improvement: address feedback

improvement(frontend): Server admin sidebar improvements

.env.example

@@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP 
+# Mail/SMTP
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@@ -132,3 +132,6 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
+
+# kubernetes
+KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

Dockerfile.standalone-infisical

@@ -34,6 +34,7 @@ ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
+ENV NODE_OPTIONS="--max-old-space-size=8192"
 
 # Build
 RUN npm run build
@@ -77,6 +78,7 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
+ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build
 
 # Production stage

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -21,7 +21,7 @@ import { randomUUID } from "crypto";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -81,6 +81,21 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       return client;
     }
 
+    if (providerInputs.method === AwsIamAuthType.IRSA) {
+      // Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
+      if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
+        throw new UnauthorizedError({
+          message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
+        });
+      }
+
+      // The SDK will automatically pick up credentials from the environment
+      const client = new IAMClient({
+        region: providerInputs.region
+      });
+      return client;
+    }
+
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -101,7 +116,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       .catch((err) => {
         const message = (err as Error)?.message;
         if (
-          providerInputs.method === AwsIamAuthType.AssumeRole &&
+          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
           // assume role will throw an error asking to provider username, but if so this has access in aws correctly
           message.includes("Must specify userName when calling with non-User credentials")
         ) {

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -28,7 +28,8 @@ export enum SqlProviders {
 
 export enum AwsIamAuthType {
   AssumeRole = "assume-role",
-  AccessKey = "access-key"
+  AccessKey = "access-key",
+  IRSA = "irsa"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -221,6 +222,16 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       userGroups: z.string().trim().optional(),
       policyArns: z.string().trim().optional(),
       tags: ResourceMetadataSchema.optional()
+    }),
+    z.object({
+      method: z.literal(AwsIamAuthType.IRSA),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
     })
   ])
 );

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -37,7 +37,8 @@ import {
   TQueueSecretScanningDataSourceFullScan,
   TQueueSecretScanningResourceDiffScan,
   TQueueSecretScanningSendNotification,
-  TSecretScanningDataSourceWithConnection
+  TSecretScanningDataSourceWithConnection,
+  TSecretScanningFinding
 } from "./secret-scanning-v2-types";
 
 type TSecretRotationV2QueueServiceFactoryDep = {
@@ -459,13 +460,16 @@ export const secretScanningV2QueueServiceFactory = async ({
         const newFindings = allFindings.filter((finding) => finding.scanId === scanId);
 
         if (newFindings.length) {
+          const finding = newFindings[0] as TSecretScanningFinding;
           await queueService.queuePg(QueueJobs.SecretScanningV2SendNotification, {
             status: SecretScanningScanStatus.Completed,
             resourceName: resource.name,
             isDiffScan: true,
             dataSource,
             numberOfSecrets: newFindings.length,
-            scanId
+            scanId,
+            authorName: finding?.details?.author,
+            authorEmail: finding?.details?.email
           });
         }
 
@@ -582,8 +586,8 @@ export const secretScanningV2QueueServiceFactory = async ({
           substitutions:
             payload.status === SecretScanningScanStatus.Completed
               ? {
-                  authorName: "Jim",
-                  authorEmail: "jim@infisical.com",
+                  authorName: payload.authorName,
+                  authorEmail: payload.authorEmail,
                   resourceName,
                   numberOfSecrets: payload.numberOfSecrets,
                   isDiffScan: payload.isDiffScan,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-types.ts

@@ -119,7 +119,14 @@ export type TQueueSecretScanningSendNotification = {
   resourceName: string;
 } & (
   | { status: SecretScanningScanStatus.Failed; errorMessage: string }
-  | { status: SecretScanningScanStatus.Completed; numberOfSecrets: number; scanId: string; isDiffScan: boolean }
+  | {
+      status: SecretScanningScanStatus.Completed;
+      numberOfSecrets: number;
+      scanId: string;
+      isDiffScan: boolean;
+      authorName?: string;
+      authorEmail?: string;
+    }
 );
 
 export type TCloneRepository = {

backend/src/lib/config/env.ts

@@ -28,6 +28,7 @@ const databaseReadReplicaSchema = z
 const envSchema = z
   .object({
     INFISICAL_PLATFORM_VERSION: zpStr(z.string().optional()),
+    KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN: zodStrBool.default("false"),
     PORT: z.coerce.number().default(IS_PACKAGED ? 8080 : 4000),
     DISABLE_SECRET_SCANNING: z
       .enum(["true", "false"])

