misc: add custom role slug in fetch group

misc: add verification pipelines for helm charts

.github/workflows/helm-release-infisical-core.yml

@@ -3,7 +3,62 @@ name: Release Infisical Core Helm chart
 on: [workflow_dispatch]
 
 jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Add Helm repositories
+        run: |
+          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-standalone-postgres
+
+      - name: Create Infisical secrets
+        run: |
+          kubectl create secret generic infisical-secrets \
+            --namespace infisical-standalone-postgres \
+            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=SITE_URL=http://localhost:8080
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-standalone-postgres \
+            --helm-extra-args="--timeout=300s" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --namespace infisical-standalone-postgres
+
   release:
+    needs: test-helm
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -19,4 +74,4 @@ jobs:
       - name: Build and push helm package to Cloudsmith
         run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
         env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release-k8-operator-helm.yml

@@ -1,27 +1,59 @@
 name: Release K8 Operator Helm Chart
 on:
-    workflow_dispatch:
+  workflow_dispatch:
 
 jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v2
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
 
-            - name: Install python
-              uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
 
-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
 
-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml --charts helm-charts/secrets-operator
+
+  release-helm:
+    name: Release Helm Chart
+    needs: test-helm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Install python
+        uses: actions/setup-python@v4
+
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+
+      - name: Build and push helm package to CloudSmith
+        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_helm_gateway.yaml

@@ -1,27 +1,70 @@
 name: Release Gateway Helm Chart
 on:
-    workflow_dispatch:
+  workflow_dispatch:
 
 jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
 
-            - name: Install python
-              uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
 
-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
 
-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-gateway-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-gateway
+
+      - name: Create gateway secret
+        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-gateway \
+            --helm-extra-args="--timeout=300s" \
+            --namespace infisical-gateway
+
+  release-helm:
+    name: Release Helm Chart
+    needs: test-helm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Install python
+        uses: actions/setup-python@v4
+
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+
+      - name: Build and push helm package to CloudSmith
+        run: cd helm-charts && sh upload-gateway-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/run-helm-chart-tests-infisical-gateway.yml

@@ -0,0 +1,49 @@
+name: Run Helm Chart Tests for Gateway
+on:
+  pull_request:
+    paths:
+      - "helm-charts/infisical-gateway/**"
+      - ".github/workflows/run-helm-chart-tests-infisical-gateway.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-gateway
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-gateway
+
+      - name: Create gateway secret
+        run: kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=my-test-token -n infisical-gateway
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-gateway \
+            --helm-extra-args="--timeout=300s" \
+            --namespace infisical-gateway

.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml

@@ -0,0 +1,61 @@
+name: Run Helm Chart Tests for Infisical Standalone Postgres
+on:
+  pull_request:
+    paths:
+      - "helm-charts/infisical-standalone-postgres/**"
+      - ".github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Add Helm repositories
+        run: |
+          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/infisical-standalone-postgres
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Create namespace
+        run: kubectl create namespace infisical-standalone-postgres
+
+      - name: Create Infisical secrets
+        run: |
+          kubectl create secret generic infisical-secrets \
+            --namespace infisical-standalone-postgres \
+            --from-literal=AUTH_SECRET=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
+            --from-literal=SITE_URL=http://localhost:8080
+
+      - name: Run chart-testing (install)
+        run: |
+          ct install \
+            --config ct.yaml \
+            --charts helm-charts/infisical-standalone-postgres \
+            --helm-extra-args="--timeout=300s" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --namespace infisical-standalone-postgres

.github/workflows/run-helm-chart-tests-secret-operator.yml

@@ -0,0 +1,38 @@
+name: Run Helm Chart Tests for Secret Operator
+on:
+  pull_request:
+    paths:
+      - "helm-charts/secrets-operator/**"
+      - ".github/workflows/run-helm-chart-tests-secret-operator.yml"
+
+jobs:
+  test-helm:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: v3.17.0
+
+      - uses: actions/setup-python@v5.3.0
+        with:
+          python-version: "3.x"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml --charts helm-charts/secrets-operator
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml --charts helm-charts/secrets-operator

.infisicalignore

@@ -40,4 +40,8 @@ cli/detect/config/gitleaks.toml:gcp-api-key:578
 cli/detect/config/gitleaks.toml:gcp-api-key:579
 cli/detect/config/gitleaks.toml:gcp-api-key:581
 cli/detect/config/gitleaks.toml:gcp-api-key:582
+.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:51
+.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml:generic-api-key:50
+.github/workflows/helm-release-infisical-core.yml:generic-api-key:48
+.github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79

backend/src/@types/fastify.d.ts

@@ -65,6 +65,7 @@ import { TGroupProjectServiceFactory } from "@app/services/group-project/group-p
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { TIdentityAliCloudAuthServiceFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
@@ -218,6 +219,7 @@ declare module "fastify" {
       identityUa: TIdentityUaServiceFactory;
       identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
+      identityAliCloudAuth: TIdentityAliCloudAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
       identityOciAuth: TIdentityOciAuthServiceFactory;

backend/src/@types/knex.d.ts

@@ -125,6 +125,9 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
+  TIdentityAlicloudAuths,
+  TIdentityAlicloudAuthsInsert,
+  TIdentityAlicloudAuthsUpdate,
   TIdentityAwsAuths,
   TIdentityAwsAuthsInsert,
   TIdentityAwsAuthsUpdate,
@@ -786,6 +789,11 @@ declare module "knex/types/tables" {
       TIdentityGcpAuthsInsert,
       TIdentityGcpAuthsUpdate
     >;
+    [TableName.IdentityAliCloudAuth]: KnexOriginal.CompositeTableType<
+      TIdentityAlicloudAuths,
+      TIdentityAlicloudAuthsInsert,
+      TIdentityAlicloudAuthsUpdate
+    >;
     [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
       TIdentityAwsAuths,
       TIdentityAwsAuthsInsert,

backend/src/db/migrations/20250610143920_add-dynamic-secret-lease-config.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
+  if (!hasConfigColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
+      table.jsonb("config");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasConfigColumn = await knex.schema.hasColumn(TableName.DynamicSecretLease, "config");
+  if (hasConfigColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecretLease, (table) => {
+      table.dropColumn("config");
+    });
+  }
+}

backend/src/db/migrations/20250610205158_alicloud-machine-identity.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAliCloudAuth))) {
+    await knex.schema.createTable(TableName.IdentityAliCloudAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("allowedArns").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAliCloudAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAliCloudAuth);
+}

backend/src/db/schemas/dynamic-secret-leases.ts

@@ -16,7 +16,8 @@ export const DynamicSecretLeasesSchema = z.object({
   statusDetails: z.string().nullable().optional(),
   dynamicSecretId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  config: z.unknown().nullable().optional()
 });
 
 export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;

backend/src/db/schemas/identity-alicloud-auths.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAlicloudAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedArns: z.string()
+});
+
+export type TIdentityAlicloudAuths = z.infer<typeof IdentityAlicloudAuthsSchema>;
+export type TIdentityAlicloudAuthsInsert = Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAlicloudAuthsUpdate = Partial<Omit<z.input<typeof IdentityAlicloudAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -39,6 +39,7 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
+export * from "./identity-alicloud-auths";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";

backend/src/db/schemas/models.ts

@@ -80,6 +80,7 @@ export enum TableName {
   IdentityGcpAuth = "identity_gcp_auths",
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
+  IdentityAliCloudAuth = "identity_alicloud_auths",
   IdentityAwsAuth = "identity_aws_auths",
   IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
@@ -247,6 +248,7 @@ export enum IdentityAuthMethod {
   UNIVERSAL_AUTH = "universal-auth",
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
+  ALICLOUD_AUTH = "alicloud-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
   OCI_AUTH = "oci-auth",

backend/src/ee/routes/v1/app-connection-routers/oracledb-connection-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateOracleDBConnectionSchema,
+  SanitizedOracleDBConnectionSchema,
+  UpdateOracleDBConnectionSchema
+} from "@app/ee/services/app-connections/oracledb";
+import { registerAppConnectionEndpoints } from "@app/server/routes/v1/app-connection-routers/app-connection-endpoints";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const registerOracleDBConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OracleDB,
+    server,
+    sanitizedResponseSchema: SanitizedOracleDBConnectionSchema,
+    createSchema: CreateOracleDBConnectionSchema,
+    updateSchema: UpdateOracleDBConnectionSchema
+  });
+};

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -36,7 +36,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
               ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
           }),
         path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.environmentSlug),
+        config: z.any().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/dynamic-secret-lease-routers/kubernetes-lease-router.ts

@@ -0,0 +1,67 @@
+import { z } from "zod";
+
+import { DynamicSecretLeasesSchema } from "@app/db/schemas";
+import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { daysToMillisecond } from "@app/lib/dates";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerKubernetesDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
+      body: z.object({
+        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
+        ttl: z
+          .string()
+          .optional()
+          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
+          .superRefine((val, ctx) => {
+            if (!val) return;
+            const valMs = ms(val);
+            if (valMs < 60 * 1000)
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be greater than 1min" });
+            if (valMs > daysToMillisecond(1))
+              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+          }),
+        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.environmentSlug),
+        config: z
+          .object({
+            namespace: z.string().min(1).optional().describe(DYNAMIC_SECRET_LEASES.KUBERNETES.CREATE.config.namespace)
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          lease: DynamicSecretLeasesSchema,
+          dynamicSecret: SanitizedDynamicSecretSchema,
+          data: z.unknown()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        name: req.body.dynamicSecretName,
+        ...req.body
+      });
+      return { lease, data, dynamicSecret };
+    }
+  });
+};

backend/src/ee/routes/v1/group-router.ts

@@ -48,7 +48,9 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
       }),
       response: {
-        200: GroupsSchema
+        200: GroupsSchema.extend({
+          customRoleSlug: z.string().nullable()
+        })
       }
     },
     handler: async (req) => {

backend/src/ee/routes/v1/index.ts

@@ -6,6 +6,7 @@ import { registerAssumePrivilegeRouter } from "./assume-privilege-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerCaCrlRouter } from "./certificate-authority-crl-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
+import { registerKubernetesDynamicSecretLeaseRouter } from "./dynamic-secret-lease-routers/kubernetes-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGatewayRouter } from "./gateway-router";
@@ -71,6 +72,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     async (dynamicSecretRouter) => {
       await dynamicSecretRouter.register(registerDynamicSecretRouter);
       await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
+      await dynamicSecretRouter.register(registerKubernetesDynamicSecretLeaseRouter, { prefix: "/leases/kubernetes" });
     },
     { prefix: "/dynamic-secrets" }
   );

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,6 +6,7 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
+import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
 export * from "./secret-rotation-v2-router";
@@ -17,6 +18,7 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
   [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
   [SecretRotation.MySqlCredentials]: registerMySqlCredentialsRotationRouter,
+  [SecretRotation.OracleDBCredentials]: registerOracleDBCredentialsRotationRouter,
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,

backend/src/ee/routes/v2/secret-rotation-v2-routers/oracledb-credentials-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateOracleDBCredentialsRotationSchema,
+  OracleDBCredentialsRotationSchema,
+  UpdateOracleDBCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerOracleDBCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.OracleDBCredentials,
+    server,
+    responseSchema: OracleDBCredentialsRotationSchema,
+    createSchema: CreateOracleDBCredentialsRotationSchema,
+    updateSchema: UpdateOracleDBCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,6 +7,7 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
 import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
@@ -18,6 +19,7 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
   MsSqlCredentialsRotationListItemSchema,
   MySqlCredentialsRotationListItemSchema,
+  OracleDBCredentialsRotationListItemSchema,
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -187,6 +187,56 @@ export const registerSecretScanningV2Router = async (server: FastifyZodProvider)
     }
   });
 
+  server.route({
+    method: "PATCH",
+    url: "/findings",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "Update one or more Secret Scanning Findings in a batch.",
+      body: z
+        .object({
+          findingId: z.string().trim().min(1, "Finding ID required").describe(SecretScanningFindings.UPDATE.findingId),
+          status: z.nativeEnum(SecretScanningFindingStatus).optional().describe(SecretScanningFindings.UPDATE.status),
+          remarks: z.string().nullish().describe(SecretScanningFindings.UPDATE.remarks)
+        })
+        .array()
+        .max(500),
+      response: {
+        200: z.object({ findings: SecretScanningFindingSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { body, permission } = req;
+
+      const updatedFindingPromises = body.map(async (findingUpdatePayload) => {
+        const { finding, projectId } = await server.services.secretScanningV2.updateSecretScanningFindingById(
+          findingUpdatePayload,
+          permission
+        );
+
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId,
+          event: {
+            type: EventType.SECRET_SCANNING_FINDING_UPDATE,
+            metadata: findingUpdatePayload
+          }
+        });
+
+        return finding;
+      });
+
+      const findings = await Promise.all(updatedFindingPromises);
+
+      return { findings };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/configs",

backend/src/ee/services/app-connections/oracledb/index.ts

@@ -0,0 +1,4 @@
+export * from "./oracledb-connection-enums";
+export * from "./oracledb-connection-fns";
+export * from "./oracledb-connection-schemas";
+export * from "./oracledb-connection-types";

backend/src/ee/services/app-connections/oracledb/oracledb-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum OracleDBConnectionMethod {
+  UsernameAndPassword = "username-and-password"
+}

backend/src/ee/services/app-connections/oracledb/oracledb-connection-fns.ts

@@ -0,0 +1,12 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { OracleDBConnectionMethod } from "./oracledb-connection-enums";
+
+export const getOracleDBConnectionListItem = () => {
+  return {
+    name: "OracleDB" as const,
+    app: AppConnection.OracleDB as const,
+    methods: Object.values(OracleDBConnectionMethod) as [OracleDBConnectionMethod.UsernameAndPassword],
+    supportsPlatformManagement: true as const
+  };
+};

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -0,0 +1,64 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+import { BaseSqlUsernameAndPasswordConnectionSchema } from "@app/services/app-connection/shared/sql";
+
+import { OracleDBConnectionMethod } from "./oracledb-connection-enums";
+
+export const OracleDBConnectionCredentialsSchema = BaseSqlUsernameAndPasswordConnectionSchema;
+
+const BaseOracleDBConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.OracleDB) });
+
+export const OracleDBConnectionSchema = BaseOracleDBConnectionSchema.extend({
+  method: z.literal(OracleDBConnectionMethod.UsernameAndPassword),
+  credentials: OracleDBConnectionCredentialsSchema
+});
+
+export const SanitizedOracleDBConnectionSchema = z.discriminatedUnion("method", [
+  BaseOracleDBConnectionSchema.extend({
+    method: z.literal(OracleDBConnectionMethod.UsernameAndPassword),
+    credentials: OracleDBConnectionCredentialsSchema.pick({
+      host: true,
+      database: true,
+      port: true,
+      username: true,
+      sslEnabled: true,
+      sslRejectUnauthorized: true,
+      sslCertificate: true
+    })
+  })
+]);
+
+export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(OracleDBConnectionMethod.UsernameAndPassword)
+      .describe(AppConnections.CREATE(AppConnection.OracleDB).method),
+    credentials: OracleDBConnectionCredentialsSchema.describe(AppConnections.CREATE(AppConnection.OracleDB).credentials)
+  })
+]);
+
+export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
+);
+
+export const UpdateOracleDBConnectionSchema = z
+  .object({
+    credentials: OracleDBConnectionCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.OracleDB).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
+
+export const OracleDBConnectionListItemSchema = z.object({
+  name: z.literal("OracleDB"),
+  app: z.literal(AppConnection.OracleDB),
+  methods: z.nativeEnum(OracleDBConnectionMethod).array(),
+  supportsPlatformManagement: z.literal(true)
+});

backend/src/ee/services/app-connections/oracledb/oracledb-connection-types.ts

@@ -0,0 +1,17 @@
+import z from "zod";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import {
+  CreateOracleDBConnectionSchema,
+  OracleDBConnectionSchema,
+  ValidateOracleDBConnectionCredentialsSchema
+} from "./oracledb-connection-schemas";
+
+export type TOracleDBConnection = z.infer<typeof OracleDBConnectionSchema>;
+
+export type TOracleDBConnectionInput = z.infer<typeof CreateOracleDBConnectionSchema> & {
+  app: AppConnection.OracleDB;
+};
+
+export type TValidateOracleDBConnectionCredentialsSchema = typeof ValidateOracleDBConnectionCredentialsSchema;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -170,6 +170,12 @@ export enum EventType {
   REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
   GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
 
+  LOGIN_IDENTITY_ALICLOUD_AUTH = "login-identity-alicloud-auth",
+  ADD_IDENTITY_ALICLOUD_AUTH = "add-identity-alicloud-auth",
+  UPDATE_IDENTITY_ALICLOUD_AUTH = "update-identity-alicloud-auth",
+  REVOKE_IDENTITY_ALICLOUD_AUTH = "revoke-identity-alicloud-auth",
+  GET_IDENTITY_ALICLOUD_AUTH = "get-identity-alicloud-auth",
+
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
@@ -1060,6 +1066,53 @@ interface GetIdentityAwsAuthEvent {
   };
 }
 
+interface LoginIdentityAliCloudAuthEvent {
+  type: EventType.LOGIN_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    identityAliCloudAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAliCloudAuthEvent {
+  type: EventType.ADD_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    allowedArns: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityAliCloudAuthEvent {
+  type: EventType.REVOKE_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityAliCloudAuthEvent {
+  type: EventType.UPDATE_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+    allowedArns: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityAliCloudAuthEvent {
+  type: EventType.GET_IDENTITY_ALICLOUD_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityOciAuthEvent {
   type: EventType.LOGIN_IDENTITY_OCI_AUTH;
   metadata: {
@@ -3272,6 +3325,11 @@ export type Event =
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
   | DeleteIdentityAwsAuthEvent
+  | LoginIdentityAliCloudAuthEvent
+  | AddIdentityAliCloudAuthEvent
+  | UpdateIdentityAliCloudAuthEvent
+  | GetIdentityAliCloudAuthEvent
+  | DeleteIdentityAliCloudAuthEvent
   | LoginIdentityOciAuthEvent
   | AddIdentityOciAuthEvent
   | UpdateIdentityOciAuthEvent

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -10,6 +10,7 @@ import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
 import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
 import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
 import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
+import { TDynamicSecretLeaseConfig } from "./dynamic-secret-lease-types";
 
 type TDynamicSecretLeaseQueueServiceFactoryDep = {
   queueService: TQueueServiceFactory;
@@ -134,10 +135,15 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
 
           await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
           await Promise.all(
-            dynamicSecretLeases.map(({ externalEntityId }) =>
-              selectedProvider.revoke(decryptedStoredInput, externalEntityId, {
-                projectId: folder.projectId
-              })
+            dynamicSecretLeases.map(({ externalEntityId, config }) =>
+              selectedProvider.revoke(
+                decryptedStoredInput,
+                externalEntityId,
+                {
+                  projectId: folder.projectId
+                },
+                config as TDynamicSecretLeaseConfig
+              )
             )
           );
         }

