disable secret scanning

feat: added secret-scanning disable option

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -135,6 +135,6 @@ jobs:
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true

.github/workflows/update-be-new-migration-latest-timestamp.yml

@@ -38,6 +38,16 @@ jobs:
           rm added_files.txt
           git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
 
+      - name: Get PR details
+        id: pr_details
+        run: |
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
+          
+          echo "PR Number: $PR_NUMBER"
+          echo "PR Merger: $PR_MERGER"
+          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
+
       - name: Create Pull Request
         if: env.SKIP_RENAME != 'true'
         uses: peter-evans/create-pull-request@v6
@@ -46,3 +56,4 @@ jobs:
           commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
           title: 'GH Action: rename new migration file timestamp'
           branch-suffix: timestamp
+          reviewers: ${{ steps.pr_details.outputs.pr_merger }}

.infisicalignore

@@ -2,4 +2,6 @@
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
+docs/self-hosting/configuration/envars.mdx:generic-api-key:106
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451

backend/package-lock.json

@@ -49,7 +49,7 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
@@ -1207,6 +1207,58 @@
         "node": ">=14.0.0"
       }
     },
+    "node_modules/@aws-sdk/client-secrets-manager/node_modules/@aws-sdk/client-sts": {
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.504.0.tgz",
+      "integrity": "sha512-IESs8FkL7B/uY+ml4wgoRkrr6xYo4PizcNw6JX17eveq1gRBCPKeGMjE6HTDOcIYZZ8rqz/UeuH3JD4UhrMOnA==",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "3.0.0",
+        "@aws-crypto/sha256-js": "3.0.0",
+        "@aws-sdk/core": "3.496.0",
+        "@aws-sdk/middleware-host-header": "3.502.0",
+        "@aws-sdk/middleware-logger": "3.502.0",
+        "@aws-sdk/middleware-recursion-detection": "3.502.0",
+        "@aws-sdk/middleware-user-agent": "3.502.0",
+        "@aws-sdk/region-config-resolver": "3.502.0",
+        "@aws-sdk/types": "3.502.0",
+        "@aws-sdk/util-endpoints": "3.502.0",
+        "@aws-sdk/util-user-agent-browser": "3.502.0",
+        "@aws-sdk/util-user-agent-node": "3.502.0",
+        "@smithy/config-resolver": "^2.1.1",
+        "@smithy/core": "^1.3.1",
+        "@smithy/fetch-http-handler": "^2.4.1",
+        "@smithy/hash-node": "^2.1.1",
+        "@smithy/invalid-dependency": "^2.1.1",
+        "@smithy/middleware-content-length": "^2.1.1",
+        "@smithy/middleware-endpoint": "^2.4.1",
+        "@smithy/middleware-retry": "^2.1.1",
+        "@smithy/middleware-serde": "^2.1.1",
+        "@smithy/middleware-stack": "^2.1.1",
+        "@smithy/node-config-provider": "^2.2.1",
+        "@smithy/node-http-handler": "^2.3.1",
+        "@smithy/protocol-http": "^3.1.1",
+        "@smithy/smithy-client": "^2.3.1",
+        "@smithy/types": "^2.9.1",
+        "@smithy/url-parser": "^2.1.1",
+        "@smithy/util-base64": "^2.1.1",
+        "@smithy/util-body-length-browser": "^2.1.1",
+        "@smithy/util-body-length-node": "^2.2.1",
+        "@smithy/util-defaults-mode-browser": "^2.1.1",
+        "@smithy/util-defaults-mode-node": "^2.1.1",
+        "@smithy/util-endpoints": "^1.1.1",
+        "@smithy/util-middleware": "^2.1.1",
+        "@smithy/util-retry": "^2.1.1",
+        "@smithy/util-utf8": "^2.1.1",
+        "fast-xml-parser": "4.2.5",
+        "tslib": "^2.5.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "@aws-sdk/credential-provider-node": "^3.504.0"
+      }
+    },
     "node_modules/@aws-sdk/client-secrets-manager/node_modules/uuid": {
       "version": "8.3.2",
       "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
@@ -1314,7 +1366,7 @@
         "@aws-sdk/credential-provider-node": "^3.504.0"
       }
     },
-    "node_modules/@aws-sdk/client-sts": {
+    "node_modules/@aws-sdk/client-sso-oidc/node_modules/@aws-sdk/client-sts": {
       "version": "3.504.0",
       "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.504.0.tgz",
       "integrity": "sha512-IESs8FkL7B/uY+ml4wgoRkrr6xYo4PizcNw6JX17eveq1gRBCPKeGMjE6HTDOcIYZZ8rqz/UeuH3JD4UhrMOnA==",
@@ -1436,6 +1488,58 @@
         "node": ">=14.0.0"
       }
     },
+    "node_modules/@aws-sdk/credential-provider-ini/node_modules/@aws-sdk/client-sts": {
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.504.0.tgz",
+      "integrity": "sha512-IESs8FkL7B/uY+ml4wgoRkrr6xYo4PizcNw6JX17eveq1gRBCPKeGMjE6HTDOcIYZZ8rqz/UeuH3JD4UhrMOnA==",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "3.0.0",
+        "@aws-crypto/sha256-js": "3.0.0",
+        "@aws-sdk/core": "3.496.0",
+        "@aws-sdk/middleware-host-header": "3.502.0",
+        "@aws-sdk/middleware-logger": "3.502.0",
+        "@aws-sdk/middleware-recursion-detection": "3.502.0",
+        "@aws-sdk/middleware-user-agent": "3.502.0",
+        "@aws-sdk/region-config-resolver": "3.502.0",
+        "@aws-sdk/types": "3.502.0",
+        "@aws-sdk/util-endpoints": "3.502.0",
+        "@aws-sdk/util-user-agent-browser": "3.502.0",
+        "@aws-sdk/util-user-agent-node": "3.502.0",
+        "@smithy/config-resolver": "^2.1.1",
+        "@smithy/core": "^1.3.1",
+        "@smithy/fetch-http-handler": "^2.4.1",
+        "@smithy/hash-node": "^2.1.1",
+        "@smithy/invalid-dependency": "^2.1.1",
+        "@smithy/middleware-content-length": "^2.1.1",
+        "@smithy/middleware-endpoint": "^2.4.1",
+        "@smithy/middleware-retry": "^2.1.1",
+        "@smithy/middleware-serde": "^2.1.1",
+        "@smithy/middleware-stack": "^2.1.1",
+        "@smithy/node-config-provider": "^2.2.1",
+        "@smithy/node-http-handler": "^2.3.1",
+        "@smithy/protocol-http": "^3.1.1",
+        "@smithy/smithy-client": "^2.3.1",
+        "@smithy/types": "^2.9.1",
+        "@smithy/url-parser": "^2.1.1",
+        "@smithy/util-base64": "^2.1.1",
+        "@smithy/util-body-length-browser": "^2.1.1",
+        "@smithy/util-body-length-node": "^2.2.1",
+        "@smithy/util-defaults-mode-browser": "^2.1.1",
+        "@smithy/util-defaults-mode-node": "^2.1.1",
+        "@smithy/util-endpoints": "^1.1.1",
+        "@smithy/util-middleware": "^2.1.1",
+        "@smithy/util-retry": "^2.1.1",
+        "@smithy/util-utf8": "^2.1.1",
+        "fast-xml-parser": "4.2.5",
+        "tslib": "^2.5.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "@aws-sdk/credential-provider-node": "^3.504.0"
+      }
+    },
     "node_modules/@aws-sdk/credential-provider-node": {
       "version": "3.504.0",
       "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.504.0.tgz",
@@ -1505,6 +1609,58 @@
         "node": ">=14.0.0"
       }
     },
+    "node_modules/@aws-sdk/credential-provider-web-identity/node_modules/@aws-sdk/client-sts": {
+      "version": "3.504.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.504.0.tgz",
+      "integrity": "sha512-IESs8FkL7B/uY+ml4wgoRkrr6xYo4PizcNw6JX17eveq1gRBCPKeGMjE6HTDOcIYZZ8rqz/UeuH3JD4UhrMOnA==",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "3.0.0",
+        "@aws-crypto/sha256-js": "3.0.0",
+        "@aws-sdk/core": "3.496.0",
+        "@aws-sdk/middleware-host-header": "3.502.0",
+        "@aws-sdk/middleware-logger": "3.502.0",
+        "@aws-sdk/middleware-recursion-detection": "3.502.0",
+        "@aws-sdk/middleware-user-agent": "3.502.0",
+        "@aws-sdk/region-config-resolver": "3.502.0",
+        "@aws-sdk/types": "3.502.0",
+        "@aws-sdk/util-endpoints": "3.502.0",
+        "@aws-sdk/util-user-agent-browser": "3.502.0",
+        "@aws-sdk/util-user-agent-node": "3.502.0",
+        "@smithy/config-resolver": "^2.1.1",
+        "@smithy/core": "^1.3.1",
+        "@smithy/fetch-http-handler": "^2.4.1",
+        "@smithy/hash-node": "^2.1.1",
+        "@smithy/invalid-dependency": "^2.1.1",
+        "@smithy/middleware-content-length": "^2.1.1",
+        "@smithy/middleware-endpoint": "^2.4.1",
+        "@smithy/middleware-retry": "^2.1.1",
+        "@smithy/middleware-serde": "^2.1.1",
+        "@smithy/middleware-stack": "^2.1.1",
+        "@smithy/node-config-provider": "^2.2.1",
+        "@smithy/node-http-handler": "^2.3.1",
+        "@smithy/protocol-http": "^3.1.1",
+        "@smithy/smithy-client": "^2.3.1",
+        "@smithy/types": "^2.9.1",
+        "@smithy/url-parser": "^2.1.1",
+        "@smithy/util-base64": "^2.1.1",
+        "@smithy/util-body-length-browser": "^2.1.1",
+        "@smithy/util-body-length-node": "^2.2.1",
+        "@smithy/util-defaults-mode-browser": "^2.1.1",
+        "@smithy/util-defaults-mode-node": "^2.1.1",
+        "@smithy/util-endpoints": "^1.1.1",
+        "@smithy/util-middleware": "^2.1.1",
+        "@smithy/util-retry": "^2.1.1",
+        "@smithy/util-utf8": "^2.1.1",
+        "fast-xml-parser": "4.2.5",
+        "tslib": "^2.5.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "@aws-sdk/credential-provider-node": "^3.504.0"
+      }
+    },
     "node_modules/@aws-sdk/middleware-host-header": {
       "version": "3.502.0",
       "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.502.0.tgz",
@@ -3657,60 +3813,60 @@
       }
     },
     "node_modules/@smithy/abort-controller": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-2.1.3.tgz",
-      "integrity": "sha512-c2aYH2Wu1RVE3rLlVgg2kQOBJGM0WbjReQi5DnPTm2Zb7F0gk7J2aeQeaX2u/lQZoHl6gv8Oac7mt9alU3+f4A==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-2.2.0.tgz",
+      "integrity": "sha512-wRlta7GuLWpTqtFfGo+nZyOO1vEvewdNR1R4rTxpC8XU6vG/NDyrFBhwLZsqg1NUoR1noVaXJPC/7ZK47QCySw==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/config-resolver": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-2.1.4.tgz",
-      "integrity": "sha512-AW2WUZmBAzgO3V3ovKtsUbI3aBNMeQKFDumoqkNxaVDWF/xfnxAWqBKDr/NuG7c06N2Rm4xeZLPiJH/d+na0HA==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-2.2.0.tgz",
+      "integrity": "sha512-fsiMgd8toyUba6n1WRmr+qACzXltpdDkPTAaDqc8QqPBUzO+/JKwL6bUBseHVi8tu9l+3JOK+tSf7cay+4B3LA==",
       "dependencies": {
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-config-provider": "^2.2.1",
-        "@smithy/util-middleware": "^2.1.3",
-        "tslib": "^2.5.0"
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-config-provider": "^2.3.0",
+        "@smithy/util-middleware": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/core": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-1.3.5.tgz",
-      "integrity": "sha512-Rrc+e2Jj6Gu7Xbn0jvrzZlSiP2CZocIOfZ9aNUA82+1sa6GBnxqL9+iZ9EKHeD9aqD1nU8EK4+oN2EiFpSv7Yw==",
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-1.4.2.tgz",
+      "integrity": "sha512-2fek3I0KZHWJlRLvRTqxTEri+qV0GRHrJIoLFuBMZB4EMg4WgeBGfF0X6abnrNYpq55KJ6R4D6x4f0vLnhzinA==",
       "dependencies": {
-        "@smithy/middleware-endpoint": "^2.4.4",
-        "@smithy/middleware-retry": "^2.1.4",
-        "@smithy/middleware-serde": "^2.1.3",
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/smithy-client": "^2.4.2",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-middleware": "^2.1.3",
-        "tslib": "^2.5.0"
+        "@smithy/middleware-endpoint": "^2.5.1",
+        "@smithy/middleware-retry": "^2.3.1",
+        "@smithy/middleware-serde": "^2.3.0",
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/smithy-client": "^2.5.1",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-middleware": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/credential-provider-imds": {