backend/src/server/routes/v1/admin-router.ts

@@ -49,7 +49,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             defaultAuthOrgSlug: z.string().nullable(),
             defaultAuthOrgAuthEnforced: z.boolean().nullish(),
             defaultAuthOrgAuthMethod: z.string().nullish(),
-            isSecretScanningDisabled: z.boolean()
+            isSecretScanningDisabled: z.boolean(),
+            kubernetesAutoFetchServiceAccountToken: z.boolean()
           })
         })
       }
@@ -61,7 +62,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         config: {
           ...config,
           isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
-          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
+          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
         }
       };
     }

backend/src/services/secret-folder/secret-folder-service.ts

@@ -214,7 +214,7 @@ export const secretFolderServiceFactory = ({
             }
           },
           message: "Folder created",
-          folderId: doc.id,
+          folderId: parentFolder.id,
           changes: [
             {
               type: CommitType.ADD,

docs/documentation/platform/dynamic-secrets/aws-iam.mdx

@@ -3,13 +3,13 @@ title: "AWS IAM"
 description: "Learn how to dynamically generate AWS IAM Users."
 ---
 
-The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on configured AWS policy.
+The Infisical AWS IAM dynamic secret allows you to generate AWS IAM Users on demand based on a configured AWS policy. Infisical supports several authentication methods to connect to your AWS account, including assuming an IAM Role, using IAM Roles for Service Accounts (IRSA) on EKS, or static Access Keys.
 
 ## Prerequisite
 
-Infisical needs an initial AWS IAM user with the required permissions to create sub IAM users. This IAM user will be responsible for managing the lifecycle of new IAM users.
+Infisical needs an AWS IAM principal (a user or a role) with the required permissions to create and manage other IAM users. This principal will be responsible for the lifecycle of the dynamically generated users.
 