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -29,6 +29,7 @@ import {
   TCreateDynamicSecretLeaseDTO,
   TDeleteDynamicSecretLeaseDTO,
   TDetailsDynamicSecretLeaseDTO,
+  TDynamicSecretLeaseConfig,
   TListDynamicSecretLeasesDTO,
   TRenewDynamicSecretLeaseDTO
 } from "./dynamic-secret-lease-types";
@@ -77,7 +78,8 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorId,
     actorOrgId,
     actorAuthMethod,
-    ttl
+    ttl,
+    config
   }: TCreateDynamicSecretLeaseDTO) => {
     const appCfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
@@ -163,7 +165,8 @@ export const dynamicSecretLeaseServiceFactory = ({
         expireAt: expireAt.getTime(),
         usernameTemplate: dynamicSecretCfg.usernameTemplate,
         identity,
-        metadata: { projectId }
+        metadata: { projectId },
+        config
       });
     } catch (error: unknown) {
       if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
@@ -177,8 +180,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       expireAt,
       version: 1,
       dynamicSecretId: dynamicSecretCfg.id,
-      externalEntityId: entityId
+      externalEntityId: entityId,
+      config
     });
+
     await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
     return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
   };
@@ -259,7 +264,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
     if (maxTTL) {
       const maxExpiryDate = new Date(dynamicSecretLease.createdAt.getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max ttl" });
+      if (expireAt > maxExpiryDate)
+        throw new BadRequestError({
+          message: "The requested renewal would exceed the maximum allowed lease duration. Please choose a shorter TTL"
+        });
     }
 
     const { entityId } = await selectedProvider.renew(
@@ -342,7 +350,12 @@ export const dynamicSecretLeaseServiceFactory = ({
     ) as object;
 
     const revokeResponse = await selectedProvider
-      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId, { projectId })
+      .revoke(
+        decryptedStoredInput,
+        dynamicSecretLease.externalEntityId,
+        { projectId },
+        dynamicSecretLease.config as TDynamicSecretLeaseConfig
+      )
       .catch(async (err) => {
         // only propogate this error if forced is false
         if (!isForced) return { error: err as Error };

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts

@@ -10,6 +10,7 @@ export type TCreateDynamicSecretLeaseDTO = {
   environmentSlug: string;
   ttl?: string;
   projectSlug: string;
+  config?: TDynamicSecretLeaseConfig;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDetailsDynamicSecretLeaseDTO = {
@@ -41,3 +42,9 @@ export type TRenewDynamicSecretLeaseDTO = {
   ttl?: string;
   projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TDynamicSecretKubernetesLeaseConfig = {
+  namespace?: string;
+};
+
+export type TDynamicSecretLeaseConfig = TDynamicSecretKubernetesLeaseConfig;

backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts

@@ -0,0 +1,105 @@
+import { gaxios, Impersonated, JWT } from "google-auth-library";
+import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth2client";
+
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
+
+export const GcpIamProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretGcpIamSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $getToken = async (serviceAccountEmail: string, ttl: number): Promise<string> => {
+    const appCfg = getConfig();
+    if (!appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) {
+      throw new InternalServerError({
+        message: "Environment variable has not been configured: INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL"
+      });
+    }
+
+    const credJson = JSON.parse(appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) as {
+      client_email: string;
+      private_key: string;
+    };
+
+    const sourceClient = new JWT({
+      email: credJson.client_email,
+      key: credJson.private_key,
+      scopes: ["https://www.googleapis.com/auth/cloud-platform"]
+    });
+
+    const impersonatedCredentials = new Impersonated({
+      sourceClient,
+      targetPrincipal: serviceAccountEmail,
+      lifetime: ttl,
+      delegates: [],
+      targetScopes: ["https://www.googleapis.com/auth/iam", "https://www.googleapis.com/auth/cloud-platform"]
+    });
+
+    let tokenResponse: GetAccessTokenResponse | undefined;
+    try {
+      tokenResponse = await impersonatedCredentials.getAccessToken();
+    } catch (error) {
+      let message = "Unable to validate connection";
+      if (error instanceof gaxios.GaxiosError) {
+        message = error.message;
+      }
+
+      throw new BadRequestError({
+        message
+      });
+    }
+
+    if (!tokenResponse || !tokenResponse.token) {
+      throw new BadRequestError({
+        message: "Unable to validate connection"
+      });
+    }
+
+    return tokenResponse.token;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    await $getToken(providerInputs.serviceAccountEmail, 10);
+    return true;
+  };
+
+  const create = async (data: { inputs: unknown; expireAt: number }) => {
+    const { inputs, expireAt } = data;
+
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+
+    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+    const entityId = alphaNumericNanoId(32);
+
+    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    // There's no way to revoke GCP IAM access tokens
+    return { entityId };
+  };
+
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
+    // To renew a token it must be re-created
+    const data = await create({ inputs, expireAt });
+
+    return { ...data, entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -6,6 +6,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { GcpIamProvider } from "./gcp-iam";
 import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
@@ -42,5 +43,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.Totp]: TotpProvider(),
   [DynamicSecretProviders.SapAse]: SapAseProvider(),
   [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
-  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService })
+  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
+  [DynamicSecretProviders.GcpIam]: GcpIamProvider()
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -1,13 +1,14 @@
-import axios from "axios";
+import axios, { AxiosError } from "axios";
 import handlebars from "handlebars";
 import https from "https";
 
-import { InternalServerError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";
 
+import { TDynamicSecretKubernetesLeaseConfig } from "../../dynamic-secret-lease/dynamic-secret-lease-types";
 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import {
   DynamicSecretKubernetesSchema,
@@ -19,6 +20,9 @@ import {
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
+// This value is just a placeholder. When using gateway auth method, the url is irrelevant.
+const GATEWAY_AUTH_DEFAULT_URL = "https://kubernetes.default.svc.cluster.local";
+
 type TKubernetesProviderDTO = {
   gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
@@ -36,7 +40,7 @@ const generateUsername = (usernameTemplate?: string | null) => {
 export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
-    if (!providerInputs.gatewayId) {
+    if (!providerInputs.gatewayId && providerInputs.url) {
       await blockLocalAndPrivateIpAddresses(providerInputs.url);
     }
 
@@ -103,135 +107,173 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       const serviceAccountName = generateUsername();
       const roleBindingName = `${serviceAccountName}-role-binding`;
 
-      // 1. Create a test service account
-      await axios.post(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts`,
-        {
-          metadata: {
-            name: serviceAccountName,
-            namespace: providerInputs.namespace
-          }
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
-              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
-        }
-      );
+      const namespaces = providerInputs.namespace.split(",").map((namespace) => namespace.trim());
 
-      // 2. Create a test role binding
-      const roleBindingUrl =
-        providerInputs.roleType === KubernetesRoleType.ClusterRole
-          ? `${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings`
-          : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${providerInputs.namespace}/rolebindings`;
-
-      const roleBindingMetadata = {
-        name: roleBindingName,
-        ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace: providerInputs.namespace })
-      };
-
-      await axios.post(
-        roleBindingUrl,
-        {
-          metadata: roleBindingMetadata,
-          roleRef: {
-            kind: providerInputs.roleType === KubernetesRoleType.ClusterRole ? "ClusterRole" : "Role",
-            name: providerInputs.role,
-            apiGroup: "rbac.authorization.k8s.io"
-          },
-          subjects: [
+      // Test each namespace sequentially instead of in parallel to simplify cleanup
+      for await (const namespace of namespaces) {
+        try {
+          // 1. Create a test service account
+          await axios.post(
+            `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts`,
             {
-              kind: "ServiceAccount",
-              name: serviceAccountName,
-              namespace: providerInputs.namespace
+              metadata: {
+                name: serviceAccountName,
+                namespace
+              }
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
             }
-          ]
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
-              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
-        }
-      );
+          );
 
-      // 3. Request a token for the test service account
-      await axios.post(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${serviceAccountName}/token`,
-        {
-          spec: {
-            expirationSeconds: 600, // 10 minutes
-            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+          // 2. Create a test role binding
+          const roleBindingUrl =
+            providerInputs.roleType === KubernetesRoleType.ClusterRole
+              ? `${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings`
+              : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings`;
+
+          const roleBindingMetadata = {
+            name: roleBindingName,
+            ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace })
+          };
+
+          await axios.post(
+            roleBindingUrl,
+            {
+              metadata: roleBindingMetadata,
+              roleRef: {
+                kind: providerInputs.roleType === KubernetesRoleType.ClusterRole ? "ClusterRole" : "Role",
+                name: providerInputs.role,
+                apiGroup: "rbac.authorization.k8s.io"
+              },
+              subjects: [
+                {
+                  kind: "ServiceAccount",
+                  name: serviceAccountName,
+                  namespace
+                }
+              ]
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            }
+          );
+
+          // 3. Request a token for the test service account
+          await axios.post(
+            `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}/token`,
+            {
+              spec: {
+                expirationSeconds: 600, // 10 minutes
+                ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+              }
+            },
+            {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            }
+          );
+
+          // 4. Cleanup: delete role binding and service account
+          if (providerInputs.roleType === KubernetesRoleType.Role) {
+            await axios.delete(
+              `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings/${roleBindingName}`,
+              {
+                headers: {
+                  "Content-Type": "application/json",
+                  ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                    ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                    : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+                },
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                  ? {
+                      httpsAgent
+                    }
+                  : {}),
+                signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+                timeout: EXTERNAL_REQUEST_TIMEOUT
+              }
+            );
+          } else {
+            await axios.delete(`${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/${roleBindingName}`, {
+              headers: {
+                "Content-Type": "application/json",
+                ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
+                  ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
+                  : { Authorization: `Bearer ${providerInputs.clusterToken}` })
+              },
+              ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+                ? {
+                    httpsAgent
+                  }
+                : {}),
+              signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+              timeout: EXTERNAL_REQUEST_TIMEOUT
+            });
           }
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
-              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
-        }
-      );
 
-      // 4. Cleanup: delete role binding and service account
-      if (providerInputs.roleType === KubernetesRoleType.Role) {
-        await axios.delete(
-          `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${providerInputs.namespace}/rolebindings/${roleBindingName}`,
-          {
+          await axios.delete(`${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}`, {
             headers: {
               "Content-Type": "application/json",
               ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-                ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+                ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
                 : { Authorization: `Bearer ${providerInputs.clusterToken}` })
             },
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+              ? {
+                  httpsAgent
+                }
+              : {}),
             signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-            timeout: EXTERNAL_REQUEST_TIMEOUT,
-            httpsAgent
+            timeout: EXTERNAL_REQUEST_TIMEOUT
+          });
+        } catch (error) {
+          const cleanupInfo = `You may need to manually clean up the following resources in namespace "${namespace}": Service Account - ${serviceAccountName}, ${providerInputs.roleType === KubernetesRoleType.Role ? "Role" : "Cluster Role"} Binding - ${roleBindingName}.`;
+          let mainErrorMessage = "Unknown error";
+          if (error instanceof AxiosError) {
+            mainErrorMessage = (error.response?.data as { message: string })?.message;
+          } else if (error instanceof Error) {
+            mainErrorMessage = error.message;
           }
-        );
-      } else {
-        await axios.delete(`${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/${roleBindingName}`, {
-          headers: {
-            "Content-Type": "application/json",
-            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
-              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
-        });
-      }
 
-      await axios.delete(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${serviceAccountName}`,
-        {
-          headers: {
-            "Content-Type": "application/json",
-            ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
-              : { Authorization: `Bearer ${providerInputs.clusterToken}` })
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          throw new Error(`${mainErrorMessage}. ${cleanupInfo}`);
         }
-      );
+      }
     };
 
     const serviceAccountStaticCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
@@ -247,17 +289,23 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         }
       );
     };
 
-    const url = new URL(providerInputs.url);
+    const rawUrl =
+      providerInputs.authMethod === KubernetesAuthMethod.Gateway ? GATEWAY_AUTH_DEFAULT_URL : providerInputs.url || "";
+    const url = new URL(rawUrl);
     const k8sGatewayHost = url.hostname;
     const k8sPort = url.port ? Number(url.port) : 443;
     const k8sHost = `${url.protocol}//${url.hostname}`;
@@ -315,11 +363,13 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
   const create = async ({
     inputs,
     expireAt,
-    usernameTemplate
+    usernameTemplate,
+    config
   }: {
     inputs: unknown;
     expireAt: number;
     usernameTemplate?: string | null;
+    config?: TDynamicSecretKubernetesLeaseConfig;
   }) => {
     const providerInputs = await validateProviderInputs(inputs);
 
@@ -331,26 +381,44 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       const baseUrl = port ? `${host}:${port}` : host;
       const serviceAccountName = generateUsername(usernameTemplate);
       const roleBindingName = `${serviceAccountName}-role-binding`;
+      const allowedNamespaces = providerInputs.namespace.split(",").map((namespace) => namespace.trim());
+
+      if (config?.namespace && !allowedNamespaces?.includes(config?.namespace)) {
+        throw new BadRequestError({
+          message: `Namespace ${config?.namespace} is not allowed. Allowed namespaces: ${allowedNamespaces?.join(", ")}`
+        });
+      }
+
+      const namespace = config?.namespace || allowedNamespaces[0];
+      if (!namespace) {
+        throw new BadRequestError({
+          message: "No namespace provided"
+        });
+      }
 
       // 1. Create the service account
       await axios.post(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts`,
+        `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts`,
         {
           metadata: {
             name: serviceAccountName,
-            namespace: providerInputs.namespace
+            namespace
           }
         },
         {
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         }
       );
 
@@ -358,11 +426,11 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       const roleBindingUrl =
         providerInputs.roleType === KubernetesRoleType.ClusterRole
           ? `${baseUrl}/apis/rbac.authorization.k8s.io/v1/clusterrolebindings`
-          : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${providerInputs.namespace}/rolebindings`;
+          : `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings`;
 
       const roleBindingMetadata = {
         name: roleBindingName,
-        ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace: providerInputs.namespace })
+        ...(providerInputs.roleType !== KubernetesRoleType.ClusterRole && { namespace })
       };
 
       await axios.post(
@@ -378,7 +446,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
             {
               kind: "ServiceAccount",
               name: serviceAccountName,
-              namespace: providerInputs.namespace
+              namespace
             }
           ]
         },
@@ -386,18 +454,22 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         }
       );
 
       // 3. Request a token for the service account
       const res = await axios.post<TKubernetesTokenRequest>(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${serviceAccountName}/token`,
+        `${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${serviceAccountName}/token`,
         {
           spec: {
             expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
@@ -408,12 +480,16 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         }
       );
 
@@ -425,6 +501,12 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
         throw new Error("invalid callback");
       }
 
+      if (config?.namespace && config.namespace !== providerInputs.namespace) {
+        throw new BadRequestError({
+          message: `Namespace ${config?.namespace} is not allowed. Allowed namespace: ${providerInputs.namespace}.`
+        });
+      }
+
       const baseUrl = port ? `${host}:${port}` : host;
 
       const res = await axios.post<TKubernetesTokenRequest>(
@@ -439,19 +521,25 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         }
       );
 
       return { ...res.data, serviceAccountName: providerInputs.serviceAccountName };
     };
 
-    const url = new URL(providerInputs.url);
+    const rawUrl =
+      providerInputs.authMethod === KubernetesAuthMethod.Gateway ? GATEWAY_AUTH_DEFAULT_URL : providerInputs.url || "";
+    const url = new URL(rawUrl);
     const k8sHost = `${url.protocol}//${url.hostname}`;
     const k8sGatewayHost = url.hostname;
     const k8sPort = url.port ? Number(url.port) : 443;
@@ -511,7 +599,13 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
     }
   };
 
-  const revoke = async (inputs: unknown, entityId: string) => {
+  const revoke = async (
+    inputs: unknown,
+    entityId: string,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _metadata: { projectId: string },
+    config?: TDynamicSecretKubernetesLeaseConfig
+  ) => {
     const providerInputs = await validateProviderInputs(inputs);
 
     const serviceAccountDynamicCallback = async (host: string, port: number, httpsAgent?: https.Agent) => {
@@ -522,19 +616,25 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
       const baseUrl = port ? `${host}:${port}` : host;
       const roleBindingName = `${entityId}-role-binding`;
 
+      const namespace = config?.namespace ?? providerInputs.namespace.split(",")[0].trim();
+
       if (providerInputs.roleType === KubernetesRoleType.Role) {
         await axios.delete(
-          `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${providerInputs.namespace}/rolebindings/${roleBindingName}`,
+          `${baseUrl}/apis/rbac.authorization.k8s.io/v1/namespaces/${namespace}/rolebindings/${roleBindingName}`,
           {
             headers: {
               "Content-Type": "application/json",
               ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-                ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+                ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
                 : { Authorization: `Bearer ${providerInputs.clusterToken}` })
             },
+            ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+              ? {
+                  httpsAgent
+                }
+              : {}),
             signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-            timeout: EXTERNAL_REQUEST_TIMEOUT,
-            httpsAgent
+            timeout: EXTERNAL_REQUEST_TIMEOUT
           }
         );
       } else {
@@ -542,31 +642,44 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
           headers: {
             "Content-Type": "application/json",
             ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-              ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+              ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
               : { Authorization: `Bearer ${providerInputs.clusterToken}` })
           },
+          ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+            ? {
+                httpsAgent
+              }
+            : {}),
           signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent
+          timeout: EXTERNAL_REQUEST_TIMEOUT
         });
       }
 
       // Delete the service account
-      await axios.delete(`${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${entityId}`, {
+      await axios.delete(`${baseUrl}/api/v1/namespaces/${namespace}/serviceaccounts/${entityId}`, {
         headers: {
           "Content-Type": "application/json",
           ...(providerInputs.authMethod === KubernetesAuthMethod.Gateway
-            ? { "x-infisical-action": GatewayHttpProxyActions.InjectGatewayK8sServiceAccountToken }
+            ? { "x-infisical-action": GatewayHttpProxyActions.UseGatewayK8sServiceAccount }
             : { Authorization: `Bearer ${providerInputs.clusterToken}` })
         },
+        ...(providerInputs.authMethod === KubernetesAuthMethod.Api
+          ? {
+              httpsAgent
+            }
+          : {}),
         signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-        timeout: EXTERNAL_REQUEST_TIMEOUT,
-        httpsAgent
+        timeout: EXTERNAL_REQUEST_TIMEOUT
       });
     };
 
     if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
-      const url = new URL(providerInputs.url);
+      const rawUrl =
+        providerInputs.authMethod === KubernetesAuthMethod.Gateway
+          ? GATEWAY_AUTH_DEFAULT_URL
+          : providerInputs.url || "";
+
+      const url = new URL(rawUrl);
       const k8sGatewayHost = url.hostname;
       const k8sPort = url.port ? Number(url.port) : 443;
       const k8sHost = `${url.protocol}//${url.hostname}`;

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -1,5 +1,10 @@
+import RE2 from "re2";
 import { z } from "zod";
 