-      "version": "2.2.4",
-      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-2.2.4.tgz",
-      "integrity": "sha512-DdatjmBZQnhGe1FhI8gO98f7NmvQFSDiZTwC3WMvLTCKQUY+Y1SVkhJqIuLu50Eb7pTheoXQmK+hKYUgpUWsNA==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-2.3.0.tgz",
+      "integrity": "sha512-BWB9mIukO1wjEOo1Ojgl6LrG4avcaC7T/ZP6ptmAaW4xluhSIPZhY+/PI5YKzlk+jsm+4sQZB45Bt1OfMeQa3w==",
       "dependencies": {
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/property-provider": "^2.1.3",
-        "@smithy/types": "^2.10.1",
-        "@smithy/url-parser": "^2.1.3",
-        "tslib": "^2.5.0"
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/property-provider": "^2.2.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/url-parser": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
@@ -3779,459 +3935,451 @@
       }
     },
     "node_modules/@smithy/fetch-http-handler": {
-      "version": "2.4.3",
-      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-2.4.3.tgz",
-      "integrity": "sha512-Fn/KYJFo6L5I4YPG8WQb2hOmExgRmNpVH5IK2zU3JKrY5FKW7y9ar5e0BexiIC9DhSKqKX+HeWq/Y18fq7Dkpw==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-2.5.0.tgz",
+      "integrity": "sha512-BOWEBeppWhLn/no/JxUL/ghTfANTjT7kg3Ww2rPqTUY9R4yHPXxJ9JhMe3Z03LN3aPwiwlpDIUcVw1xDyHqEhw==",
       "dependencies": {
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/querystring-builder": "^2.1.3",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-base64": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/querystring-builder": "^2.2.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-base64": "^2.3.0",
+        "tslib": "^2.6.2"
       }
     },
     "node_modules/@smithy/hash-node": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-2.1.3.tgz",
-      "integrity": "sha512-FsAPCUj7VNJIdHbSxMd5uiZiF20G2zdSDgrgrDrHqIs/VMxK85Vqk5kMVNNDMCZmMezp6UKnac0B4nAyx7HJ9g==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-2.2.0.tgz",
+      "integrity": "sha512-zLWaC/5aWpMrHKpoDF6nqpNtBhlAYKF/7+9yMN7GpdR8CzohnWfGtMznPybnwSS8saaXBMxIGwJqR4HmRp6b3g==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-buffer-from": "^2.1.1",
-        "@smithy/util-utf8": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-buffer-from": "^2.2.0",
+        "@smithy/util-utf8": "^2.3.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/invalid-dependency": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-2.1.3.tgz",
-      "integrity": "sha512-wkra7d/G4CbngV4xsjYyAYOvdAhahQje/WymuQdVEnXFExJopEu7fbL5AEAlBPgWHXwu94VnCSG00gVzRfExyg==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-2.2.0.tgz",
+      "integrity": "sha512-nEDASdbKFKPXN2O6lOlTgrEEOO9NHIeO+HVvZnkqc8h5U9g3BIhWsvzFo+UcUbliMHvKNPD/zVxDrkP1Sbgp8Q==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       }
     },
     "node_modules/@smithy/is-array-buffer": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.1.1.tgz",
-      "integrity": "sha512-xozSQrcUinPpNPNPds4S7z/FakDTh1MZWtRP/2vQtYB/u3HYrX2UXuZs+VhaKBd6Vc7g2XPr2ZtwGBNDN6fNKQ==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.2.0.tgz",
+      "integrity": "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/middleware-content-length": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-2.1.3.tgz",
-      "integrity": "sha512-aJduhkC+dcXxdnv5ZpM3uMmtGmVFKx412R1gbeykS5HXDmRU6oSsyy2SoHENCkfOGKAQOjVE2WVqDJibC0d21g==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-2.2.0.tgz",
+      "integrity": "sha512-5bl2LG1Ah/7E5cMSC+q+h3IpVHMeOkG0yLRyQT1p2aMJkSrZG7RlXHPuAgb7EyaFeidKEnnd/fNaLLaKlHGzDQ==",
       "dependencies": {
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/middleware-endpoint": {
-      "version": "2.4.4",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-2.4.4.tgz",
-      "integrity": "sha512-4yjHyHK2Jul4JUDBo2sTsWY9UshYUnXeb/TAK/MTaPEb8XQvDmpwSFnfIRDU45RY1a6iC9LCnmJNg/yHyfxqkw==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-2.5.1.tgz",
+      "integrity": "sha512-1/8kFp6Fl4OsSIVTWHnNjLnTL8IqpIb/D3sTSczrKFnrE9VMNWxnrRKNvpUHOJ6zpGD5f62TPm7+17ilTJpiCQ==",
       "dependencies": {
-        "@smithy/middleware-serde": "^2.1.3",
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/shared-ini-file-loader": "^2.3.4",
-        "@smithy/types": "^2.10.1",
-        "@smithy/url-parser": "^2.1.3",
-        "@smithy/util-middleware": "^2.1.3",
-        "tslib": "^2.5.0"
+        "@smithy/middleware-serde": "^2.3.0",
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/shared-ini-file-loader": "^2.4.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/url-parser": "^2.2.0",
+        "@smithy/util-middleware": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/middleware-retry": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-2.1.4.tgz",
-      "integrity": "sha512-Cyolv9YckZTPli1EkkaS39UklonxMd08VskiuMhURDjC0HHa/AD6aK/YoD21CHv9s0QLg0WMLvk9YeLTKkXaFQ==",
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-2.3.1.tgz",
+      "integrity": "sha512-P2bGufFpFdYcWvqpyqqmalRtwFUNUA8vHjJR5iGqbfR6mp65qKOLcUd6lTr4S9Gn/enynSrSf3p3FVgVAf6bXA==",
       "dependencies": {
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/service-error-classification": "^2.1.3",
-        "@smithy/smithy-client": "^2.4.2",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-middleware": "^2.1.3",
-        "@smithy/util-retry": "^2.1.3",
-        "tslib": "^2.5.0",
-        "uuid": "^8.3.2"
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/service-error-classification": "^2.1.5",
+        "@smithy/smithy-client": "^2.5.1",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-middleware": "^2.2.0",
+        "@smithy/util-retry": "^2.2.0",
+        "tslib": "^2.6.2",
+        "uuid": "^9.0.1"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
-    "node_modules/@smithy/middleware-retry/node_modules/uuid": {
-      "version": "8.3.2",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
     "node_modules/@smithy/middleware-serde": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-2.1.3.tgz",
-      "integrity": "sha512-s76LId+TwASrHhUa9QS4k/zeXDUAuNuddKklQzRgumbzge5BftVXHXIqL4wQxKGLocPwfgAOXWx+HdWhQk9hTg==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-2.3.0.tgz",
+      "integrity": "sha512-sIADe7ojwqTyvEQBe1nc/GXB9wdHhi9UwyX0lTyttmUWDJLP655ZYE1WngnNyXREme8I27KCaUhyhZWRXL0q7Q==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/middleware-stack": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-2.1.3.tgz",
-      "integrity": "sha512-opMFufVQgvBSld/b7mD7OOEBxF6STyraVr1xel1j0abVILM8ALJvRoFbqSWHGmaDlRGIiV9Q5cGbWi0sdiEaLQ==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-2.2.0.tgz",
+      "integrity": "sha512-Qntc3jrtwwrsAC+X8wms8zhrTr0sFXnyEGhZd9sLtsJ/6gGQKFzNB+wWbOcpJd7BR8ThNCoKt76BuQahfMvpeA==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/node-config-provider": {
-      "version": "2.2.4",
-      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-2.2.4.tgz",
-      "integrity": "sha512-nqazHCp8r4KHSFhRQ+T0VEkeqvA0U+RhehBSr1gunUuNW3X7j0uDrWBxB2gE9eutzy6kE3Y7L+Dov/UXT871vg==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-2.3.0.tgz",
+      "integrity": "sha512-0elK5/03a1JPWMDPaS726Iw6LpQg80gFut1tNpPfxFuChEEklo2yL823V94SpTZTxmKlXFtFgsP55uh3dErnIg==",
       "dependencies": {
-        "@smithy/property-provider": "^2.1.3",
-        "@smithy/shared-ini-file-loader": "^2.3.4",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/property-provider": "^2.2.0",
+        "@smithy/shared-ini-file-loader": "^2.4.0",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/node-http-handler": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-2.4.1.tgz",
-      "integrity": "sha512-HCkb94soYhJMxPCa61wGKgmeKpJ3Gftx1XD6bcWEB2wMV1L9/SkQu/6/ysKBnbOzWRE01FGzwrTxucHypZ8rdg==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-2.5.0.tgz",
+      "integrity": "sha512-mVGyPBzkkGQsPoxQUbxlEfRjrj6FPyA3u3u2VXGr9hT8wilsoQdZdvKpMBFMB8Crfhv5dNkKHIW0Yyuc7eABqA==",
       "dependencies": {
-        "@smithy/abort-controller": "^2.1.3",
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/querystring-builder": "^2.1.3",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/abort-controller": "^2.2.0",
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/querystring-builder": "^2.2.0",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/property-provider": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-2.1.3.tgz",
-      "integrity": "sha512-bMz3se+ySKWNrgm7eIiQMa2HO/0fl2D0HvLAdg9pTMcpgp4SqOAh6bz7Ik6y7uQqSrk4rLjIKgbQ6yzYgGehCQ==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-2.2.0.tgz",
+      "integrity": "sha512-+xiil2lFhtTRzXkx8F053AV46QnIw6e7MV8od5Mi68E1ICOjCeCHw2XfLnDEUHnT9WGUIkwcqavXjfwuJbGlpg==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/protocol-http": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-3.2.1.tgz",
-      "integrity": "sha512-KLrQkEw4yJCeAmAH7hctE8g9KwA7+H2nSJwxgwIxchbp/L0B5exTdOQi9D5HinPLlothoervGmhpYKelZ6AxIA==",
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-3.3.0.tgz",
+      "integrity": "sha512-Xy5XK1AFWW2nlY/biWZXu6/krgbaf2dg0q492D8M5qthsnU2H+UgFeZLbM76FnH7s6RO/xhQRkj+T6KBO3JzgQ==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/querystring-builder": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-2.1.3.tgz",
-      "integrity": "sha512-kFD3PnNqKELe6m9GRHQw/ftFFSZpnSeQD4qvgDB6BQN6hREHELSosVFUMPN4M3MDKN2jAwk35vXHLoDrNfKu0A==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-2.2.0.tgz",
+      "integrity": "sha512-L1kSeviUWL+emq3CUVSgdogoM/D9QMFaqxL/dd0X7PCNWmPXqt+ExtrBjqT0V7HLN03Vs9SuiLrG3zy3JGnE5A==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-uri-escape": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-uri-escape": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/querystring-parser": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-2.1.3.tgz",
-      "integrity": "sha512-3+CWJoAqcBMR+yvz6D+Fc5VdoGFtfenW6wqSWATWajrRMGVwJGPT3Vy2eb2bnMktJc4HU4bpjeovFa566P3knQ==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-2.2.0.tgz",
+      "integrity": "sha512-BvHCDrKfbG5Yhbpj4vsbuPV2GgcpHiAkLeIlcA1LtfpMz3jrqizP1+OguSNSj1MwBHEiN+jwNisXLGdajGDQJA==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/service-error-classification": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-2.1.3.tgz",
-      "integrity": "sha512-iUrpSsem97bbXHHT/v3s7vaq8IIeMo6P6cXdeYHrx0wOJpMeBGQF7CB0mbJSiTm3//iq3L55JiEm8rA7CTVI8A==",
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-2.1.5.tgz",
+      "integrity": "sha512-uBDTIBBEdAQryvHdc5W8sS5YX7RQzF683XrHePVdFmAgKiMofU15FLSM0/HU03hKTnazdNRFa0YHS7+ArwoUSQ==",
       "dependencies": {
-        "@smithy/types": "^2.10.1"
+        "@smithy/types": "^2.12.0"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/shared-ini-file-loader": {
-      "version": "2.3.4",
-      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-2.3.4.tgz",
-      "integrity": "sha512-CiZmPg9GeDKbKmJGEFvJBsJcFnh0AQRzOtQAzj1XEa8N/0/uSN/v1LYzgO7ry8hhO8+9KB7+DhSW0weqBra4Aw==",
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-2.4.0.tgz",
+      "integrity": "sha512-WyujUJL8e1B6Z4PBfAqC/aGY1+C7T0w20Gih3yrvJSk97gpiVfB+y7c46T4Nunk+ZngLq0rOIdeVeIklk0R3OA==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/signature-v4": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-2.1.3.tgz",
-      "integrity": "sha512-Jq4iPPdCmJojZTsPePn4r1ULShh6ONkokLuxp1Lnk4Sq7r7rJp4HlA1LbPBq4bD64TIzQezIpr1X+eh5NYkNxw==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-2.3.0.tgz",
+      "integrity": "sha512-ui/NlpILU+6HAQBfJX8BBsDXuKSNrjTSuOYArRblcrErwKFutjrCNb/OExfVRyj9+26F9J+ZmfWT+fKWuDrH3Q==",