-<Accordion title="Managing AWS IAM User minimum permission policy">
+<Accordion title="Required IAM Permissions">
 
 ```json
 {
@@ -235,7 +235,169 @@ Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** w
         ![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
       </Step>
     </Steps>
+  </Tab>
+  <Tab title="IRSA (EKS)">
+    This method is recommended for self-hosted Infisical instances running on AWS EKS. It uses [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to securely grant permissions to the Infisical pods without managing static credentials.
 
+    <Warning type="warning" title="IRSA Configuration Prerequisite">
+        In order to use IRSA, the `KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN` environment variable must be set to `true` for your self-hosted Infisical instance.
+    </Warning>
+
+    <Steps>
+        <Step title="Create an IAM OIDC provider for your cluster">
+            If you don't already have one, you need to create an IAM OIDC provider for your EKS cluster. This allows IAM to trust authentication tokens from your Kubernetes cluster.
+            1. Find your cluster's OIDC provider URL from the EKS console or by using the AWS CLI:
+               `aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text`
+            2. Navigate to the [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers) page in your AWS Console and create a new OpenID Connect provider with the URL and `sts.amazonaws.com` as the audience.
+
+            ![Create OIDC Provider Placeholder](/images/integrations/aws/irsa-create-oidc-provider.png)
+        </Step>
+        <Step title="Create the Managing User IAM Role for Infisical">
+            1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
+            2. Select **Web identity** as the **Trusted Entity Type**.
+            3. Choose the OIDC provider you created in the previous step.
+            4. For the **Audience**, select `sts.amazonaws.com`.
+            ![IAM Role Creation for IRSA](/images/integrations/aws/irsa-iam-role-creation.png)
+            5. Attach the permission policy detailed in the **Prerequisite** section at the top of this page.
+            6. After creating the role, edit its **Trust relationship** to specify the service account Infisical is using in your cluster. This ensures only the Infisical pod can assume this role.
+
+            ```json
+            {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Principal": {
+                            "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
+                        },
+                        "Action": "sts:AssumeRoleWithWebIdentity",
+                        "Condition": {
+                            "StringEquals": {
+                                "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<K8S_NAMESPACE>:<INFISICAL_SERVICE_ACCOUNT_NAME>",
+                                "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
+                            }
+                        }
+                    }
+                ]
+            }
+            ```
+            Replace `<ACCOUNT_ID>`, `<REGION>`, `<OIDC_ID>`, `<K8S_NAMESPACE>`, and `<INFISICAL_SERVICE_ACCOUNT_NAME>` with your specific values.
+        </Step>
+        <Step title="Annotate the Infisical Kubernetes Service Account">
+            For the IRSA mechanism to work, the Infisical service account in your Kubernetes cluster must be annotated with the ARN of the IAM role you just created.
+
+            Run the following command, replacing the placeholders with your values:
+            ```bash
+            kubectl annotate serviceaccount -n <infisical-namespace> <infisical-service-account> \
+            eks.amazonaws.com/role-arn=arn:aws:iam::<account-id>:role/<iam-role-name>
+            ```
+            This annotation tells the EKS Pod Identity Webhook to inject the necessary environment variables and tokens into the Infisical pod, allowing it to assume the specified IAM role.
+        </Step>
+        <Step title="Secret Overview Dashboard">
+            Navigate to the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret to.
+        </Step>
+        <Step title="Click on the 'Add Dynamic Secret' button">
+            ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+        </Step>
+        <Step title="Select AWS IAM">
+            ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-aws-iam.png)
+        </Step>
+        <Step title="Provide the inputs for dynamic secret parameters">
+            ![Dynamic Secret Setup Modal for IRSA](/images/platform/dynamic-secrets/dynamic-secret-setup-modal-aws-iam-irsa.png)
+            <ParamField path="Secret Name" type="string" required>
+                Name by which you want the secret to be referenced
+            </ParamField>
+            <ParamField path="Default TTL" type="string" required>
+                Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+            </ParamField>
+            <ParamField path="Max TTL" type="string" required>
+                Maximum time-to-live for a generated secret
+            </ParamField>
+            <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+                Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+                Allowed template variables are
+                - `{{randomUsername}}`: Random username string
+                - `{{unixTimestamp}}`: Current Unix timestamp
+                - `{{identity.name}}`: Name of the identity that is generating the secret
+                - `{{random N}}`: Random string of N characters
+
+                Allowed template functions are