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+
+import { TDynamicSecretLeaseConfig } from "../../dynamic-secret-lease/dynamic-secret-lease-types";
+
 export type PasswordRequirements = {
   length: number;
   required: {
@@ -323,24 +328,54 @@ export const LdapSchema = z.union([
 export const DynamicSecretKubernetesSchema = z
   .discriminatedUnion("credentialType", [
     z.object({
-      url: z.string().url().trim().min(1),
+      url: z
+        .string()
+        .optional()
+        .refine((val: string | undefined) => !val || new RE2(/^https?:\/\/.+/).test(val), {
+          message: "Invalid URL. Must start with http:// or https:// (e.g. https://example.com)"
+        }),
       clusterToken: z.string().trim().optional(),
       ca: z.string().optional(),
       sslEnabled: z.boolean().default(false),
       credentialType: z.literal(KubernetesCredentialType.Static),
       serviceAccountName: z.string().trim().min(1),
-      namespace: z.string().trim().min(1),
+      namespace: z
+        .string()
+        .trim()
+        .min(1)
+        .refine((val) => !val.includes(","), "Namespace must be a single value, not a comma-separated list")
+        .refine(
+          (val) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(val),
+          "Invalid namespace format"
+        ),
       gatewayId: z.string().optional(),
       audiences: z.array(z.string().trim().min(1)),
       authMethod: z.nativeEnum(KubernetesAuthMethod).default(KubernetesAuthMethod.Api)
     }),
     z.object({
-      url: z.string().url().trim().min(1),
+      url: z
+        .string()
+        .url()
+        .optional()
+        .refine((val: string | undefined) => !val || new RE2(/^https?:\/\/.+/).test(val), {
+          message: "Invalid URL. Must start with http:// or https:// (e.g. https://example.com)"
+        }),
       clusterToken: z.string().trim().optional(),
       ca: z.string().optional(),
       sslEnabled: z.boolean().default(false),
       credentialType: z.literal(KubernetesCredentialType.Dynamic),
-      namespace: z.string().trim().min(1),
+      namespace: z
+        .string()
+        .trim()
+        .min(1)
+        .refine((val) => {
+          const namespaces = val.split(",").map((ns) => ns.trim());
+          return (
+            namespaces.length > 0 &&
+            namespaces.every((ns) => ns.length > 0) &&
+            namespaces.every((ns) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(ns))
+          );
+        }, "Must be a valid comma-separated list of namespace values"),
       gatewayId: z.string().optional(),
       audiences: z.array(z.string().trim().min(1)),
       roleType: z.nativeEnum(KubernetesRoleType),
@@ -356,12 +391,21 @@ export const DynamicSecretKubernetesSchema = z
         message: "When auth method is set to Gateway, a gateway must be selected"
       });
     }
-    if ((data.authMethod === KubernetesAuthMethod.Api || !data.authMethod) && !data.clusterToken) {
-      ctx.addIssue({
-        path: ["clusterToken"],
-        code: z.ZodIssueCode.custom,
-        message: "When auth method is set to Manual Token, a cluster token must be provided"
-      });
+    if (data.authMethod === KubernetesAuthMethod.Api || !data.authMethod) {
+      if (!data.clusterToken) {
+        ctx.addIssue({
+          path: ["clusterToken"],
+          code: z.ZodIssueCode.custom,
+          message: "When auth method is set to Token, a cluster token must be provided"
+        });
+      }
+      if (!data.url) {
+        ctx.addIssue({
+          path: ["url"],
+          code: z.ZodIssueCode.custom,
+          message: "When auth method is set to Token, a cluster URL must be provided"
+        });
+      }
     }
   });
 
@@ -426,6 +470,10 @@ export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
   })
 ]);
 
+export const DynamicSecretGcpIamSchema = z.object({
+  serviceAccountEmail: z.string().email().trim().min(1, "Service account email required").max(128)
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -443,7 +491,8 @@ export enum DynamicSecretProviders {
   Totp = "totp",
   SapAse = "sap-ase",
   Kubernetes = "kubernetes",
-  Vertica = "vertica"
+  Vertica = "vertica",
+  GcpIam = "gcp-iam"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -463,7 +512,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema })
 ]);
 
 export type TDynamicProviderFns = {
@@ -475,10 +525,16 @@ export type TDynamicProviderFns = {
       name: string;
     };
     metadata: { projectId: string };
+    config?: TDynamicSecretLeaseConfig;
   }) => Promise<{ entityId: string; data: unknown }>;
   validateConnection: (inputs: unknown, metadata: { projectId: string }) => Promise<boolean>;
   validateProviderInputs: (inputs: object, metadata: { projectId: string }) => Promise<unknown>;
-  revoke: (inputs: unknown, entityId: string, metadata: { projectId: string }) => Promise<{ entityId: string }>;
+  revoke: (
+    inputs: unknown,
+    entityId: string,
+    metadata: { projectId: string },
+    config?: TDynamicSecretLeaseConfig
+  ) => Promise<{ entityId: string }>;
   renew: (
     inputs: unknown,
     entityId: string,

backend/src/ee/services/group/group-dal.ts

@@ -169,11 +169,29 @@ export const groupDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await (tx || db.replicaNode())(TableName.Groups)
+        .leftJoin(TableName.OrgRoles, `${TableName.Groups}.roleId`, `${TableName.OrgRoles}.id`)
+        .where(`${TableName.Groups}.id`, id)
+        .select(
+          selectAllTableCols(TableName.Groups),
+          db.ref("slug").as("customRoleSlug").withSchema(TableName.OrgRoles)
+        )
+        .first();
+
+      return doc;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by id" });
+    }
+  };
+
   return {
+    ...groupOrm,
     findGroups,
     findByOrgId,
     findAllGroupPossibleMembers,
     findGroupsByProjectId,
-    ...groupOrm
+    findById
   };
 };

backend/src/ee/services/secret-rotation-v2/azure-client-secret/azure-client-secret-rotation-fns.ts

@@ -101,10 +101,56 @@ export const azureClientSecretRotationFactory: TRotationFactory<
     }
   };
 
+  /**
+   * Checks if a credential with the given keyId exists.
+   */
+  const credentialExists = async (keyId: string): Promise<boolean> => {
+    const accessToken = await getAzureConnectionAccessToken(connection.id, appConnectionDAL, kmsService);
+    const endpoint = `${GRAPH_API_BASE}/applications/${objectId}/passwordCredentials`;
+
+    try {
+      const { data } = await request.get<{ value: Array<{ keyId: string }> }>(endpoint, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json"
+        }
+      });
+
+      return data.value?.some((credential) => credential.keyId === keyId) || false;
+    } catch (error: unknown) {
+      if (error instanceof AxiosError) {
+        let message;
+        if (
+          error.response?.data &&
+          typeof error.response.data === "object" &&
+          "error" in error.response.data &&
+          typeof (error.response.data as AzureErrorResponse).error.message === "string"
+        ) {
+          message = (error.response.data as AzureErrorResponse).error.message;
+        }
+        throw new BadRequestError({
+          message: `Failed to check credential existence for app ${objectId}: ${
+            message || error.message || "Unknown error"
+          }`
+        });
+      }
+      throw new BadRequestError({
+        message: "Unable to validate connection: verify credentials"
+      });
+    }
+  };
+
   /**
    * Revokes a client secret from the Azure app using its keyId.
+   * First checks if the credential exists before attempting revocation.
    */
   const revokeCredential = async (keyId: string) => {
+    // Check if credential exists before attempting revocation
+    const exists = await credentialExists(keyId);
+    if (!exists) {
+      return; // Credential doesn't exist, nothing to revoke
+    }
+
     const accessToken = await getAzureConnectionAccessToken(connection.id, appConnectionDAL, kmsService);
     const endpoint = `${GRAPH_API_BASE}/applications/${objectId}/removePassword`;
 

backend/src/ee/services/secret-rotation-v2/oracledb-credentials/index.ts

@@ -0,0 +1,3 @@
+export * from "./oracledb-credentials-rotation-constants";
+export * from "./oracledb-credentials-rotation-schemas";
+export * from "./oracledb-credentials-rotation-types";

backend/src/ee/services/secret-rotation-v2/oracledb-credentials/oracledb-credentials-rotation-constants.ts

@@ -0,0 +1,20 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "OracleDB Credentials",
+  type: SecretRotation.OracleDBCredentials,
+  connection: AppConnection.OracleDB,
+  template: {
+    createUserStatement: `-- create user
+CREATE USER INFISICAL_USER IDENTIFIED BY "temporary_password";
+
+-- grant all privileges
+GRANT ALL PRIVILEGES TO INFISICAL_USER;`,
+    secretsMapping: {
+      username: "ORACLEDB_USERNAME",
+      password: "ORACLEDB_PASSWORD"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/oracledb-credentials/oracledb-credentials-rotation-schemas.ts

@@ -0,0 +1,41 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import {
+  SqlCredentialsRotationParametersSchema,
+  SqlCredentialsRotationSecretsMappingSchema,
+  SqlCredentialsRotationTemplateSchema
+} from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OracleDBCredentialsRotationSchema = BaseSecretRotationSchema(SecretRotation.OracleDBCredentials).extend({
+  type: z.literal(SecretRotation.OracleDBCredentials),
+  parameters: SqlCredentialsRotationParametersSchema,
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
+});
+
+export const CreateOracleDBCredentialsRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.OracleDBCredentials
+).extend({
+  parameters: SqlCredentialsRotationParametersSchema,
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
+});
+
+export const UpdateOracleDBCredentialsRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.OracleDBCredentials
+).extend({
+  parameters: SqlCredentialsRotationParametersSchema.optional(),
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema.optional()
+});
+
+export const OracleDBCredentialsRotationListItemSchema = z.object({
+  name: z.literal("OracleDB Credentials"),
+  connection: z.literal(AppConnection.OracleDB),
+  type: z.literal(SecretRotation.OracleDBCredentials),
+  template: SqlCredentialsRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/oracledb-credentials/oracledb-credentials-rotation-types.ts

@@ -0,0 +1,18 @@
+import { z } from "zod";
+
+import { TOracleDBConnection } from "../../app-connections/oracledb";
+import {
+  CreateOracleDBCredentialsRotationSchema,
+  OracleDBCredentialsRotationListItemSchema,
+  OracleDBCredentialsRotationSchema
+} from "./oracledb-credentials-rotation-schemas";
+
+export type TOracleDBCredentialsRotation = z.infer<typeof OracleDBCredentialsRotationSchema>;
+
+export type TOracleDBCredentialsRotationInput = z.infer<typeof CreateOracleDBCredentialsRotationSchema>;
+
+export type TOracleDBCredentialsRotationListItem = z.infer<typeof OracleDBCredentialsRotationListItemSchema>;
+
+export type TOracleDBCredentialsRotationWithConnection = TOracleDBCredentialsRotation & {
+  connection: TOracleDBConnection;
+};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -2,6 +2,7 @@ export enum SecretRotation {
   PostgresCredentials = "postgres-credentials",
   MsSqlCredentials = "mssql-credentials",
   MySqlCredentials = "mysql-credentials",
+  OracleDBCredentials = "oracledb-credentials",
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -10,6 +10,7 @@ import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret"
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
+import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
 import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
@@ -25,6 +26,7 @@ const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2List
   [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.MySqlCredentials]: MYSQL_CREDENTIALS_ROTATION_LIST_OPTION,
+  [SecretRotation.OracleDBCredentials]: ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -5,6 +5,7 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
   [SecretRotation.MsSqlCredentials]: "Microsoft SQL Server Credentials",
   [SecretRotation.MySqlCredentials]: "MySQL Credentials",
+  [SecretRotation.OracleDBCredentials]: "OracleDB Credentials",
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
@@ -15,6 +16,7 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
   [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
   [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
   [SecretRotation.MySqlCredentials]: AppConnection.MySql,
+  [SecretRotation.OracleDBCredentials]: AppConnection.OracleDB,
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -123,6 +123,7 @@ const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplem
   [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.MySqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.OracleDBCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -45,6 +45,12 @@ import {
   TMySqlCredentialsRotationListItem,
   TMySqlCredentialsRotationWithConnection
 } from "./mysql-credentials";
+import {
+  TOracleDBCredentialsRotation,
+  TOracleDBCredentialsRotationInput,
+  TOracleDBCredentialsRotationListItem,
+  TOracleDBCredentialsRotationWithConnection
+} from "./oracledb-credentials";
 import {
   TPostgresCredentialsRotation,
   TPostgresCredentialsRotationInput,
@@ -58,6 +64,7 @@ export type TSecretRotationV2 =
   | TPostgresCredentialsRotation
   | TMsSqlCredentialsRotation
   | TMySqlCredentialsRotation
+  | TOracleDBCredentialsRotation
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
@@ -67,6 +74,7 @@ export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
   | TMsSqlCredentialsRotationWithConnection
   | TMySqlCredentialsRotationWithConnection
+  | TOracleDBCredentialsRotationWithConnection
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
@@ -83,6 +91,7 @@ export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
   | TMsSqlCredentialsRotationInput
   | TMySqlCredentialsRotationInput
+  | TOracleDBCredentialsRotationInput
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
@@ -92,6 +101,7 @@ export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
   | TMsSqlCredentialsRotationListItem
   | TMySqlCredentialsRotationListItem
+  | TOracleDBCredentialsRotationListItem
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -1,18 +1,19 @@
 import { z } from "zod";
 
 import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
+import { AwsIamUserSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
 import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OracleDBCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
-import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
-
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationSchema,
   MsSqlCredentialsRotationSchema,
   MySqlCredentialsRotationSchema,
+  OracleDBCredentialsRotationSchema,
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types.ts

@@ -2,14 +2,15 @@ import { z } from "zod";
 
 import { TMsSqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { TMySqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { TOracleDBCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { TPostgresCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
-
-import { SqlCredentialsRotationGeneratedCredentialsSchema } from "./sql-credentials-rotation-schemas";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-schemas";
 
 export type TSqlCredentialsRotationWithConnection =
   | TPostgresCredentialsRotationWithConnection
   | TMsSqlCredentialsRotationWithConnection
-  | TMySqlCredentialsRotationWithConnection;
+  | TMySqlCredentialsRotationWithConnection
+  | TOracleDBCredentialsRotationWithConnection;
 
 export type TSqlCredentialsRotationGeneratedCredentials = z.infer<
   typeof SqlCredentialsRotationGeneratedCredentialsSchema

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -178,6 +178,13 @@ export const getDbSetQuery = (db: TDbProviderClients, variables: { username: str
     };
   }
 
+  if (db === TDbProviderClients.OracleDB) {
+    return {
+      query: `ALTER USER ?? IDENTIFIED BY "${variables.password}"`,
+      variables: [variables.username]
+    };
+  }
+
   // add more based on client
   return {
     query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,

backend/src/ee/services/secret-rotation/templates/types.ts

@@ -10,7 +10,8 @@ export enum TDbProviderClients {
   // mysql and maria db
   MySql = "mysql",
 
-  MsSqlServer = "mssql"
+  MsSqlServer = "mssql",
+  OracleDB = "oracledb"
 }
 
 export enum TAwsProviderSystems {

backend/src/lib/api-docs/constants.ts

@@ -21,6 +21,7 @@ export enum ApiDocsTags {
   TokenAuth = "Token Auth",
   UniversalAuth = "Universal Auth",
   GcpAuth = "GCP Auth",
+  AliCloudAuth = "Alibaba Cloud Auth",
   AwsAuth = "AWS Auth",
   OciAuth = "OCI Auth",
   AzureAuth = "Azure Auth",
@@ -243,6 +244,43 @@ export const LDAP_AUTH = {
   }
 } as const;
 
+export const ALICLOUD_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    Action: "The Alibaba Cloud API action. For STS GetCallerIdentity, this should be 'GetCallerIdentity'.",
+    Format: "The response format. For STS GetCallerIdentity, this should be 'JSON'.",
+    Version: "The API version. This should be in 'YYYY-MM-DD' format (e.g., '2015-04-01').",
+    AccessKeyId: "The AccessKey ID of the RAM user or STS token.",
+    SignatureMethod: "The signature algorithm. For STS GetCallerIdentity, this should be 'HMAC-SHA1'.",
+    Timestamp: "The timestamp of the request in UTC, formatted as 'YYYY-MM-DDTHH:mm:ssZ'.",
+    SignatureVersion: "The signature version. For STS GetCallerIdentity, this should be '1.0'.",
+    SignatureNonce: "A unique random string to prevent replay attacks.",
+    Signature: "The signature string calculated based on the request parameters and AccessKey Secret."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    allowedArns: "The comma-separated list of trusted ARNs that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    allowedArns: "The comma-separated list of trusted ARNs that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
 export const AWS_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login.",
@@ -1113,6 +1151,14 @@ export const DYNAMIC_SECRET_LEASES = {
     leaseId: "The ID of the dynamic secret lease.",
     isForced:
       "A boolean flag to delete the the dynamic secret from Infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
+  },
+  KUBERNETES: {
+    CREATE: {
+      config: {
+        namespace:
+          "The Kubernetes namespace to create the lease in. If not specified, the first namespace defined in the configuration will be used."
+      }
+    }
   }
 } as const;
 export const SECRET_TAGS = {
@@ -2162,6 +2208,11 @@ export const AppConnections = {
       code: "The OAuth code to use to connect with Azure Client Secrets.",
       tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
     },
+    AZURE_DEVOPS: {
+      code: "The OAuth code to use to connect with Azure DevOps.",
+      tenantId: "The Tenant ID to use to connect with Azure DevOps.",
+      orgName: "The Organization name to use to connect with Azure DevOps."
+    },
     OCI: {
       userOcid: "The OCID (Oracle Cloud Identifier) of the user making the request.",
       tenancyOcid: "The OCID (Oracle Cloud Identifier) of the tenancy in Oracle Cloud Infrastructure.",
@@ -2276,6 +2327,10 @@ export const SecretSyncs = {
         "The URL of the Azure App Configuration to sync secrets to. Example: https://example.azconfig.io/",
       label: "An optional label to assign to secrets created in Azure App Configuration."
     },
+    AZURE_DEVOPS: {
+      devopsProjectId: "The ID of the Azure DevOps project to sync secrets to.",
+      devopsProjectName: "The name of the Azure DevOps project to sync secrets to."
+    },
     GCP: {
       scope: "The Google project scope that secrets should be synced to.",
       projectId: "The ID of the Google project secrets should be synced to.",

backend/src/server/routes/index.ts

@@ -172,6 +172,8 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { identityAliCloudAuthDALFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-dal";
+import { identityAliCloudAuthServiceFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-service";
 import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
 import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
@@ -383,6 +385,7 @@ export const registerRoutes = async (
   const identityUaDAL = identityUaDALFactory(db);
   const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
+  const identityAliCloudAuthDAL = identityAliCloudAuthDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
   const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
   const identityOciAuthDAL = identityOciAuthDALFactory(db);
@@ -1482,6 +1485,14 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const identityAliCloudAuthService = identityAliCloudAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityAliCloudAuthDAL,
+    identityOrgMembershipDAL,
+    licenseService,
+    permissionService
+  });
+
   const identityAwsAuthService = identityAwsAuthServiceFactory({
     identityAccessTokenDAL,
     identityAwsAuthDAL,
@@ -1931,6 +1942,7 @@ export const registerRoutes = async (
     identityUa: identityUaService,
     identityKubernetesAuth: identityKubernetesAuthService,
     identityGcpAuth: identityGcpAuthService,
+    identityAliCloudAuth: identityAliCloudAuthService,
     identityAwsAuth: identityAwsAuthService,
     identityAzureAuth: identityAzureAuthService,
     identityOciAuth: identityOciAuthService,

