Admin permissions from ${
+          (popUp?.removeServerAdmin?.data as { id: string; username: string })?.username || ""
+        }?`}
+        subTitle=""
+        onChange={(isOpen) => handlePopUpToggle("removeServerAdmin", isOpen)}
+        deleteKey="confirm"
+        onDeleteApproved={handleRemoveServerAdminAccess}
+        buttonText="Remove Access"
+      />
       <UpgradePlanModal
         isOpen={popUp.upgradePlan.isOpen}
         onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}

frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityOidcAuthForm.tsx

@@ -52,15 +52,6 @@ const schema = z.object({
       value: z.string()
     })
   ),
-  claimMetadataMapping: z
-    .array(
-      z.object({
-        key: z.string(),
-        value: z.string()
-      })
-    )
-    .optional()
-    .nullable(),
   boundSubject: z.string().optional().default("")
 });
 
@@ -108,6 +99,7 @@ export const IdentityOidcAuthForm = ({
       accessTokenTrustedIps: [{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]
     }
   });
+
   const {
     fields: boundClaimsFields,
     append: appendBoundClaimField,
@@ -117,15 +109,6 @@ export const IdentityOidcAuthForm = ({
     name: "boundClaims"
   });
 
-  const {
-    fields: claimMetadataMappingFields,
-    append: appendClaimMetadataMappingField,
-    remove: removeClaimMetadataMappingField
-  } = useFieldArray({
-    control,
-    name: "claimMetadataMapping"
-  });
-
   const {
     fields: accessTokenTrustedIpsFields,
     append: appendAccessTokenTrustedIp,
@@ -143,12 +126,6 @@ export const IdentityOidcAuthForm = ({
           key,
           value
         })),
-        claimMetadataMapping: data?.claimMetadataMapping
-          ? Object.entries(data.claimMetadataMapping).map(([key, value]) => ({
-              key,
-              value
-            }))
-          : undefined,
         boundSubject: data.boundSubject,
         accessTokenTTL: String(data.accessTokenTTL),
         accessTokenMaxTTL: String(data.accessTokenMaxTTL),
@@ -187,7 +164,6 @@ export const IdentityOidcAuthForm = ({
     boundIssuer,
     boundAudiences,
     boundClaims,
-    claimMetadataMapping,
     boundSubject
   }: FormData) => {
     try {
@@ -204,9 +180,6 @@ export const IdentityOidcAuthForm = ({
           boundIssuer,
           boundAudiences,
           boundClaims: Object.fromEntries(boundClaims.map((entry) => [entry.key, entry.value])),
-          claimMetadataMapping: claimMetadataMapping
-            ? Object.fromEntries(claimMetadataMapping.map((entry) => [entry.key, entry.value]))
-            : undefined,
           boundSubject,
           accessTokenTTL: Number(accessTokenTTL),
           accessTokenMaxTTL: Number(accessTokenMaxTTL),
@@ -221,9 +194,6 @@ export const IdentityOidcAuthForm = ({
           boundIssuer,
           boundAudiences,
           boundClaims: Object.fromEntries(boundClaims.map((entry) => [entry.key, entry.value])),
-          claimMetadataMapping: claimMetadataMapping
-            ? Object.fromEntries(claimMetadataMapping.map((entry) => [entry.key, entry.value]))
-            : undefined,
           boundSubject,
           organizationId: orgId,
           accessTokenTTL: Number(accessTokenTTL),
@@ -479,84 +449,6 @@ export const IdentityOidcAuthForm = ({
               Add Claims
             </Button>
           </div>
-          {claimMetadataMappingFields.map(({ id }, index) => (
-            <div className="mb-3 flex items-end space-x-2" key={id}>
-              <Controller
-                control={control}
-                name={`claimMetadataMapping.${index}.key`}
-                render={({ field, fieldState: { error } }) => {
-                  return (
-                    <FormControl
-                      className="mb-0 flex-grow"
-                      label={index === 0 ? "Claim Metadata Mapping" : undefined}
-                      icon={
-                        index === 0 ? (
-                          <Tooltip
-                            className="text-center"
-                            content="Map token claims to metadata. This can later be accessed in attribute based permission as identity.metadata.oidc.claims.<>."
-                          >
-                            <FontAwesomeIcon icon={faQuestionCircle} size="sm" />
-                          </Tooltip>
-                        ) : undefined
-                      }
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                    >
-                      <Input
-                        value={field.value}
-                        onChange={(e) => field.onChange(e)}
-                        placeholder="property"
-                      />
-                    </FormControl>
-                  );
-                }}
-              />
-              <Controller
-                control={control}
-                name={`claimMetadataMapping.${index}.value`}
-                render={({ field, fieldState: { error } }) => {
-                  return (
-                    <FormControl
-                      className="mb-0 flex-grow"
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                    >
-                      <Input
-                        value={field.value}
-                        onChange={(e) => field.onChange(e)}
-                        placeholder="key1.nested-key2"
-                      />
-                    </FormControl>
-                  );
-                }}
-              />
-              <IconButton
-                onClick={() => removeClaimMetadataMappingField(index)}
-                size="lg"
-                colorSchema="danger"
-                variant="plain"
-                ariaLabel="update"
-                className="p-3"
-              >
-                <FontAwesomeIcon icon={faXmark} />
-              </IconButton>
-            </div>
-          ))}
-          <div className="my-4 ml-1">
-            <Button
-              variant="outline_bg"
-              onClick={() =>
-                appendClaimMetadataMappingField({
-                  key: "",
-                  value: ""
-                })
-              }
-              leftIcon={<FontAwesomeIcon icon={faPlus} />}
-              size="xs"
-            >
-              Add Mapping
-            </Button>
-          </div>
           {accessTokenTrustedIpsFields.map(({ id }, index) => (
             <div className="mb-3 flex items-end space-x-2" key={id}>
               <Controller