       "dependencies": {
-        "@smithy/eventstream-codec": "^2.1.3",
-        "@smithy/is-array-buffer": "^2.1.1",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-hex-encoding": "^2.1.1",
-        "@smithy/util-middleware": "^2.1.3",
-        "@smithy/util-uri-escape": "^2.1.1",
-        "@smithy/util-utf8": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/is-array-buffer": "^2.2.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-hex-encoding": "^2.2.0",
+        "@smithy/util-middleware": "^2.2.0",
+        "@smithy/util-uri-escape": "^2.2.0",
+        "@smithy/util-utf8": "^2.3.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/smithy-client": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-2.4.2.tgz",
-      "integrity": "sha512-ntAFYN51zu3N3mCd95YFcFi/8rmvm//uX+HnK24CRbI6k5Rjackn0JhgKz5zOx/tbNvOpgQIwhSX+1EvEsBLbA==",
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-2.5.1.tgz",
+      "integrity": "sha512-jrbSQrYCho0yDaaf92qWgd+7nAeap5LtHTI51KXqmpIFCceKU3K9+vIVTUH72bOJngBMqa4kyu1VJhRcSrk/CQ==",
       "dependencies": {
-        "@smithy/middleware-endpoint": "^2.4.4",
-        "@smithy/middleware-stack": "^2.1.3",
-        "@smithy/protocol-http": "^3.2.1",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-stream": "^2.1.3",
-        "tslib": "^2.5.0"
+        "@smithy/middleware-endpoint": "^2.5.1",
+        "@smithy/middleware-stack": "^2.2.0",
+        "@smithy/protocol-http": "^3.3.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-stream": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/types": {
-      "version": "2.10.1",
-      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-2.10.1.tgz",
-      "integrity": "sha512-hjQO+4ru4cQ58FluQvKKiyMsFg0A6iRpGm2kqdH8fniyNd2WyanoOsYJfMX/IFLuLxEoW6gnRkNZy1y6fUUhtA==",
+      "version": "2.12.0",
+      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-2.12.0.tgz",
+      "integrity": "sha512-QwYgloJ0sVNBeBuBs65cIkTbfzV/Q6ZNPCJ99EICFEdJYG50nGIY/uYXp+TbsdJReIuPr0a0kXmCvren3MbRRw==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/url-parser": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-2.1.3.tgz",
-      "integrity": "sha512-X1NRA4WzK/ihgyzTpeGvI9Wn45y8HmqF4AZ/FazwAv8V203Ex+4lXqcYI70naX9ETqbqKVzFk88W6WJJzCggTQ==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-2.2.0.tgz",
+      "integrity": "sha512-hoA4zm61q1mNTpksiSWp2nEl1dt3j726HdRhiNgVJQMj7mLp7dprtF57mOB6JvEk/x9d2bsuL5hlqZbBuHQylQ==",
       "dependencies": {
-        "@smithy/querystring-parser": "^2.1.3",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/querystring-parser": "^2.2.0",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       }
     },
     "node_modules/@smithy/util-base64": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-2.1.1.tgz",
-      "integrity": "sha512-UfHVpY7qfF/MrgndI5PexSKVTxSZIdz9InghTFa49QOvuu9I52zLPLUHXvHpNuMb1iD2vmc6R+zbv/bdMipR/g==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-2.3.0.tgz",
+      "integrity": "sha512-s3+eVwNeJuXUwuMbusncZNViuhv2LjVJ1nMwTqSA0XAC7gjKhqqxRdJPhR8+YrkoZ9IiIbFk/yK6ACe/xlF+hw==",
       "dependencies": {
-        "@smithy/util-buffer-from": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/util-buffer-from": "^2.2.0",
+        "@smithy/util-utf8": "^2.3.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-body-length-browser": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-2.1.1.tgz",
-      "integrity": "sha512-ekOGBLvs1VS2d1zM2ER4JEeBWAvIOUKeaFch29UjjJsxmZ/f0L3K3x0dEETgh3Q9bkZNHgT+rkdl/J/VUqSRag==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-2.2.0.tgz",
+      "integrity": "sha512-dtpw9uQP7W+n3vOtx0CfBD5EWd7EPdIdsQnWTDoFf77e3VUf05uA7R7TGipIo8e4WL2kuPdnsr3hMQn9ziYj5w==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       }
     },
     "node_modules/@smithy/util-body-length-node": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-2.2.1.tgz",
-      "integrity": "sha512-/ggJG+ta3IDtpNVq4ktmEUtOkH1LW64RHB5B0hcr5ZaWBmo96UX2cIOVbjCqqDickTXqBWZ4ZO0APuaPrD7Abg==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-2.3.0.tgz",
+      "integrity": "sha512-ITWT1Wqjubf2CJthb0BuT9+bpzBfXeMokH/AAa5EJQgbv9aPMVfnM76iFIZVFf50hYXGbtiV71BHAthNWd6+dw==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-buffer-from": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.1.1.tgz",
-      "integrity": "sha512-clhNjbyfqIv9Md2Mg6FffGVrJxw7bgK7s3Iax36xnfVj6cg0fUG7I4RH0XgXJF8bxi+saY5HR21g2UPKSxVCXg==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.2.0.tgz",
+      "integrity": "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==",
       "dependencies": {
-        "@smithy/is-array-buffer": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/is-array-buffer": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-config-provider": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-2.2.1.tgz",
-      "integrity": "sha512-50VL/tx9oYYcjJn/qKqNy7sCtpD0+s8XEBamIFo4mFFTclKMNp+rsnymD796uybjiIquB7VCB/DeafduL0y2kw==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-2.3.0.tgz",
+      "integrity": "sha512-HZkzrRcuFN1k70RLqlNK4FnPXKOpkik1+4JaBoHNJn+RnJGYqaa3c5/+XtLOXhlKzlRgNvyaLieHTW2VwGN0VQ==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-defaults-mode-browser": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-2.1.4.tgz",
-      "integrity": "sha512-J6XAVY+/g7jf03QMnvqPyU+8jqGrrtXoKWFVOS+n1sz0Lg8HjHJ1ANqaDN+KTTKZRZlvG8nU5ZrJOUL6VdwgcQ==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-2.2.1.tgz",
+      "integrity": "sha512-RtKW+8j8skk17SYowucwRUjeh4mCtnm5odCL0Lm2NtHQBsYKrNW0od9Rhopu9wF1gHMfHeWF7i90NwBz/U22Kw==",
       "dependencies": {
-        "@smithy/property-provider": "^2.1.3",
-        "@smithy/smithy-client": "^2.4.2",
-        "@smithy/types": "^2.10.1",
+        "@smithy/property-provider": "^2.2.0",
+        "@smithy/smithy-client": "^2.5.1",
+        "@smithy/types": "^2.12.0",
         "bowser": "^2.11.0",
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">= 10.0.0"
       }
     },
     "node_modules/@smithy/util-defaults-mode-node": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-2.2.3.tgz",
-      "integrity": "sha512-ttUISrv1uVOjTlDa3nznX33f0pthoUlP+4grhTvOzcLhzArx8qHB94/untGACOG3nlf8vU20nI2iWImfzoLkYA==",
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-2.3.1.tgz",
+      "integrity": "sha512-vkMXHQ0BcLFysBMWgSBLSk3+leMpFSyyFj8zQtv5ZyUBx8/owVh1/pPEkzmW/DR/Gy/5c8vjLDD9gZjXNKbrpA==",
       "dependencies": {
-        "@smithy/config-resolver": "^2.1.4",
-        "@smithy/credential-provider-imds": "^2.2.4",
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/property-provider": "^2.1.3",
-        "@smithy/smithy-client": "^2.4.2",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/config-resolver": "^2.2.0",
+        "@smithy/credential-provider-imds": "^2.3.0",
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/property-provider": "^2.2.0",
+        "@smithy/smithy-client": "^2.5.1",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">= 10.0.0"
       }
     },
     "node_modules/@smithy/util-endpoints": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-1.1.4.tgz",
-      "integrity": "sha512-/qAeHmK5l4yQ4/bCIJ9p49wDe9rwWtOzhPHblu386fwPNT3pxmodgcs9jDCV52yK9b4rB8o9Sj31P/7Vzka1cg==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-1.2.0.tgz",
+      "integrity": "sha512-BuDHv8zRjsE5zXd3PxFXFknzBG3owCpjq8G3FcsXW3CykYXuEqM3nTSsmLzw5q+T12ZYuDlVUZKBdpNbhVtlrQ==",
       "dependencies": {
-        "@smithy/node-config-provider": "^2.2.4",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/node-config-provider": "^2.3.0",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">= 14.0.0"
       }
     },
     "node_modules/@smithy/util-hex-encoding": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-2.1.1.tgz",
-      "integrity": "sha512-3UNdP2pkYUUBGEXzQI9ODTDK+Tcu1BlCyDBaRHwyxhA+8xLP8agEKQq4MGmpjqb4VQAjq9TwlCQX0kP6XDKYLg==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-2.2.0.tgz",
+      "integrity": "sha512-7iKXR+/4TpLK194pVjKiasIyqMtTYJsgKgM242Y9uzt5dhHnUDvMNb+3xIhRJ9QhvqGii/5cRUt4fJn3dtXNHQ==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-middleware": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-2.1.3.tgz",
-      "integrity": "sha512-/+2fm7AZ2ozl5h8wM++ZP0ovE9/tiUUAHIbCfGfb3Zd3+Dyk17WODPKXBeJ/TnK5U+x743QmA0xHzlSm8I/qhw==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-2.2.0.tgz",
+      "integrity": "sha512-L1qpleXf9QD6LwLCJ5jddGkgWyuSvWBkJwWAZ6kFkdifdso+sk3L3O1HdmPvCdnCK3IS4qWyPxev01QMnfHSBw==",
       "dependencies": {
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-retry": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-2.1.3.tgz",
-      "integrity": "sha512-Kbvd+GEMuozbNUU3B89mb99tbufwREcyx2BOX0X2+qHjq6Gvsah8xSDDgxISDwcOHoDqUWO425F0Uc/QIRhYkg==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-2.2.0.tgz",
+      "integrity": "sha512-q9+pAFPTfftHXRytmZ7GzLFFrEGavqapFc06XxzZFcSIGERXMerXxCitjOG1prVDR9QdjqotF40SWvbqcCpf8g==",
       "dependencies": {
-        "@smithy/service-error-classification": "^2.1.3",
-        "@smithy/types": "^2.10.1",
-        "tslib": "^2.5.0"
+        "@smithy/service-error-classification": "^2.1.5",
+        "@smithy/types": "^2.12.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">= 14.0.0"
       }
     },
     "node_modules/@smithy/util-stream": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-2.1.3.tgz",
-      "integrity": "sha512-HvpEQbP8raTy9n86ZfXiAkf3ezp1c3qeeO//zGqwZdrfaoOpGKQgF2Sv1IqZp7wjhna7pvczWaGUHjcOPuQwKw==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-2.2.0.tgz",
+      "integrity": "sha512-17faEXbYWIRst1aU9SvPZyMdWmqIrduZjVOqCPMIsWFNxs5yQQgFrJL6b2SdiCzyW9mJoDjFtgi53xx7EH+BXA==",
       "dependencies": {
-        "@smithy/fetch-http-handler": "^2.4.3",
-        "@smithy/node-http-handler": "^2.4.1",
-        "@smithy/types": "^2.10.1",
-        "@smithy/util-base64": "^2.1.1",
-        "@smithy/util-buffer-from": "^2.1.1",
-        "@smithy/util-hex-encoding": "^2.1.1",
-        "@smithy/util-utf8": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/fetch-http-handler": "^2.5.0",
+        "@smithy/node-http-handler": "^2.5.0",
+        "@smithy/types": "^2.12.0",
+        "@smithy/util-base64": "^2.3.0",
+        "@smithy/util-buffer-from": "^2.2.0",
+        "@smithy/util-hex-encoding": "^2.2.0",
+        "@smithy/util-utf8": "^2.3.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-uri-escape": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-2.1.1.tgz",
-      "integrity": "sha512-saVzI1h6iRBUVSqtnlOnc9ssU09ypo7n+shdQ8hBTZno/9rZ3AuRYvoHInV57VF7Qn7B+pFJG7qTzFiHxWlWBw==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-2.2.0.tgz",
+      "integrity": "sha512-jtmJMyt1xMD/d8OtbVJ2gFZOSKc+ueYJZPW20ULW1GOp/q/YIM0wNh+u8ZFao9UaIGz4WoPW8hC64qlWLIfoDA==",
       "dependencies": {
-        "tslib": "^2.5.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@smithy/util-utf8": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.1.1.tgz",
-      "integrity": "sha512-BqTpzYEcUMDwAKr7/mVRUtHDhs6ZoXDi9NypMvMfOr/+u1NW7JgqodPDECiiLboEm6bobcPcECxzjtQh865e9A==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz",
+      "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==",
       "dependencies": {
-        "@smithy/util-buffer-from": "^2.1.1",
-        "tslib": "^2.5.0"
+        "@smithy/util-buffer-from": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
         "node": ">=14.0.0"
@@ -9954,9 +10102,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",

