feat: added project data key

Merge pull request #2137 from Infisical/maidul-dewfewfqwef
Address vanta postcss update
2025-08-24 20:43:19 +00:00 · 2024-07-17 23:19:32 +08:00 · 2024-07-16 21:46:14 -04:00 · 2024-07-16 21:44:33 -04:00 · 2024-07-17 00:51:51 +08:00 · 2024-07-16 12:09:50 -04:00
58 changed files with 567 additions and 255 deletions
--- a/backend/src/db/migrations/20240715113110_org-membership-active-status.ts
+++ b/backend/src/db/migrations/20240715113110_org-membership-active-status.ts
@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.boolean("isActive").notNullable().defaultTo(true);
+      if (doesUserIdExist && doesOrgIdExist) t.index(["userId", "orgId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.dropColumn("isActive");
+      if (doesUserIdExist && doesOrgIdExist) t.dropIndex(["userId", "orgId"]);
+    });
+  }
+}
--- a/backend/src/db/migrations/20240717114407_add-project-data-key.ts
+++ b/backend/src/db/migrations/20240717114407_add-project-data-key.ts
@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmsSecretManagerEncryptedDataKey = await knex.schema.hasColumn(
+    TableName.Project,
+    "kmsSecretManagerEncryptedDataKey"
+  );
+
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (!hasKmsSecretManagerEncryptedDataKey) {
+      tb.binary("kmsSecretManagerEncryptedDataKey");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmsSecretManagerEncryptedDataKey = await knex.schema.hasColumn(
+    TableName.Project,
+    "kmsSecretManagerEncryptedDataKey"
+  );
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (hasKmsSecretManagerEncryptedDataKey) {
+      t.dropColumn("kmsSecretManagerEncryptedDataKey");
+    }
+  });
+}
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@@ -17,7 +17,8 @@ export const OrgMembershipsSchema = z.object({
  userId: z.string().uuid().nullable().optional(),
  orgId: z.string().uuid(),
  roleId: z.string().uuid().nullable().optional(),
-  projectFavorites: z.string().array().nullable().optional()
+  projectFavorites: z.string().array().nullable().optional(),
+  isActive: z.boolean()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const ProjectsSchema = z.object({
@@ -20,7 +22,8 @@ export const ProjectsSchema = z.object({
  pitVersionLimit: z.number().default(10),
  kmsCertificateKeyId: z.string().uuid().nullable().optional(),
  auditLogsRetentionDays: z.number().nullable().optional(),
-  kmsSecretManagerKeyId: z.string().uuid().nullable().optional()
+  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
+  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional()
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/seeds/2-org.ts
+++ b/backend/src/db/seeds/2-org.ts
@@ -29,7 +29,8 @@ export async function seed(knex: Knex): Promise<void> {
      role: OrgMembershipRole.Admin,
      orgId: org.id,
      status: OrgMembershipStatus.Accepted,
-      userId: user.id
+      userId: user.id,
+      isActive: true
    }
  ]);
 }
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@@ -39,7 +39,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        slug: z.string().min(1).trim().optional(),
+        slug: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().min(1).trim().optional(),
        provider: ExternalKmsInputSchema
      }),
@@ -75,7 +75,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        id: z.string().trim().min(1)
      }),
      body: z.object({
-        slug: z.string().min(1).trim().optional(),
+        slug: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().min(1).trim().optional(),
        provider: ExternalKmsInputUpdateSchema
      }),
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -186,7 +186,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            })
          ),
          displayName: z.string().trim(),
-          active: z.boolean()
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
        })
      }
    },
@@ -572,7 +578,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            })
          ),
          displayName: z.string().trim(),
-          active: z.boolean()
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
        })
      }
    },
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@@ -52,7 +52,7 @@ export const externalKmsServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());

    let sanitizedProviderInput = "";
    switch (provider.type) {
--- a/backend/src/ee/services/group/user-group-membership-dal.ts
+++ b/backend/src/ee/services/group/user-group-membership-dal.ts
@@ -162,11 +162,26 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
    }
  };

+  const findUserGroupMembershipsInOrg = async (userId: string, orgId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.UserGroupMembership)
+        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .where(`${TableName.UserGroupMembership}.userId`, userId)
+        .where(`${TableName.Groups}.orgId`, orgId);
+
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findTest" });
+    }
+  };
+
  return {
    ...userGroupMembershipOrm,
    filterProjectsByUserMembership,
    findUserGroupMembershipsInProject,
    findGroupMembersNotInProject,
-    deletePendingUserGroupMembershipsByUserIds
+    deletePendingUserGroupMembershipsByUserIds,
+    findUserGroupMembershipsInOrg
  };
 };
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -449,7 +449,8 @@ export const ldapConfigServiceFactory = ({
              userId: userAlias.userId,
              orgId,
              role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
+              status: OrgMembershipStatus.Accepted,
+              isActive: true
            },
            tx
          );
@@ -534,7 +535,8 @@ export const ldapConfigServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -193,7 +193,8 @@ export const oidcConfigServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
@@ -266,7 +267,8 @@ export const oidcConfigServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -370,7 +370,8 @@ export const samlConfigServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
@@ -457,7 +458,8 @@ export const samlConfigServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
--- a/backend/src/ee/services/scim/scim-fns.ts
+++ b/backend/src/ee/services/scim/scim-fns.ts
@@ -32,12 +32,19 @@ export const parseScimFilter = (filterToParse: string | undefined) => {
  return { [attributeName]: parsedValue.replace(/"/g, "") };
 };

+export function extractScimValueFromPath(path: string): string | null {
+  const regex = /members\[value eq "([^"]+)"\]/;
+  const match = path.match(regex);
+  return match ? match[1] : null;
+}
+
 export const buildScimUser = ({
  orgMembershipId,
  username,
  email,
  firstName,
  lastName,
+  groups = [],
  active
 }: {
  orgMembershipId: string;
@@ -45,6 +52,10 @@ export const buildScimUser = ({
  email?: string | null;
  firstName: string;
  lastName: string;
+  groups?: {
+    value: string;
+    display: string;
+  }[];
  active: boolean;
 }): TScimUser => {
  const scimUser = {
@@ -67,7 +78,7 @@ export const buildScimUser = ({
        ]
      : [],
    active,
-    groups: [],
+    groups,
    meta: {
      resourceType: "User",
      location: null
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -30,7 +30,14 @@ import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList, parseScimFilter } from "./scim-fns";
+import {
+  buildScimGroup,
+  buildScimGroupList,
+  buildScimUser,
+  buildScimUserList,
+  extractScimValueFromPath,
+  parseScimFilter
+} from "./scim-fns";
 import {
  TCreateScimGroupDTO,
  TCreateScimTokenDTO,
@@ -61,7 +68,7 @@ type TScimServiceFactoryDep = {
    TOrgDALFactory,
    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
  >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById" | "findById">;
  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
  groupDAL: Pick<
@@ -71,7 +78,12 @@ type TScimServiceFactoryDep = {
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  userGroupMembershipDAL: Pick<
    TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
+    | "find"
+    | "transaction"
+    | "insertMany"
+    | "filterProjectsByUserMembership"
+    | "delete"
+    | "findUserGroupMembershipsInOrg"
  >;
  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@@ -197,14 +209,14 @@ export const scimServiceFactory = ({
      findOpts
    );

-    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email, isActive }) =>
      buildScimUser({
        orgMembershipId: id ?? "",
        username: externalId ?? username,
        firstName: firstName ?? "",
        lastName: lastName ?? "",
        email,
-        active: true
+        active: isActive
      })
    );

@@ -240,13 +252,19 @@ export const scimServiceFactory = ({
        status: 403
      });

+    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+
    return buildScimUser({
      orgMembershipId: membership.id,
      username: membership.externalId ?? membership.username,
      email: membership.email ?? "",
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
-      active: true
+      active: membership.isActive,
+      groups: groupMembershipsInOrg.map((group) => ({
+        value: group.groupId,
+        display: group.name
+      }))
    });
  };