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -1,6 +1,10 @@
 import { z } from "zod";
 
 import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/ee/services/app-connections/oci";
+import {
+  OracleDBConnectionListItemSchema,
+  SanitizedOracleDBConnectionSchema
+} from "@app/ee/services/app-connections/oracledb";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -19,6 +23,10 @@ import {
   AzureClientSecretsConnectionListItemSchema,
   SanitizedAzureClientSecretsConnectionSchema
 } from "@app/services/app-connection/azure-client-secrets";
+import {
+  AzureDevOpsConnectionListItemSchema,
+  SanitizedAzureDevOpsConnectionSchema
+} from "@app/services/app-connection/azure-devops/azure-devops-schemas";
 import {
   AzureKeyVaultConnectionListItemSchema,
   SanitizedAzureKeyVaultConnectionSchema
@@ -75,6 +83,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedGcpConnectionSchema.options,
   ...SanitizedAzureKeyVaultConnectionSchema.options,
   ...SanitizedAzureAppConfigurationConnectionSchema.options,
+  ...SanitizedAzureDevOpsConnectionSchema.options,
   ...SanitizedDatabricksConnectionSchema.options,
   ...SanitizedHumanitecConnectionSchema.options,
   ...SanitizedTerraformCloudConnectionSchema.options,
@@ -90,6 +99,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedLdapConnectionSchema.options,
   ...SanitizedTeamCityConnectionSchema.options,
   ...SanitizedOCIConnectionSchema.options,
+  ...SanitizedOracleDBConnectionSchema.options,
   ...SanitizedOnePassConnectionSchema.options
 ]);
 
@@ -100,6 +110,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   GcpConnectionListItemSchema,
   AzureKeyVaultConnectionListItemSchema,
   AzureAppConfigurationConnectionListItemSchema,
+  AzureDevOpsConnectionListItemSchema,
   DatabricksConnectionListItemSchema,
   HumanitecConnectionListItemSchema,
   TerraformCloudConnectionListItemSchema,
@@ -115,6 +126,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   LdapConnectionListItemSchema,
   TeamCityConnectionListItemSchema,
   OCIConnectionListItemSchema,
+  OracleDBConnectionListItemSchema,
   OnePassConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/azure-devops-connection-router.ts

@@ -0,0 +1,49 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateAzureDevOpsConnectionSchema,
+  SanitizedAzureDevOpsConnectionSchema,
+  UpdateAzureDevOpsConnectionSchema
+} from "@app/services/app-connection/azure-devops/azure-devops-schemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerAzureDevOpsConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.AzureDevOps,
+    server,
+    sanitizedResponseSchema: SanitizedAzureDevOpsConnectionSchema,
+    createSchema: CreateAzureDevOpsConnectionSchema,
+    updateSchema: UpdateAzureDevOpsConnectionSchema
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          projects: z.object({ name: z.string(), id: z.string(), appId: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.azureDevOps.listProjects(connectionId, req.permission);
+
+      return { projects };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,4 +1,5 @@
 import { registerOCIConnectionRouter } from "@app/ee/routes/v1/app-connection-routers/oci-connection-router";
+import { registerOracleDBConnectionRouter } from "@app/ee/routes/v1/app-connection-routers/oracledb-connection-router";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
 import { registerOnePassConnectionRouter } from "./1password-connection-router";
@@ -6,6 +7,7 @@ import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
 import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secrets-connection-router";
+import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
@@ -34,6 +36,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
     [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
     [AppConnection.AzureClientSecrets]: registerAzureClientSecretsConnectionRouter,
+    [AppConnection.AzureDevOps]: registerAzureDevOpsConnectionRouter,
     [AppConnection.Databricks]: registerDatabricksConnectionRouter,
     [AppConnection.Humanitec]: registerHumanitecConnectionRouter,
     [AppConnection.TerraformCloud]: registerTerraformCloudConnectionRouter,
@@ -48,5 +51,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.LDAP]: registerLdapConnectionRouter,
     [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
     [AppConnection.OCI]: registerOCIConnectionRouter,
+    [AppConnection.OracleDB]: registerOracleDBConnectionRouter,
     [AppConnection.OnePass]: registerOnePassConnectionRouter
   };

backend/src/server/routes/v1/identity-alicloud-auth-router.ts

@@ -0,0 +1,381 @@
+import RE2 from "re2";
+import { z } from "zod";
+
+import { IdentityAlicloudAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ALICLOUD_AUTH, ApiDocsTags } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateArns } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
+
+export const registerIdentityAliCloudAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/alicloud-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AliCloudAuth],
+      description: "Login with Alibaba Cloud Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(ALICLOUD_AUTH.LOGIN.identityId),
+        Action: z.enum(["GetCallerIdentity"]).describe(ALICLOUD_AUTH.LOGIN.Action),
+        Format: z.enum(["JSON"]).describe(ALICLOUD_AUTH.LOGIN.Format),
+        Version: z
+          .string()
+          .refine((val) => new RE2("^\\d{4}-\\d{2}-\\d{2}$").test(val), {
+            message: "Version must be in YYYY-MM-DD format"
+          })
+          .describe(ALICLOUD_AUTH.LOGIN.Version),
+        AccessKeyId: z
+          .string()
+          .refine((val) => new RE2("^[A-Za-z0-9]+$").test(val), {
+            message: "AccessKeyId must be alphanumeric"
+          })
+          .describe(ALICLOUD_AUTH.LOGIN.AccessKeyId),
+        SignatureMethod: z.enum(["HMAC-SHA1"]).describe(ALICLOUD_AUTH.LOGIN.SignatureMethod),
+        Timestamp: z
+          .string()
+          .datetime({
+            message: "Timestamp must be in YYYY-MM-DDTHH:mm:ssZ format"
+          })
+          .refine((val) => val.endsWith("Z"), {
+            message: "Timestamp must be in YYYY-MM-DDTHH:mm:ssZ format"
+          })
+          .describe(ALICLOUD_AUTH.LOGIN.Timestamp),
+        SignatureVersion: z.enum(["1.0"]).describe(ALICLOUD_AUTH.LOGIN.SignatureVersion),
+        SignatureNonce: z
+          .string()
+          .refine((val) => new RE2("^[a-zA-Z0-9-_.]+$").test(val), {
+            message:
+              "SignatureNonce must be at least 1 character long and contain only URL-safe characters (alphanumeric, -, _, .)"
+          })
+          .describe(ALICLOUD_AUTH.LOGIN.SignatureNonce),
+        Signature: z
+          .string()
+          .refine((val) => new RE2("^[A-Za-z0-9+/=]+$").test(val), {
+            message: "Signature must be base64 characters"
+          })
+          .describe(ALICLOUD_AUTH.LOGIN.Signature)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityAliCloudAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAliCloudAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_ALICLOUD_AUTH,
+          metadata: {
+            identityId: identityAliCloudAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityAliCloudAuthId: identityAliCloudAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityAliCloudAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAliCloudAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/alicloud-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AliCloudAuth],
+      description: "Attach Alibaba Cloud Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(ALICLOUD_AUTH.ATTACH.identityId)
+      }),
+      body: z
+        .object({
+          allowedArns: validateArns.describe(ALICLOUD_AUTH.ATTACH.allowedArns),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(ALICLOUD_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(ALICLOUD_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(ALICLOUD_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(ALICLOUD_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityAliCloudAuth: IdentityAlicloudAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAliCloudAuth = await server.services.identityAliCloudAuth.attachAliCloudAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAliCloudAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_ALICLOUD_AUTH,
+          metadata: {
+            identityId: identityAliCloudAuth.identityId,
+            allowedArns: identityAliCloudAuth.allowedArns,
+            accessTokenTTL: identityAliCloudAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAliCloudAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAliCloudAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAliCloudAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAliCloudAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/alicloud-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AliCloudAuth],
+      description: "Update Alibaba Cloud Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(ALICLOUD_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          allowedArns: validateArns.describe(ALICLOUD_AUTH.UPDATE.allowedArns),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(ALICLOUD_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(ALICLOUD_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(ALICLOUD_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(ALICLOUD_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityAliCloudAuth: IdentityAlicloudAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAliCloudAuth = await server.services.identityAliCloudAuth.updateAliCloudAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        allowedArns: req.body.allowedArns
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAliCloudAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_ALICLOUD_AUTH,
+          metadata: {
+            identityId: identityAliCloudAuth.identityId,
+            allowedArns: identityAliCloudAuth.allowedArns,
+            accessTokenTTL: identityAliCloudAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAliCloudAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAliCloudAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAliCloudAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAliCloudAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/alicloud-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AliCloudAuth],
+      description: "Retrieve Alibaba Cloud Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(ALICLOUD_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAliCloudAuth: IdentityAlicloudAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAliCloudAuth = await server.services.identityAliCloudAuth.getAliCloudAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAliCloudAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_ALICLOUD_AUTH,
+          metadata: {
+            identityId: identityAliCloudAuth.identityId
+          }
+        }
+      });
+      return { identityAliCloudAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/alicloud-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.AliCloudAuth],
+      description: "Delete Alibaba Cloud Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(ALICLOUD_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAliCloudAuth: IdentityAlicloudAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAliCloudAuth = await server.services.identityAliCloudAuth.revokeIdentityAliCloudAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAliCloudAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_ALICLOUD_AUTH,
+          metadata: {
+            identityId: identityAliCloudAuth.identityId
+          }
+        }
+      });
+
+      return { identityAliCloudAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -15,6 +15,7 @@ import { registerCertRouter } from "./certificate-router";
 import { registerCertificateTemplateRouter } from "./certificate-template-router";
 import { registerExternalGroupOrgRoleMappingRouter } from "./external-group-org-role-mapping-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
+import { registerIdentityAliCloudAuthRouter } from "./identity-alicloud-auth-router";
 import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
@@ -63,6 +64,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerIdentityKubernetesRouter);
       await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
+      await authRouter.register(registerIdentityAliCloudAuthRouter);
       await authRouter.register(registerIdentityAwsAuthRouter);
       await authRouter.register(registerIdentityAzureAuthRouter);
       await authRouter.register(registerIdentityOciAuthRouter);

backend/src/server/routes/v1/secret-sync-routers/azure-devops-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  AzureDevOpsSyncSchema,
+  CreateAzureDevOpsSyncSchema,
+  UpdateAzureDevOpsSyncSchema
+} from "@app/services/secret-sync/azure-devops";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerAzureDevOpsSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.AzureDevOps,
+    server,
+    responseSchema: AzureDevOpsSyncSchema,
+    createSchema: CreateAzureDevOpsSyncSchema,
+    updateSchema: UpdateAzureDevOpsSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -5,6 +5,7 @@ import { registerOnePassSyncRouter } from "./1password-sync-router";
 import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
 import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-router";
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
+import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
@@ -26,6 +27,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.GCPSecretManager]: registerGcpSyncRouter,
   [SecretSync.AzureKeyVault]: registerAzureKeyVaultSyncRouter,
   [SecretSync.AzureAppConfiguration]: registerAzureAppConfigurationSyncRouter,
+  [SecretSync.AzureDevOps]: registerAzureDevOpsSyncRouter,
   [SecretSync.Databricks]: registerDatabricksSyncRouter,
   [SecretSync.Humanitec]: registerHumanitecSyncRouter,
   [SecretSync.TerraformCloud]: registerTerraformCloudSyncRouter,

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -19,6 +19,7 @@ import {
   AzureAppConfigurationSyncListItemSchema,
   AzureAppConfigurationSyncSchema
 } from "@app/services/secret-sync/azure-app-configuration";
+import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
@@ -38,6 +39,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   GcpSyncSchema,
   AzureKeyVaultSyncSchema,
   AzureAppConfigurationSyncSchema,
+  AzureDevOpsSyncSchema,
   DatabricksSyncSchema,
   HumanitecSyncSchema,
   TerraformCloudSyncSchema,
@@ -57,6 +59,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   GcpSyncListItemSchema,
   AzureKeyVaultSyncListItemSchema,
   AzureAppConfigurationSyncListItemSchema,
+  AzureDevOpsSyncListItemSchema,
   DatabricksSyncListItemSchema,
   HumanitecSyncListItemSchema,
   TerraformCloudSyncListItemSchema,

backend/src/services/app-connection/app-connection-enums.ts

@@ -7,6 +7,7 @@ export enum AppConnection {
   AzureKeyVault = "azure-key-vault",
   AzureAppConfiguration = "azure-app-configuration",
   AzureClientSecrets = "azure-client-secrets",
+  AzureDevOps = "azure-devops",
   Humanitec = "humanitec",
   TerraformCloud = "terraform-cloud",
   Vercel = "vercel",
@@ -20,6 +21,7 @@ export enum AppConnection {
   LDAP = "ldap",
   TeamCity = "teamcity",
   OCI = "oci",
+  OracleDB = "oracledb",
   OnePass = "1password"
 }
 

backend/src/services/app-connection/app-connection-fns.ts

@@ -4,6 +4,7 @@ import {
   OCIConnectionMethod,
   validateOCIConnectionCredentials
 } from "@app/ee/services/app-connections/oci";
+import { getOracleDBConnectionListItem, OracleDBConnectionMethod } from "@app/ee/services/app-connections/oracledb";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
@@ -39,6 +40,11 @@ import {
   getAzureClientSecretsConnectionListItem,
   validateAzureClientSecretsConnectionCredentials
 } from "./azure-client-secrets";
+import { AzureDevOpsConnectionMethod } from "./azure-devops/azure-devops-enums";
+import {
+  getAzureDevopsConnectionListItem,
+  validateAzureDevOpsConnectionCredentials
+} from "./azure-devops/azure-devops-fns";
 import {
   AzureKeyVaultConnectionMethod,
   getAzureKeyVaultConnectionListItem,
@@ -98,6 +104,7 @@ export const listAppConnectionOptions = () => {
     getGcpConnectionListItem(),
     getAzureKeyVaultConnectionListItem(),
     getAzureAppConfigurationConnectionListItem(),
+    getAzureDevopsConnectionListItem(),
     getDatabricksConnectionListItem(),
     getHumanitecConnectionListItem(),
     getTerraformCloudConnectionListItem(),
@@ -113,6 +120,7 @@ export const listAppConnectionOptions = () => {
     getLdapConnectionListItem(),
     getTeamCityConnectionListItem(),
     getOCIConnectionListItem(),
+    getOracleDBConnectionListItem(),
     getOnePassConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -173,6 +181,7 @@ export const validateAppConnectionCredentials = async (
       validateAzureAppConfigurationConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.AzureClientSecrets]:
       validateAzureClientSecretsConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.AzureDevOps]: validateAzureDevOpsConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -186,6 +195,7 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.LDAP]: validateLdapConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.OracleDB]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
@@ -201,6 +211,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case AzureAppConfigurationConnectionMethod.OAuth:
     case AzureClientSecretsConnectionMethod.OAuth:
     case GitHubConnectionMethod.OAuth:
+    case AzureDevOpsConnectionMethod.OAuth:
       return "OAuth";
     case AwsConnectionMethod.AccessKey:
     case OCIConnectionMethod.AccessKey:
@@ -221,10 +232,12 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
     case MySqlConnectionMethod.UsernameAndPassword:
+    case OracleDBConnectionMethod.UsernameAndPassword:
       return "Username & Password";
     case WindmillConnectionMethod.AccessToken:
     case HCVaultConnectionMethod.AccessToken:
     case TeamCityConnectionMethod.AccessToken:
+    case AzureDevOpsConnectionMethod.AccessToken:
       return "Access Token";
     case Auth0ConnectionMethod.ClientCredentials:
       return "Client Credentials";
@@ -270,6 +283,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.GCP]: platformManagedCredentialsNotSupported,
   [AppConnection.AzureKeyVault]: platformManagedCredentialsNotSupported,
   [AppConnection.AzureAppConfiguration]: platformManagedCredentialsNotSupported,
+  [AppConnection.AzureDevOps]: platformManagedCredentialsNotSupported,
   [AppConnection.Humanitec]: platformManagedCredentialsNotSupported,
   [AppConnection.Postgres]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
   [AppConnection.MsSql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
@@ -284,6 +298,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.LDAP]: platformManagedCredentialsNotSupported, // we could support this in the future
   [AppConnection.TeamCity]: platformManagedCredentialsNotSupported,
   [AppConnection.OCI]: platformManagedCredentialsNotSupported,
+  [AppConnection.OracleDB]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
   [AppConnection.OnePass]: platformManagedCredentialsNotSupported
 };
 

backend/src/services/app-connection/app-connection-maps.ts

@@ -8,6 +8,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.AzureKeyVault]: "Azure Key Vault",
   [AppConnection.AzureAppConfiguration]: "Azure App Configuration",
   [AppConnection.AzureClientSecrets]: "Azure Client Secrets",
+  [AppConnection.AzureDevOps]: "Azure DevOps",
   [AppConnection.Databricks]: "Databricks",
   [AppConnection.Humanitec]: "Humanitec",
   [AppConnection.TerraformCloud]: "Terraform Cloud",
@@ -22,6 +23,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.LDAP]: "LDAP",
   [AppConnection.TeamCity]: "TeamCity",
   [AppConnection.OCI]: "OCI",
+  [AppConnection.OracleDB]: "OracleDB",
   [AppConnection.OnePass]: "1Password"
 };
 