frontend/src/pages/organization/IdentityDetailsByIDPage/components/ViewIdentityAuthModal/ViewIdentityOidcAuthContent.tsx

@@ -111,26 +111,6 @@ export const ViewIdentityOidcAuthContent = ({
           </Tooltip>
         )}
       </IdentityAuthFieldDisplay>
-      <IdentityAuthFieldDisplay className="col-span-2" label="Claim Metadata Mapping">
-        {data.claimMetadataMapping && Object.keys(data.claimMetadataMapping).length && (
-          <Tooltip
-            side="right"
-            className="max-w-xl p-2"
-            content={
-              <pre className="whitespace-pre-wrap rounded bg-mineshaft-600 p-2">
-                {JSON.stringify(data.claimMetadataMapping, null, 2)}
-              </pre>
-            }
-          >
-            <div className="w-min">
-              <Badge className="flex h-5 w-min items-center gap-1.5 whitespace-nowrap bg-mineshaft-400/50 text-bunker-300">
-                <FontAwesomeIcon icon={faEye} />
-                <span>Reveal</span>
-              </Badge>
-            </div>
-          </Tooltip>
-        )}
-      </IdentityAuthFieldDisplay>
     </ViewIdentityContentWrapper>
   );
 };

frontend/src/pages/secret-manager/IntegrationsDetailsByIDPage/components/IntegrationConnectionSection.tsx

@@ -192,15 +192,6 @@ export const IntegrationConnectionSection = ({ integration }: Props) => {
       );
     }
 
-    if (integration.integration === "windmill" && integration.url) {
-      return (
-        <div>
-          <FormLabel className="text-sm font-semibold text-mineshaft-300" label="Instance URL" />
-          <div className="text-sm text-mineshaft-300">{integration.url}</div>
-        </div>
-      );
-    }
-
     return null;
   };
 

frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx

@@ -19,7 +19,6 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Link, useNavigate, useRouter, useSearch } from "@tanstack/react-router";
 import { twMerge } from "tailwind-merge";
 