@@ -296,7 +314,8 @@ export const scimServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
@@ -364,7 +383,8 @@ export const scimServiceFactory = ({
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
            },
            tx
          );
@@ -401,7 +421,7 @@ export const scimServiceFactory = ({
      firstName: createdUser.firstName as string,
      lastName: createdUser.lastName as string,
      email: createdUser.email ?? "",
-      active: true
+      active: createdOrgMembership.isActive
    });
  };

@@ -445,14 +465,8 @@ export const scimServiceFactory = ({
    });

    if (!active) {
-      await deleteOrgMembershipFn({
-        orgMembershipId: membership.id,
-        orgId: membership.orgId,
-        orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
+      await orgMembershipDAL.updateById(membership.id, {
+        isActive: false
      });
    }

@@ -491,17 +505,11 @@ export const scimServiceFactory = ({
        status: 403
      });

-    if (!active) {
-      await deleteOrgMembershipFn({
-        orgMembershipId: membership.id,
-        orgId: membership.orgId,
-        orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
-      });
-    }
+    await orgMembershipDAL.updateById(membership.id, {
+      isActive: active
+    });
+
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);

    return buildScimUser({
      orgMembershipId: membership.id,
@@ -509,7 +517,11 @@ export const scimServiceFactory = ({
      email: membership.email,
      firstName: membership.firstName as string,
      lastName: membership.lastName as string,
-      active
+      active,
+      groups: groupMembershipsInOrg.map((group) => ({
+        value: group.groupId,
+        display: group.name
+      }))
    });
  };

@@ -881,7 +893,18 @@ export const scimServiceFactory = ({
          break;
        }
        case "remove": {
-          // TODO
+          const orgMembershipId = extractScimValueFromPath(operation.path);
+          if (!orgMembershipId) throw new ScimRequestError({ detail: "Invalid path value", status: 400 });
+          const orgMembership = await orgMembershipDAL.findById(orgMembershipId);
+          if (!orgMembership) throw new ScimRequestError({ detail: "Org Membership Not Found", status: 400 });
+          await removeUsersFromGroupByUserIds({
+            group,
+            userIds: [orgMembership.userId as string],
+            userDAL,
+            userGroupMembershipDAL,
+            groupProjectDAL,
+            projectKeyDAL
+          });
          break;
        }
        default: {
--- a/backend/src/ee/services/scim/scim-types.ts
+++ b/backend/src/ee/services/scim/scim-types.ts
@@ -158,7 +158,10 @@ export type TScimUser = {
    type: string;
  }[];
  active: boolean;
-  groups: string[];
+  groups: {
+    value: string;
+    display: string;
+  }[];
  meta: {
    resourceType: string;
    location: null;
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -6,7 +6,11 @@ export type TKeyStoreFactory = ReturnType<typeof keyStoreFactory>;

 // all the key prefixes used must be set here to avoid conflict
 export enum KeyStorePrefixes {
-  SecretReplication = "secret-replication-import-lock"
+  SecretReplication = "secret-replication-import-lock",
+  KmsProjectDataKeyCreation = "kms-project-data-key-creation-lock",
+  KmsProjectKeyCreation = "kms-project-key-creation-lock",
+  WaitUntilReadyKmsProjectDataKeyCreation = "wait-until-ready-kms-project-data-key-creation-",
+  WaitUntilReadyKmsProjectKeyCreation = "wait-until-ready-kms-project-key-creation-"
 }

 type TWaitTillReady = {
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -515,6 +515,9 @@ export const FOLDERS = {
    path: "The path to list folders from.",
    directory: "The directory to list folders from. (Deprecated in favor of path)"
  },
+  GET_BY_ID: {
+    folderId: "The id of the folder to get details."
+  },
  CREATE: {
    workspaceId: "The ID of the project to create the folder in.",
    environment: "The slug of the environment to create the folder in.",
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -345,7 +345,7 @@ export const registerRoutes = async (
    permissionService,
    secretApprovalPolicyDAL
  });
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });

  const samlService = samlConfigServiceFactory({
    permissionService,
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -292,4 +292,39 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      return { folders };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get folder by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().trim().describe(FOLDERS.GET_BY_ID.folderId)
+      }),
+      response: {
+        200: z.object({
+          folder: SecretFoldersSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const folder = await server.services.folder.getFolderById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { folder };
+    }
+  });
 };
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@@ -4,7 +4,8 @@ import bcrypt from "bcrypt";

 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";

 import { AuthModeJwtTokenPayload } from "../auth/auth-type";
 import { TUserDALFactory } from "../user/user-dal";
@@ -14,6 +15,7 @@ import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenFo
 type TAuthTokenServiceFactoryDep = {
  tokenDAL: TTokenDALFactory;
  userDAL: Pick<TUserDALFactory, "findById" | "transaction">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOne">;
 };

 export type TAuthTokenServiceFactory = ReturnType<typeof tokenServiceFactory>;
@@ -67,7 +69,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
  }
 };

-export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFactoryDep) => {
+export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAuthTokenServiceFactoryDep) => {
  const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
    const { token, ...tkCfg } = getTokenConfig(type);
    const appCfg = getConfig();
@@ -154,6 +156,16 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFact
    const user = await userDAL.findById(session.userId);
    if (!user || !user.isAccepted) throw new UnauthorizedError({ name: "Token user not found" });

+    if (token.organizationId) {
+      const orgMembership = await orgMembershipDAL.findOne({
+        userId: user.id,
+        orgId: token.organizationId
+      });
+
+      if (!orgMembership) throw new ForbiddenRequestError({ message: "User not member of organization" });
+      if (!orgMembership.isActive) throw new ForbiddenRequestError({ message: "User not active in organization" });
+    }
+
    return { user, tokenVersionId: token.tokenVersionId, orgId: token.organizationId };
  };

--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -78,7 +78,10 @@ export const identityAwsAuthServiceFactory = ({
        .map((accountId) => accountId.trim())
        .some((accountId) => accountId === Account);

-      if (!isAccountAllowed) throw new UnauthorizedError();
+      if (!isAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS account ID not allowed."
+        });
    }

    if (identityAwsAuth.allowedPrincipalArns) {
@@ -94,7 +97,10 @@ export const identityAwsAuthServiceFactory = ({
          return regex.test(extractPrincipalArn(Arn));
        });

-      if (!isArnAllowed) throw new UnauthorizedError();
+      if (!isArnAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS principal ARN not allowed."
+        });
    }

    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts
@@ -17,6 +17,7 @@ export const validateAzureIdentity = async ({
  const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/keys`;

  const decodedJwt = jwt.decode(azureJwt, { complete: true }) as TDecodedAzureAuthJwt;
+
  const { kid } = decodedJwt.header;

  const { data }: { data: TAzureJwksUriResponse } = await axios.get(jwksUri);
@@ -27,6 +28,13 @@ export const validateAzureIdentity = async ({

  const publicKey = `-----BEGIN CERTIFICATE-----\n${signingKey.x5c[0]}\n-----END CERTIFICATE-----`;

+  // Case: This can happen when the user uses a custom resource (such as https://management.azure.com&client_id=value).
+  // In this case, the audience in the decoded JWT will not have a trailing slash, but the resource will.
+  if (!decodedJwt.payload.aud.endsWith("/") && resource.endsWith("/")) {
+    // eslint-disable-next-line no-param-reassign
+    resource = resource.slice(0, -1);
+  }
+
  return jwt.verify(azureJwt, publicKey, {
    audience: resource,
    issuer: `https://sts.windows.net/${tenantId}/`
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -81,7 +81,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((serviceAccount) => serviceAccount.trim())
        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);

-      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+      if (!isServiceAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP service account not allowed."
+        });
    }

    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
@@ -92,7 +95,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((project) => project.trim())
        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);

-      if (!isProjectAllowed) throw new UnauthorizedError();
+      if (!isProjectAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP project not allowed."
+        });
    }