@@ -33,6 +35,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.AzureKeyVault]: AppConnectionPlanType.Regular,
   [AppConnection.AzureAppConfiguration]: AppConnectionPlanType.Regular,
   [AppConnection.AzureClientSecrets]: AppConnectionPlanType.Regular,
+  [AppConnection.AzureDevOps]: AppConnectionPlanType.Regular,
   [AppConnection.Databricks]: AppConnectionPlanType.Regular,
   [AppConnection.Humanitec]: AppConnectionPlanType.Regular,
   [AppConnection.TerraformCloud]: AppConnectionPlanType.Regular,
@@ -46,6 +49,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.LDAP]: AppConnectionPlanType.Regular,
   [AppConnection.TeamCity]: AppConnectionPlanType.Regular,
   [AppConnection.OCI]: AppConnectionPlanType.Enterprise,
+  [AppConnection.OracleDB]: AppConnectionPlanType.Enterprise,
   [AppConnection.OnePass]: AppConnectionPlanType.Regular,
   [AppConnection.MySql]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -2,6 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 
 import { ValidateOCIConnectionCredentialsSchema } from "@app/ee/services/app-connections/oci";
 import { ociConnectionService } from "@app/ee/services/app-connections/oci/oci-connection-service";
+import { ValidateOracleDBConnectionCredentialsSchema } from "@app/ee/services/app-connections/oracledb";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -41,6 +42,8 @@ import { awsConnectionService } from "./aws/aws-connection-service";
 import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
 import { ValidateAzureClientSecretsConnectionCredentialsSchema } from "./azure-client-secrets";
 import { azureClientSecretsConnectionService } from "./azure-client-secrets/azure-client-secrets-service";
+import { ValidateAzureDevOpsConnectionCredentialsSchema } from "./azure-devops/azure-devops-schemas";
+import { azureDevOpsConnectionService } from "./azure-devops/azure-devops-service";
 import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
 import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
 import { camundaConnectionService } from "./camunda/camunda-connection-service";
@@ -84,6 +87,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema,
   [AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
   [AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
+  [AppConnection.AzureDevOps]: ValidateAzureDevOpsConnectionCredentialsSchema,
   [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
   [AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema,
   [AppConnection.TerraformCloud]: ValidateTerraformCloudConnectionCredentialsSchema,
@@ -99,6 +103,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.LDAP]: ValidateLdapConnectionCredentialsSchema,
   [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema,
   [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema,
+  [AppConnection.OracleDB]: ValidateOracleDBConnectionCredentialsSchema,
   [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema
 };
 
@@ -498,6 +503,7 @@ export const appConnectionServiceFactory = ({
     camunda: camundaConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     vercel: vercelConnectionService(connectAppConnectionById),
     azureClientSecrets: azureClientSecretsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
+    azureDevOps: azureDevOpsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     hcvault: hcVaultConnectionService(connectAppConnectionById),
     windmill: windmillConnectionService(connectAppConnectionById),

backend/src/services/app-connection/app-connection-types.ts

@@ -4,6 +4,11 @@ import {
   TOCIConnectionInput,
   TValidateOCIConnectionCredentialsSchema
 } from "@app/ee/services/app-connections/oci";
+import {
+  TOracleDBConnection,
+  TOracleDBConnectionInput,
+  TValidateOracleDBConnectionCredentialsSchema
+} from "@app/ee/services/app-connections/oracledb";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { TSqlConnectionConfig } from "@app/services/app-connection/shared/sql/sql-connection-types";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
@@ -39,6 +44,12 @@ import {
   TAzureClientSecretsConnectionInput,
   TValidateAzureClientSecretsConnectionCredentialsSchema
 } from "./azure-client-secrets";
+import {
+  TAzureDevOpsConnection,
+  TAzureDevOpsConnectionConfig,
+  TAzureDevOpsConnectionInput,
+  TValidateAzureDevOpsConnectionCredentialsSchema
+} from "./azure-devops/azure-devops-types";
 import {
   TAzureKeyVaultConnection,
   TAzureKeyVaultConnectionConfig,
@@ -132,6 +143,7 @@ export type TAppConnection = { id: string } & (
   | TGcpConnection
   | TAzureKeyVaultConnection
   | TAzureAppConfigurationConnection
+  | TAzureDevOpsConnection
   | TDatabricksConnection
   | THumanitecConnection
   | TTerraformCloudConnection
@@ -147,12 +159,13 @@ export type TAppConnection = { id: string } & (
   | TLdapConnection
   | TTeamCityConnection
   | TOCIConnection
+  | TOracleDBConnection
   | TOnePassConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
 
-export type TSqlConnection = TPostgresConnection | TMsSqlConnection | TMySqlConnection;
+export type TSqlConnection = TPostgresConnection | TMsSqlConnection | TMySqlConnection | TOracleDBConnection;
 
 export type TAppConnectionInput = { id: string } & (
   | TAwsConnectionInput
@@ -161,6 +174,7 @@ export type TAppConnectionInput = { id: string } & (
   | TGcpConnectionInput
   | TAzureKeyVaultConnectionInput
   | TAzureAppConfigurationConnectionInput
+  | TAzureDevOpsConnectionInput
   | TDatabricksConnectionInput
   | THumanitecConnectionInput
   | TTerraformCloudConnectionInput
@@ -176,10 +190,15 @@ export type TAppConnectionInput = { id: string } & (
   | TLdapConnectionInput
   | TTeamCityConnectionInput
   | TOCIConnectionInput
+  | TOracleDBConnectionInput
   | TOnePassConnectionInput
 );
 
-export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput | TMySqlConnectionInput;
+export type TSqlConnectionInput =
+  | TPostgresConnectionInput
+  | TMsSqlConnectionInput
+  | TMySqlConnectionInput
+  | TOracleDBConnectionInput;
 
 export type TCreateAppConnectionDTO = Pick<
   TAppConnectionInput,
@@ -197,6 +216,7 @@ export type TAppConnectionConfig =
   | TGcpConnectionConfig
   | TAzureKeyVaultConnectionConfig
   | TAzureAppConfigurationConnectionConfig
+  | TAzureDevOpsConnectionConfig
   | TAzureClientSecretsConnectionConfig
   | TDatabricksConnectionConfig
   | THumanitecConnectionConfig
@@ -220,6 +240,7 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateAzureKeyVaultConnectionCredentialsSchema
   | TValidateAzureAppConfigurationConnectionCredentialsSchema
   | TValidateAzureClientSecretsConnectionCredentialsSchema
+  | TValidateAzureDevOpsConnectionCredentialsSchema
   | TValidateDatabricksConnectionCredentialsSchema
   | TValidateHumanitecConnectionCredentialsSchema
   | TValidatePostgresConnectionCredentialsSchema
@@ -234,6 +255,7 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateLdapConnectionCredentialsSchema
   | TValidateTeamCityConnectionCredentialsSchema
   | TValidateOCIConnectionCredentialsSchema
+  | TValidateOracleDBConnectionCredentialsSchema
   | TValidateOnePassConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {

backend/src/services/app-connection/azure-devops/azure-devops-enums.ts

@@ -0,0 +1,4 @@
+export enum AzureDevOpsConnectionMethod {
+  OAuth = "oauth",
+  AccessToken = "access-token"
+}

backend/src/services/app-connection/azure-devops/azure-devops-fns.ts

@@ -0,0 +1,269 @@
+/* eslint-disable no-case-declarations */
+import { AxiosError, AxiosResponse } from "axios";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import {
+  decryptAppConnectionCredentials,
+  encryptAppConnectionCredentials,
+  getAppConnectionMethodName
+} from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { AppConnection } from "../app-connection-enums";
+import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
+import {
+  ExchangeCodeAzureResponse,
+  TAzureDevOpsConnectionConfig,
+  TAzureDevOpsConnectionCredentials
+} from "./azure-devops-types";
+
+export const getAzureDevopsConnectionListItem = () => {
+  const { INF_APP_CONNECTION_AZURE_CLIENT_ID } = getConfig();
+
+  return {
+    name: "Azure DevOps" as const,
+    app: AppConnection.AzureDevOps as const,
+    methods: Object.values(AzureDevOpsConnectionMethod) as [
+      AzureDevOpsConnectionMethod.OAuth,
+      AzureDevOpsConnectionMethod.AccessToken
+    ],
+    oauthClientId: INF_APP_CONNECTION_AZURE_CLIENT_ID
+  };
+};
+
+export const getAzureDevopsConnection = async (
+  connectionId: string,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const appConnection = await appConnectionDAL.findById(connectionId);
+
+  if (!appConnection) {
+    throw new NotFoundError({ message: `Connection with ID '${connectionId}' not found` });
+  }
+
+  if (appConnection.app !== AppConnection.AzureDevOps) {
+    throw new BadRequestError({
+      message: `Connection with ID '${connectionId}' is not an Azure DevOps connection`
+    });
+  }
+
+  const credentials = (await decryptAppConnectionCredentials({
+    orgId: appConnection.orgId,
+    kmsService,
+    encryptedCredentials: appConnection.encryptedCredentials
+  })) as TAzureDevOpsConnectionCredentials;
+
+  // Handle different connection methods
+  switch (appConnection.method) {
+    case AzureDevOpsConnectionMethod.OAuth:
+      const appCfg = getConfig();
+      if (!appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID || !appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
+        throw new BadRequestError({
+          message: `Azure environment variables have not been configured`
+        });
+      }
+
+      if (!("refreshToken" in credentials)) {
+        throw new BadRequestError({ message: "Invalid OAuth credentials" });
+      }
+
+      const { refreshToken, tenantId } = credentials;
+      const currentTime = Date.now();
+
+      const { data } = await request.post<ExchangeCodeAzureResponse>(
+        IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
+        new URLSearchParams({
+          grant_type: "refresh_token",
+          scope: `https://app.vssps.visualstudio.com/.default`,
+          client_id: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID,
+          client_secret: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
+          refresh_token: refreshToken
+        })
+      );
+
+      const updatedCredentials = {
+        ...credentials,
+        accessToken: data.access_token,
+        expiresAt: currentTime + data.expires_in * 1000,
+        refreshToken: data.refresh_token
+      };
+
+      const encryptedCredentials = await encryptAppConnectionCredentials({
+        credentials: updatedCredentials,
+        orgId: appConnection.orgId,
+        kmsService
+      });
+
+      await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials });
+
+      return data.access_token;
+
+    case AzureDevOpsConnectionMethod.AccessToken:
+      if (!("accessToken" in credentials)) {
+        throw new BadRequestError({ message: "Invalid API token credentials" });
+      }
+      // For access token, return the basic auth token directly
+      return credentials.accessToken;
+
+    default:
+      throw new BadRequestError({ message: `Unsupported connection method` });
+  }
+};
+
+export const validateAzureDevOpsConnectionCredentials = async (config: TAzureDevOpsConnectionConfig) => {
+  const { credentials: inputCredentials, method } = config;
+
+  const { INF_APP_CONNECTION_AZURE_CLIENT_ID, INF_APP_CONNECTION_AZURE_CLIENT_SECRET, SITE_URL } = getConfig();
+
+  switch (method) {
+    case AzureDevOpsConnectionMethod.OAuth:
+      if (!SITE_URL) {
+        throw new InternalServerError({ message: "SITE_URL env var is required to complete Azure OAuth flow" });
+      }
+
+      if (!INF_APP_CONNECTION_AZURE_CLIENT_ID || !INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
+        throw new InternalServerError({
+          message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
+        });
+      }
+
+      let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
+      let tokenError: AxiosError | null = null;
+
+      try {
+        const oauthCredentials = inputCredentials as { code: string; tenantId: string };
+        tokenResp = await request.post<ExchangeCodeAzureResponse>(
+          IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
+          new URLSearchParams({
+            grant_type: "authorization_code",
+            code: oauthCredentials.code,
+            scope: `https://app.vssps.visualstudio.com/.default`,
+            client_id: INF_APP_CONNECTION_AZURE_CLIENT_ID,
+            client_secret: INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
+            redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
+          })
+        );
+      } catch (e: unknown) {
+        if (e instanceof AxiosError) {
+          tokenError = e;
+        } else {
+          throw new BadRequestError({
+            message: `Unable to validate connection: verify credentials`
+          });
+        }
+      }
+
+      if (tokenError) {
+        if (tokenError instanceof AxiosError) {
+          throw new BadRequestError({
+            message: `Failed to get access token: ${
+              (tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
+            }`
+          });
+        } else {
+          throw new InternalServerError({
+            message: "Failed to get access token"
+          });
+        }
+      }
+
+      if (!tokenResp) {
+        throw new InternalServerError({
+          message: `Failed to get access token: Token was empty with no error`
+        });
+      }
+
+      const oauthCredentials = inputCredentials as { code: string; tenantId: string; orgName: string };
+      return {
+        tenantId: oauthCredentials.tenantId,
+        orgName: oauthCredentials.orgName,
+        accessToken: tokenResp.data.access_token,
+        refreshToken: tokenResp.data.refresh_token,
+        expiresAt: Date.now() + tokenResp.data.expires_in * 1000
+      };
+
+    case AzureDevOpsConnectionMethod.AccessToken:
+      const accessTokenCredentials = inputCredentials as { accessToken: string; orgName?: string };
+
+      try {
+        if (accessTokenCredentials.orgName) {
+          // Validate against specific organization
+          const response = await request.get(
+            `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(accessTokenCredentials.orgName)}/_apis/projects?api-version=7.2-preview.2&$top=1`,
+            {
+              headers: {
+                Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
+              }
+            }
+          );
+
+          if (response.status !== 200) {
+            throw new BadRequestError({
+              message: `Failed to validate connection: ${response.status}`
+            });
+          }
+
+          return {
+            accessToken: accessTokenCredentials.accessToken,
+            orgName: accessTokenCredentials.orgName
+          };
+        }
+        // Validate via profile and discover organizations
+        const profileResponse = await request.get<{ displayName: string }>(
+          `https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1`,
+          {
+            headers: {
+              Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
+            }
+          }
+        );
+
+        let organizations: Array<{ accountId: string; accountName: string; accountUri: string }> = [];
+        try {
+          const orgsResponse = await request.get<{
+            value: Array<{ accountId: string; accountName: string; accountUri: string }>;
+          }>(`https://app.vssps.visualstudio.com/_apis/accounts?api-version=7.1`, {
+            headers: {
+              Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
+            }
+          });
+          organizations = orgsResponse.data.value || [];
+        } catch (orgError) {
+          logger.warn(orgError, "Could not fetch organizations automatically:");
+        }
+
+        return {
+          accessToken: accessTokenCredentials.accessToken,
+          userDisplayName: profileResponse.data.displayName,
+          organizations: organizations.map((org) => ({
+            accountId: org.accountId,
+            accountName: org.accountName,
+            accountUri: org.accountUri
+          }))
+        };
+      } catch (error) {
+        if (error instanceof AxiosError) {
+          const errorMessage = accessTokenCredentials.orgName
+            ? // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+              `Failed to validate access token for organization '${accessTokenCredentials.orgName}': ${error.response?.data?.message || error.message}`
+            : `Invalid Azure DevOps Personal Access Token: ${error.response?.status === 401 ? "Token is invalid or expired" : error.message}`;
+
+          throw new BadRequestError({ message: errorMessage });
+        }
+        throw new BadRequestError({
+          message: `Unable to validate Azure DevOps token`
+        });
+      }
+
+    default:
+      throw new InternalServerError({
+        message: `Unhandled Azure connection method: ${method as AzureDevOpsConnectionMethod}`
+      });
+  }
+};

backend/src/services/app-connection/azure-devops/azure-devops-schemas.ts

@@ -0,0 +1,112 @@
+import { z } from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
+
+export const AzureDevOpsConnectionOAuthInputCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required").describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.code),
+  tenantId: z.string().trim().min(1, "Tenant ID required").describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.tenantId),
+  orgName: z
+    .string()
+    .trim()
+    .min(1, "Organization name required")
+    .describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.orgName)
+});
+
+export const AzureDevOpsConnectionOAuthOutputCredentialsSchema = z.object({
+  tenantId: z.string(),
+  orgName: z.string(),
+  accessToken: z.string(),
+  refreshToken: z.string(),
+  expiresAt: z.number()
+});
+
+export const AzureDevOpsConnectionAccessTokenInputCredentialsSchema = z.object({
+  accessToken: z.string().trim().min(1, "Access Token required"),
+  orgName: z.string().trim().min(1, "Organization name required")
+});
+
+export const AzureDevOpsConnectionAccessTokenOutputCredentialsSchema = z.object({
+  accessToken: z.string(),
+  orgName: z.string()
+});
+
+export const ValidateAzureDevOpsConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(AzureDevOpsConnectionMethod.OAuth)
+      .describe(AppConnections.CREATE(AppConnection.AzureDevOps).method),
+    credentials: AzureDevOpsConnectionOAuthInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.AzureDevOps).credentials
+    )
+  }),
+  z.object({
+    method: z
+      .literal(AzureDevOpsConnectionMethod.AccessToken)
+      .describe(AppConnections.CREATE(AppConnection.AzureDevOps).method),
+    credentials: AzureDevOpsConnectionAccessTokenInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.AzureDevOps).credentials
+    )
+  })
+]);
+
+export const CreateAzureDevOpsConnectionSchema = ValidateAzureDevOpsConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.AzureDevOps)
+);
+
+export const UpdateAzureDevOpsConnectionSchema = z
+  .object({
+    credentials: z
+      .union([AzureDevOpsConnectionOAuthInputCredentialsSchema, AzureDevOpsConnectionAccessTokenInputCredentialsSchema])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.AzureDevOps).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureDevOps));
+
+const BaseAzureDevOpsConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.AzureDevOps)
+});
+
+export const AzureDevOpsConnectionSchema = z.intersection(
+  BaseAzureDevOpsConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(AzureDevOpsConnectionMethod.OAuth),
+      credentials: AzureDevOpsConnectionOAuthOutputCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
+      credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedAzureDevOpsConnectionSchema = z.discriminatedUnion("method", [
+  BaseAzureDevOpsConnectionSchema.extend({
+    method: z.literal(AzureDevOpsConnectionMethod.OAuth),
+    credentials: AzureDevOpsConnectionOAuthOutputCredentialsSchema.pick({
+      tenantId: true,
+      orgName: true
+    })
+  }),
+  BaseAzureDevOpsConnectionSchema.extend({
+    method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
+    credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema.pick({
+      orgName: true
+    })
+  })
+]);
+
+export const AzureDevOpsConnectionListItemSchema = z.object({
+  name: z.literal("Azure DevOps"),
+  app: z.literal(AppConnection.AzureDevOps),
+  methods: z.nativeEnum(AzureDevOpsConnectionMethod).array(),
+  oauthClientId: z.string().optional()
+});