backend/package.json

@@ -110,7 +110,7 @@
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",
-    "mysql2": "^3.9.4",
+    "mysql2": "^3.9.7",
     "nanoid": "^5.0.4",
     "nodemailer": "^6.9.9",
     "ora": "^7.0.1",

backend/src/@types/fastify.d.ts

@@ -1,6 +1,8 @@
 import "fastify";
 
 import { TUsers } from "@app/db/schemas";
+import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
+import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
@@ -30,6 +32,7 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -113,6 +116,9 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
+      identityAwsAuth: TIdentityAwsAuthServiceFactory;
+      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
+      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
       secretApprovalRequest: TSecretApprovalRequestServiceFactory;
       secretRotation: TSecretRotationServiceFactory;

backend/src/@types/knex.d.ts

@@ -2,6 +2,18 @@ import { Knex } from "knex";
 
 import {
   TableName,
+  TAccessApprovalPolicies,
+  TAccessApprovalPoliciesApprovers,
+  TAccessApprovalPoliciesApproversInsert,
+  TAccessApprovalPoliciesApproversUpdate,
+  TAccessApprovalPoliciesInsert,
+  TAccessApprovalPoliciesUpdate,
+  TAccessApprovalRequests,
+  TAccessApprovalRequestsInsert,
+  TAccessApprovalRequestsReviewers,
+  TAccessApprovalRequestsReviewersInsert,
+  TAccessApprovalRequestsReviewersUpdate,
+  TAccessApprovalRequestsUpdate,
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
@@ -47,6 +59,9 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
+  TIdentityAwsAuths,
+  TIdentityAwsAuthsInsert,
+  TIdentityAwsAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -314,6 +329,11 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
+    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+      TIdentityAwsAuths,
+      TIdentityAwsAuthsInsert,
+      TIdentityAwsAuthsUpdate
+    >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,
@@ -344,6 +364,31 @@ declare module "knex/types/tables" {
       TIdentityProjectAdditionalPrivilegeInsert,
       TIdentityProjectAdditionalPrivilegeUpdate
     >;
+
+    [TableName.AccessApprovalPolicy]: Knex.CompositeTableType<
+      TAccessApprovalPolicies,
+      TAccessApprovalPoliciesInsert,
+      TAccessApprovalPoliciesUpdate
+    >;
+
+    [TableName.AccessApprovalPolicyApprover]: Knex.CompositeTableType<
+      TAccessApprovalPoliciesApprovers,
+      TAccessApprovalPoliciesApproversInsert,
+      TAccessApprovalPoliciesApproversUpdate
+    >;
+
+    [TableName.AccessApprovalRequest]: Knex.CompositeTableType<
+      TAccessApprovalRequests,
+      TAccessApprovalRequestsInsert,
+      TAccessApprovalRequestsUpdate
+    >;
+
+    [TableName.AccessApprovalRequestReviewer]: Knex.CompositeTableType<
+      TAccessApprovalRequestsReviewers,
+      TAccessApprovalRequestsReviewersInsert,
+      TAccessApprovalRequestsReviewersUpdate
+    >;
+
     [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
     [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
       TSecretApprovalPolicies,

backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts

@@ -0,0 +1,54 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const isUsersTablePresent = await knex.schema.hasTable(TableName.Users);
+  if (isUsersTablePresent) {
+    const hasIsEmailVerifiedColumn = await knex.schema.hasColumn(TableName.Users, "isEmailVerified");
+
+    if (!hasIsEmailVerifiedColumn) {
+      await knex.schema.alterTable(TableName.Users, (t) => {
+        t.boolean("isEmailVerified").defaultTo(false);
+      });
+    }
+
+    // Backfilling the isEmailVerified to true where isAccepted is true
+    await knex(TableName.Users).update({ isEmailVerified: true }).where("isAccepted", true);
+  }
+
+  const isUserAliasTablePresent = await knex.schema.hasTable(TableName.UserAliases);
+  if (isUserAliasTablePresent) {
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.string("username").nullable().alter();
+    });
+  }
+
+  const isSuperAdminTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
+  if (isSuperAdminTablePresent) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.boolean("trustSamlEmails").defaultTo(false);
+      t.boolean("trustLdapEmails").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Users, "isEmailVerified")) {
+    await knex.schema.alterTable(TableName.Users, (t) => {
+      t.dropColumn("isEmailVerified");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustSamlEmails")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("trustSamlEmails");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustLdapEmails")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("trustLdapEmails");
+    });
+  }
+}

backend/src/db/migrations/20240507162140_access-approval-policy.ts

@@ -0,0 +1,41 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicy))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicy, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.integer("approvals").defaultTo(1).notNullable();
+      t.string("secretPath");
+
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("approverId").notNullable();
+      t.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyApprover);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicy);
+
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
+}

backend/src/db/migrations/20240507162141_access.ts

@@ -0,0 +1,51 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequest))) {
+    await knex.schema.createTable(TableName.AccessApprovalRequest, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+
+      t.uuid("privilegeId").nullable();
+      t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+
+      t.uuid("requestedBy").notNullable();
+      t.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+
+      // We use these values to create the actual privilege at a later point in time.
+      t.boolean("isTemporary").notNullable();
+      t.string("temporaryRange").nullable();
+
+      t.jsonb("permissions").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
+
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
+    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("member").notNullable();
+      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      t.string("status").notNullable();
+      t.uuid("requestId").notNullable();
+      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequestReviewer);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequest);
+
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
+}

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
+    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("stsEndpoint").notNullable();
+      t.string("allowedPrincipalArns").notNullable();
+      t.string("allowedAccountIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
+}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalPoliciesApproversSchema = z.object({
+  id: z.string().uuid(),
+  approverId: z.string().uuid(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
+export type TAccessApprovalPoliciesApproversInsert = Omit<
+  z.input<typeof AccessApprovalPoliciesApproversSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalPoliciesApproversUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesApproversSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/access-approval-policies.ts

@@ -7,16 +7,18 @@ import { z } from "zod";
 
 import { TImmutableDBKeys } from "./models";
 
-export const SecretApprovalPoliciesSchema = z.object({
+export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string().nullable().optional(),
   approvals: z.number().default(1),
+  secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
+  updatedAt: z.date()
 });
 
-export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
-export type TSecretApprovalPoliciesInsert = Omit<TSecretApprovalPolicies, TImmutableDBKeys>;
-export type TSecretApprovalPoliciesUpdate = Partial<Omit<TSecretApprovalPolicies, TImmutableDBKeys>>;
+export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
+export type TAccessApprovalPoliciesInsert = Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>;
+export type TAccessApprovalPoliciesUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/access-approval-requests-reviewers.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalRequestsReviewersSchema = z.object({
+  id: z.string().uuid(),
+  member: z.string().uuid(),
+  status: z.string(),
+  requestId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
+export type TAccessApprovalRequestsReviewersInsert = Omit<
+  z.input<typeof AccessApprovalRequestsReviewersSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalRequestsReviewersUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalRequestsReviewersSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/access-approval-requests.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalRequestsSchema = z.object({
+  id: z.string().uuid(),
+  policyId: z.string().uuid(),
+  privilegeId: z.string().uuid().nullable().optional(),
+  requestedBy: z.string().uuid(),
+  isTemporary: z.boolean(),
+  temporaryRange: z.string().nullable().optional(),
+  permissions: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
+export type TAccessApprovalRequestsInsert = Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>;
+export type TAccessApprovalRequestsUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityAwsAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  stsEndpoint: z.string(),
+  allowedPrincipalArns: z.string(),
+  allowedAccountIds: z.string()
+});
+
+export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
+export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -1,3 +1,7 @@
+export * from "./access-approval-policies";
+export * from "./access-approval-policies-approvers";
+export * from "./access-approval-requests";
+export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
 export * from "./audit-log-streams";
 export * from "./audit-logs";
@@ -13,6 +17,7 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
+export * from "./identity-aws-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/models.ts

@@ -45,11 +45,16 @@ export enum TableName {
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
+  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   ScimToken = "scim_tokens",
+  AccessApprovalPolicy = "access_approval_policies",
+  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
+  AccessApprovalRequest = "access_approval_requests",
+  AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalRequest = "secret_approval_requests",
@@ -138,5 +143,6 @@ export enum ProjectUpgradeStatus {
 }
 
 export enum IdentityAuthMethod {
-  Univeral = "universal-auth"
+  Univeral = "universal-auth",
+  AWS_AUTH = "aws-auth"
 }

backend/src/db/schemas/super-admin.ts

@@ -14,7 +14,9 @@ export const SuperAdminSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   allowedSignUpDomain: z.string().nullable().optional(),
-  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000")
+  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
+  trustSamlEmails: z.boolean().default(false).nullable().optional(),
+  trustLdapEmails: z.boolean().default(false).nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/schemas/user-aliases.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const UserAliasesSchema = z.object({
   id: z.string().uuid(),
   userId: z.string().uuid(),
-  username: z.string(),
+  username: z.string().nullable().optional(),
   aliasType: z.string(),
   externalId: z.string(),
   emails: z.string().array().nullable().optional(),

backend/src/db/schemas/users.ts

@@ -21,7 +21,8 @@ export const UsersSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
-  username: z.string()
+  username: z.string(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -0,0 +1,168 @@
+import { nanoid } from "nanoid";
+import { z } from "zod";
+
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    schema: {
+      body: z
+        .object({
+          projectSlug: z.string().trim(),
+          name: z.string().optional(),
+          secretPath: z.string().trim().default("/"),
+          environment: z.string(),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        projectSlug: req.body.projectSlug,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+      });
+      return { approval };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          approvals: sapPubSchema.extend({ approvers: z.string().array(), secretPath: z.string().optional() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approvals = await server.services.accessApprovalPolicy.getAccessApprovalPolicyByProjectSlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectSlug: req.query.projectSlug
+      });
+      return { approvals };
+    }
+  });
+
+  server.route({
+    url: "/count",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string(),
+        envSlug: z.string()
+      }),
+      response: {
+        200: z.object({
+          count: z.number()
+        })
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { count } = await server.services.accessApprovalPolicy.getAccessPolicyCountByEnvSlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        projectSlug: req.query.projectSlug,
+        actorOrgId: req.permission.orgId,
+        envSlug: req.query.envSlug
+      });
+      return { count };
+    }
+  });
+
+  server.route({
+    url: "/:policyId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      body: z
+        .object({
+          name: z.string().optional(),
+          secretPath: z
+            .string()
+            .trim()
+            .optional()
+            .transform((val) => (val === "" ? "/" : val)),
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
+        })
+        .refine((data) => data.approvals <= data.approvers.length, {
+          path: ["approvals"],
+          message: "The number of approvals should be lower than the number of approvers."
+        }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
+        policyId: req.params.policyId,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body
+      });
+    }
+  });
+
+  server.route({
+    url: "/:policyId",
+    method: "DELETE",
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        policyId: req.params.policyId
+      });
+      return { approval };
+    }
+  });
+};

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -0,0 +1,160 @@
+import { z } from "zod";
+
+import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema } from "@app/db/schemas";
+import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAccessApprovalRequestRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    schema: {
+      body: z.object({
+        permissions: z.any().array(),
+        isTemporary: z.boolean(),
+        temporaryRange: z.string().optional()
+      }),
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          approval: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.createAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        permissions: req.body.permissions,
+        actorOrgId: req.permission.orgId,
+        projectSlug: req.query.projectSlug,
+        temporaryRange: req.body.temporaryRange,
+        isTemporary: req.body.isTemporary
+      });
+      return { approval: request };
+    }
+  });
+
+  server.route({
+    url: "/count",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          pendingCount: z.number(),
+          finalizedCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { count } = await server.services.accessApprovalRequest.getCount({
+        projectSlug: req.query.projectSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { ...count };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    schema: {
+      querystring: z.object({
+        projectSlug: z.string().trim(),
+        authorProjectMembershipId: z.string().trim().optional(),
+        envSlug: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          requests: AccessApprovalRequestsSchema.extend({
+            environmentName: z.string(),
+            isApproved: z.boolean(),
+            privilege: z
+              .object({
+                membershipId: z.string(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().nullish(),
+                temporaryRange: z.string().nullish(),
+                temporaryAccessStartTime: z.date().nullish(),
+                temporaryAccessEndTime: z.date().nullish(),
+                permissions: z.unknown()
+              })
+              .nullable(),
+            policy: z.object({
+              id: z.string(),
+              name: z.string(),
+              approvals: z.number(),
+              approvers: z.string().array(),
+              secretPath: z.string().nullish(),
+              envId: z.string()
+            }),
+            reviewers: z
+              .object({
+                member: z.string(),
+                status: z.string()
+              })
+              .array()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
+        projectSlug: req.query.projectSlug,
+        authorProjectMembershipId: req.query.authorProjectMembershipId,
+        envSlug: req.query.envSlug,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { requests };
+    }
+  });
+
+  server.route({
+    url: "/:requestId/review",
+    method: "POST",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      body: z.object({
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+      }),
+      response: {
+        200: z.object({
+          review: AccessApprovalRequestsReviewersSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const review = await server.services.accessApprovalRequest.reviewAccessRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        requestId: req.params.requestId,
+        status: req.body.status
+      });
+
+      return { review };
+    }
+  });
+};

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,16 +1,14 @@
-import { MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
-import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
-import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { PermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -41,11 +39,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -92,7 +90,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -107,7 +105,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -157,7 +155,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
@@ -175,7 +173,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -219,7 +217,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -260,7 +258,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -293,16 +291,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       ],
       querystring: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
-        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug),
-        unpacked: z
-          .enum(["false", "true"])
-          .transform((el) => el === "true")
-          .default("true")
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.unpacked)
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug)
       }),
       response: {
         200: z.object({
-          privileges: IdentityProjectAdditionalPrivilegeSchema.array()
+          privileges: SanitizedIdentityPrivilegeSchema.array()
         })
       }
     },
@@ -315,15 +308,9 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         actorOrgId: req.permission.orgId,
         ...req.query
       });
-      if (req.query.unpacked) {
-        return {
-          privileges: privileges.map(({ permissions, ...el }) => ({
-            ...el,
-            permissions: unpackRules(permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
-          }))
-        };
-      }
-      return { privileges };
+      return {
+        privileges
+      };
     }
   });
 };

backend/src/ee/routes/v1/index.ts

@@ -1,3 +1,5 @@
+import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
+import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
@@ -41,6 +43,9 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     prefix: "/secret-rotation-providers"
   });
 