    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
@@ -101,7 +107,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((zone) => zone.trim())
        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);

-      if (!isZoneAllowed) throw new UnauthorizedError();
+      if (!isZoneAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP zone not allowed."
+        });
    }

    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -139,7 +139,10 @@ export const identityKubernetesAuthServiceFactory = ({
        .map((namespace) => namespace.trim())
        .some((namespace) => namespace === targetNamespace);

-      if (!isNamespaceAllowed) throw new UnauthorizedError();
+      if (!isNamespaceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s namespace not allowed."
+        });
    }

    if (identityKubernetesAuth.allowedNames) {
@@ -150,7 +153,10 @@ export const identityKubernetesAuthServiceFactory = ({
        .map((name) => name.trim())
        .some((name) => name === targetName);

-      if (!isNameAllowed) throw new UnauthorizedError();
+      if (!isNameAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s name not allowed."
+        });
    }

    if (identityKubernetesAuth.allowedAudience) {
@@ -159,7 +165,10 @@ export const identityKubernetesAuthServiceFactory = ({
        (audience) => audience === identityKubernetesAuth.allowedAudience
      );

-      if (!isAudienceAllowed) throw new UnauthorizedError();
+      if (!isAudienceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s audience not allowed."
+        });
    }

    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -124,13 +124,17 @@ export const identityOidcAuthServiceFactory = ({

    if (identityOidcAuth.boundSubject) {
      if (tokenData.sub !== identityOidcAuth.boundSubject) {
-        throw new UnauthorizedError();
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC subject not allowed."
+        });
      }
    }

    if (identityOidcAuth.boundAudiences) {
      if (!identityOidcAuth.boundAudiences.split(", ").includes(tokenData.aud)) {
-        throw new UnauthorizedError();
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC audience not allowed."
+        });
      }
    }

@@ -139,7 +143,9 @@ export const identityOidcAuthServiceFactory = ({
        const claimValue = (identityOidcAuth.boundClaims as Record<string, string>)[claimKey];
        // handle both single and multi-valued claims
        if (!claimValue.split(", ").some((claimEntry) => tokenData[claimKey] === claimEntry)) {
-          throw new UnauthorizedError();
+          throw new ForbiddenRequestError({
+            message: "Access denied: OIDC claim not allowed."
+          });
        }
      });
    }
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";

-import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
 import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
@@ -56,15 +56,18 @@ export const kmsServiceFactory = ({
    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
    const kmsKeyMaterial = randomSecureBytes(32);
    const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
-    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
    const dbQuery = async (db: Knex) => {
-      const kmsDoc = await kmsDAL.create({
-        slug: sanitizedSlug,
-        orgId,
-        isReserved
-      });
+      const kmsDoc = await kmsDAL.create(
+        {
+          slug: sanitizedSlug,
+          orgId,
+          isReserved
+        },
+        db
+      );

-      const { encryptedKey, ...doc } = await internalKmsDAL.create(
+      await internalKmsDAL.create(
        {
          version: 1,
          encryptedKey: encryptedKeyMaterial,
@@ -73,7 +76,7 @@ export const kmsServiceFactory = ({
        },
        db
      );
-      return doc;
+      return kmsDoc;
    };
    if (tx) return dbQuery(tx);
    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
@@ -164,35 +167,120 @@ export const kmsServiceFactory = ({
  };

  const getProjectSecretManagerKmsKeyId = async (projectId: string) => {
-    const keyId = await projectDAL.transaction(async (tx) => {
-      const project = await projectDAL.findById(projectId, tx);
-      if (!project) {
-        throw new BadRequestError({ message: "Project not found" });
+    let project = await projectDAL.findById(projectId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    if (!project.kmsSecretManagerKeyId) {
+      // create default kms key for certificate service
+      const lock = await keyStore
+        .acquireLock([KeyStorePrefixes.KmsProjectKeyCreation, projectId], 3000, { retryCount: 3 })
+        .catch(() => null);
+
+      try {
+        if (!lock) {
+          await keyStore.waitTillReady({
+            key: `${KeyStorePrefixes.WaitUntilReadyKmsProjectKeyCreation}${projectId}`,
+            keyCheckCb: (val) => val === "true",
+            waitingCb: () => logger.info("KMS. Waiting for project key to be created")
+          });
+
+          project = await projectDAL.findById(projectId);
+        } else {
+          const kmsKeyId = await projectDAL.transaction(async (tx) => {
+            const key = await generateKmsKey({
+              isReserved: true,
+              orgId: project.orgId,
+              tx
+            });
+
+            await projectDAL.updateById(
+              projectId,
+              {
+                kmsSecretManagerKeyId: key.id
+              },
+              tx
+            );
+
+            return key.id;
+          });
+
+          await keyStore.setItemWithExpiry(
+            `${KeyStorePrefixes.WaitUntilReadyKmsProjectKeyCreation}${projectId}`,
+            10,
+            "true"
+          );
+
+          return kmsKeyId;
+        }
+      } finally {
+        await lock?.release();
      }
+    }

-      if (!project.kmsSecretManagerKeyId) {
-        // create default kms key for certificate service
-        const key = await generateKmsKey({
-          isReserved: true,
-          orgId: project.orgId,
-          tx
-        });
+    if (!project.kmsSecretManagerKeyId) {
+      throw new Error("Missing project KMS key ID");
+    }

-        await projectDAL.updateById(
-          projectId,
-          {
-            kmsSecretManagerKeyId: key.id
-          },
-          tx
-        );
+    return project.kmsSecretManagerKeyId;
+  };

-        return key.id;
+  const getProjectSecretManagerKmsDataKey = async (projectId: string) => {
+    const kmsKeyId = await getProjectSecretManagerKmsKeyId(projectId);
+    let project = await projectDAL.findById(projectId);
+
+    if (!project.kmsSecretManagerEncryptedDataKey) {
+      const lock = await keyStore
+        .acquireLock([KeyStorePrefixes.KmsProjectDataKeyCreation, projectId], 3000, { retryCount: 3 })
+        .catch(() => null);
+
+      try {
+        if (!lock) {
+          await keyStore.waitTillReady({
+            key: `${KeyStorePrefixes.WaitUntilReadyKmsProjectDataKeyCreation}${projectId}`,
+            keyCheckCb: (val) => val === "true",
+            waitingCb: () => logger.info("KMS. Waiting for project data key to be created")
+          });
+
+          project = await projectDAL.findById(projectId);
+        } else {
+          const dataKey = randomSecureBytes();
+          const kmsEncryptor = await encryptWithKmsKey({
+            kmsId: kmsKeyId
+          });
+
+          const { cipherTextBlob } = kmsEncryptor({
+            plainText: dataKey
+          });
+
+          await projectDAL.updateById(projectId, {
+            kmsSecretManagerEncryptedDataKey: cipherTextBlob
+          });
+
+          await keyStore.setItemWithExpiry(
+            `${KeyStorePrefixes.WaitUntilReadyKmsProjectDataKeyCreation}${projectId}`,
+            10,
+            "true"
+          );
+          return dataKey;
+        }
+      } finally {
+        await lock?.release();
      }
+    }

-      return project.kmsSecretManagerKeyId;
+    if (!project.kmsSecretManagerEncryptedDataKey) {
+      throw new Error("Missing project data key");
+    }
+
+    const kmsDecryptor = await decryptWithKmsKey({
+      kmsId: kmsKeyId
    });