+                - `truncate`: Truncates a string to a specified length
+                - `replace`: Replaces a substring with another value
+
+                Examples:
+                ```
+                {{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+                {{unixTimestamp}}                               // 17490641580
+                {{identity.name}}                               // testuser
+                {{random-5}}                                    // x9k2m
+                {{truncate identity.name 4}}                    // test
+                {{replace identity.name 'user' 'replace'}}      // testreplace
+                ```
+            </ParamField>
+            <ParamField path="Tags" type="map<string, string>[]">
+                Tags to be added to the created IAM User resource.
+            </ParamField>
+            <ParamField path="Method" type="string" required>
+                Select *IRSA* method.
+            </ParamField>
+            <ParamField path="Aws Role ARN" type="string" required>
+                The ARN of the AWS IAM Role for the service account to assume.
+            </ParamField>
+            <ParamField path="AWS IAM Path" type="string">
+                [IAM AWS Path](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) to scope created IAM User resource access.
+            </ParamField>
+            <ParamField path="AWS Region" type="string" required>
+                The AWS data center region.
+            </ParamField>
+            <ParamField path="IAM User Permission Boundary" type="string" required>
+                The IAM Policy ARN of the [AWS Permissions Boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to attach to IAM users created in the role.
+            </ParamField>
+            <ParamField path="AWS IAM Groups" type="string">
+                The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
+            </ParamField>
+            <ParamField path="AWS Policy ARNs" type="string">
+                The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
+            </ParamField>
+            <ParamField path="AWS IAM Policy Document" type="string">
+                The AWS IAM inline policy that should be attached to the created users.
+                Multiple values can be provided by separating them with commas
+            </ParamField>
+            <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+                Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+                Allowed template variables are
+
+                - `{{randomUsername}}`: Random username string
+                - `{{unixTimestamp}}`: Current Unix timestamp
+            </ParamField>
+        </Step>
+        <Step title="Click 'Submit'">
+            After submitting the form, you will see a dynamic secret created in the dashboard.
+            ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
+        </Step>
+        <Step title="Generate dynamic secrets">
+            Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+            To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+            Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+            ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+            ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+            When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+            ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+            <Tip>
+                Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
+            </Tip>
+
+            Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+            ![Provision Lease](/images/platform/dynamic-secrets/lease-values-aws-iam.png)
+        </Step>
+    </Steps>
   </Tab>
   <Tab title="Access Key">
         Infisical will use the provided **Access Key ID** and **Secret Key** to connect to your AWS instance.
@@ -263,9 +425,9 @@ Replace **\<account id\>** with your AWS account id and **\<aws-scope-path\>** w
           Maximum time-to-live for a generated secret
         </ParamField>
 
-    			<ParamField path="Method" type="string" required>
-    			   Select *Access Key* method.
-    			</ParamField>
+       <ParamField path="Method" type="string" required>
+          Select *Access Key* method.
+       </ParamField>
 
         <ParamField path="AWS Access Key" type="string" required>
           The managing AWS IAM User Access Key

docs/self-hosting/configuration/envars.mdx

@@ -59,6 +59,15 @@ Example values:
   connect with internal/private IP addresses.
 </ParamField>
 
+<ParamField
+  query="KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN"
+  type="bool"
+  default="false"
+  optional
+>
+  Determines whether your Infisical instance can automatically read the service account token of the pod it's running on. Used for features such as the IRSA auth method.
+</ParamField>
+
 ## CORS
 
 Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain.

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -4,17 +4,20 @@ description: "Read how to run Infisical with Docker Compose template."
 ---
 This self-hosting guide will walk you through the steps to self-host Infisical using Docker Compose.
 
-## Prerequisites
-- [Docker](https://docs.docker.com/engine/install/)
-- [Docker compose](https://docs.docker.com/compose/install/)
 
-<Warning>
-This Docker Compose configuration is not designed for high-availability production scenarios. 
-It includes just the essential components needed to set up an Infisical proof of concept (POC). 
-To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
-</Warning>
+<Tabs>