backend/src/services/app-connection/azure-devops/azure-devops-service.ts

@@ -0,0 +1,127 @@
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable no-case-declarations */
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { OrgServiceActor } from "@app/lib/types";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
+import { getAzureDevopsConnection } from "./azure-devops-fns";
+import { TAzureDevOpsConnection } from "./azure-devops-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TAzureDevOpsConnection>;
+
+type TAzureDevOpsProject = {
+  id: string;
+  name: string;
+  description?: string;
+  url?: string;
+  state?: string;
+  visibility?: string;
+  lastUpdateTime?: string;
+  revision?: number;
+  abbreviation?: string;
+  defaultTeamImageUrl?: string;
+};
+
+type TAzureDevOpsProjectsResponse = {
+  count: number;
+  value: TAzureDevOpsProject[];
+};
+
+const getAuthHeaders = (appConnection: TAzureDevOpsConnection, accessToken: string) => {
+  switch (appConnection.method) {
+    case AzureDevOpsConnectionMethod.OAuth:
+      return {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
+      };
+    case AzureDevOpsConnectionMethod.AccessToken:
+      // For access token, create Basic auth header
+      const basicAuthToken = Buffer.from(`user:${accessToken}`).toString("base64");
+      return {
+        Authorization: `Basic ${basicAuthToken}`,
+        Accept: "application/json"
+      };
+    default:
+      throw new BadRequestError({ message: "Unsupported connection method" });
+  }
+};
+
+const listAzureDevOpsProjects = async (
+  appConnection: TAzureDevOpsConnection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<TAzureDevOpsProject[]> => {
+  const accessToken = await getAzureDevopsConnection(appConnection.id, appConnectionDAL, kmsService);
+
+  // Both OAuth and access Token methods use organization name from credentials
+  const credentials = appConnection.credentials as { orgName: string };
+  const { orgName } = credentials;
+
+  // Use the standard Azure DevOps Projects API endpoint
+  // This endpoint returns only projects that the authenticated user has access to
+  const devOpsEndpoint = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/projects?api-version=7.1`;
+  try {
+    const { data } = await request.get<TAzureDevOpsProjectsResponse>(devOpsEndpoint, {
+      headers: getAuthHeaders(appConnection, accessToken)
+    });
+
+    return data.value || [];
+  } catch (error) {
+    if (error instanceof AxiosError) {
+      // Provide more specific error messages based on the response
+      if (error?.response?.status === 401) {
+        throw new Error(
+          `Authentication failed for Azure DevOps organization: ${orgName}. Please check your credentials and ensure the token has the required scopes (vso.project or vso.profile).`
+        );
+      } else if (error?.response?.status === 403) {
+        throw new Error(
+          `Access denied to Azure DevOps organization: ${orgName}. Please ensure the user has access to the organization.`
+        );
+      } else if (error?.response?.status === 404) {
+        throw new Error(`Azure DevOps organization not found: ${orgName}. Please verify the organization name.`);
+      }
+    }
+    throw error;
+  }
+};
+
+export const azureDevOpsConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.AzureDevOps, connectionId, actor);
+
+    const projects = await listAzureDevOpsProjects(appConnection, appConnectionDAL, kmsService);
+
+    return projects.map((project) => ({
+      id: project.id,
+      name: project.name,
+      appId: project.id,
+      description: project.description,
+      url: project.url,
+      state: project.state,
+      visibility: project.visibility,
+      lastUpdateTime: project.lastUpdateTime,
+      revision: project.revision,
+      abbreviation: project.abbreviation,
+      defaultTeamImageUrl: project.defaultTeamImageUrl
+    }));
+  };
+
+  return {
+    listProjects
+  };
+};

backend/src/services/app-connection/azure-devops/azure-devops-types.ts

@@ -0,0 +1,54 @@
+import { z } from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  AzureDevOpsConnectionOAuthOutputCredentialsSchema,
+  AzureDevOpsConnectionSchema,
+  CreateAzureDevOpsConnectionSchema,
+  ValidateAzureDevOpsConnectionCredentialsSchema
+} from "./azure-devops-schemas";
+
+export type TAzureDevOpsConnection = z.infer<typeof AzureDevOpsConnectionSchema>;
+
+export type TAzureDevOpsConnectionInput = z.infer<typeof CreateAzureDevOpsConnectionSchema> & {
+  app: AppConnection.AzureDevOps;
+};
+
+export type TValidateAzureDevOpsConnectionCredentialsSchema = typeof ValidateAzureDevOpsConnectionCredentialsSchema;
+
+export type TAzureDevOpsConnectionConfig = DiscriminativePick<
+  TAzureDevOpsConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TAzureDevOpsConnectionCredentials = z.infer<typeof AzureDevOpsConnectionOAuthOutputCredentialsSchema>;
+
+export interface ExchangeCodeAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  id_token: string;
+}
+
+export interface TAzureRegisteredApp {
+  id: string;
+  appId: string;
+  displayName: string;
+  description?: string;
+  createdDateTime: string;
+  identifierUris?: string[];
+  signInAudience?: string;
+}
+
+export interface TAzureListRegisteredAppsResponse {
+  "@odata.context": string;
+  "@odata.nextLink"?: string;
+  value: TAzureRegisteredApp[];
+}

backend/src/services/app-connection/shared/sql/sql-connection-fns.ts

@@ -16,7 +16,8 @@ const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 const SQL_CONNECTION_CLIENT_MAP = {
   [AppConnection.Postgres]: "pg",
   [AppConnection.MsSql]: "mssql",
-  [AppConnection.MySql]: "mysql2"
+  [AppConnection.MySql]: "mysql2",
+  [AppConnection.OracleDB]: "oracledb"
 };
 
 const getConnectionConfig = ({
@@ -57,6 +58,17 @@ const getConnectionConfig = ({
           : false
       };
     }
+
+    case AppConnection.OracleDB: {
+      return {
+        ssl: sslEnabled
+          ? {
+              sslCA: sslCertificate,
+              sslServerDNMatch: sslRejectUnauthorized
+            }
+          : false
+      };
+    }
     default:
       throw new Error(`Unhandled SQL Connection Config: ${app as AppConnection}`);
   }
@@ -114,7 +126,8 @@ export const SQL_CONNECTION_ALTER_LOGIN_STATEMENT: Record<
 > = {
   [AppConnection.Postgres]: ({ username, password }) => [`ALTER USER ?? WITH PASSWORD '${password}';`, [username]],
   [AppConnection.MsSql]: ({ username, password }) => [`ALTER LOGIN ?? WITH PASSWORD = '${password}';`, [username]],
-  [AppConnection.MySql]: ({ username, password }) => [`ALTER USER ??@'%' IDENTIFIED BY '${password}';`, [username]]
+  [AppConnection.MySql]: ({ username, password }) => [`ALTER USER ??@'%' IDENTIFIED BY '${password}';`, [username]],
+  [AppConnection.OracleDB]: ({ username, password }) => [`ALTER USER ?? IDENTIFIED BY "${password}"`, [username]]
 };
 
 export const transferSqlConnectionCredentialsToPlatform = async (

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -28,6 +28,11 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           `${TableName.IdentityUniversalAuth}.id`
         )
         .leftJoin(TableName.IdentityGcpAuth, `${TableName.Identity}.id`, `${TableName.IdentityGcpAuth}.identityId`)
+        .leftJoin(
+          TableName.IdentityAliCloudAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityAliCloudAuth}.identityId`
+        )
         .leftJoin(TableName.IdentityAwsAuth, `${TableName.Identity}.id`, `${TableName.IdentityAwsAuth}.identityId`)
         .leftJoin(TableName.IdentityAzureAuth, `${TableName.Identity}.id`, `${TableName.IdentityAzureAuth}.identityId`)
         .leftJoin(TableName.IdentityLdapAuth, `${TableName.Identity}.id`, `${TableName.IdentityLdapAuth}.identityId`)
@@ -44,6 +49,10 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
         .select(
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
+          db
+            .ref("accessTokenTrustedIps")
+            .withSchema(TableName.IdentityAliCloudAuth)
+            .as("accessTokenTrustedIpsAliCloud"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
@@ -62,6 +71,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
         ...doc,
         trustedIpsUniversalAuth: doc.accessTokenTrustedIpsUa,
         trustedIpsGcpAuth: doc.accessTokenTrustedIpsGcp,
+        trustedIpsAliCloudAuth: doc.accessTokenTrustedIpsAliCloud,
         trustedIpsAwsAuth: doc.accessTokenTrustedIpsAws,
         trustedIpsAzureAuth: doc.accessTokenTrustedIpsAzure,
         trustedIpsKubernetesAuth: doc.accessTokenTrustedIpsK8s,

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -193,6 +193,7 @@ export const identityAccessTokenServiceFactory = ({
     const trustedIpsMap: Record<IdentityAuthMethod, unknown> = {
       [IdentityAuthMethod.UNIVERSAL_AUTH]: identityAccessToken.trustedIpsUniversalAuth,
       [IdentityAuthMethod.GCP_AUTH]: identityAccessToken.trustedIpsGcpAuth,
+      [IdentityAuthMethod.ALICLOUD_AUTH]: identityAccessToken.trustedIpsAliCloudAuth,
       [IdentityAuthMethod.AWS_AUTH]: identityAccessToken.trustedIpsAwsAuth,
       [IdentityAuthMethod.OCI_AUTH]: identityAccessToken.trustedIpsOciAuth,
       [IdentityAuthMethod.AZURE_AUTH]: identityAccessToken.trustedIpsAzureAuth,

backend/src/services/identity-alicloud-auth/identity-alicloud-auth-dal.ts

@@ -0,0 +1,9 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAliCloudAuthDALFactory = ReturnType<typeof identityAliCloudAuthDALFactory>;
+
+export const identityAliCloudAuthDALFactory = (db: TDbClient) => {
+  return ormify(db, TableName.IdentityAliCloudAuth);
+};

backend/src/services/identity-alicloud-auth/identity-alicloud-auth-service.ts

@@ -0,0 +1,361 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+import { ForbiddenError } from "@casl/ability";
+import { AxiosError } from "axios";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { logger } from "@app/lib/logger";
+
+import { ActorType, AuthTokenType } from "../auth/auth-type";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
+import { TIdentityAliCloudAuthDALFactory } from "./identity-alicloud-auth-dal";
+import {
+  TAliCloudGetUserResponse,
+  TAttachAliCloudAuthDTO,
+  TGetAliCloudAuthDTO,
+  TLoginAliCloudAuthDTO,
+  TRevokeAliCloudAuthDTO,
+  TUpdateAliCloudAuthDTO
+} from "./identity-alicloud-auth-types";
+
+type TIdentityAliCloudAuthServiceFactoryDep = {
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
+  identityAliCloudAuthDAL: Pick<
+    TIdentityAliCloudAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TIdentityAliCloudAuthServiceFactory = ReturnType<typeof identityAliCloudAuthServiceFactory>;
+
+export const identityAliCloudAuthServiceFactory = ({
+  identityAccessTokenDAL,
+  identityAliCloudAuthDAL,
+  identityOrgMembershipDAL,
+  licenseService,
+  permissionService
+}: TIdentityAliCloudAuthServiceFactoryDep) => {
+  const login = async ({ identityId, ...params }: TLoginAliCloudAuthDTO) => {
+    const identityAliCloudAuth = await identityAliCloudAuthDAL.findOne({ identityId });
+    if (!identityAliCloudAuth) {
+      throw new NotFoundError({
+        message: "Alibaba Cloud auth method not found for identity, did you configure Alibaba Cloud auth?"
+      });
+    }
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
+      identityId: identityAliCloudAuth.identityId
+    });
+
+    const requestUrl = new URL("https://sts.aliyuncs.com");
+
+    for (const key of Object.keys(params)) {
+      requestUrl.searchParams.set(key, (params as Record<string, string>)[key]);
+    }
+
+    const { data } = await request.get<TAliCloudGetUserResponse>(requestUrl.toString()).catch((err: AxiosError) => {
+      logger.error(err.response, "AliCloudIdentityLogin: Failed to authenticate with Alibaba Cloud");
+      throw err;
+    });
+
+    if (identityAliCloudAuth.allowedArns) {
+      // In the future we could do partial checks for role ARNs
+      const isAccountAllowed = identityAliCloudAuth.allowedArns.split(",").some((arn) => arn.trim() === data.Arn);
+
+      if (!isAccountAllowed)
+        throw new UnauthorizedError({
+          message: "Access denied: Alibaba Cloud account ARN not allowed."
+        });
+    }
+
+    // Generate the token
+    const identityAccessToken = await identityAliCloudAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityAliCloudAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityAliCloudAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAliCloudAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityAliCloudAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.ALICLOUD_AUTH
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityAliCloudAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
+    );
+
+    return {
+      identityAliCloudAuth,
+      accessToken,
+      identityAccessToken,
+      identityMembershipOrg
+    };
+  };
+
+  const attachAliCloudAuth = async ({
+    identityId,
+    allowedArns,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId,
+    isActorSuperAdmin
+  }: TAttachAliCloudAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.ALICLOUD_AUTH)) {
+      throw new BadRequestError({
+        message: "Failed to add Alibaba Cloud Auth to already configured identity"
+      });
+    }
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityAliCloudAuth = await identityAliCloudAuthDAL.transaction(async (tx) => {
+      const doc = await identityAliCloudAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type: "iam",
+          allowedArns,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityAliCloudAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateAliCloudAuth = async ({
+    identityId,
+    allowedArns,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateAliCloudAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.ALICLOUD_AUTH)) {
+      throw new NotFoundError({
+        message: "The identity does not have Alibaba Cloud Auth attached"
+      });
+    }
+
+    const identityAliCloudAuth = await identityAliCloudAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityAliCloudAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityAliCloudAuth.accessTokenTTL) >
+        (accessTokenMaxTTL || identityAliCloudAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedAliCloudAuth = await identityAliCloudAuthDAL.updateById(identityAliCloudAuth.id, {
+      allowedArns,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return { ...updatedAliCloudAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getAliCloudAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAliCloudAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.ALICLOUD_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have Alibaba Cloud Auth attached"
+      });
+    }
+
+    const alicloudIdentityAuth = await identityAliCloudAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    return { ...alicloudIdentityAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeIdentityAliCloudAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAliCloudAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.ALICLOUD_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have Alibaba Cloud auth"
+      });
+    }
+    const { permission, membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
+
+    if (!permissionBoundary.isValid)
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke Alibaba Cloud auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+
+    const revokedIdentityAliCloudAuth = await identityAliCloudAuthDAL.transaction(async (tx) => {
+      const deletedAliCloudAuth = await identityAliCloudAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.ALICLOUD_AUTH }, tx);
+
+      return { ...deletedAliCloudAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAliCloudAuth;
+  };
+
+  return {
+    login,
+    attachAliCloudAuth,
+    updateAliCloudAuth,
+    getAliCloudAuth,
+    revokeIdentityAliCloudAuth
+  };
+};

backend/src/services/identity-alicloud-auth/identity-alicloud-auth-types.ts

@@ -0,0 +1,45 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginAliCloudAuthDTO = {
+  identityId: string;
+  Action: string;
+  Format: string;
+  Version: string;
+  AccessKeyId: string;
+  SignatureMethod: string;
+  Timestamp: string;
+  SignatureVersion: string;
+  SignatureNonce: string;
+  Signature: string;
+};
+
+export type TAttachAliCloudAuthDTO = {
+  identityId: string;
+  allowedArns: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateAliCloudAuthDTO = {
+  identityId: string;
+  allowedArns: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetAliCloudAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TRevokeAliCloudAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TAliCloudGetUserResponse = {
+  Arn: string;
+};

backend/src/services/identity-alicloud-auth/identity-alicloud-auth-validators.ts

@@ -0,0 +1,25 @@
+import RE2 from "re2";
+import { z } from "zod";
+
+const arnSchema = z
+  .string()
+  .refine(
+    (val) => new RE2("^acs:ram::[0-9]{16}:(user|role)/.*$").test(val),
+    "Invalid ARN format. Expected format: acs:ram::[0-9]{16}:(user|role)/*"
+  );
+export const validateArns = z
+  .string()
+  .trim()
+  .min(1, "Allowed ARNs required")
+  .max(500, "Input exceeds the maximum limit of 500 characters")
+  .transform((val) => {
+    if (!val) return [];
+    return val
+      .split(",")
+      .map((s) => s.trim())
+      .filter(Boolean);
+  })
+  .refine((arr) => arr.every((name) => arnSchema.safeParse(name).success), {
+    message: "One or more ARNs are invalid"
+  })
+  .transform((arr) => arr.join(", "));

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -94,7 +94,9 @@ export const identityAwsAuthServiceFactory = ({
 
     const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
-    const region = headers.Authorization ? awsRegionFromHeader(headers.Authorization) : null;
+
+    const authHeader = headers.Authorization || headers.authorization;
+    const region = authHeader ? awsRegionFromHeader(authHeader) : null;
 
     if (!isValidAwsRegion(region)) {
       throw new BadRequestError({ message: "Invalid AWS region" });

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -40,7 +40,8 @@ export type TAwsGetCallerIdentityHeaders = {
   "X-Amz-Date": string;
   "Content-Length": number;
   "x-amz-security-token": string;
-  Authorization: string;
+  Authorization?: string;
+  authorization?: string;
 };
 
 export type TGetCallerIdentityResponse = {

backend/src/services/identity-project/identity-project-dal.ts

@@ -4,6 +4,7 @@ import { TDbClient } from "@app/db";
 import {
   TableName,
   TIdentities,
+  TIdentityAlicloudAuths,
   TIdentityAwsAuths,
   TIdentityAzureAuths,
   TIdentityGcpAuths,
@@ -57,6 +58,11 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.identityId`,
           `${TableName.IdentityGcpAuth}.identityId`
         )
+        .leftJoin(
+          TableName.IdentityAliCloudAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityAliCloudAuth}.identityId`
+        )
         .leftJoin(
           TableName.IdentityAwsAuth,
           `${TableName.IdentityProjectMembership}.identityId`,
@@ -111,6 +117,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("type").as("projectType").withSchema(TableName.Project),
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("alicloudId").withSchema(TableName.IdentityAliCloudAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
           db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
@@ -267,6 +274,11 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.Identity}.id`,
           `${TableName.IdentityGcpAuth}.identityId`
         )
+        .leftJoin<TIdentityAlicloudAuths>(
+          TableName.IdentityAliCloudAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityAliCloudAuth}.identityId`
+        )
         .leftJoin<TIdentityAwsAuths>(
           TableName.IdentityAwsAuth,
           `${TableName.Identity}.id`,
@@ -319,6 +331,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("name").as("projectName").withSchema(TableName.Project),
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("alicloudId").withSchema(TableName.IdentityAliCloudAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
           db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
@@ -346,6 +359,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           identityId,
           identityName,
           uaId,
+          alicloudId,
           awsId,
           gcpId,
           kubernetesId,
@@ -367,6 +381,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
             name: identityName,
             authMethods: buildAuthMethods({
               uaId,
+              alicloudId,
               awsId,
               gcpId,
               kubernetesId,

backend/src/services/identity-ua/identity-ua-service.ts

@@ -122,9 +122,9 @@ export const identityUaServiceFactory = ({
           }
         : {
             accessTokenTTL: identityUa.accessTokenPeriod,
-            // Setting Max TTL to 2 × period ensures that clients can always renew their token
-            // at least once, and matches client logic that checks if renewing would exceed Max TTL.
-            accessTokenMaxTTL: 2 * identityUa.accessTokenPeriod
+            // We set a very large Max TTL for periodic tokens to ensure that clients (even outdated ones) can always renew their token
+            // without them having to update their SDKs, CLIs, etc. This workaround sets it to 30 years to emulate "forever"
+            accessTokenMaxTTL: 1000000000
           };
 
     const identityAccessToken = await identityUaDAL.transaction(async (tx) => {

backend/src/services/identity/identity-fns.ts

@@ -3,6 +3,7 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 export const buildAuthMethods = ({
   uaId,
   gcpId,
+  alicloudId,
   awsId,
   kubernetesId,
   ociId,
@@ -14,6 +15,7 @@ export const buildAuthMethods = ({
 }: {
   uaId?: string;
   gcpId?: string;
+  alicloudId?: string;
   awsId?: string;
   kubernetesId?: string;
   ociId?: string;
@@ -26,6 +28,7 @@ export const buildAuthMethods = ({
   return [
     ...[uaId ? IdentityAuthMethod.UNIVERSAL_AUTH : null],
     ...[gcpId ? IdentityAuthMethod.GCP_AUTH : null],
+    ...[alicloudId ? IdentityAuthMethod.ALICLOUD_AUTH : null],
     ...[awsId ? IdentityAuthMethod.AWS_AUTH : null],
     ...[kubernetesId ? IdentityAuthMethod.KUBERNETES_AUTH : null],
     ...[ociId ? IdentityAuthMethod.OCI_AUTH : null],

backend/src/services/identity/identity-org-dal.ts

@@ -3,6 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import {
   TableName,
+  TIdentityAlicloudAuths,
   TIdentityAwsAuths,
   TIdentityAzureAuths,
   TIdentityGcpAuths,
@@ -53,6 +54,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           `${TableName.IdentityOrgMembership}.identityId`,
           `${TableName.IdentityGcpAuth}.identityId`
         )
+        .leftJoin<TIdentityAlicloudAuths>(
+          TableName.IdentityAliCloudAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityAliCloudAuth}.identityId`
+        )
         .leftJoin<TIdentityAwsAuths>(
           TableName.IdentityAwsAuth,
           `${TableName.IdentityOrgMembership}.identityId`,
@@ -99,6 +105,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
 