+  await server.register(registerAccessApprovalPolicyRouter, { prefix: "/access-approvals/policies" });
+  await server.register(registerAccessApprovalRequestRouter, { prefix: "/access-approvals/requests" });
+
   await server.register(
     async (dynamicSecretRouter) => {
       await dynamicSecretRouter.register(registerDynamicSecretRouter);

backend/src/ee/routes/v1/ldap-router.ts

@@ -18,6 +18,7 @@ import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -52,6 +53,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req: IncomingMessage, user, cb) => {
         try {
+          if (!user.email) throw new BadRequestError({ message: "Invalid request. Missing email." });
           const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
 
           let groups: { dn: string; cn: string }[] | undefined;
@@ -74,7 +76,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
             username: user.uid,
             firstName: user.givenName ?? user.cn ?? "",
             lastName: user.sn ?? "",
-            emails: user.mail ? [user.mail] : [],
+            email: user.mail,
             groups,
             relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
             orgId: (req as unknown as FastifyRequest).ldapConfig.organization

backend/src/ee/routes/v1/saml-router.ts

@@ -102,12 +102,12 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
           const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved
 
-          if (!profile.email || !profile.firstName) {
+          if (!email || !profile.firstName) {
             throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
           }
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
-            username: profile.nameID ?? email,
+            externalId: profile.nameID,
             email,
             firstName: profile.firstName as string,
             lastName: profile.lastName as string,

backend/src/ee/routes/v1/scim-router.ts

@@ -153,7 +153,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const users = await req.server.services.scim.listScimUsers({
-        offset: req.query.startIndex,
+        startIndex: req.query.startIndex,
         limit: req.query.count,
         filter: req.query.filter,
         orgId: req.permission.orgId
@@ -163,11 +163,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:userId",
+    url: "/Users/:orgMembershipId",
     method: "GET",
     schema: {
       params: z.object({
-        userId: z.string().trim()
+        orgMembershipId: z.string().trim()
       }),
       response: {
         201: z.object({
@@ -193,7 +193,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.getScimUser({
-        userId: req.params.userId,
+        orgMembershipId: req.params.orgMembershipId,
         orgId: req.permission.orgId
       });
       return user;
@@ -249,7 +249,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
       const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
 
       const user = await req.server.services.scim.createScimUser({
-        username: req.body.userName,
+        externalId: req.body.userName,
         email: primaryEmail,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
@@ -261,11 +261,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:userId",
+    url: "/Users/:orgMembershipId",
     method: "DELETE",
     schema: {
       params: z.object({
-        userId: z.string().trim()
+        orgMembershipId: z.string().trim()
       }),
       response: {
         200: z.object({})
@@ -274,7 +274,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.deleteScimUser({
-        userId: req.params.userId,
+        orgMembershipId: req.params.orgMembershipId,
         orgId: req.permission.orgId
       });
 
@@ -361,7 +361,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const groups = await req.server.services.scim.listScimGroups({
         orgId: req.permission.orgId,
-        offset: req.query.startIndex,
+        startIndex: req.query.startIndex,
         limit: req.query.count
       });
 
@@ -416,10 +416,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(), // infisical userId
+            value: z.string(), // infisical orgMembershipId
             display: z.string()
           })
-        ) // note: is this where members are added to group?
+        )
       }),
       response: {
         200: z.object({
@@ -534,11 +534,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:userId",
+    url: "/Users/:orgMembershipId",
     method: "PUT",
     schema: {
       params: z.object({
-        userId: z.string().trim()
+        orgMembershipId: z.string().trim()
       }),
       body: z.object({
         schemas: z.array(z.string()),
@@ -575,7 +575,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.replaceScimUser({
-        userId: req.params.userId,
+        orgMembershipId: req.params.orgMembershipId,
         orgId: req.permission.orgId,
         active: req.body.active
       });