+  <Tab title="Docker Compose">
+    ## Prerequisites
+    - [Docker](https://docs.docker.com/engine/install/)
+    - [Docker compose](https://docs.docker.com/compose/install/)
 
-## Verify prerequisites
+    <Warning>
+      This Docker Compose configuration is not designed for high-availability production scenarios. 
+      It includes just the essential components needed to set up an Infisical proof of concept (POC). 
+      To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
+    </Warning>
+
+    ## Verify prerequisites
     To verify that Docker compose and Docker are installed on the machine where you plan to install Infisical, run the following commands.
 
     Check for docker installation
@@ -27,55 +30,145 @@ To run Infisical in a highly available manner, give the [Docker Swarm guide](/se
     docker-compose 
     ```
 
-## Download docker compose file
-You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
-If your system doesn't have either of these, you can use a equivalent command that works with your machine.
+    ## Download docker compose file
+    You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
+    If your system doesn't have either of these, you can use a equivalent command that works with your machine.
+
+    <Tabs>
+      <Tab title="curl">
+        ```bash
+        curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+        ```
+      </Tab>
+      <Tab title="wget">
+        ```bash 
+        wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+        ```
+      </Tab>
+    </Tabs>
+
+    ## Configure instance credentials
+    Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
+    The default credentials can be downloaded using the one of the commands listed below. 
+
+    <Tabs>
+      <Tab title="curl">
+        ```bash
+          curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+        ```
+      </Tab>
+      <Tab title="wget">
+        ```bash 
+          wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+        ```
+      </Tab>
+    </Tabs>
+
+    Once downloaded, the credentials file will be saved to your working directly as `.env` file.
+    View all available configurations [here](/self-hosting/configuration/envars).
+
+    <Warning>
+      The default .env file contains credentials that are intended solely for testing purposes.
+      Please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET` for use outside of testing. 
+      Instructions to do so, can be found [here](/self-hosting/configuration/envars).
+    </Warning>
+
+    ## Start Infisical
+    Run the command below to start Infisical and all related services. 
 
-<Tabs>
-  <Tab title="curl">
     ```bash
-    curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+    docker-compose -f docker-compose.prod.yml up
     ```
+
   </Tab>
-  <Tab title="wget">
-    ```bash 
-    wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+  <Tab title="Podman Compose">
+  Podman Compose is an alternative way to run Infisical using Podman as a replacement for Docker. Podman is backwards compatible with Docker Compose files.
+
+      ## Prerequisites
+    - [Podman](https://podman-desktop.io/docs/installation)
+    - [Podman Compose](https://podman-desktop.io/docs/compose)
+
+    <Warning>
+      This Docker Compose configuration is not designed for high-availability production scenarios. 
+      It includes just the essential components needed to set up an Infisical proof of concept (POC). 
+      To run Infisical in a highly available manner, give the [Docker Swarm guide](/self-hosting/deployment-options/docker-swarm).
+    </Warning>
+
+
+    ## Verify prerequisites
+    To verify that Podman compose and Podman are installed on the machine where you plan to install Infisical, run the following commands.
+
+    Check for podman installation
+    ```bash
+    podman version 
+    ```
+
+    Check for podman compose installation
+    ```bash
+    podman-compose version
+    ```
+
+    ## Download Docker Compose file
+    You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
+    If your system doesn't have either of these, you can use a equivalent command that works with your machine.
+
+    <Tabs>
+      <Tab title="curl">
+        ```bash
+        curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+        ```
+      </Tab>
+      <Tab title="wget">
+        ```bash 
+        wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+        ```
+      </Tab>
+    </Tabs>
+
+    ## Configure instance credentials
+    Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
+    The default credentials can be downloaded using the one of the commands listed below. 
+
+    <Tabs>
+      <Tab title="curl">
+        ```bash
+          curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+        ```
+      </Tab>
+      <Tab title="wget">
+        ```bash 
+          wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+        ```
+      </Tab>
+    </Tabs>
+
+    <Note>
+      Make sure to rename the `.env.example` file to `.env` before starting Infisical. Additionally it's important that the `.env` file is in the same directory as the `docker-compose.prod.yml` file.
+    </Note>
+
+    ## Setup Podman
+    Run the commands below to setup Podman for first time use.
+    ```bash
+    podman machine init --now
+    podman machine set --rootful
+    podman machine start
+    ``` 
+
+    <Note>
+      If you are using a rootless podman installation, you can skip the `podman machine set --rootful` command.
+    </Note>
+
+    ## Start Infisical
+    Run the command below to start Infisical and all related services. 
+
+    ```bash