-    return keyId;
+    return kmsDecryptor({
+      cipherTextBlob: project.kmsSecretManagerEncryptedDataKey
+    });
  };

  const startService = async () => {
@@ -248,6 +336,7 @@ export const kmsServiceFactory = ({
    decryptWithKmsKey,
    decryptWithInputKey,
    getOrgKmsKeyId,
-    getProjectSecretManagerKmsKeyId
+    getProjectSecretManagerKmsKeyId,
+    getProjectSecretManagerKmsDataKey
  };
 };
--- a/backend/src/services/org/org-dal.ts
+++ b/backend/src/services/org/org-dal.ts
@@ -74,6 +74,7 @@ export const orgDALFactory = (db: TDbClient) => {
          db.ref("role").withSchema(TableName.OrgMembership),
          db.ref("roleId").withSchema(TableName.OrgMembership),
          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("isActive").withSchema(TableName.OrgMembership),
          db.ref("email").withSchema(TableName.Users),
          db.ref("username").withSchema(TableName.Users),
          db.ref("firstName").withSchema(TableName.Users),
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -204,7 +204,8 @@ export const orgServiceFactory = ({
      orgId,
      userId: user.id,
      role: OrgMembershipRole.Admin,
-      status: OrgMembershipStatus.Accepted
+      status: OrgMembershipStatus.Accepted,
+      isActive: true
    };

    await orgDAL.createMembership(createMembershipData, tx);
@@ -308,7 +309,8 @@ export const orgServiceFactory = ({
          userId,
          orgId: org.id,
          role: OrgMembershipRole.Admin,
-          status: OrgMembershipStatus.Accepted
+          status: OrgMembershipStatus.Accepted,
+          isActive: true
        },
        tx
      );
@@ -457,7 +459,8 @@ export const orgServiceFactory = ({
              inviteEmail: inviteeEmail,
              orgId,
              role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Invited
+              status: OrgMembershipStatus.Invited,
+              isActive: true
            },
            tx
          );
@@ -488,7 +491,8 @@ export const orgServiceFactory = ({
          orgId,
          userId: user.id,
          role: OrgMembershipRole.Member,
-          status: OrgMembershipStatus.Invited
+          status: OrgMembershipStatus.Invited,
+          isActive: true
        },
        tx
      );
--- a/backend/src/services/secret-folder/secret-folder-dal.ts
+++ b/backend/src/services/secret-folder/secret-folder-dal.ts
@@ -322,7 +322,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
        .first();
      if (folder) {
        const { envId, envName, envSlug, ...el } = folder;
-        return { ...el, environment: { envId, envName, envSlug } };
+        return { ...el, environment: { envId, envName, envSlug }, envId };
      }
    } catch (error) {
      throw new DatabaseError({ error, name: "Find by id" });
--- a/backend/src/services/secret-folder/secret-folder-service.ts
+++ b/backend/src/services/secret-folder/secret-folder-service.ts
@@ -6,7 +6,7 @@ import { TSecretFoldersInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";

 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
@@ -14,6 +14,7 @@ import { TSecretFolderDALFactory } from "./secret-folder-dal";
 import {
  TCreateFolderDTO,
  TDeleteFolderDTO,
+  TGetFolderByIdDTO,
  TGetFolderDTO,
  TUpdateFolderDTO,
  TUpdateManyFoldersDTO
@@ -368,11 +369,22 @@ export const secretFolderServiceFactory = ({
    return folders;
  };

+  const getFolderById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id }: TGetFolderByIdDTO) => {
+    const folder = await folderDAL.findById(id);
+    if (!folder) throw new NotFoundError({ message: "folder not found" });
+    // folder list is allowed to be read by anyone
+    // permission to check does user has access
+    await permissionService.getProjectPermission(actor, actorId, folder.projectId, actorAuthMethod, actorOrgId);
+
+    return folder;
+  };
+
  return {
    createFolder,
    updateFolder,
    updateManyFolders,
    deleteFolder,
-    getFolders
+    getFolders,
+    getFolderById
  };
 };
--- a/backend/src/services/secret-folder/secret-folder-types.ts
+++ b/backend/src/services/secret-folder/secret-folder-types.ts
@@ -37,3 +37,7 @@ export type TGetFolderDTO = {
  environment: string;
  path: string;
 } & TProjectPermission;
+
+export type TGetFolderByIdDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.2.0
+	github.com/infisical/go-sdk v0.3.0
 	github.com/mattn/go-isatty v0.0.14
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -263,8 +263,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.2.0 h1:n1/KNdYpeQavSqVwC9BfeV8VRzf3N2X9zO1tzQOSj5Q=
-github.com/infisical/go-sdk v0.2.0/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
+github.com/infisical/go-sdk v0.3.0 h1:Ls71t227F4CWVQWdStcwv8WDyfHe8eRlyAuMRNHsmlQ=
+github.com/infisical/go-sdk v0.3.0/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
--- a/cli/packages/cmd/login.go
+++ b/cli/packages/cmd/login.go
@@ -122,6 +122,21 @@ func handleAwsIamAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.Infi
 	return infisicalClient.Auth().AwsIamAuthLogin(identityId)
 }

+func handleOidcAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	jwt, err := util.GetCmdFlagOrEnv(cmd, "oidc-jwt", util.INFISICAL_OIDC_AUTH_JWT_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().OidcAuthLogin(identityId, jwt)
+}
+
 func formatAuthMethod(authMethod string) string {
 	return strings.ReplaceAll(authMethod, "-", " ")
 }
@@ -257,6 +272,7 @@ var loginCmd = &cobra.Command{
 				util.AuthStrategy.GCP_ID_TOKEN_AUTH: handleGcpIdTokenAuthLogin,
 				util.AuthStrategy.GCP_IAM_AUTH:      handleGcpIamAuthLogin,
 				util.AuthStrategy.AWS_IAM_AUTH:      handleAwsIamAuthLogin,
+				util.AuthStrategy.OIDC_AUTH:         handleOidcAuthLogin,
 			}

 			credential, err := authStrategies[strategy](cmd, infisicalClient)
@@ -456,6 +472,7 @@ func init() {
 	loginCmd.Flags().String("machine-identity-id", "", "machine identity id for kubernetes, azure, gcp-id-token, gcp-iam, and aws-iam auth methods")
 	loginCmd.Flags().String("service-account-token-path", "", "service account token path for kubernetes auth")
 	loginCmd.Flags().String("service-account-key-file-path", "", "service account key file path for GCP IAM auth")
+	loginCmd.Flags().String("oidc-jwt", "", "JWT for OIDC authentication")
 }

 func DomainOverridePrompt() (bool, error) {
@@ -616,7 +633,7 @@ func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2R
 	loginTwoResponseResult, err := api.CallLogin2V2(httpClient, api.GetLoginTwoV2Request{
 		Email:       email,
 		ClientProof: hex.EncodeToString(srpM1),
-		Password: password,
+		Password:    password,
 	})

 	if err != nil {
--- a/cli/packages/util/auth.go
+++ b/cli/packages/util/auth.go
@@ -9,6 +9,7 @@ var AuthStrategy = struct {
 	GCP_ID_TOKEN_AUTH AuthStrategyType
 	GCP_IAM_AUTH      AuthStrategyType
 	AWS_IAM_AUTH      AuthStrategyType
+	OIDC_AUTH         AuthStrategyType
 }{
 	UNIVERSAL_AUTH:    "universal-auth",
 	KUBERNETES_AUTH:   "kubernetes",
@@ -16,6 +17,7 @@ var AuthStrategy = struct {
 	GCP_ID_TOKEN_AUTH: "gcp-id-token",
 	GCP_IAM_AUTH:      "gcp-iam",
 	AWS_IAM_AUTH:      "aws-iam",
+	OIDC_AUTH:         "oidc-auth",
 }

 var AVAILABLE_AUTH_STRATEGIES = []AuthStrategyType{
@@ -25,6 +27,7 @@ var AVAILABLE_AUTH_STRATEGIES = []AuthStrategyType{
 	AuthStrategy.GCP_ID_TOKEN_AUTH,
 	AuthStrategy.GCP_IAM_AUTH,
 	AuthStrategy.AWS_IAM_AUTH,
+	AuthStrategy.OIDC_AUTH,
 }

 func IsAuthMethodValid(authMethod string, allowUserAuth bool) (isValid bool, strategy AuthStrategyType) {
--- a/cli/packages/util/constants.go
+++ b/cli/packages/util/constants.go
@@ -19,6 +19,9 @@ const (
 	// GCP Auth
 	INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH_NAME = "INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH"