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TAccessApprovalPolicyApproverDALFactory = ReturnType<typeof accessApprovalPolicyApproverDALFactory>;
+
+export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
+  const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
+  return { ...accessApprovalPolicyApproverOrm };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -0,0 +1,76 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TAccessApprovalPolicies } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { buildFindFilter, mergeOneToManyRelation, ormify, selectAllTableCols, TFindFilter } from "@app/lib/knex";
+
+export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
+
+export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
+  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);
+
+  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
+    const result = await tx(TableName.AccessApprovalPolicy)
+      // eslint-disable-next-line
+      .where(buildFindFilter(filter))
+      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .join(
+        TableName.AccessApprovalPolicyApprover,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyApprover}.policyId`
+      )
+      .select(tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
+      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
+      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
+      .select(tx.ref("projectId").withSchema(TableName.Environment))
+      .select(selectAllTableCols(TableName.AccessApprovalPolicy));
+
+    return result;
+  };
+
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const doc = await accessApprovalPolicyFindQuery(tx || db, {
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
+      });
+      const formatedDoc = mergeOneToManyRelation(
+        doc,
+        "id",
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+          ...el,
+          envId,
+          environment: { id: envId, name, slug }
+        }),
+        ({ approverId }) => approverId,
+        "approvers"
+      );
+      return formatedDoc?.[0];
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindById" });
+    }
+  };
+
+  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+    try {
+      const docs = await accessApprovalPolicyFindQuery(tx || db, filter);
+      const formatedDoc = mergeOneToManyRelation(
+        docs,
+        "id",
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
+          ...el,
+          envId,
+          environment: { id: envId, name, slug }
+        }),
+        ({ approverId }) => approverId,
+        "approvers"
+      );
+      return formatedDoc.map((policy) => ({ ...policy, secretPath: policy.secretPath || undefined }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find" });
+    }
+  };
+
+  return { ...accessApprovalPolicyOrm, find, findById };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -0,0 +1,36 @@
+import { ForbiddenError, subject } from "@casl/ability";
+
+import { BadRequestError } from "@app/lib/errors";
+import { ActorType } from "@app/services/auth/auth-type";
+
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TVerifyApprovers } from "./access-approval-policy-types";
+
+export const verifyApprovers = async ({
+  userIds,
+  projectId,
+  orgId,
+  envSlug,
+  actorAuthMethod,
+  secretPath,
+  permissionService
+}: TVerifyApprovers) => {
+  for await (const userId of userIds) {
+    try {
+      const { permission: approverPermission } = await permissionService.getProjectPermission(
+        ActorType.USER,
+        userId,
+        projectId,
+        actorAuthMethod,
+        orgId
+      );
+
+      ForbiddenError.from(approverPermission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
+      );
+    } catch (err) {
+      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
+    }
+  }
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -0,0 +1,273 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { BadRequestError } from "@app/lib/errors";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+
+import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
+import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
+import { verifyApprovers } from "./access-approval-policy-fns";
+import {
+  TCreateAccessApprovalPolicy,
+  TDeleteAccessApprovalPolicy,
+  TGetAccessPolicyCountByEnvironmentDTO,
+  TListAccessApprovalPoliciesDTO,
+  TUpdateAccessApprovalPolicy
+} from "./access-approval-policy-types";
+
+type TSecretApprovalPolicyServiceFactoryDep = {
+  projectDAL: TProjectDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
+  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+};
+
+export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
+
+export const accessApprovalPolicyServiceFactory = ({
+  accessApprovalPolicyDAL,
+  accessApprovalPolicyApproverDAL,
+  permissionService,
+  projectEnvDAL,
+  projectDAL,
+  projectMembershipDAL
+}: TSecretApprovalPolicyServiceFactoryDep) => {
+  const createAccessApprovalPolicy = async ({
+    name,
+    actor,
+    actorId,
+    actorOrgId,
+    secretPath,
+    actorAuthMethod,
+    approvals,
+    approvers,
+    projectSlug,
+    environment
+  }: TCreateAccessApprovalPolicy) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    if (approvals > approvers.length)
+      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.SecretApproval
+    );
+    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
+    if (!env) throw new BadRequestError({ message: "Environment not found" });
+
+    const secretApprovers = await projectMembershipDAL.find({
+      projectId: project.id,
+      $in: { id: approvers }
+    });
+
+    if (secretApprovers.length !== approvers.length) {
+      throw new BadRequestError({ message: "Approver not found in project" });
+    }
+
+    await verifyApprovers({
+      projectId: project.id,
+      orgId: actorOrgId,
+      envSlug: environment,
+      secretPath,
+      actorAuthMethod,
+      permissionService,
+      userIds: secretApprovers.map((approver) => approver.userId)
+    });
+
+    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
+      const doc = await accessApprovalPolicyDAL.create(
+        {
+          envId: env.id,
+          approvals,
+          secretPath,
+          name
+        },
+        tx
+      );
+      await accessApprovalPolicyApproverDAL.insertMany(
+        secretApprovers.map(({ id }) => ({
+          approverId: id,
+          policyId: doc.id
+        })),
+        tx
+      );
+      return doc;
+    });
+    return { ...accessApproval, environment: env, projectId: project.id };
+  };
+
+  const getAccessApprovalPolicyByProjectSlug = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug
+  }: TListAccessApprovalPoliciesDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    // Anyone in the project should be able to get the policies.
+    /* const { permission } = */ await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
+    return accessApprovalPolicies;
+  };
+
+  const updateAccessApprovalPolicy = async ({
+    policyId,
+    approvers,
+    secretPath,
+    name,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    approvals
+  }: TUpdateAccessApprovalPolicy) => {
+    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
+    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      accessApprovalPolicy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+
+    const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
+      const doc = await accessApprovalPolicyDAL.updateById(
+        accessApprovalPolicy.id,
+        {
+          approvals,
+          secretPath,
+          name
+        },
+        tx
+      );
+      if (approvers) {
+        // Find the workspace project memberships of the users passed in the approvers array
+        const secretApprovers = await projectMembershipDAL.find(
+          {
+            projectId: accessApprovalPolicy.projectId,
+            $in: { id: approvers }
+          },
+          { tx }
+        );
+
+        await verifyApprovers({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: secretApprovers.map((approver) => approver.userId)
+        });
+
+        if (secretApprovers.length !== approvers.length)
+          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+        await accessApprovalPolicyApproverDAL.insertMany(
+          secretApprovers.map(({ id }) => ({
+            approverId: id,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+      return doc;
+    });
+    return {
+      ...updatedPolicy,
+      environment: accessApprovalPolicy.environment,
+      projectId: accessApprovalPolicy.projectId
+    };
+  };
+
+  const deleteAccessApprovalPolicy = async ({
+    policyId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteAccessApprovalPolicy) => {
+    const policy = await accessApprovalPolicyDAL.findById(policyId);
+    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      policy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Delete,
+      ProjectPermissionSub.SecretApproval
+    );
+
+    await accessApprovalPolicyDAL.deleteById(policyId);
+    return policy;
+  };
+
+  const getAccessPolicyCountByEnvSlug = async ({
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug,
+    actorId,
+    envSlug
+  }: TGetAccessPolicyCountByEnvironmentDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+
+    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
+    if (!environment) throw new BadRequestError({ message: "Environment not found" });
+
+    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
+    if (!policies) throw new BadRequestError({ message: "No policies found" });
+
+    return { count: policies.length };
+  };
+
+  return {
+    getAccessPolicyCountByEnvSlug,
+    createAccessApprovalPolicy,
+    deleteAccessApprovalPolicy,
+    updateAccessApprovalPolicy,
+    getAccessApprovalPolicyByProjectSlug
+  };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -0,0 +1,44 @@
+import { TProjectPermission } from "@app/lib/types";
+import { ActorAuthMethod } from "@app/services/auth/auth-type";
+
+import { TPermissionServiceFactory } from "../permission/permission-service";
+
+export type TVerifyApprovers = {
+  userIds: string[];
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  envSlug: string;
+  actorAuthMethod: ActorAuthMethod;
+  secretPath: string;
+  projectId: string;
+  orgId: string;
+};
+
+export type TCreateAccessApprovalPolicy = {
+  approvals: number;
+  secretPath: string;
+  environment: string;
+  approvers: string[];
+  projectSlug: string;
+  name: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateAccessApprovalPolicy = {
+  policyId: string;
+  approvals?: number;
+  approvers?: string[];
+  secretPath?: string;
+  name?: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteAccessApprovalPolicy = {
+  policyId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetAccessPolicyCountByEnvironmentDTO = {
+  envSlug: string;
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TListAccessApprovalPoliciesDTO = {
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -0,0 +1,266 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
+
+import { ApprovalStatus } from "./access-approval-request-types";
+
+export type TAccessApprovalRequestDALFactory = ReturnType<typeof accessApprovalRequestDALFactory>;
+
+export const accessApprovalRequestDALFactory = (db: TDbClient) => {
+  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
+
+  const findRequestsWithPrivilegeByPolicyIds = async (policyIds: string[]) => {
+    try {
+      const docs = await db(TableName.AccessApprovalRequest)
+        .whereIn(`${TableName.AccessApprovalRequest}.policyId`, policyIds)
+
+        .leftJoin(
+          TableName.ProjectUserAdditionalPrivilege,
+          `${TableName.AccessApprovalRequest}.privilegeId`,
+          `${TableName.ProjectUserAdditionalPrivilege}.id`
+        )
+        .leftJoin(
+          TableName.AccessApprovalPolicy,
+          `${TableName.AccessApprovalRequest}.policyId`,
+          `${TableName.AccessApprovalPolicy}.id`
+        )
+
+        .leftJoin(
+          TableName.AccessApprovalRequestReviewer,
+          `${TableName.AccessApprovalRequest}.id`,
+          `${TableName.AccessApprovalRequestReviewer}.requestId`
+        )
+        .leftJoin(
+          TableName.AccessApprovalPolicyApprover,
+          `${TableName.AccessApprovalPolicy}.id`,
+          `${TableName.AccessApprovalPolicyApprover}.policyId`
+        )
+
+        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+
+        .select(selectAllTableCols(TableName.AccessApprovalRequest))
+        .select(
+          db.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
+          db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
+          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
+          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
+        )
+
+        .select(db.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
+
+        .select(
+          db.ref("projectId").withSchema(TableName.Environment),
+          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+          db.ref("name").withSchema(TableName.Environment).as("envName")
+        )
+
+        .select(
+          db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
+          db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
+        )
+
+        .select(
+          db
+            .ref("projectMembershipId")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("privilegeMembershipId"),
+          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeIsTemporary"),
+          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryMode"),
+          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("privilegeTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("privilegeTemporaryAccessEndTime"),
+
+          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegePermissions")
+        )
+        .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");
+
+      const formattedDocs = sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (doc) => ({
+          ...AccessApprovalRequestsSchema.parse(doc),
+          projectId: doc.projectId,
+          environment: doc.envSlug,
+          environmentName: doc.envName,
+          policy: {
+            id: doc.policyId,
+            name: doc.policyName,
+            approvals: doc.policyApprovals,
+            secretPath: doc.policySecretPath,
+            envId: doc.policyEnvId
+          },
+          privilege: doc.privilegeId
+            ? {
+                membershipId: doc.privilegeMembershipId,
+                isTemporary: doc.privilegeIsTemporary,
+                temporaryMode: doc.privilegeTemporaryMode,
+                temporaryRange: doc.privilegeTemporaryRange,
+                temporaryAccessStartTime: doc.privilegeTemporaryAccessStartTime,
+                temporaryAccessEndTime: doc.privilegeTemporaryAccessEndTime,
+                permissions: doc.privilegePermissions
+              }
+            : null,
+
+          isApproved: !!doc.privilegeId
+        }),
+        childrenMapper: [
+          {
+            key: "reviewerMemberId",
+            label: "reviewers" as const,
+            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+          },
+          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
+        ]
+      });
+
+      if (!formattedDocs) return [];
+
+      return formattedDocs.map((doc) => ({
+        ...doc,
+        policy: { ...doc.policy, approvers: doc.approvers }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
+    }
+  };
+
+  const findQuery = (filter: TFindFilter<TAccessApprovalRequests>, tx: Knex) =>
+    tx(TableName.AccessApprovalRequest)
+      .where(filter)
+      .join(
+        TableName.AccessApprovalPolicy,
+        `${TableName.AccessApprovalRequest}.policyId`,
+        `${TableName.AccessApprovalPolicy}.id`
+      )
+
+      .join(
+        TableName.AccessApprovalPolicyApprover,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyApprover}.policyId`
+      )
+      .leftJoin(
+        TableName.AccessApprovalRequestReviewer,
+        `${TableName.AccessApprovalRequest}.id`,
+        `${TableName.AccessApprovalRequestReviewer}.requestId`
+      )
+
+      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .select(selectAllTableCols(TableName.AccessApprovalRequest))
+      .select(
+        tx.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
+        tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
+        tx.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
+        tx.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
+        tx.ref("projectId").withSchema(TableName.Environment),
+        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
+        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
+        tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
+      );
+
+  const findById = async (id: string, tx?: Knex) => {
+    try {
+      const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db);
+      const docs = await sql;
+      const formatedDoc = sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (el) => ({
+          ...AccessApprovalRequestsSchema.parse(el),
+          projectId: el.projectId,
+          environment: el.environment,
+          policy: {
+            id: el.policyId,
+            name: el.policyName,
+            approvals: el.policyApprovals,
+            secretPath: el.policySecretPath
+          }
+        }),
+        childrenMapper: [
+          {
+            key: "reviewerMemberId",
+            label: "reviewers" as const,
+            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+          },
+          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
+        ]
+      });
+      if (!formatedDoc?.[0]) return;
+      return {
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
+    }
+  };
+
+  const getCount = async ({ projectId }: { projectId: string }) => {
+    try {
+      const accessRequests = await db(TableName.AccessApprovalRequest)
+        .leftJoin(
+          TableName.AccessApprovalPolicy,
+          `${TableName.AccessApprovalRequest}.policyId`,
+          `${TableName.AccessApprovalPolicy}.id`
+        )
+        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+        .leftJoin(
+          TableName.ProjectUserAdditionalPrivilege,
+          `${TableName.AccessApprovalRequest}.privilegeId`,
+          `${TableName.ProjectUserAdditionalPrivilege}.id`
+        )
+
+        .leftJoin(
+          TableName.AccessApprovalRequestReviewer,
+          `${TableName.AccessApprovalRequest}.id`,
+          `${TableName.AccessApprovalRequestReviewer}.requestId`
+        )
+
+        .where(`${TableName.Environment}.projectId`, projectId)
+        .select(selectAllTableCols(TableName.AccessApprovalRequest))
+        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
+        .select(db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"));
+
+      const formattedRequests = sqlNestRelationships({
+        data: accessRequests,
+        key: "id",
+        parentMapper: (doc) => ({
+          ...AccessApprovalRequestsSchema.parse(doc)
+        }),
+        childrenMapper: [
+          {
+            key: "reviewerMemberId",
+            label: "reviewers" as const,
+            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
+          }
+        ]
+      });
+
+      // an approval is pending if there is no reviewer rejections and no privilege ID is set
+      const pendingApprovals = formattedRequests.filter(
+        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+      );
+
+      // an approval is finalized if there are any rejections or a privilege ID is set
+      const finalizedApprovals = formattedRequests.filter(
+        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+      );
+
+      return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetCountAccessApprovalRequest" });
+    }
+  };
+
+  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount };
+};

backend/src/ee/services/access-approval-request/access-approval-request-fns.ts

@@ -0,0 +1,53 @@
+import { PackRule, unpackRules } from "@casl/ability/extra";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TVerifyPermission } from "./access-approval-request-types";
+
+function filterUnique(value: string, index: number, array: string[]) {
+  return array.indexOf(value) === index;
+}
+
+export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) => {
+  const permission = unpackRules(
+    permissions as PackRule<{
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      conditions?: Record<string, any>;
+      action: string;
+      subject: [string];
+    }>[]
+  );
+
+  if (!permission || !permission.length) {
+    throw new UnauthorizedError({ message: "No permission provided" });
+  }
+
+  const requestedPermissions: string[] = [];
+
+  for (const p of permission) {
+    if (p.action[0] === "read") requestedPermissions.push("Read Access");
+    if (p.action[0] === "create") requestedPermissions.push("Create Access");
+    if (p.action[0] === "delete") requestedPermissions.push("Delete Access");
+    if (p.action[0] === "edit") requestedPermissions.push("Edit Access");
+  }
+
+  const firstPermission = permission[0];
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
+  const permissionSecretPath = firstPermission.conditions?.secretPath?.$glob;
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment
+  const permissionEnv = firstPermission.conditions?.environment;
+
+  if (!permissionEnv || typeof permissionEnv !== "string") {
+    throw new UnauthorizedError({ message: "Permission environment is not a string" });
+  }
+  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
+    throw new UnauthorizedError({ message: "Permission path is not a string" });
+  }
+
+  return {
+    envSlug: permissionEnv,
+    secretPath: permissionSecretPath,
+    accessTypes: requestedPermissions.filter(filterUnique)
+  };
+};

backend/src/ee/services/access-approval-request/access-approval-request-reviewer-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TAccessApprovalRequestReviewerDALFactory = ReturnType<typeof accessApprovalRequestReviewerDALFactory>;
+
+export const accessApprovalRequestReviewerDALFactory = (db: TDbClient) => {
+  const secretApprovalRequestReviewerOrm = ormify(db, TableName.AccessApprovalRequestReviewer);
+  return secretApprovalRequestReviewerOrm;
+};