+    podman-compose -f docker-compose.prod.yml up
     ```
   </Tab>
 </Tabs>
 
-## Configure instance credentials
-Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
-The default credentials can be downloaded using the one of the commands listed below. 
 
-<Tabs>
-  <Tab title="curl">
-    ```bash
-      curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
-    ```
-  </Tab>
-  <Tab title="wget">
-    ```bash 
-      wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
-    ```
-  </Tab>
-</Tabs>
 
-Once downloaded, the credentials file will be saved to your working directly as `.env` file.
-View all available configurations [here](/self-hosting/configuration/envars).
-
-<Warning>
-  The default .env file contains credentials that are intended solely for testing purposes.
-  Please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET` for use outside of testing. 
-  Instructions to do so, can be found [here](/self-hosting/configuration/envars).
-</Warning>
-
-## Start Infisical
-Run the command below to start Infisical and all related services. 
-
-```bash
-docker-compose -f docker-compose.prod.yml up
-```
 
 Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
 

frontend/src/config/env.ts

@@ -26,6 +26,7 @@ export const envConfig = {
       import.meta.env.VITE_TELEMETRY_CAPTURING_ENABLED === true
     );
   },
+
   get PLATFORM_VERSION() {
     return import.meta.env.VITE_INFISICAL_PLATFORM_VERSION;
   }

frontend/src/hooks/api/admin/types.ts

@@ -40,6 +40,7 @@ export type TServerConfig = {
   trustLdapEmails: boolean;
   trustOidcEmails: boolean;
   isSecretScanningDisabled: boolean;
+  kubernetesAutoFetchServiceAccountToken: boolean;
   defaultAuthOrgSlug: string | null;
   defaultAuthOrgId: string | null;
   defaultAuthOrgAuthMethod?: string | null;

frontend/src/hooks/api/dynamicSecret/types.ts

@@ -54,7 +54,8 @@ export enum SqlProviders {
 
 export enum DynamicSecretAwsIamAuth {
   AssumeRole = "assume-role",
-  AccessKey = "access-key"
+  AccessKey = "access-key",
+  IRSA = "irsa"
 }
 
 export type TDynamicSecretProvider =
@@ -111,6 +112,14 @@ export type TDynamicSecretProvider =
             policyDocument?: string;
             userGroups?: string;
             policyArns?: string;
+          }
+        | {
+            method: DynamicSecretAwsIamAuth.IRSA;
+            region: string;
+            awsPath?: string;
+            policyDocument?: string;
+            userGroups?: string;
+            policyArns?: string;
           };
     }
   | {

frontend/src/layouts/AdminLayout/Sidebar.tsx

@@ -2,7 +2,7 @@ import { faChevronLeft } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Link, useMatchRoute } from "@tanstack/react-router";
 
-import { Menu, MenuGroup, MenuItem } from "@app/components/v2";
+import { Lottie, Menu, MenuGroup, MenuItem } from "@app/components/v2";
 
 const generalTabs = [
   {
@@ -50,7 +50,7 @@ const resourceTabs = [
   },
   {
     label: "Machine Identities",
-    icon: "key-user",
+    icon: "wrench",
     link: "/admin/resources/machine-identities"
   }
 ];
@@ -61,30 +61,6 @@ export const AdminSidebar = () => {
   return (
     <aside className="dark w-full border-r border-mineshaft-600 bg-gradient-to-tr from-mineshaft-700 via-mineshaft-800 to-mineshaft-900 md:w-60">
       <nav className="items-between flex h-full flex-col justify-between overflow-y-auto dark:[color-scheme:dark]">
-        <div className="flex-grow">
-          <Menu>
-            <MenuGroup title="General">
-              {generalTabs.map((tab) => {
-                const isActive = matchRoute({ to: tab.link, fuzzy: false });
-                return (
-                  <Link key={tab.link} to={tab.link}>
-                    <MenuItem isSelected={Boolean(isActive)}>{tab.label}</MenuItem>
-                  </Link>
-                );
-              })}
-            </MenuGroup>
-            <MenuGroup title="Resources">
-              {resourceTabs.map((tab) => {
-                const isActive = matchRoute({ to: tab.link, fuzzy: false });
-                return (
-                  <Link key={tab.link} to={tab.link}>
-                    <MenuItem isSelected={Boolean(isActive)}>{tab.label}</MenuItem>
-                  </Link>
-                );
-              })}
-            </MenuGroup>
-          </Menu>
-        </div>
         <Menu>
           <Link to="/organization/projects">
             <MenuItem
@@ -101,6 +77,46 @@ export const AdminSidebar = () => {
             </MenuItem>
           </Link>
         </Menu>
+        <div className="flex-grow">
+          <Menu>
+            <MenuGroup title="General">
+              {generalTabs.map((tab) => {
+                const isActive = matchRoute({ to: tab.link, fuzzy: false });
+                return (
+                  <Link key={tab.link} to={tab.link}>
+                    <MenuItem
+                      className="relative flex items-center gap-2 overflow-hidden rounded-none"
+                      leftIcon={
+                        <Lottie className="inline-block h-6 w-6 shrink-0" icon={tab.icon} />
+                      }
+                      isSelected={Boolean(isActive)}
+                    >
+                      {tab.label}
+                    </MenuItem>
+                  </Link>
+                );
+              })}
+            </MenuGroup>
+            <MenuGroup title="Resources">
+              {resourceTabs.map((tab) => {
+                const isActive = matchRoute({ to: tab.link, fuzzy: false });
+                return (
+                  <Link key={tab.link} to={tab.link}>
+                    <MenuItem
+                      className="relative flex items-center gap-2 overflow-hidden rounded-none"