+	// OIDC Auth
+	INFISICAL_OIDC_AUTH_JWT_NAME = "INFISICAL_OIDC_AUTH_JWT"
+
 	// Generic env variable used for auth methods that require a machine identity ID
 	INFISICAL_MACHINE_IDENTITY_ID_NAME = "INFISICAL_MACHINE_IDENTITY_ID"

--- a/company/handbook/meetings.mdx
+++ b/company/handbook/meetings.mdx
@@ -1,15 +0,0 @@
---
-title: "Meetings"
-sidebarTitle: "Meetings"
-description: "The guide to meetings at Infisical."
---
-
-## "Let's schedule a meeting about this"
-
-Being a remote-first company, we try to be as async as possible. When an issue arises, it's best to create a public Slack thread and tag all the necessary team members. Otherwise, if you were to "put a meeting on a calendar", the decision making process will inevitable slow down by at least a day (e.g., trying to find the right time for folks in different time zones is not always straightforward). 
-
-In other words, we have almost no (recurring) meetings and prefer written communication or quick Slack huddles.
-
-## Weekly All-hands
-
-All-hands is the single recurring meeting that we run every Monday at 8:30am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).
--- a/company/handbook/talking-to-customers.mdx
+++ b/company/handbook/talking-to-customers.mdx
@@ -1,20 +0,0 @@
---
-title: "Talking to Customers"
-sidebarTitle: "Talking to Customers"
-description: "The guide to talking to customers at Infisical."
---
-
-Everyone at Infisical talks to customers directly. We do this for a few reasons: 
-1. This helps us understand the needs of our customers and build the product they want.
-2. This speeds up our iteration cycles (time from customer feedback to product improvements). 
-3. Our customers (developers) are able to talk directly to the best experts in Infisical (us) – which improves their satisfaction and success.
-
-## Customer Communication Etiquette
-
-1. When talking to customers (no matter whether it's on Slack, email, or any other channel), it is very important to use proper grammar (e.g., no typos, no missed question marks) and minimal colloquial language (no "yeap", "yah", etc.). 
-2. At the time of a crisis (e.g., customer-reported bug), it is very important to communicate often. Even if there is no update yet, it is good to reach out to the customer and let them know that we are still working on resolving a certain issue.
-
-## Community Slack
-
-Unfortunately, we are not able to help everyone in the community Slack. It is OK to politely decline questions about infrastructure management that are not directly related to the product itself.
-
--- a/company/mint.json
+++ b/company/mint.json
@@ -59,9 +59,7 @@
        "handbook/onboarding", 
        "handbook/spending-money",
        "handbook/time-off",
-        "handbook/hiring",
-        "handbook/meetings",
-        "handbook/talking-to-customers"
+        "handbook/hiring"
      ]
    }
  ],
--- a/docs/api-reference/endpoints/folders/get-by-id.mdx
+++ b/docs/api-reference/endpoints/folders/get-by-id.mdx
@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/folders/{id}"
+---
--- a/docs/cli/commands/login.mdx
+++ b/docs/cli/commands/login.mdx
@@ -8,7 +8,8 @@ infisical login
 ```

 ### Description
-The CLI uses authentication to verify your identity. When you enter the correct email and password for your account, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI. 
+
+The CLI uses authentication to verify your identity. When you enter the correct email and password for your account, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI.

 To change where the login credentials are stored, visit the [vaults command](./vault).

@@ -17,12 +18,12 @@ If you have added multiple users, you can switch between the users by using the
    <Info>
      When you authenticate with **any other method than `user`**, an access token will be printed to the console upon successful login. This token can be used to authenticate with the Infisical API and the CLI by passing it in the `--token` flag when applicable.

-      Use flag `--plain` along with `--silent` to print only the token in plain text when using a machine identity auth method. 
-      
+      Use flag `--plain` along with `--silent` to print only the token in plain text when using a machine identity auth method.
+
    </Info>

-
 ### Flags
+
 The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.

 <AccordionGroup>
@@ -52,6 +53,7 @@ The login command supports a number of flags that you can use for different auth
    <Tip>
      The `client-id` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` environment variable.
    </Tip>
+
  </Accordion>
  <Accordion title="--client-secret">
    ```bash
@@ -63,6 +65,7 @@ The login command supports a number of flags that you can use for different auth
    <Tip>
      The `client-secret` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` environment variable.
    </Tip>
+
  </Accordion>
  <Accordion title="--machine-identity-id">
    ```bash
@@ -75,6 +78,7 @@ The login command supports a number of flags that you can use for different auth
    <Tip>
      The `machine-identity-id` flag can be substituted with the `INFISICAL_MACHINE_IDENTITY_ID` environment variable.
    </Tip>
+
  </Accordion>
  <Accordion title="--service-account-token-path">
    ```bash
@@ -88,6 +92,7 @@ The login command supports a number of flags that you can use for different auth
    <Tip>
    The `service-account-token-path` flag can be substituted with the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH` environment variable.
    </Tip>
+
  </Accordion>
  <Accordion title="--service-account-key-file-path">
    ```bash
@@ -100,9 +105,23 @@ The login command supports a number of flags that you can use for different auth
    <Tip>
      The `service-account-key-path` flag can be substituted with the `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` environment variable.
    </Tip>
+
  </Accordion>
 </AccordionGroup>

+  <Accordion title="--oidc-jwt">
+    ```bash
+    infisical login --oidc-jwt=<oidc-jwt-token>
+    ```
+
+    #### Description
+    The JWT provided by an identity provider for OIDC authentication.
+
+    <Tip>
+    The `oidc-jwt` flag can be substituted with the `INFISICAL_OIDC_AUTH_JWT` environment variable.
+    </Tip>
+
+  </Accordion>

 ### Authentication Methods

@@ -121,6 +140,7 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
        Your machine identity client secret.
        </ParamField>
    </Expandable>
+
  </ParamField>

  <Steps>
@@ -134,6 +154,7 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
      infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret>
    ```
    </Step>
+
  </Steps>
 </Accordion>
 <Accordion title="Native Kubernetes">
@@ -148,6 +169,7 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
          Path to the Kubernetes service account token to use. Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`.
        </ParamField>
    </Expandable>
+
  </ParamField>

  <Steps>
@@ -162,6 +184,7 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
      infisical login --method=kubernetes --machine-identity-id=<machine-identity-id> --service-account-token-path=<service-account-token-path>
    ```
    </Step>
+
  </Steps>

 </Accordion>
@@ -213,6 +236,7 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
      ```
      </Step>
    </Steps>
+
  </Accordion>
  <Accordion title="GCP IAM">
    The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
@@ -235,11 +259,12 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
      <Step title="Obtain an access token">
        Run the `login` command with the following flags to obtain an access token:

-      ```bash 
+      ```bash
        infisical login --method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path>
      ```
      </Step>
    </Steps>
+
  </Accordion>
  <Accordion title="Native AWS IAM">
    The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
@@ -264,10 +289,40 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
      ```
      </Step>
    </Steps>
+
+  </Accordion>
+    <Accordion title="OIDC Auth">
+    The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
+
+    <ParamField query="Flags">
+      <Expandable title="properties">
+          <ParamField query="machine-identity-id" type="string" required>
+            Your machine identity ID.
+          </ParamField>
+          <ParamField query="oidc-jwt" type="string" required>
+            The OIDC JWT from the identity provider.
+          </ParamField>
+      </Expandable>
+    </ParamField>
+
+    <Steps>
+      <Step title="Create an OIDC machine identity">
+        To create an OIDC machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/oidc-auth/general).
+      </Step>
+      <Step title="Obtain an access token">
+        Run the `login` command with the following flags to obtain an access token:
+
+      ```bash
+        infisical login --method=oidc-auth --machine-identity-id=<machine-identity-id> --oidc-jwt=<oidc-jwt>
+      ```
+      </Step>
+    </Steps>
+
  </Accordion>
 </AccordionGroup>

 ### Machine Identity Authentication Quick Start
+
 In this example we'll be using the `universal-auth` method to login to obtain an Infisical access token, which we will then use to fetch secrets with.

 <Steps>
@@ -277,8 +332,8 @@ In this example we'll be using the `universal-auth` method to login to obtain an
        ```

        Now that we've set the `INFISICAL_TOKEN` environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the `INFISICAL_TOKEN` environment variable and use it for authentication.
-        
-        
+
+
        Alternatively, if you would rather use the `--token` flag to pass the token directly, you can do so by running the following command:

        ```bash
@@ -297,6 +352,7 @@ In this example we'll be using the `universal-auth` method to login to obtain an
          The `--recursive`, and `--env` flag is optional and will fetch all secrets in subfolders. The default environment is `dev` if no `--env` flag is provided.
        </Info>
    </Step>
+
 </Steps>

 And that's it! Now you're ready to start using the Infisical CLI to interact with your secrets, with the use of Machine Identities.
--- a/docs/documentation/guides/migrating-from-envkey.mdx
+++ b/docs/documentation/guides/migrating-from-envkey.mdx
@@ -1,23 +0,0 @@
---
-title: "Migrating from EnvKey to Infisical"
-sidebarTitle: "Migration"
-description: "Learn how to migrate from EnvKey to Infisical in the easiest way possible."
---
-
-## What is Infisical? 
-
-[Infisical](https://infisical.com) is an open-source all-in-one secret management platform that helps developers manage secrets (e.g., API-keys, DB access tokens, [certificates](https://infisical.com/docs/documentation/platform/pki/overview)) across their infrastructure. In addition, Infisical provides [secret sharing](https://infisical.com/docs/documentation/platform/secret-sharing) functionality, ability to [prevent secret leaks](https://infisical.com/docs/cli/scanning-overview), and more.
-
-Infisical is used by 10,000+ organizations across all indsutries including First American Financial Corporation, Deivery Hero, and [Hugging Face](https://infisical.com/customers/hugging-face).
-
-## Migrating from EnvKey
-
-To facilitate customer transition from EnvKey to Infisical, we have been working closely with the EnvKey team to provide a simple migration path for all EnvKey customers.
-
-## Automated migration
-
-Our team is currently working on creating an automated migration process that would include secrets, policies, and other important resources. If you are interested in that, please [reach out to our team](mailto:support@infisical.com) with any questions. 
-
-## Talk to our team
-
-To make the migration process even more seamless, you can [schedule a meeting with our team](https://infisical.cal.com/vlad/migration-from-envkey-to-infisical) to learn more about how Infisical compares to EnvKey and discuss unique needs of your organization. You are also welcome to email us at [support@infisical.com](mailto:support@infisical.com) to ask any questions or get any technical help.
--- a/docs/integrations/platforms/kubernetes.mdx
+++ b/docs/integrations/platforms/kubernetes.mdx
@@ -122,6 +122,7 @@ spec:
        # Azure Auth
        azureAuth:
            identityId: <your-machine-identity-id>
+            resource: https://management.azure.com/&client_id=CLIENT_ID # (Optional) This is the Azure resource that you want to access. For example, "https://management.azure.com/". If no value is provided, it will default to "https://management.azure.com/"

            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
            secretsScope:
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -576,6 +576,7 @@
          "group": "Folders",
          "pages": [
            "api-reference/endpoints/folders/list",
+            "api-reference/endpoints/folders/get-by-id",
            "api-reference/endpoints/folders/create",
            "api-reference/endpoints/folders/update",
            "api-reference/endpoints/folders/delete"
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -136,7 +136,7 @@
        "eslint-plugin-react-hooks": "^4.6.0",
        "eslint-plugin-simple-import-sort": "^8.0.0",
        "eslint-plugin-storybook": "^0.6.12",
-        "postcss": "^8.4.14",
+        "postcss": "^8.4.39",
        "prettier": "^2.8.3",
        "prettier-plugin-tailwindcss": "^0.2.2",
        "storybook": "^7.6.20",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -144,7 +144,7 @@
    "eslint-plugin-react-hooks": "^4.6.0",
    "eslint-plugin-simple-import-sort": "^8.0.0",
    "eslint-plugin-storybook": "^0.6.12",
-    "postcss": "^8.4.14",
+    "postcss": "^8.4.39",
    "prettier": "^2.8.3",
    "prettier-plugin-tailwindcss": "^0.2.2",
    "storybook": "^7.6.20",
--- a/frontend/src/hooks/api/users/types.ts
+++ b/frontend/src/hooks/api/users/types.ts
@@ -60,6 +60,7 @@ export type OrgUser = {
  status: "invited" | "accepted" | "verified" | "completed";
  deniedPermissions: any[];
  roleId: string;
+  isActive: boolean;
 };

 export type TProjectMembership = {
--- a/frontend/src/views/Org/IdentityPage/components/IdentityProjectsSection/IdentityAddToProjectModal.tsx
+++ b/frontend/src/views/Org/IdentityPage/components/IdentityProjectsSection/IdentityAddToProjectModal.tsx
@@ -5,7 +5,7 @@ import { z } from "zod";

 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Modal, ModalContent, Select, SelectItem } from "@app/components/v2";
-import { useWorkspace } from "@app/context";
+import { useOrganization,useWorkspace } from "@app/context";
 import {
  useAddIdentityToWorkspace,
  useGetIdentityProjectMemberships,
@@ -33,6 +33,7 @@ type Props = {
 };

 export const IdentityAddToProjectModal = ({ identityId, popUp, handlePopUpToggle }: Props) => {
+  const { currentOrg } = useOrganization();
  const { workspaces } = useWorkspace();
  const { mutateAsync: addIdentityToWorkspace } = useAddIdentityToWorkspace();

@@ -58,7 +59,9 @@ export const IdentityAddToProjectModal = ({ identityId, popUp, handlePopUpToggle
      wsWorkspaceIds.set(projectMembership.project.id, true);
    });

-    return (workspaces || []).filter(({ id }) => !wsWorkspaceIds.has(id));
+    return (workspaces || []).filter(
+      ({ id, orgId }) => !wsWorkspaceIds.has(id) && orgId === currentOrg?.id
+    );
  }, [workspaces, projectMemberships]);

  const onFormSubmit = async ({ projectId: workspaceId, role }: FormData) => {
--- a/frontend/src/views/Org/MembersPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersTable.tsx
+++ b/frontend/src/views/Org/MembersPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersTable.tsx
@@ -171,14 +171,14 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
            {isLoading && <TableSkeleton columns={5} innerKey="org-members" />}
            {!isLoading &&