-import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
@@ -50,10 +49,8 @@ import {
 import { ROUTE_PATHS } from "@app/const/routes";
 import {
   ProjectPermissionActions,
-  ProjectPermissionDynamicSecretActions,
   ProjectPermissionSub,
   useProjectPermission,
-  useSubscription,
   useWorkspace
 } from "@app/context";
 import { useDebounce, usePagination, usePopUp, useResetPageHelper } from "@app/hooks";
@@ -74,7 +71,6 @@ import { SecretType, SecretV3RawSanitized, TSecretFolder } from "@app/hooks/api/
 import { ProjectType, ProjectVersion } from "@app/hooks/api/workspace/types";
 import { useDynamicSecretOverview, useFolderOverview, useSecretOverview } from "@app/hooks/utils";
 
-import { CreateDynamicSecretForm } from "../SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm";
 import { FolderForm } from "../SecretDashboardPage/components/ActionBar/FolderForm";
 import { CreateSecretForm } from "./components/CreateSecretForm";
 import { FolderBreadCrumbs } from "./components/FolderBreadCrumbs";
@@ -135,7 +131,6 @@ export const OverviewPage = () => {
   const [searchFilter, setSearchFilter] = useState("");
   const [debouncedSearchFilter, setDebouncedSearchFilter] = useDebounce(searchFilter);
   const secretPath = (routerSearch?.secretPath as string) || "/";
-  const { subscription } = useSubscription();
 
   const [filter, setFilter] = useState<Filter>(DEFAULT_FILTER_STATE);
   const [filterHistory, setFilterHistory] = useState<
@@ -183,15 +178,6 @@ export const OverviewPage = () => {
   }, []);
 
   const userAvailableEnvs = currentWorkspace?.environments || [];
-  const userAvailableDynamicSecretEnvs = userAvailableEnvs.filter((env) =>
-    permission.can(
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: env.slug,
-        secretPath
-      })
-    )
-  );
 
   const [visibleEnvs, setVisibleEnvs] = useState(userAvailableEnvs);
 
@@ -263,9 +249,7 @@ export const OverviewPage = () => {
     "addSecretsInAllEnvs",
     "addFolder",
     "misc",
-    "updateFolder",
-    "addDynamicSecret",
-    "upgradePlan"
+    "updateFolder"
   ] as const);
 
   const handleFolderCreate = async (folderName: string, description: string | null) => {
@@ -867,43 +851,20 @@ export const OverviewPage = () => {
                       >
                         {(isAllowed) => (
                           <Button
-                            leftIcon={<FontAwesomeIcon icon={faFolderPlus} className="pr-2" />}
+                            leftIcon={<FontAwesomeIcon icon={faFolderPlus} />}
                             onClick={() => {
                               handlePopUpOpen("addFolder");
                               handlePopUpClose("misc");
                             }}
                             isDisabled={!isAllowed}
                             variant="outline_bg"
-                            className="h-10 text-left"
+                            className="h-10"
                             isFullWidth
                           >
                             Add Folder
                           </Button>
                         )}
                       </ProjectPermissionCan>
-                      <Tooltip
-                        content={
-                          userAvailableDynamicSecretEnvs.length === 0 ? "Access restricted" : ""
-                        }
-                      >
-                        <Button
-                          leftIcon={<FontAwesomeIcon icon={faFingerprint} className="pr-2" />}
-                          onClick={() => {
-                            if (subscription?.dynamicSecret) {
-                              handlePopUpOpen("addDynamicSecret");
-                              handlePopUpClose("misc");
-                              return;
-                            }
-                            handlePopUpOpen("upgradePlan");
-                          }}
-                          isDisabled={userAvailableDynamicSecretEnvs.length === 0}
-                          variant="outline_bg"
-                          className="h-10 text-left"
-                          isFullWidth
-                        >
-                          Add Dynamic Secret
-                        </Button>
-                      </Tooltip>
                     </div>
                   </DropdownMenuContent>
                 </DropdownMenu>
@@ -1209,24 +1170,6 @@ export const OverviewPage = () => {
           />
         </ModalContent>
       </Modal>
-      <CreateDynamicSecretForm
-        isOpen={popUp.addDynamicSecret.isOpen}
-        onToggle={(isOpen) => handlePopUpToggle("addDynamicSecret", isOpen)}
-        projectSlug={projectSlug}
-        environments={userAvailableDynamicSecretEnvs}
-        secretPath={secretPath}
-      />
-      {subscription && (
-        <UpgradePlanModal
-          isOpen={popUp.upgradePlan.isOpen}
-          onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
-          text={
-            subscription.slug === null
-              ? "You can perform this action under an Enterprise license"
-              : "You can perform this action if you switch to Infisical's Team plan"
-          }
-        />
-      )}
     </div>
   );
 };