+                      leftIcon={
+                        <Lottie className="inline-block h-6 w-6 shrink-0" icon={tab.icon} />
+                      }
+                      isSelected={Boolean(isActive)}
+                    >
+                      {tab.label}
+                    </MenuItem>
+                  </Link>
+                );
+              })}
+            </MenuGroup>
+          </Menu>
+        </div>
       </nav>
     </aside>
   );

frontend/src/pages/organization/AuditLogsPage/components/LogFilterItem.tsx

@@ -1,3 +1,5 @@
+import { faInfoCircle } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { twMerge } from "tailwind-merge";
 
 import { Button, Tooltip } from "@app/components/v2";
@@ -8,25 +10,41 @@ type Props = {
   label: string;
   onClear: () => void;
   children: React.ReactNode;
+  tooltipText?: string;
 };
 
-export const LogFilterItem = ({ label, onClear, hoverTooltip, children, className }: Props) => {
+export const LogFilterItem = ({
+  label,
+  onClear,
+  hoverTooltip,
+  children,
+  className,
+  tooltipText
+}: Props) => {
   return (
-    <Tooltip className="relative top-4" content={hoverTooltip} isDisabled={!hoverTooltip}>
-      <div className={twMerge("flex flex-col justify-between", className)}>
-        <div className="flex items-center justify-between pr-1">
-          <p className="text-xs opacity-60">{label}</p>
-          <Button
-            onClick={() => onClear()}
-            variant="link"
-            className="font-normal text-mineshaft-400 transition-all duration-75 hover:text-mineshaft-300"
-            size="xs"
-          >
-            Clear
-          </Button>
-        </div>
-        {children}
+    <div className={twMerge("flex flex-col justify-between", className)}>
+      <div className="flex items-center pr-1">
+        <p className="text-xs opacity-60">{label}</p>
+        {tooltipText && (
+          <Tooltip content={tooltipText} className="max-w-sm">
+            <FontAwesomeIcon
+              icon={faInfoCircle}
+              className="-mt-[0.05rem] ml-1 text-[11px] text-mineshaft-400"
+            />
+          </Tooltip>
+        )}
+        <Button
+          onClick={() => onClear()}
+          variant="link"
+          className="ml-auto font-normal text-mineshaft-400 transition-all duration-75 hover:text-mineshaft-300"
+          size="xs"
+        >
+          Clear
+        </Button>
       </div>
-    </Tooltip>
+      <Tooltip className="relative top-4" content={hoverTooltip} isDisabled={!hoverTooltip}>
+        <div>{children}</div>
+      </Tooltip>
+    </div>
   );
 };

frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx

@@ -366,6 +366,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                     </LogFilterItem>
                     <LogFilterItem
                       label="Secret Path"
+                      tooltipText="Enter the exact secret path (wildcards like * are not supported)"
                       hoverTooltip={
                         !selectedProject
                           ? "Select a project before filtering by secret path."
@@ -380,10 +381,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                         control={control}
                         name="secretPath"
                         render={({ field: { onChange, value, ...field } }) => (
-                          <FormControl
-                            tooltipText="Filter audit logs related to events that occurred on a specific secret path."
-                            className="w-full"
-                          >
+                          <FormControl className="w-full">
                             <Input
                               placeholder="Enter secret path"
                               className="disabled:cursor-not-allowed"
@@ -403,6 +401,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                           ? "Select a project before filtering by secret key."
                           : undefined
                       }
+                      tooltipText="Enter the exact secret key name (wildcards like * are not supported)"
                       className={twMerge(!selectedProject && "opacity-50")}
                       label="Secret Key"
                       onClear={() => {
@@ -413,10 +412,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                         control={control}
                         name="secretKey"
                         render={({ field: { onChange, value, ...field } }) => (
-                          <FormControl
-                            tooltipText="Filter audit logs related to a specific secret."
-                            className="w-full"
-                          >
+                          <FormControl className="w-full">
                             <Input
                               isDisabled={!selectedProject}
                               {...field}

frontend/src/pages/secret-manager/SecretApprovalsPage/components/ApprovalPolicyList/components/AccessPolicyModal.tsx

@@ -21,6 +21,7 @@ import {
   Tag,
   Tooltip
 } from "@app/components/v2";
+import { SecretPathInput } from "@app/components/v2/SecretPathInput";
 import { useWorkspace } from "@app/context";
 import { getMemberLabel } from "@app/helpers/members";
 import { policyDetails } from "@app/helpers/policies";
@@ -202,6 +203,7 @@ const Form = ({
 
   const formUserBypassers = watch("userBypassers");
   const formGroupBypassers = watch("groupBypassers");
+  const formEnvironment = watch("environment")?.slug;
   const bypasserCount = (formUserBypassers || []).length + (formGroupBypassers || []).length;
 