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("alicloudId").withSchema(TableName.IdentityAliCloudAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
           db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
@@ -183,6 +190,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           "paginatedIdentity.identityId",
           `${TableName.IdentityGcpAuth}.identityId`
         )
+        .leftJoin<TIdentityAlicloudAuths>(
+          TableName.IdentityAliCloudAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityAliCloudAuth}.identityId`
+        )
         .leftJoin<TIdentityAwsAuths>(
           TableName.IdentityAwsAuth,
           "paginatedIdentity.identityId",
@@ -236,6 +248,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
 
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("alicloudId").withSchema(TableName.IdentityAliCloudAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
           db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
@@ -278,6 +291,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           id,
           orgId,
           uaId,
+          alicloudId,
           awsId,
           gcpId,
           jwtId,
@@ -312,6 +326,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
             name: identityName,
             authMethods: buildAuthMethods({
               uaId,
+              alicloudId,
               awsId,
               gcpId,
               kubernetesId,
@@ -459,6 +474,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
 
           db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("alicloudId").withSchema(TableName.IdentityAliCloudAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
           db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
@@ -502,6 +518,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           total_count,
           id,
           uaId,
+          alicloudId,
           awsId,
           gcpId,
           jwtId,
@@ -536,6 +553,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
             name: identityName,
             authMethods: buildAuthMethods({
               uaId,
+              alicloudId,
               awsId,
               gcpId,
               kubernetesId,

backend/src/services/org/org-service.ts

@@ -1211,8 +1211,8 @@ export const orgServiceFactory = ({
           subjectLine: "Infisical organization invitation",
           recipients: [el.email],
           substitutions: {
-            inviterFirstName: invitingUser.firstName,
-            inviterUsername: invitingUser.email,
+            inviterFirstName: invitingUser?.firstName,
+            inviterUsername: invitingUser?.email,
             organizationName: org?.name,
             email: el.email,
             organizationId: org?.id.toString(),

backend/src/services/secret-sync/azure-devops/azure-devops-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const AZURE_DEVOPS_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Azure DevOps",
+  destination: SecretSync.AzureDevOps,
+  connection: AppConnection.AzureDevOps,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/azure-devops/azure-devops-sync-fns.ts

@@ -0,0 +1,233 @@
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { AzureDevOpsConnectionMethod } from "@app/services/app-connection/azure-devops/azure-devops-enums";
+import { getAzureDevopsConnection } from "@app/services/app-connection/azure-devops/azure-devops-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { TAzureDevOpsSyncWithCredentials } from "./azure-devops-sync-types";
+
+type TAzureDevOpsSyncFactoryDeps = {
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
+interface AzureDevOpsVariableGroup {
+  id: number;
+  name: string;
+  description: string;
+  type: string;
+  variables: Record<string, { value: string; isSecret: boolean }>;
+  variableGroupProjectReferences: Array<{
+    description: string;
+    name: string;
+    projectReference: { id: string; name: string };
+  }>;
+}
+
+interface AzureDevOpsVariableGroupList {
+  count: number;
+  value: AzureDevOpsVariableGroup[];
+}
+
+export const azureDevOpsSyncFactory = ({ kmsService, appConnectionDAL }: TAzureDevOpsSyncFactoryDeps) => {
+  const getConnectionAuth = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
+    const { credentials } = secretSync.connection;
+    const isOAuth = secretSync.connection.method === AzureDevOpsConnectionMethod.OAuth;
+
+    const { orgName } = credentials;
+    if (!orgName) {
+      throw new BadRequestError({
+        message: "Azure DevOps: organization name is required"
+      });
+    }
+
+    const accessToken = await getAzureDevopsConnection(secretSync.connectionId, appConnectionDAL, kmsService);
+
+    return { accessToken, orgName, isOAuth };
+  };
+
+  const getAuthHeader = (accessToken: string, isOAuth: boolean) => {
+    if (isOAuth) {
+      return `Bearer ${accessToken}`;
+    }
+    const basicAuth = Buffer.from(`:${accessToken}`).toString("base64");
+    return `Basic ${basicAuth}`;
+  };
+
+  const $getEnvGroupId = async (
+    accessToken: string,
+    orgName: string,
+    projectId: string,
+    environmentName: string,
+    isOAuth: boolean
+  ) => {
+    const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/${encodeURIComponent(projectId)}/_apis/distributedtask/variablegroups?api-version=7.1`;
+    const response = await request.get<AzureDevOpsVariableGroupList>(url, {
+      headers: {
+        Authorization: getAuthHeader(accessToken, isOAuth)
+      }
+    });
+
+    for (const group of response.data.value) {
+      if (group.name === environmentName) {
+        return { groupId: group.id.toString(), groupName: group.name };
+      }
+    }
+    return { groupId: "", groupName: "" };
+  };
+
+  const syncSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials, secretMap: TSecretMap) => {
+    if (!secretSync.destinationConfig.devopsProjectId) {
+      throw new BadRequestError({
+        message: "Azure DevOps: project ID is required"
+      });
+    }
+
+    if (!secretSync.environment?.name) {
+      throw new BadRequestError({
+        message: "Azure DevOps: environment name is required"
+      });
+    }
+
+    const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
+
+    const { groupId, groupName } = await $getEnvGroupId(
+      accessToken,
+      orgName,
+      secretSync.destinationConfig.devopsProjectId,
+      secretSync.environment.name,
+      isOAuth
+    );
+
+    const variables: Record<string, { value: string; isSecret: boolean }> = {};
+    for (const [key, secret] of Object.entries(secretMap)) {
+      if (secret?.value !== undefined) {
+        variables[key] = { value: secret.value, isSecret: true };
+      }
+    }
+
+    if (!groupId) {
+      // Create new variable group - API endpoint is organization-level
+      const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups?api-version=7.1`;
+
+      await request.post(
+        url,
+        {
+          name: secretSync.environment.name,
+          description: secretSync.environment.name,
+          type: "Vsts",
+          variables,
+          variableGroupProjectReferences: [
+            {
+              description: secretSync.environment.name,
+              name: secretSync.environment.name,
+              projectReference: {
+                id: secretSync.destinationConfig.devopsProjectId,
+                name: secretSync.destinationConfig.devopsProjectId
+              }
+            }
+          ]
+        },
+        {
+          headers: {
+            Authorization: getAuthHeader(accessToken, isOAuth),
+            "Content-Type": "application/json"
+          }
+        }
+      );
+    } else {
+      const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups/${groupId}?api-version=7.1`;
+
+      await request.put(
+        url,
+        {
+          name: groupName,
+          description: groupName,
+          type: "Vsts",
+          variables,
+          variableGroupProjectReferences: [
+            {
+              description: groupName,
+              name: groupName,
+              projectReference: {
+                id: secretSync.destinationConfig.devopsProjectId,
+                name: secretSync.destinationConfig.devopsProjectId
+              }
+            }
+          ]
+        },
+        {
+          headers: {
+            Authorization: getAuthHeader(accessToken, isOAuth),
+            "Content-Type": "application/json"
+          }
+        }
+      );
+    }
+  };
+
+  const removeSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
+    const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
+
+    const { groupId } = await $getEnvGroupId(
+      accessToken,
+      orgName,
+      secretSync.destinationConfig.devopsProjectId,
+      secretSync.environment?.name || "",
+      isOAuth
+    );
+
+    if (groupId) {
+      // Delete the variable group entirely using the DELETE API
+      const deleteUrl = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups/${groupId}?projectIds=${secretSync.destinationConfig.devopsProjectId}&api-version=7.1`;
+
+      await request.delete(deleteUrl, {
+        headers: {
+          Authorization: getAuthHeader(accessToken, isOAuth)
+        }
+      });
+    }
+  };
+
+  const getSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
+    const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
+
+    const { groupId } = await $getEnvGroupId(
+      accessToken,
+      orgName,
+      secretSync.destinationConfig.devopsProjectId,
+      secretSync.environment?.name || "",
+      isOAuth
+    );
+
+    const secretMap: TSecretMap = {};
+
+    if (groupId) {
+      const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${orgName}/_apis/distributedtask/variablegroups/${groupId}?api-version=7.1`;
+      const response = await request.get<AzureDevOpsVariableGroup>(url, {
+        headers: {
+          Authorization: getAuthHeader(accessToken, isOAuth)
+        }
+      });
+
+      if (response?.data?.variables) {
+        Object.entries(response.data.variables).forEach(([key, variable]) => {
+          secretMap[key] = {
+            value: variable.value || ""
+          };
+        });
+      }
+    }
+
+    return secretMap;
+  };
+
+  return {
+    syncSecrets,
+    removeSecrets,
+    getSecrets
+  };
+};

backend/src/services/secret-sync/azure-devops/azure-devops-sync-schemas.ts

@@ -0,0 +1,50 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+export const AzureDevOpsSyncDestinationConfigSchema = z.object({
+  devopsProjectId: z
+    .string()
+    .min(1, "Project ID required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectId || "Azure DevOps Project ID"),
+  devopsProjectName: z
+    .string()
+    .min(1, "Project name required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectName || "Azure DevOps Project Name")
+});
+
+const AzureDevOpsSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const AzureDevOpsSyncSchema = BaseSecretSyncSchema(SecretSync.AzureDevOps, AzureDevOpsSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.AzureDevOps),
+  destinationConfig: AzureDevOpsSyncDestinationConfigSchema
+});
+
+export const CreateAzureDevOpsSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.AzureDevOps,
+  AzureDevOpsSyncOptionsConfig
+).extend({
+  destinationConfig: AzureDevOpsSyncDestinationConfigSchema
+});
+
+export const UpdateAzureDevOpsSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.AzureDevOps,
+  AzureDevOpsSyncOptionsConfig
+).extend({
+  destinationConfig: AzureDevOpsSyncDestinationConfigSchema.optional()
+});
+
+export const AzureDevOpsSyncListItemSchema = z.object({
+  name: z.literal("Azure DevOps"),
+  connection: z.literal(AppConnection.AzureDevOps),
+  destination: z.literal(SecretSync.AzureDevOps),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/azure-devops/azure-devops-sync-types.ts

@@ -0,0 +1,22 @@
+import { z } from "zod";
+
+import { TAzureDevOpsConnection } from "@app/services/app-connection/azure-devops/azure-devops-types";
+
+import {
+  AzureDevOpsSyncDestinationConfigSchema,
+  AzureDevOpsSyncListItemSchema,
+  AzureDevOpsSyncSchema,
+  CreateAzureDevOpsSyncSchema
+} from "./azure-devops-sync-schemas";
+
+export type TAzureDevOpsSync = z.infer<typeof AzureDevOpsSyncSchema>;
+
+export type TAzureDevOpsSyncInput = z.infer<typeof CreateAzureDevOpsSyncSchema>;
+
+export type TAzureDevOpsSyncListItem = z.infer<typeof AzureDevOpsSyncListItemSchema>;
+
+export type TAzureDevOpsSyncDestinationConfig = z.infer<typeof AzureDevOpsSyncDestinationConfigSchema>;
+
+export type TAzureDevOpsSyncWithCredentials = TAzureDevOpsSync & {
+  connection: TAzureDevOpsConnection;
+};

backend/src/services/secret-sync/azure-devops/index.ts

@@ -0,0 +1,4 @@
+export * from "./azure-devops-sync-constants";
+export * from "./azure-devops-sync-fns";
+export * from "./azure-devops-sync-schemas";
+export * from "./azure-devops-sync-types";

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -5,6 +5,7 @@ export enum SecretSync {
   GCPSecretManager = "gcp-secret-manager",
   AzureKeyVault = "azure-key-vault",
   AzureAppConfiguration = "azure-app-configuration",
+  AzureDevOps = "azure-devops",
   Databricks = "databricks",
   Humanitec = "humanitec",
   TerraformCloud = "terraform-cloud",

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -26,6 +26,7 @@ import { TAppConnectionDALFactory } from "../app-connection/app-connection-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { ONEPASS_SYNC_LIST_OPTION, OnePassSyncFns } from "./1password";
 import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFactory } from "./azure-app-configuration";
+import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
@@ -45,6 +46,7 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.GitHub]: GITHUB_SYNC_LIST_OPTION,
   [SecretSync.GCPSecretManager]: GCP_SYNC_LIST_OPTION,
   [SecretSync.AzureKeyVault]: AZURE_KEY_VAULT_SYNC_LIST_OPTION,
+  [SecretSync.AzureDevOps]: AZURE_DEVOPS_SYNC_LIST_OPTION,
   [SecretSync.AzureAppConfiguration]: AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION,
   [SecretSync.Databricks]: DATABRICKS_SYNC_LIST_OPTION,
   [SecretSync.Humanitec]: HUMANITEC_SYNC_LIST_OPTION,
@@ -182,6 +184,11 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.AzureDevOps:
+        return azureDevOpsSyncFactory({
+          appConnectionDAL,
+          kmsService
+        }).syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Databricks:
         return databricksSyncFactory({
           appConnectionDAL,
@@ -244,6 +251,12 @@ export const SecretSyncFns = {
           kmsService
         }).getSecrets(secretSync);
         break;
+      case SecretSync.AzureDevOps:
+        secretMap = await azureDevOpsSyncFactory({
+          appConnectionDAL,
+          kmsService
+        }).getSecrets(secretSync);
+        break;
       case SecretSync.Databricks:
         return databricksSyncFactory({
           appConnectionDAL,
@@ -315,6 +328,11 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.AzureDevOps:
+        return azureDevOpsSyncFactory({
+          appConnectionDAL,
+          kmsService
+        }).removeSecrets(secretSync);
       case SecretSync.Databricks:
         return databricksSyncFactory({
           appConnectionDAL,

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -8,6 +8,7 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.GCPSecretManager]: "GCP Secret Manager",
   [SecretSync.AzureKeyVault]: "Azure Key Vault",
   [SecretSync.AzureAppConfiguration]: "Azure App Configuration",
+  [SecretSync.AzureDevOps]: "Azure DevOps",
   [SecretSync.Databricks]: "Databricks",
   [SecretSync.Humanitec]: "Humanitec",
   [SecretSync.TerraformCloud]: "Terraform Cloud",
@@ -27,6 +28,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.GCPSecretManager]: AppConnection.GCP,
   [SecretSync.AzureKeyVault]: AppConnection.AzureKeyVault,
   [SecretSync.AzureAppConfiguration]: AppConnection.AzureAppConfiguration,
+  [SecretSync.AzureDevOps]: AppConnection.AzureDevOps,
   [SecretSync.Databricks]: AppConnection.Databricks,
   [SecretSync.Humanitec]: AppConnection.Humanitec,
   [SecretSync.TerraformCloud]: AppConnection.TerraformCloud,
@@ -46,6 +48,7 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.GCPSecretManager]: SecretSyncPlanType.Regular,
   [SecretSync.AzureKeyVault]: SecretSyncPlanType.Regular,
   [SecretSync.AzureAppConfiguration]: SecretSyncPlanType.Regular,
+  [SecretSync.AzureDevOps]: SecretSyncPlanType.Regular,
   [SecretSync.Databricks]: SecretSyncPlanType.Regular,
   [SecretSync.Humanitec]: SecretSyncPlanType.Regular,
   [SecretSync.TerraformCloud]: SecretSyncPlanType.Regular,

backend/src/services/secret-sync/secret-sync-types.ts

@@ -60,6 +60,12 @@ import {
   TAzureAppConfigurationSyncListItem,
   TAzureAppConfigurationSyncWithCredentials
 } from "./azure-app-configuration";
+import {
+  TAzureDevOpsSync,
+  TAzureDevOpsSyncInput,
+  TAzureDevOpsSyncListItem,
+  TAzureDevOpsSyncWithCredentials
+} from "./azure-devops";
 import {
   TAzureKeyVaultSync,
   TAzureKeyVaultSyncInput,
@@ -100,6 +106,7 @@ export type TSecretSync =
   | TGcpSync
   | TAzureKeyVaultSync
   | TAzureAppConfigurationSync
+  | TAzureDevOpsSync
   | TDatabricksSync
   | THumanitecSync
   | TTerraformCloudSync
@@ -118,6 +125,7 @@ export type TSecretSyncWithCredentials =
   | TGcpSyncWithCredentials
   | TAzureKeyVaultSyncWithCredentials
   | TAzureAppConfigurationSyncWithCredentials
+  | TAzureDevOpsSyncWithCredentials
   | TDatabricksSyncWithCredentials
   | THumanitecSyncWithCredentials
   | TTerraformCloudSyncWithCredentials
@@ -136,6 +144,7 @@ export type TSecretSyncInput =
   | TGcpSyncInput
   | TAzureKeyVaultSyncInput
   | TAzureAppConfigurationSyncInput
+  | TAzureDevOpsSyncInput
   | TDatabricksSyncInput
   | THumanitecSyncInput
   | TTerraformCloudSyncInput
@@ -154,6 +163,7 @@ export type TSecretSyncListItem =
   | TGcpSyncListItem
   | TAzureKeyVaultSyncListItem
   | TAzureAppConfigurationSyncListItem
+  | TAzureDevOpsSyncListItem
   | TDatabricksSyncListItem
   | THumanitecSyncListItem
   | TTerraformCloudSyncListItem

backend/src/services/smtp/emails/OrganizationInvitationTemplate.tsx

@@ -5,8 +5,8 @@ import { BaseEmailWrapper, BaseEmailWrapperProps } from "./BaseEmailWrapper";
 