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/ActionBar.tsx

@@ -655,9 +655,8 @@ export const ActionBar = ({
         isOpen={popUp.addDynamicSecret.isOpen}
         onToggle={(isOpen) => handlePopUpToggle("addDynamicSecret", isOpen)}
         projectSlug={projectSlug}
-        environments={[{ slug: environment, name: environment, id: "not-used" }]}
+        environment={environment}
         secretPath={secretPath}
-        isSingleEnvironmentMode
       />
       <Modal
         isOpen={popUp.addFolder.isOpen}

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/AwsElastiCacheInputForm.tsx

@@ -11,7 +11,6 @@ import {
   AccordionItem,
   AccordionTrigger,
   Button,
-  FilterableSelect,
   FormControl,
   Input,
   SecretInput,
@@ -19,7 +18,6 @@ import {
 } from "@app/components/v2";
 import { useCreateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 const formSchema = z.object({
   provider: z.object({
@@ -52,8 +50,7 @@ const formSchema = z.object({
       if (valMs > 24 * 60 * 60 * 1000)
         ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
     }),
-  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase"),
-  environment: z.object({ name: z.string(), slug: z.string() })
+  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase")
 });
 type TForm = z.infer<typeof formSchema>;
 
@@ -62,17 +59,15 @@ type Props = {
   onCancel: () => void;
   secretPath: string;
   projectSlug: string;
-  environments: WorkspaceEnv[];
-  isSingleEnvironmentMode?: boolean;
+  environment: string;
 };
 
 export const AwsElastiCacheInputForm = ({
   onCompleted,
   onCancel,
-  environments,
+  environment,
   secretPath,
-  projectSlug,
-  isSingleEnvironmentMode
+  projectSlug
 }: Props) => {
   const {
     control,
@@ -92,20 +87,13 @@ export const AwsElastiCacheInputForm = ({
         revocationStatement: `{
         "UserId": "{{username}}"
 }`
-      },
-      environment: isSingleEnvironmentMode ? environments[0] : undefined
+      }
     }
   });
 
   const createDynamicSecret = useCreateDynamicSecret();
 