   const handleCreatePolicy = async ({
@@ -469,7 +471,11 @@ const Form = ({
                 errorText={error?.message}
                 className="flex-1"
               >
-                <Input {...field} value={field.value || ""} />
+                <SecretPathInput
+                  {...field}
+                  value={field.value || ""}
+                  environment={formEnvironment}
+                />
               </FormControl>
             )}
           />

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/AwsIamInputForm.tsx

@@ -15,6 +15,7 @@ import {
   TextArea
 } from "@app/components/v2";
 import { useCreateDynamicSecret } from "@app/hooks/api";
+import { useGetServerConfig } from "@app/hooks/api/admin";
 import {
   DynamicSecretAwsIamAuth,
   DynamicSecretProviders
@@ -61,6 +62,23 @@ const formSchema = z.object({
           })
         )
         .optional()
+    }),
+    z.object({
+      method: z.literal(DynamicSecretAwsIamAuth.IRSA),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: z
+        .array(
+          z.object({
+            key: z.string().trim().min(1).max(128),
+            value: z.string().trim().min(1).max(256)
+          })
+        )
+        .optional()
     })
   ]),
   defaultTTL: z.string().superRefine((val, ctx) => {
@@ -106,6 +124,8 @@ export const AwsIamInputForm = ({
   projectSlug,
   isSingleEnvironmentMode
 }: Props) => {
+  const { data: serverConfig } = useGetServerConfig();
+
   const {
     control,
     formState: { isSubmitting },
@@ -123,7 +143,7 @@ export const AwsIamInputForm = ({
   });
 
   const createDynamicSecret = useCreateDynamicSecret();
-  const isAccessKeyMethod = watch("provider.method") === DynamicSecretAwsIamAuth.AccessKey;
+  const method = watch("provider.method");
 
   const handleCreateDynamicSecret = async ({
     name,
@@ -237,11 +257,14 @@ export const AwsIamInputForm = ({
                         Assume Role (Recommended)
                       </SelectItem>
                       <SelectItem value={DynamicSecretAwsIamAuth.AccessKey}>Access Key</SelectItem>
+                      {serverConfig?.kubernetesAutoFetchServiceAccountToken && (
+                        <SelectItem value={DynamicSecretAwsIamAuth.IRSA}>IRSA (EKS)</SelectItem>
+                      )}
                     </Select>
                   </FormControl>
                 )}
               />
-              {isAccessKeyMethod ? (
+              {method === DynamicSecretAwsIamAuth.AccessKey && (
                 <div className="flex items-center space-x-2">
                   <Controller
                     control={control}
@@ -274,7 +297,8 @@ export const AwsIamInputForm = ({
                     )}
                   />
                 </div>
-              ) : (
+              )}
+              {method === DynamicSecretAwsIamAuth.AssumeRole && (
                 <div className="flex items-center space-x-2">
                   <Controller
                     control={control}

frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretAwsIamForm.tsx

@@ -6,7 +6,7 @@ import { z } from "zod";
 import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Input, Select, SelectItem, TextArea } from "@app/components/v2";
-import { useUpdateDynamicSecret } from "@app/hooks/api";
+import { useGetServerConfig, useUpdateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretAwsIamAuth, TDynamicSecret } from "@app/hooks/api/dynamicSecret/types";
 import { slugSchema } from "@app/lib/schemas";
 
@@ -40,6 +40,18 @@ const formSchema = z.object({
       tags: z
         .array(z.object({ key: z.string().trim().min(1), value: z.string().trim().min(1) }))
         .optional()
+    }),
+    z.object({
+      method: z.literal(DynamicSecretAwsIamAuth.IRSA),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: z
+        .array(z.object({ key: z.string().trim().min(1), value: z.string().trim().min(1) }))
+        .optional()
     })
   ]),
   defaultTTL: z.string().superRefine((val, ctx) => {
@@ -83,6 +95,8 @@ export const EditDynamicSecretAwsIamForm = ({
   secretPath,
   projectSlug
 }: Props) => {
+  const { data: serverConfig } = useGetServerConfig();
+
   const {
     control,
     watch,
@@ -100,7 +114,7 @@ export const EditDynamicSecretAwsIamForm = ({
       }
     }
   });
-  const isAccessKeyMethod = watch("inputs.method") === DynamicSecretAwsIamAuth.AccessKey;
+  const method = watch("inputs.method");
 
   const updateDynamicSecret = useUpdateDynamicSecret();
 
@@ -214,11 +228,14 @@ export const EditDynamicSecretAwsIamForm = ({
                       Assume Role (Recommended)
                     </SelectItem>
                     <SelectItem value={DynamicSecretAwsIamAuth.AccessKey}>Access Key</SelectItem>
+                    {serverConfig?.kubernetesAutoFetchServiceAccountToken && (
+                      <SelectItem value={DynamicSecretAwsIamAuth.IRSA}>IRSA (EKS)</SelectItem>
+                    )}
                   </Select>
                 </FormControl>
               )}
             />
-            {isAccessKeyMethod ? (
+            {method === DynamicSecretAwsIamAuth.AccessKey && (
               <div className="flex items-center space-x-2">
                 <Controller
                   control={control}
@@ -251,7 +268,8 @@ export const EditDynamicSecretAwsIamForm = ({
                   )}
                 />
               </div>
-            ) : (
+            )}
+            {method === DynamicSecretAwsIamAuth.AssumeRole && (
               <div className="flex items-center space-x-2">
                 <Controller
                   control={control}