              filterdUser?.map(
-                ({ user: u, inviteEmail, role, roleId, id: orgMembershipId, status }) => {
+                ({ user: u, inviteEmail, role, roleId, id: orgMembershipId, status, isActive }) => {
                  const name = u && u.firstName ? `${u.firstName} ${u.lastName}` : "-";
                  const email = u?.email || inviteEmail;
                  const username = u?.username ?? inviteEmail ?? "-";
                  return (
                    <Tr key={`org-membership-${orgMembershipId}`} className="w-full">
-                      <Td>{name}</Td>
-                      <Td>{username}</Td>
+                      <Td className={isActive ? "" : "text-mineshaft-400"}>{name}</Td>
+                      <Td className={isActive ? "" : "text-mineshaft-400"}>{username}</Td>
                      <Td>
                        <OrgPermissionCan
                          I={OrgPermissionActions.Edit}
@@ -186,7 +186,18 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
                        >
                          {(isAllowed) => (
                            <>
-                              {status === "accepted" && (
+                              {!isActive && (
+                                <Button
+                                  isDisabled
+                                  className="w-40"
+                                  colorSchema="primary"
+                                  variant="outline_bg"
+                                  onClick={() => {}}
+                                >
+                                  Suspended
+                                </Button>
+                              )}
+                              {isActive && status === "accepted" && (
                                <Select
                                  value={role === "custom" ? findRoleFromId(roleId)?.slug : role}
                                  isDisabled={userId === u?.id || !isAllowed}
@@ -207,7 +218,8 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
                                    ))}
                                </Select>
                              )}
-                              {(status === "invited" || status === "verified") &&
+                              {isActive &&
+                                (status === "invited" || status === "verified") &&
                                email &&
                                serverDetails?.emailConfigured && (
                                  <Button
--- a/helm-charts/secrets-operator/Chart.yaml
+++ b/helm-charts/secrets-operator/Chart.yaml
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.6.4
+version: v0.6.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.6.4"
+appVersion: "v0.6.5"
--- a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
@@ -64,6 +64,8 @@ spec:
                    properties:
                      identityId:
                        type: string
+                      resource:
+                        type: string
                      secretsScope:
                        properties:
                          envSlug:
--- a/helm-charts/secrets-operator/values.yaml
+++ b/helm-charts/secrets-operator/values.yaml
@@ -32,7 +32,7 @@ controllerManager:
        - ALL
    image:
      repository: infisical/kubernetes-operator
-      tag: v0.6.4
+      tag: v0.6.5
    resources:
      limits:
        cpu: 500m
--- a/k8-operator/api/v1alpha1/infisicalsecret_types.go
+++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go
@@ -58,6 +58,8 @@ type AWSIamAuthDetails struct {
 type AzureAuthDetails struct {
 	// +kubebuilder:validation:Required
 	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Optional
+	Resource string `json:"resource"`

 	// +kubebuilder:validation:Required
 	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
--- a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
+++ b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
@@ -64,6 +64,8 @@ spec:
                    properties:
                      identityId:
                        type: string
+                      resource:
+                        type: string
                      secretsScope:
                        properties:
                          envSlug:
--- a/k8-operator/config/samples/sample.yaml
+++ b/k8-operator/config/samples/sample.yaml
@@ -60,6 +60,7 @@ spec:
        # Azure Auth
        azureAuth:
            identityId: <your-machine-identity-id>
+            resource: https://management.azure.com/&client_id=your_client_id # This field is optional, and will default to "https://management.azure.com/" if nothing is provided. 

            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
            secretsScope:
--- a/k8-operator/controllers/infisicalsecret_auth.go
+++ b/k8-operator/controllers/infisicalsecret_auth.go
@@ -109,7 +109,7 @@ func (r *InfisicalSecretReconciler) handleAzureAuth(ctx context.Context, infisic
 		return AuthenticationDetails{}, ErrAuthNotApplicable
 	}

-	_, err := infisicalClient.Auth().AzureAuthLogin(azureAuthSpec.IdentityID)
+	_, err := infisicalClient.Auth().AzureAuthLogin(azureAuthSpec.IdentityID, azureAuthSpec.Resource) // If resource is empty(""), it will default to "https://management.azure.com/" in the SDK.
 	if err != nil {
 		return AuthenticationDetails{}, fmt.Errorf("unable to login with Azure auth [err=%s]", err)
 	}
--- a/k8-operator/go.mod
+++ b/k8-operator/go.mod
@@ -3,7 +3,7 @@ module github.com/Infisical/infisical/k8-operator
 go 1.21

 require (
-	github.com/infisical/go-sdk v0.2.1
+	github.com/infisical/go-sdk v0.3.2
 	github.com/onsi/ginkgo/v2 v2.6.0
 	github.com/onsi/gomega v1.24.1
 	k8s.io/apimachinery v0.26.1
--- a/k8-operator/go.sum
+++ b/k8-operator/go.sum
@@ -13,10 +13,6 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV
 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
 cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.115.0 h1:CnFSK6Xo3lDYRoBKEcAtia6VSC837/ZkJuRduSFnr14=
-cloud.google.com/go v0.115.0/go.mod h1:8jIM5vVgoAEoiVxQ/O4BFTfHqulPZgs/ufEzMcFMdWU=
-cloud.google.com/go/auth v0.5.1 h1:0QNO7VThG54LUzKiQxv8C6x1YX7lUrzlAa1nVLF8CIw=
-cloud.google.com/go/auth v0.5.1/go.mod h1:vbZT8GjzDf3AVqCcQmqeeM32U9HBFc32vVVAbwDsa6s=
 cloud.google.com/go/auth v0.6.1 h1:T0Zw1XM5c1GlpN2HYr2s+m3vr1p2wy+8VN+Z1FKxW38=
 cloud.google.com/go/auth v0.6.1/go.mod h1:eFHG7zDzbXHKmjJddFG/rBlcGp6t25SwRUiEQSlO4x4=
 cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
@@ -27,14 +23,10 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/compute/metadata v0.4.0 h1:vHzJCWaM4g8XIcm8kopr3XmDA4Gy/lblD3EhhSux05c=
 cloud.google.com/go/compute/metadata v0.4.0/go.mod h1:SIQh1Kkb4ZJ8zJ874fqVkslA29PRXuleyj6vOzlbK7M=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
-cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
 cloud.google.com/go/iam v1.1.10 h1:ZSAr64oEhQSClwBL670MsJAW5/RLiC6kfw3Bqmd5ZDI=
 cloud.google.com/go/iam v1.1.10/go.mod h1:iEgMq62sg8zx446GCaijmA2Miwg5o3UbO+nI47WHJps=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -54,54 +46,30 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
-github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2 v1.30.1 h1:4y/5Dvfrhd1MxRDD77SrfsDaj8kUkkljU7XE83NPV+o=
 github.com/aws/aws-sdk-go-v2 v1.30.1/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
-github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
-github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
 github.com/aws/aws-sdk-go-v2/config v1.27.24 h1:NM9XicZ5o1CBU/MZaHwFtimRpWx9ohAUAqkG6AqSqPo=
 github.com/aws/aws-sdk-go-v2/config v1.27.24/go.mod h1:aXzi6QJTuQRVVusAO8/NxpdTeTyr/wRcybdDtfUwJSs=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.24 h1:YclAsrnb1/GTQNt2nzv+756Iw4mF8AOzcDfweWwwm/M=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.24/go.mod h1:Hld7tmnAkoBQdTMNYZGzztzKRdA4fCdn9L83LOoigac=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 h1:Aznqksmd6Rfv2HQN9cpqIV/lQRMaIpJkLLaJ1ZI76no=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9/go.mod h1:WQr3MY7AxGNxaqAtsDWn+fBxmd4XvLkzeqQ8P1VM0/w=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 h1:5SAoZ4jYpGH4721ZNoS1znQrhOfZinOhc4XuTXx/nVc=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13/go.mod h1:+rdA6ZLpaSeM7tSg/B0IEDinCIBJGmW8rKDFkYpP04g=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 h1:WIijqeaAO7TYFLbhsZmi2rgLEAtWOC1LhxCAVTJlSKw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13/go.mod h1:i+kbfa76PQbWw/ULoWnp51EYVWH4ENln76fLQE3lXT8=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 h1:I9zMeF107l0rJrpnHpjEiiTSCKYAIw8mALiXcPsGBiA=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15/go.mod h1:9xWJ3Q/S6Ojusz1UIkfycgD1mGirJfLLKqq3LPT7WN8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