-  const handleCreateDynamicSecret = async ({
-    name,
-    maxTTL,
-    provider,
-    defaultTTL,
-    environment
-  }: TForm) => {
+  const handleCreateDynamicSecret = async ({ name, maxTTL, provider, defaultTTL }: TForm) => {
     // wait till previous request is finished
     if (createDynamicSecret.isPending) return;
     try {
@@ -116,7 +104,7 @@ export const AwsElastiCacheInputForm = ({
         path: secretPath,
         defaultTTL,
         projectSlug,
-        environmentSlug: environment.slug
+        environmentSlug: environment
       });
       onCompleted();
     } catch {
@@ -311,28 +299,6 @@ export const AwsElastiCacheInputForm = ({
                     </AccordionContent>
                   </AccordionItem>
                 </Accordion>
-                {!isSingleEnvironmentMode && (
-                  <Controller
-                    control={control}
-                    name="environment"
-                    render={({ field: { value, onChange }, fieldState: { error } }) => (
-                      <FormControl
-                        label="Environment"
-                        isError={Boolean(error)}
-                        errorText={error?.message}
-                      >
-                        <FilterableSelect
-                          options={environments}
-                          value={value}
-                          onChange={onChange}
-                          placeholder="Select the environment to create secret in..."
-                          getOptionLabel={(option) => option.name}
-                          getOptionValue={(option) => option.slug}
-                        />
-                      </FormControl>
-                    )}
-                  />
-                )}
               </div>
             </div>
           </div>

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/AwsIamInputForm.tsx

@@ -5,10 +5,9 @@ import { z } from "zod";
 
 import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
-import { Button, FilterableSelect, FormControl, Input, TextArea } from "@app/components/v2";
+import { Button, FormControl, Input, TextArea } from "@app/components/v2";
 import { useCreateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 const formSchema = z.object({
   provider: z.object({
@@ -41,8 +40,7 @@ const formSchema = z.object({
       if (valMs > 24 * 60 * 60 * 1000)
         ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
     }),
-  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase"),
-  environment: z.object({ name: z.string(), slug: z.string() })
+  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase")
 });
 type TForm = z.infer<typeof formSchema>;
 
@@ -51,41 +49,29 @@ type Props = {
   onCancel: () => void;
   secretPath: string;
   projectSlug: string;
-  environments: WorkspaceEnv[];
-  isSingleEnvironmentMode?: boolean;
+  environment: string;
 };
 
 export const AwsIamInputForm = ({
   onCompleted,
   onCancel,
-  environments,
+  environment,
   secretPath,
-  projectSlug,
-  isSingleEnvironmentMode
+  projectSlug
 }: Props) => {
   const {
     control,
     formState: { isSubmitting },
     handleSubmit
   } = useForm<TForm>({
-    resolver: zodResolver(formSchema),
-    defaultValues: {
-      environment: isSingleEnvironmentMode ? environments[0] : undefined
-    }
+    resolver: zodResolver(formSchema)
   });
 
   const createDynamicSecret = useCreateDynamicSecret();
 
-  const handleCreateDynamicSecret = async ({
-    name,
-    maxTTL,
-    provider,
-    defaultTTL,
-    environment
-  }: TForm) => {
+  const handleCreateDynamicSecret = async ({ name, maxTTL, provider, defaultTTL }: TForm) => {
     // wait till previous request is finished
     if (createDynamicSecret.isPending) return;
-
     try {
       await createDynamicSecret.mutateAsync({
         provider: { type: DynamicSecretProviders.AwsIam, inputs: provider },
@@ -94,7 +80,7 @@ export const AwsIamInputForm = ({
         path: secretPath,
         defaultTTL,
         projectSlug,
-        environmentSlug: environment.slug
+        environmentSlug: environment
       });
       onCompleted();
     } catch {
@@ -300,29 +286,6 @@ export const AwsIamInputForm = ({
                   </FormControl>
                 )}
               />
-              {!isSingleEnvironmentMode && (
-                <Controller
-                  control={control}
-                  name="environment"
-                  render={({ field: { value, onChange }, fieldState: { error } }) => (
-                    <FormControl
-                      label="Environment"
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                    >
-                      <FilterableSelect
-                        options={environments}
-                        value={value}
-                        onChange={onChange}
-                        placeholder="Select the environment to create secret in..."
-                        getOptionLabel={(option) => option.name}
-                        getOptionValue={(option) => option.slug}
-                        menuPlacement="top"
-                      />
-                    </FormControl>
-                  )}
-                />
-              )}
             </div>
           </div>
         </div>