 interface OrganizationInvitationTemplateProps extends Omit<BaseEmailWrapperProps, "preview" | "title"> {
   metadata?: string;
-  inviterFirstName: string;
-  inviterUsername: string;
+  inviterFirstName?: string;
+  inviterUsername?: string;
   organizationName: string;
   email: string;
   organizationId: string;
@@ -38,11 +38,19 @@ export const OrganizationInvitationTemplate = ({
       </Heading>
       <Section className="px-[24px] mt-[36px] pt-[12px] pb-[8px] border text-center border-solid border-gray-200 rounded-md bg-gray-50">
         <Text className="text-black text-[14px] leading-[24px]">
-          <strong>{inviterFirstName}</strong> (
-          <Link href={`mailto:${inviterUsername}`} className="text-slate-700 no-underline">
-            {inviterUsername}
-          </Link>
-          ) has invited you to collaborate on <strong>{organizationName}</strong>.
+          {inviterFirstName && inviterUsername ? (
+            <>
+              <strong>{inviterFirstName}</strong> (
+              <Link href={`mailto:${inviterUsername}`} className="text-slate-700 no-underline">
+                {inviterUsername}
+              </Link>
+              ) has invited you to collaborate on <strong>{organizationName}</strong>.
+            </>
+          ) : (
+            <>
+              You have been invited to collaborate on <strong>{organizationName}</strong>.
+            </>
+          )}
         </Text>
       </Section>
       <Section className="text-center mt-[28px]">

cli/go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.9.1
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.5.95
+	github.com/infisical/go-sdk v0.5.96
 	github.com/infisical/infisical-kmip v0.3.5
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
@@ -25,6 +25,7 @@ require (
 	github.com/pion/logging v0.2.3
 	github.com/pion/turn/v4 v4.0.0
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	github.com/pkg/errors v0.9.1
 	github.com/posthog/posthog-go v0.0.0-20221221115252-24dfed35d71a
 	github.com/quic-go/quic-go v0.50.0
 	github.com/rs/cors v1.11.0
@@ -106,7 +107,6 @@ require (
 	github.com/pion/randutil v0.1.0 // indirect
 	github.com/pion/stun/v3 v3.0.0 // indirect
 	github.com/pion/transport/v3 v3.0.7 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect

cli/go.sum

@@ -292,12 +292,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.5.92 h1:PoCnVndrd6Dbkipuxl9fFiwlD5vCKsabtQo09mo8lUE=
-github.com/infisical/go-sdk v0.5.92/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
-github.com/infisical/go-sdk v0.5.94 h1:wKBj+KpJEe+ZzOJ7koXQZDR0dLL9bt0Kqgf/1q+7tG4=
-github.com/infisical/go-sdk v0.5.94/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
-github.com/infisical/go-sdk v0.5.95 h1:so0YwPofbT7j6Ao8Xcxee/o3ia33meuEVDU2vWr9yfs=
-github.com/infisical/go-sdk v0.5.95/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
+github.com/infisical/go-sdk v0.5.96 h1:huky6bQ1Y3oRdPb5MO3Ru868qZaPHUxZ7kP7FPNRn48=
+github.com/infisical/go-sdk v0.5.96/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
 github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BAJM2scIeiE=
 github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=

cli/packages/cmd/agent.go

@@ -576,7 +576,7 @@ func (tm *AgentManager) FetchUniversalAuthAccessToken() (credential infisicalSdk
 	}
 
 	tm.cachedUniversalAuthClientSecret = clientSecret
-	if tm.removeUniversalAuthClientSecretOnRead {
+	if universalAuthConfig.RemoveClientSecretOnRead {
 		defer os.Remove(universalAuthConfig.ClientSecretPath)
 	}
 
@@ -718,7 +718,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 }
 
 // Refreshes the existing access token
-func (tm *AgentManager) RefreshAccessToken() error {
+func (tm *AgentManager) RefreshAccessToken(accessToken string) error {
 	httpClient, err := util.GetRestyClientWithCustomHeaders()
 	if err != nil {
 		return err
@@ -728,7 +728,6 @@ func (tm *AgentManager) RefreshAccessToken() error {
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)
 
-	accessToken := tm.GetToken()
 	response, err := api.CallMachineIdentityRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
 	if err != nil {
 		return err
@@ -752,18 +751,37 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 			accessTokenRefreshedTime = tm.accessTokenFetchedTime
 		}
 
-		nextAccessTokenExpiresInTime := accessTokenRefreshedTime.Add(tm.accessTokenTTL - (5 * time.Second))
+		// Calculate next expiry time at 2/3 of the TTL
+		nextAccessTokenExpiresInTime := accessTokenRefreshedTime.Add(tm.accessTokenTTL * 2 / 3)
 
 		if tm.accessTokenFetchedTime.IsZero() && tm.accessTokenRefreshedTime.IsZero() {
-			// case: init login to get access token
-			log.Info().Msg("attempting to authenticate...")
-			err := tm.FetchNewAccessToken()
-			if err != nil {
-				log.Error().Msgf("unable to authenticate because %v. Will retry in 30 seconds", err)
+			// try to fetch token from sink files first
+			// if token is found, refresh the token right away and continue from there
+			isSavedTokenValid := false
+			token := tm.FetchTokenFromFiles()
+			if token != "" {
+				log.Info().Msg("found existing token in file, attempting to refresh...")
+				err := tm.RefreshAccessToken(token)
+				isSavedTokenValid = err == nil
+				if isSavedTokenValid {
+					log.Info().Msg("token refreshed successfully from saved file")
+					tm.accessTokenFetchedTime = time.Now()
+				} else {
+					log.Error().Msg("unable to refresh token from saved file")
+				}
+			}
 
-				// wait a bit before trying again
-				time.Sleep((30 * time.Second))
-				continue
+			if !isSavedTokenValid {
+				// case: init login to get access token
+				log.Info().Msg("attempting to authenticate...")
+				err := tm.FetchNewAccessToken()
+				if err != nil {
+					log.Error().Msgf("unable to authenticate because %v. Will retry in 30 seconds", err)
+
+					// wait a bit before trying again
+					time.Sleep((30 * time.Second))
+					continue
+				}
 			}
 		} else if time.Now().After(accessTokenMaxTTLExpiresInTime) {
 			// case: token has reached max ttl and we should re-authenticate entirely (cannot refresh)
@@ -779,7 +797,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 		} else {
 			// case: token ttl has expired, but the token is still within max ttl, so we can refresh
 			log.Info().Msgf("attempting to refresh existing token...")
-			err := tm.RefreshAccessToken()
+			err := tm.RefreshAccessToken(tm.GetToken())
 			if err != nil {
 				log.Error().Msgf("unable to refresh token because %v. Will retry in 30 seconds", err)
 
@@ -800,15 +818,18 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 			accessTokenRefreshedTime = tm.accessTokenRefreshedTime
 		}
 
-		nextAccessTokenExpiresInTime = accessTokenRefreshedTime.Add(tm.accessTokenTTL - (5 * time.Second))
+		// Recalculate next expiry time at 2/3 of the TTL
+		nextAccessTokenExpiresInTime = accessTokenRefreshedTime.Add(tm.accessTokenTTL * 2 / 3)
 		accessTokenMaxTTLExpiresInTime = tm.accessTokenFetchedTime.Add(tm.accessTokenMaxTTL - (5 * time.Second))
 
 		if nextAccessTokenExpiresInTime.After(accessTokenMaxTTLExpiresInTime) {
-			// case: Refreshed so close that the next refresh would occur beyond max ttl (this is because currently, token renew tries to add +access-token-ttl amount of time)
-			// example: access token ttl is 11 sec and max ttl is 30 sec. So it will start with 11 seconds, then 22 seconds but the next time you call refresh it would try to extend it to 33 but max ttl only allows 30, so the token will be valid until 30 before we need to reauth
-			time.Sleep(tm.accessTokenTTL - nextAccessTokenExpiresInTime.Sub(accessTokenMaxTTLExpiresInTime))
+			// case: Refreshed so close that the next refresh would occur beyond max ttl
+			// Sleep until we're at 2/3 of the remaining time to max TTL
+			remainingTime := accessTokenMaxTTLExpiresInTime.Sub(time.Now())
+			time.Sleep(remainingTime * 2 / 3)
 		} else {
-			time.Sleep(tm.accessTokenTTL - (5 * time.Second))
+			// Sleep until we're at 2/3 of the TTL
+			time.Sleep(tm.accessTokenTTL * 2 / 3)
 		}
 	}
 }
@@ -830,6 +851,24 @@ func (tm *AgentManager) WriteTokenToFiles() {
 	}
 }
 
+func (tm *AgentManager) FetchTokenFromFiles() string {
+	for _, sinkFile := range tm.filePaths {
+		if sinkFile.Type == "file" {
+			tokenBytes, err := ioutil.ReadFile(sinkFile.Config.Path)
+			if err != nil {
+				log.Debug().Msgf("unable to read token from file '%s' because %v", sinkFile.Config.Path, err)
+				continue
+			}
+
+			token := string(tokenBytes)
+			if token != "" {
+				return token
+			}
+		}
+	}
+	return ""
+}
+
 func (tm *AgentManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Template) {
 	if err := WriteBytesToFile(bytes, template.DestinationPath); err != nil {
 		log.Error().Msgf("template engine: unable to write secrets to path because %s. Will try again on next cycle", err)

cli/packages/cmd/dynamic_secrets.go

@@ -49,6 +49,11 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	projectSlug, err := cmd.Flags().GetString("project-slug")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	secretsPath, err := cmd.Flags().GetString("path")
 	if err != nil {
 		util.HandleError(err, "Unable to parse path flag")
@@ -60,10 +65,10 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to get resty client with custom headers")
 	}
 
-	if projectId == "" {
+	if projectId == "" && projectSlug == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
-			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project or pass in project id with --projectId flag")
+			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project, pass in project slug with --project-slug flag, or pass in project id with --projectId flag")
 		}
 		projectId = workspaceFile.WorkspaceId
 	}
@@ -100,13 +105,16 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
-	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
-	if err != nil {
-		util.HandleError(err, "To fetch project details")
+	if projectSlug == "" {
+		projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+		if err != nil {
+			util.HandleError(err, "To fetch project details")
+		}
+		projectSlug = projectDetails.Slug
 	}
 
 	dynamicSecretRootCredentials, err := infisicalClient.DynamicSecrets().List(infisicalSdk.ListDynamicSecretsRootCredentialsOptions{
-		ProjectSlug:     projectDetails.Slug,
+		ProjectSlug:     projectSlug,
 		SecretPath:      secretsPath,
 		EnvironmentSlug: environmentName,
 	})
@@ -156,6 +164,11 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	projectSlug, err := cmd.Flags().GetString("project-slug")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	ttl, err := cmd.Flags().GetString("ttl")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
@@ -177,10 +190,10 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to get resty client with custom headers")
 	}
 
-	if projectId == "" {
+	if projectId == "" && projectSlug == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
-			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project or pass in project id with --projectId flag")
+			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project, pass in project id with --projectId flag, or pass in project slug with --project-slug flag")
 		}
 		projectId = workspaceFile.WorkspaceId
 	}
@@ -216,14 +229,17 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
-	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
-	if err != nil {
-		util.HandleError(err, "To fetch project details")
+	if projectSlug == "" {
+		projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+		if err != nil {
+			util.HandleError(err, "To fetch project details")
+		}
+		projectSlug = projectDetails.Slug
 	}
 
 	dynamicSecretRootCredential, err := infisicalClient.DynamicSecrets().GetByName(infisicalSdk.GetDynamicSecretRootCredentialByNameOptions{
 		DynamicSecretName: dynamicSecretRootCredentialName,
-		ProjectSlug:       projectDetails.Slug,
+		ProjectSlug:       projectSlug,
 		SecretPath:        secretsPath,
 		EnvironmentSlug:   environmentName,
 	})
@@ -232,13 +248,26 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "To fetch dynamic secret root credentials details")
 	}
 
+	// for Kubernetes dynamic secrets only
+	kubernetesNamespace, err := cmd.Flags().GetString("kubernetes-namespace")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	config := map[string]any{}
+	if kubernetesNamespace != "" {
+		config["namespace"] = kubernetesNamespace
+	}
+
 	leaseCredentials, _, leaseDetails, err := infisicalClient.DynamicSecrets().Leases().Create(infisicalSdk.CreateDynamicSecretLeaseOptions{
 		DynamicSecretName: dynamicSecretRootCredential.Name,
-		ProjectSlug:       projectDetails.Slug,
+		ProjectSlug:       projectSlug,
 		TTL:               ttl,
 		SecretPath:        secretsPath,
 		EnvironmentSlug:   environmentName,
+		Config:            config,
 	})
+
 	if err != nil {
 		util.HandleError(err, "To lease dynamic secret")
 	}
@@ -291,6 +320,11 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	projectSlug, err := cmd.Flags().GetString("project-slug")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	ttl, err := cmd.Flags().GetString("ttl")
 	if err != nil {
 		util.HandleError(err, "Unable to parse flag")
@@ -307,10 +341,10 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to get resty client with custom headers")
 	}
 
-	if projectId == "" {
+	if projectId == "" && projectSlug == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
-			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project or pass in project id with --projectId flag")
+			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project, pass in project slug with --project-slug flag, or pass in project id with --projectId flag")
 		}
 		projectId = workspaceFile.WorkspaceId
 	}
@@ -347,9 +381,12 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
-	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
-	if err != nil {
-		util.HandleError(err, "To fetch project details")
+	if projectSlug == "" {
+		projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+		if err != nil {
+			util.HandleError(err, "To fetch project details")
+		}
+		projectSlug = projectDetails.Slug
 	}
 
 	if err != nil {
@@ -357,7 +394,7 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	leaseDetails, err := infisicalClient.DynamicSecrets().Leases().RenewById(infisicalSdk.RenewDynamicSecretLeaseOptions{
-		ProjectSlug:     projectDetails.Slug,
+		ProjectSlug:     projectSlug,
 		TTL:             ttl,
 		SecretPath:      secretsPath,
 		EnvironmentSlug: environmentName,
@@ -403,6 +440,11 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	projectSlug, err := cmd.Flags().GetString("project-slug")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	secretsPath, err := cmd.Flags().GetString("path")
 	if err != nil {
 		util.HandleError(err, "Unable to parse path flag")
@@ -414,10 +456,10 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to get resty client with custom headers")
 	}
 
-	if projectId == "" {
+	if projectId == "" && projectSlug == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
-			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project or pass in project id with --projectId flag")
+			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project, pass in project slug with --project-slug flag, or pass in project id with --projectId flag")
 		}
 		projectId = workspaceFile.WorkspaceId
 	}
@@ -454,9 +496,12 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
-	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
-	if err != nil {
-		util.HandleError(err, "To fetch project details")
+	if projectSlug == "" {
+		projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+		if err != nil {
+			util.HandleError(err, "To fetch project details")
+		}
+		projectSlug = projectDetails.Slug
 	}
 
 	if err != nil {
@@ -464,11 +509,12 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	leaseDetails, err := infisicalClient.DynamicSecrets().Leases().DeleteById(infisicalSdk.DeleteDynamicSecretLeaseOptions{
-		ProjectSlug:     projectDetails.Slug,
+		ProjectSlug:     projectSlug,
 		SecretPath:      secretsPath,
 		EnvironmentSlug: environmentName,
 		LeaseId:         dynamicSecretLeaseId,
 	})
+
 	if err != nil {
 		util.HandleError(err, "To revoke  dynamic secret lease")
 	}
@@ -509,6 +555,11 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	projectSlug, err := cmd.Flags().GetString("project-slug")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	secretsPath, err := cmd.Flags().GetString("path")
 	if err != nil {
 		util.HandleError(err, "Unable to parse path flag")
@@ -520,10 +571,10 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to get resty client with custom headers")
 	}
 
-	if projectId == "" {
+	if projectId == "" && projectSlug == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
-			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project or pass in project id with --projectId flag")
+			util.PrintErrorMessageAndExit("Please either run infisical init to connect to a project, pass in project slug with --project-slug flag, or pass in project id with --projectId flag")
 		}
 		projectId = workspaceFile.WorkspaceId
 	}
@@ -559,14 +610,17 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
-	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
-	if err != nil {
-		util.HandleError(err, "To fetch project details")
+	if projectSlug == "" {
+		projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+		if err != nil {
+			util.HandleError(err, "To fetch project details")
+		}
+		projectSlug = projectDetails.Slug
 	}
 
 	dynamicSecretLeases, err := infisicalClient.DynamicSecrets().Leases().List(infisicalSdk.ListDynamicSecretLeasesOptions{
 		DynamicSecretName: dynamicSecretRootCredentialName,
-		ProjectSlug:       projectDetails.Slug,
+		ProjectSlug:       projectSlug,
 		SecretPath:        secretsPath,
 		EnvironmentSlug:   environmentName,
 	})
@@ -583,30 +637,39 @@ func init() {
 	dynamicSecretLeaseCreateCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
 	dynamicSecretLeaseCreateCmd.Flags().String("token", "", "Create dynamic secret leases using machine identity access token")
 	dynamicSecretLeaseCreateCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseCreateCmd.Flags().String("project-slug", "", "Manually set the project-slug to create lease in")
 	dynamicSecretLeaseCreateCmd.Flags().String("ttl", "", "The lease lifetime TTL. If not provided the default TTL of dynamic secret will be used.")
 	dynamicSecretLeaseCreateCmd.Flags().Bool("plain", false, "Print leased credentials without formatting, one per line")
+
+	// Kubernetes specific flags
+	dynamicSecretLeaseCreateCmd.Flags().String("kubernetes-namespace", "", "The namespace to create the lease in. Only used for Kubernetes dynamic secrets.")
+
 	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseCreateCmd)
 
 	dynamicSecretLeaseListCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
 	dynamicSecretLeaseListCmd.Flags().String("token", "", "Fetch dynamic secret leases machine identity access token")
 	dynamicSecretLeaseListCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseListCmd.Flags().String("project-slug", "", "Manually set the project-slug to list leases from")
 	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseListCmd)
 
 	dynamicSecretLeaseRenewCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
 	dynamicSecretLeaseRenewCmd.Flags().String("token", "", "Renew dynamic secrets machine identity access token")
 	dynamicSecretLeaseRenewCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseRenewCmd.Flags().String("project-slug", "", "Manually set the project-slug to renew lease in")
 	dynamicSecretLeaseRenewCmd.Flags().String("ttl", "", "The lease lifetime TTL. If not provided the default TTL of dynamic secret will be used.")
 	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseRenewCmd)
 
 	dynamicSecretLeaseRevokeCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
 	dynamicSecretLeaseRevokeCmd.Flags().String("token", "", "Delete dynamic secrets using machine identity access token")
 	dynamicSecretLeaseRevokeCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseRevokeCmd.Flags().String("project-slug", "", "Manually set the project-slug to revoke lease from")
 	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseRevokeCmd)
 
 	dynamicSecretCmd.AddCommand(dynamicSecretLeaseCmd)
 
 	dynamicSecretCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	dynamicSecretCmd.Flags().String("projectId", "", "Manually set the projectId to fetch dynamic-secret when using machine identity based auth")
+	dynamicSecretCmd.Flags().String("project-slug", "", "Manually set the project-slug to fetch dynamic-secret from")
 	dynamicSecretCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
 	dynamicSecretCmd.Flags().String("path", "/", "get dynamic secret within a folder path")
 	rootCmd.AddCommand(dynamicSecretCmd)