 github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 h1:p1GahKIjyMDZtiKoIn0/jAj/TkMzfzndDv5+zi2Mhgc=
 github.com/aws/aws-sdk-go-v2/service/sso v1.22.1/go.mod h1:/vWdhoIoYA5hYoPZ6fm7Sv4d8701PiG5VKe8/pPJL60=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 h1:ORnrOK0C4WmYV/uYt3koHEWBLYsRDwk2Np+eEoyV4Z0=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2/go.mod h1:xyFHA4zGxgYkdD73VeezHt3vSKEG9EmFnGwoKlP00u4=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
 github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 h1:+woJ607dllHJQtsnJLi52ycuqHMwlW+Wqm2Ppsfp4nQ=
 github.com/aws/aws-sdk-go-v2/service/sts v1.30.1/go.mod h1:jiNR3JqT15Dm+QWq2SRgh0x0bCNSRP2L25+CqPNpJlQ=
-github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
-github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
 github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -113,8 +81,6 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -155,8 +121,6 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -246,8 +210,6 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
-github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
 github.com/googleapis/gax-go/v2 v2.12.5 h1:8gw9KZK8TiVKB6q3zHY3SBzLnrGp6HQjyfYBYGmXdxA=
 github.com/googleapis/gax-go/v2 v2.12.5/go.mod h1:BUDKcWo+RaKq5SC9vVYL0wLADa3VcfswbOMMRmB9H3E=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -255,12 +217,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/infisical/go-sdk v0.1.9 h1:o9LUj0Tyn6OHusTEKEKQ4+PulJViAxgOrFa+SlwGJFc=
-github.com/infisical/go-sdk v0.1.9/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
-github.com/infisical/go-sdk v0.2.0 h1:n1/KNdYpeQavSqVwC9BfeV8VRzf3N2X9zO1tzQOSj5Q=
-github.com/infisical/go-sdk v0.2.0/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
-github.com/infisical/go-sdk v0.2.1 h1:z8DQ3tLV/MdxTAnXXIkll45nQcK+RK8+eoImW6J7m/g=
-github.com/infisical/go-sdk v0.2.1/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
+github.com/infisical/go-sdk v0.3.2 h1:BfeQzG7s3qmEGhgXu0d1YNsyaiHucHgI+BaLpx+W8cc=
+github.com/infisical/go-sdk v0.3.2/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -375,24 +333,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
-go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
 go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
 go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
-go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
 go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
 go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
-go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
 go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
@@ -413,7 +361,6 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
@@ -487,7 +434,6 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
@@ -559,7 +505,6 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
@@ -568,7 +513,6 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
@@ -582,7 +526,6 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
@@ -658,8 +601,6 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M
 google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.183.0 h1:PNMeRDwo1pJdgNcFQ9GstuLe/noWKIc89pRWRLMvLwE=
-google.golang.org/api v0.183.0/go.mod h1:q43adC5/pHoSZTx5h2mSmdF7NcyfW9JuDyIOJAgS9ZQ=
 google.golang.org/api v0.187.0 h1:Mxs7VATVC2v7CY+7Xwm4ndkX71hpElcvx0D1Ji/p1eo=
 google.golang.org/api v0.187.0/go.mod h1:KIHlTc4x7N7gKKuVsdmfBXN13yEEWXWFURWY6SBp2gk=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
@@ -698,12 +639,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e h1:SkdGTrROJl2jRGT/Fxv5QUf9jtdKCQh4KQJXbXVLAi0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e/go.mod h1:LweJcLbyVij6rCex8YunD8DYR5VDonap/jYl3ZRxcIU=
 google.golang.org/genproto/googleapis/api v0.0.0-20240708141625-4ad9e859172b h1:y/kpOWeX2pWERnbsvh/hF+Zmo69wVmjyZhstreXQQeA=
 google.golang.org/genproto/googleapis/api v0.0.0-20240708141625-4ad9e859172b/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b h1:04+jVzTs2XBnOZcPsLnmrTGqltqJbZQ1Ey26hjYdQQ0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -719,8 +656,6 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
-google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
 google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
 google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -735,8 +670,6 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
Author	SHA1	Message	Date
Sheen Capadngan	166de417f1	feat: added project data key	2024-07-17 23:19:32 +08:00
Maidul Islam	9efeb8926f	Merge pull request #2137 from Infisical/maidul-dewfewfqwef Address vanta postcss update	2024-07-16 21:46:14 -04:00
Maidul Islam	389bbfcade	fix vanta postcss	2024-07-16 21:44:33 -04:00
Sheen Capadngan	0b8427a004	Merge pull request #2112 from Infisical/feat/added-support-for-oidc-auth-in-cli feat: added support for oidc auth in cli	2024-07-17 00:51:51 +08:00
Maidul Islam	8a470772e3	Merge pull request #2136 from Infisical/polish-scim-groups Add SCIM user activation/deactivation	2024-07-16 12:09:50 -04:00
Tuan Dang	853f3c40bc	Adjustments to migration file	2024-07-16 22:20:56 +07:00
Maidul Islam	fed44f328d	Merge pull request #2133 from akhilmhdh/feat/aws-kms-sm fix: slug too big for project fixed	2024-07-16 09:50:08 -04:00
Tuan Dang	a1d00f2c41	Add SCIM user activation/deactivation	2024-07-16 20:19:27 +07:00
BlackMagiq	95a68f2c2d	Merge pull request #2134 from Infisical/improve-auth-method-errors Improve Native Auth Method Forbidden Errors	2024-07-16 15:00:12 +07:00
BlackMagiq	db7c0c45f6	Merge pull request #2135 from Infisical/fix-identity-projects Fix Identity-Project Provisioning Modal — Filter Current Org Projects	2024-07-16 14:59:41 +07:00
Tuan Dang	82bca03162	Filter out only projects that are part of current org in identity project modal	2024-07-16 14:31:40 +07:00
Tuan Dang	043c04778f	Improve native auth method unauthorized errors	2024-07-16 13:47:46 +07:00
=	560cd81a1c	fix: slug too big for project fixed	2024-07-16 11:26:45 +05:30
Daniel Hougaard	df3a87fabf	Merge pull request #2132 from Infisical/daniel/operator-azure-fix feat(k8-operator): customizable azure auth resource url	2024-07-16 06:29:13 +02:00
Daniel Hougaard	6eae98c1d4	Update login.mdx	2024-07-16 05:45:48 +02:00
Daniel Hougaard	6ceeccf583	Update kubernetes.mdx	2024-07-16 05:25:30 +02:00
Daniel Hougaard	9b0b14b847	Merge pull request #2131 from Infisical/daniel/azure-fix fix(auth): Azure audience formatting bug	2024-07-16 04:50:49 +02:00
Daniel Hougaard	78f4c0f002	Update Chart.yaml	2024-07-16 04:46:32 +02:00
Daniel Hougaard	6cff2f0437	Update values.yaml	2024-07-16 04:46:24 +02:00
Daniel Hougaard	6cefb180d6	Update SDK and go mod tidy	2024-07-16 04:44:32 +02:00
Daniel Hougaard	59a44155c5	Azure resource	2024-07-16 04:43:53 +02:00
Daniel Hougaard	d0ad9c6b17	Update sample.yaml	2024-07-16 04:43:46 +02:00
Daniel Hougaard	58a406b114	Update secrets.infisical.com_infisicalsecrets.yaml	2024-07-16 04:43:42 +02:00
Daniel Hougaard	8a85695dc5	Custom azure resource	2024-07-16 04:43:38 +02:00
Daniel Hougaard	7ed8feee6f	Update identity-azure-auth-fns.ts	2024-07-16 04:15:04 +02:00
Maidul Islam	de67c0ad9f	Merge pull request #2110 from akhilmhdh/feat/folder-improvement-tf New folder endpoints for terraform	2024-07-15 21:40:24 -04:00
Maidul Islam	b8d11d31a6	Merge pull request #2130 from Infisical/handbook-update updated hiring handbook	2024-07-15 21:38:33 -04:00
Sheen Capadngan	c2ddb7e2fe	misc: updated go-sdk version	2024-07-15 12:26:31 +08:00
Sheen Capadngan	356afd18c4	feat: added support for oidc auth in cli	2024-07-12 18:28:09 +08:00
=	539785acae	docs: updated api reference docs for the new folder endpoint	2024-07-12 14:29:19 +05:30
=	3c63346d3a	feat: new get-by-id for folder for tf	2024-07-12 14:24:13 +05:30