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/AzureEntraIdInputForm.tsx

@@ -12,7 +12,7 @@ import { z } from "zod";
 
 import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
-import { Button, FilterableSelect, FormControl, Input } from "@app/components/v2";
+import { Button, FormControl, Input } from "@app/components/v2";
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -23,7 +23,6 @@ import { Tooltip } from "@app/components/v2/Tooltip";
 import { useCreateDynamicSecret } from "@app/hooks/api";
 import { useGetDynamicSecretProviderData } from "@app/hooks/api/dynamicSecret/queries";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 const formSchema = z.object({
   selectedUsers: z.array(
@@ -61,8 +60,7 @@ const formSchema = z.object({
   name: z
     .string()
     .min(1)
-    .refine((val) => val.toLowerCase() === val, "Must be lowercase"),
-  environment: z.object({ name: z.string(), slug: z.string() })
+    .refine((val) => val.toLowerCase() === val, "Must be lowercase")
 });
 type TForm = z.infer<typeof formSchema>;
 
@@ -71,17 +69,15 @@ type Props = {
   onCancel: () => void;
   secretPath: string;
   projectSlug: string;
-  environments: WorkspaceEnv[];
-  isSingleEnvironmentMode?: boolean;
+  environment: string;
 };
 
 export const AzureEntraIdInputForm = ({
   onCompleted,
   onCancel,
-  environments,
+  environment,
   secretPath,
-  projectSlug,
-  isSingleEnvironmentMode
+  projectSlug
 }: Props) => {
   const {
     control,
@@ -89,10 +85,7 @@ export const AzureEntraIdInputForm = ({
     watch,
     handleSubmit
   } = useForm<TForm>({
-    resolver: zodResolver(formSchema),
-    defaultValues: {
-      environment: isSingleEnvironmentMode ? environments[0] : undefined
-    }
+    resolver: zodResolver(formSchema)
   });
   const tenantId = watch("provider.tenantId");
   const applicationId = watch("provider.applicationId");
@@ -114,8 +107,7 @@ export const AzureEntraIdInputForm = ({
     selectedUsers,
     provider,
     maxTTL,
-    defaultTTL,
-    environment
+    defaultTTL
   }: TForm) => {
     // wait till previous request is finished
     if (createDynamicSecret.isPending) return;
@@ -137,7 +129,7 @@ export const AzureEntraIdInputForm = ({
           path: secretPath,
           defaultTTL,
           projectSlug,
-          environmentSlug: environment.slug
+          environmentSlug: environment
         });
       });
       onCompleted();
@@ -381,29 +373,6 @@ export const AzureEntraIdInputForm = ({
               </div>
             </div>
           </div>
-          {!isSingleEnvironmentMode && (
-            <Controller
-              control={control}
-              name="environment"
-              render={({ field: { value, onChange }, fieldState: { error } }) => (
-                <FormControl
-                  label="Environment"
-                  isError={Boolean(error)}
-                  errorText={error?.message}
-                >
-                  <FilterableSelect
-                    options={environments}
-                    value={value}
-                    onChange={onChange}
-                    placeholder="Select the environment to create secret in..."
-                    getOptionLabel={(option) => option.name}
-                    getOptionValue={(option) => option.slug}
-                    menuPlacement="top"
-                  />
-                </FormControl>
-              )}
-            />
-          )}
         </div>
         <div className="mt-4 flex items-center space-x-4">
           <Button type="submit" isLoading={isSubmitting} isDisabled={isLoading || isError}>

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/CassandraInputForm.tsx

@@ -11,7 +11,6 @@ import {
   AccordionItem,
   AccordionTrigger,
   Button,
-  FilterableSelect,
   FormControl,
   Input,
   SecretInput,
@@ -19,7 +18,6 @@ import {
 } from "@app/components/v2";
 import { useCreateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 const formSchema = z.object({
   provider: z.object({
@@ -54,8 +52,7 @@ const formSchema = z.object({
       if (valMs > 24 * 60 * 60 * 1000)
         ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
     }),
-  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase"),
-  environment: z.object({ name: z.string(), slug: z.string() })
+  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase")
 });
 type TForm = z.infer<typeof formSchema>;
 
@@ -64,8 +61,7 @@ type Props = {
   onCancel: () => void;
   secretPath: string;
   projectSlug: string;
-  environments: WorkspaceEnv[];
-  isSingleEnvironmentMode?: boolean;
+  environment: string;
 };
 
 const getSqlStatements = () => {
@@ -80,10 +76,9 @@ const getSqlStatements = () => {
 export const CassandraInputForm = ({
   onCompleted,
   onCancel,
-  environments,
+  environment,
   secretPath,
-  projectSlug,
-  isSingleEnvironmentMode
+  projectSlug
 }: Props) => {
   const {
     control,
@@ -92,23 +87,15 @@ export const CassandraInputForm = ({
   } = useForm<TForm>({
     resolver: zodResolver(formSchema),
     defaultValues: {
-      provider: getSqlStatements(),
-      environment: isSingleEnvironmentMode ? environments[0] : undefined
+      provider: getSqlStatements()
     }
   });
 
   const createDynamicSecret = useCreateDynamicSecret();
 
-  const handleCreateDynamicSecret = async ({
-    name,
-    maxTTL,
-    provider,
-    defaultTTL,
-    environment
-  }: TForm) => {
+  const handleCreateDynamicSecret = async ({ name, maxTTL, provider, defaultTTL }: TForm) => {
     // wait till previous request is finished
     if (createDynamicSecret.isPending) return;
-
     try {
       await createDynamicSecret.mutateAsync({
         provider: { type: DynamicSecretProviders.Cassandra, inputs: provider },
@@ -117,7 +104,7 @@ export const CassandraInputForm = ({
         path: secretPath,
         defaultTTL,
         projectSlug,
-        environmentSlug: environment.slug
+        environmentSlug: environment
       });
       onCompleted();
     } catch {
@@ -358,29 +345,6 @@ export const CassandraInputForm = ({
                     </AccordionContent>
                   </AccordionItem>
                 </Accordion>
-                {!isSingleEnvironmentMode && (
-                  <Controller
-                    control={control}
-                    name="environment"
-                    render={({ field: { value, onChange }, fieldState: { error } }) => (
-                      <FormControl
-                        label="Environment"
-                        isError={Boolean(error)}
-                        errorText={error?.message}
-                      >
-                        <FilterableSelect
-                          options={environments}
-                          value={value}
-                          onChange={onChange}
-                          placeholder="Select the environment to create secret in..."
-                          getOptionLabel={(option) => option.name}
-                          getOptionValue={(option) => option.slug}
-                          menuPlacement="top"
-                        />
-                      </FormControl>
-                    )}
-                  />
-                )}
               </div>
             </div>
           </div>

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/CreateDynamicSecretForm.tsx

@@ -17,7 +17,6 @@ import { AnimatePresence, motion } from "framer-motion";
 
 import { Modal, ModalContent } from "@app/components/v2";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 import { AwsElastiCacheInputForm } from "./AwsElastiCacheInputForm";
 import { AwsIamInputForm } from "./AwsIamInputForm";
@@ -39,9 +38,8 @@ type Props = {
   isOpen?: boolean;
   onToggle: (isOpen: boolean) => void;
   projectSlug: string;
-  environments: WorkspaceEnv[];
+  environment: string;
   secretPath: string;
-  isSingleEnvironmentMode?: boolean;
 };
 
 enum WizardSteps {
@@ -131,9 +129,8 @@ export const CreateDynamicSecretForm = ({
   isOpen,
   onToggle,
   projectSlug,
-  environments,
-  secretPath,
-  isSingleEnvironmentMode
+  environment,
+  secretPath
 }: Props) => {
   const [wizardStep, setWizardStep] = useState(WizardSteps.SelectProvider);
   const [selectedProvider, setSelectedProvider] = useState<DynamicSecretProviders | null>(null);
@@ -200,8 +197,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -219,8 +215,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -238,8 +233,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -257,8 +251,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -276,8 +269,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -295,8 +287,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -314,8 +305,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -333,8 +323,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -352,8 +341,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -371,8 +359,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -390,8 +377,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -409,8 +395,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -428,8 +413,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -448,8 +432,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}
@@ -467,8 +450,7 @@ export const CreateDynamicSecretForm = ({
                   onCancel={handleFormReset}
                   projectSlug={projectSlug}
                   secretPath={secretPath}
-                  environments={environments}
-                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                  environment={environment}
                 />
               </motion.div>
             )}

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/ElasticSearchInputForm.tsx

@@ -9,7 +9,6 @@ import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
 import {
   Button,
-  FilterableSelect,
   FormControl,
   FormLabel,
   IconButton,
@@ -20,7 +19,6 @@ import {
 } from "@app/components/v2";
 import { useCreateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
-import { WorkspaceEnv } from "@app/hooks/api/types";
 
 const authMethods = [
   {
@@ -75,8 +73,7 @@ const formSchema = z.object({
       if (valMs > 24 * 60 * 60 * 1000)
         ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
     }),
-  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase"),
-  environment: z.object({ name: z.string(), slug: z.string() })
+  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase")
 });
 type TForm = z.infer<typeof formSchema>;
 
@@ -85,17 +82,15 @@ type Props = {
   onCancel: () => void;
   secretPath: string;
   projectSlug: string;
-  environments: WorkspaceEnv[];
-  isSingleEnvironmentMode?: boolean;
+  environment: string;
 };
 
 export const ElasticSearchInputForm = ({
   onCompleted,
   onCancel,
-  environments,
+  environment,
   secretPath,
-  projectSlug,
-  isSingleEnvironmentMode
+  projectSlug
 }: Props) => {
   const {
     control,
@@ -112,20 +107,13 @@ export const ElasticSearchInputForm = ({
         },
         roles: ["superuser"],
         port: 443
-      },
-      environment: isSingleEnvironmentMode ? environments[0] : undefined
+      }
     }
   });
 
   const createDynamicSecret = useCreateDynamicSecret();
 
-  const handleCreateDynamicSecret = async ({
-    name,
-    maxTTL,
-    provider,
-    defaultTTL,
-    environment
-  }: TForm) => {
+  const handleCreateDynamicSecret = async ({ name, maxTTL, provider, defaultTTL }: TForm) => {
     // wait till previous request is finished
     if (createDynamicSecret.isPending) return;
     try {
@@ -136,7 +124,7 @@ export const ElasticSearchInputForm = ({
         path: secretPath,
         defaultTTL,
         projectSlug,
-        environmentSlug: environment.slug
+        environmentSlug: environment
       });
       onCompleted();
     } catch {
@@ -418,29 +406,6 @@ export const ElasticSearchInputForm = ({
                   )}
                 />
               </div>
-              {!isSingleEnvironmentMode && (
-                <Controller
-                  control={control}
-                  name="environment"
-                  render={({ field: { value, onChange }, fieldState: { error } }) => (
-                    <FormControl
-                      label="Environment"
-                      isError={Boolean(error)}
-                      errorText={error?.message}
-                    >
-                      <FilterableSelect
-                        options={environments}
-                        value={value}
-                        onChange={onChange}
-                        placeholder="Select the environment to create secret in..."
-                        getOptionLabel={(option) => option.name}
-                        getOptionValue={(option) => option.slug}
-                        menuPlacement="top"
-                      />
-                    </FormControl>
-                  )}
-                />
-              )}
             </div>
           </div>
         </div>