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -0,0 +1,369 @@
+import slugify from "@sindresorhus/slugify";
+import ms from "ms";
+
+import { ProjectMembershipRole } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { TUserDALFactory } from "@app/services/user/user-dal";
+
+import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
+import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
+import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
+import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
+import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
+import { verifyRequestedPermissions } from "./access-approval-request-fns";
+import { TAccessApprovalRequestReviewerDALFactory } from "./access-approval-request-reviewer-dal";
+import {
+  ApprovalStatus,
+  TCreateAccessApprovalRequestDTO,
+  TGetAccessRequestCountDTO,
+  TListApprovalRequestsDTO,
+  TReviewAccessRequestDTO
+} from "./access-approval-request-types";
+
+type TSecretApprovalRequestServiceFactoryDep = {
+  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  accessApprovalPolicyApproverDAL: Pick<TAccessApprovalPolicyApproverDALFactory, "find">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug">;
+  accessApprovalRequestDAL: Pick<
+    TAccessApprovalRequestDALFactory,
+    | "create"
+    | "find"
+    | "findRequestsWithPrivilegeByPolicyIds"
+    | "findById"
+    | "transaction"
+    | "updateById"
+    | "findOne"
+    | "getCount"
+  >;
+  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
+  accessApprovalRequestReviewerDAL: Pick<
+    TAccessApprovalRequestReviewerDALFactory,
+    "create" | "find" | "findOne" | "transaction"
+  >;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  userDAL: Pick<TUserDALFactory, "findUserByProjectMembershipId" | "findUsersByProjectMembershipIds">;
+};
+
+export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
+
+export const accessApprovalRequestServiceFactory = ({
+  projectDAL,
+  projectEnvDAL,
+  permissionService,
+  accessApprovalRequestDAL,
+  accessApprovalRequestReviewerDAL,
+  projectMembershipDAL,
+  accessApprovalPolicyDAL,
+  accessApprovalPolicyApproverDAL,
+  additionalPrivilegeDAL,
+  smtpService,
+  userDAL
+}: TSecretApprovalRequestServiceFactoryDep) => {
+  const createAccessApprovalRequest = async ({
+    isTemporary,
+    temporaryRange,
+    actorId,
+    permissions: requestedPermissions,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    projectSlug
+  }: TCreateAccessApprovalRequestDTO) => {
+    const cfg = getConfig();
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+
+    // Anyone can create an access approval request.
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+
+    const requestedByUser = await userDAL.findUserByProjectMembershipId(membership.id);
+    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
+
+    await projectDAL.checkProjectUpgradeStatus(project.id);
+
+    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
+    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
+
+    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
+
+    const policy = await accessApprovalPolicyDAL.findOne({
+      envId: environment.id,
+      secretPath
+    });
+    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
+
+    const approvers = await accessApprovalPolicyApproverDAL.find({
+      policyId: policy.id
+    });
+
+    const approverUsers = await userDAL.findUsersByProjectMembershipIds(
+      approvers.map((approver) => approver.approverId)
+    );
+
+    const duplicateRequests = await accessApprovalRequestDAL.find({
+      policyId: policy.id,
+      requestedBy: membership.id,
+      permissions: JSON.stringify(requestedPermissions),
+      isTemporary
+    });
+
+    if (duplicateRequests?.length > 0) {
+      for await (const duplicateRequest of duplicateRequests) {
+        if (duplicateRequest.privilegeId) {
+          const privilege = await additionalPrivilegeDAL.findById(duplicateRequest.privilegeId);
+
+          const isExpired = new Date() > new Date(privilege.temporaryAccessEndTime || ("" as string));
+
+          if (!isExpired || !privilege.isTemporary) {
+            throw new BadRequestError({ message: "You already have an active privilege with the same criteria" });
+          }
+        } else {
+          const reviewers = await accessApprovalRequestReviewerDAL.find({
+            requestId: duplicateRequest.id
+          });
+
+          const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
+
+          if (!isRejected) {
+            throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
+          }
+        }
+      }
+    }
+
+    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
+      const approvalRequest = await accessApprovalRequestDAL.create(
+        {
+          policyId: policy.id,
+          requestedBy: membership.id,
+          temporaryRange: temporaryRange || null,
+          permissions: JSON.stringify(requestedPermissions),
+          isTemporary
+        },
+        tx
+      );
+
+      await smtpService.sendMail({
+        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
+        subjectLine: "Access Approval Request",
+
+        substitutions: {
+          projectName: project.name,
+          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
+          requesterEmail: requestedByUser.email,
+          isTemporary,
+          ...(isTemporary && {
+            expiresIn: ms(ms(temporaryRange || ""), { long: true })
+          }),
+          secretPath,
+          environment: envSlug,
+          permissions: accessTypes,
+          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+        },
+        template: SmtpTemplates.AccessApprovalRequest
+      });
+
+      return approvalRequest;
+    });
+
+    return { request: approval };
+  };
+
+  const listApprovalRequests = async ({
+    projectSlug,
+    authorProjectMembershipId,
+    envSlug,
+    actor,
+    actorOrgId,
+    actorId,
+    actorAuthMethod
+  }: TListApprovalRequestsDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+
+    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
+    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
+
+    if (authorProjectMembershipId) {
+      requests = requests.filter((request) => request.requestedBy === authorProjectMembershipId);
+    }
+
+    if (envSlug) {
+      requests = requests.filter((request) => request.environment === envSlug);
+    }
+
+    return { requests };
+  };
+
+  const reviewAccessRequest = async ({
+    requestId,
+    actor,
+    status,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TReviewAccessRequestDTO) => {
+    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
+    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+
+    const { policy } = accessApprovalRequest;
+    const { membership, hasRole } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      accessApprovalRequest.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+
+    if (
+      !hasRole(ProjectMembershipRole.Admin) &&
+      accessApprovalRequest.requestedBy !== membership.id && // The request wasn't made by the current user
+      !policy.approvers.find((approverId) => approverId === membership.id) // The request isn't performed by an assigned approver
+    ) {
+      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
+    }
+
+    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
+
+    await verifyApprovers({
+      projectId: accessApprovalRequest.projectId,
+      orgId: actorOrgId,
+      envSlug: accessApprovalRequest.environment,
+      secretPath: accessApprovalRequest.policy.secretPath!,
+      actorAuthMethod,
+      permissionService,
+      userIds: [reviewerProjectMembership.userId]
+    });
+
+    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
+    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
+      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
+    }
+
+    const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
+      const review = await accessApprovalRequestReviewerDAL.findOne(
+        {
+          requestId: accessApprovalRequest.id,
+          member: membership.id
+        },
+        tx
+      );
+      if (!review) {
+        const newReview = await accessApprovalRequestReviewerDAL.create(
+          {
+            status,
+            requestId: accessApprovalRequest.id,
+            member: membership.id
+          },
+          tx
+        );
+
+        const allReviews = [...existingReviews, newReview];
+
+        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+
+        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
+        if (approvedReviews.length === policy.approvals) {
+          if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
+            throw new BadRequestError({ message: "Temporary range is required for temporary access" });
+          }
+
+          let privilegeId: string | null = null;
+
+          if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
+            // Permanent access
+            const privilege = await additionalPrivilegeDAL.create(
+              {
+                projectMembershipId: accessApprovalRequest.requestedBy,
+                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                permissions: JSON.stringify(accessApprovalRequest.permissions)
+              },
+              tx
+            );
+            privilegeId = privilege.id;
+          } else {
+            // Temporary access
+            const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
+            const startTime = new Date();
+
+            const privilege = await additionalPrivilegeDAL.create(
+              {
+                projectMembershipId: accessApprovalRequest.requestedBy,
+                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
+                permissions: JSON.stringify(accessApprovalRequest.permissions),
+                isTemporary: true,
+                temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
+                temporaryRange: accessApprovalRequest.temporaryRange!,
+                temporaryAccessStartTime: startTime,
+                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+              },
+              tx
+            );
+            privilegeId = privilege.id;
+          }
+
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
+        }
+
+        return newReview;
+      }
+      throw new BadRequestError({ message: "You have already reviewed this request" });
+    });
+
+    return reviewStatus;
+  };
+
+  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+
+    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
+
+    return { count };
+  };
+
+  return {
+    createAccessApprovalRequest,
+    listApprovalRequests,
+    reviewAccessRequest,
+    getCount
+  };
+};

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -0,0 +1,33 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export enum ApprovalStatus {
+  PENDING = "pending",
+  APPROVED = "approved",
+  REJECTED = "rejected"
+}
+
+export type TVerifyPermission = {
+  permissions: unknown;
+};
+
+export type TGetAccessRequestCountDTO = {
+  projectSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TReviewAccessRequestDTO = {
+  requestId: string;
+  status: ApprovalStatus;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TCreateAccessApprovalRequestDTO = {
+  projectSlug: string;
+  permissions: unknown;
+  isTemporary: boolean;
+  temporaryRange?: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TListApprovalRequestsDTO = {
+  projectSlug: string;
+  authorProjectMembershipId?: string;
+  envSlug?: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -66,6 +66,10 @@ export enum EventType {
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
+  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
+  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -406,6 +410,50 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
+interface LoginIdentityAwsAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+    identityAwsAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityAwsAuthEvent {
+  type: EventType.ADD_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+    stsEndpoint: string;
+    allowedPrincipalArns: string;
+    allowedAccountIds: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityAwsAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+    stsEndpoint?: string;
+    allowedPrincipalArns?: string;
+    allowedAccountIds?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityAwsAuthEvent {
+  type: EventType.GET_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface CreateEnvironmentEvent {
   type: EventType.CREATE_ENVIRONMENT;
   metadata: {
@@ -660,6 +708,10 @@ export type Event =
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
+  | LoginIdentityAwsAuthEvent
+  | AddIdentityAwsAuthEvent
+  | UpdateIdentityAwsAuthEvent
+  | GetIdentityAwsAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/group/group-fns.ts

@@ -1,6 +1,6 @@
 import { Knex } from "knex";
 
-import { SecretKeyEncoding, TUsers } from "@app/db/schemas";
+import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ScimRequestError } from "@app/lib/errors";
 
@@ -188,9 +188,9 @@ export const addUsersToGroupByUserIds = async ({
     // check if all user(s) are part of the organization
     const existingUserOrgMemberships = await orgDAL.findMembership(
       {
-        orgId: group.orgId,
+        [`${TableName.OrgMembership}.orgId` as "orgId"]: group.orgId,
         $in: {
-          userId: userIds
+          [`${TableName.OrgMembership}.userId` as "userId"]: userIds
         }
       },
       { tx }

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,5 +1,7 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
+import { PackRule, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
+import { z } from "zod";
 
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
@@ -8,7 +10,7 @@ import { TIdentityProjectDALFactory } from "@app/services/identity-project/ident
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
   IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -30,6 +32,27 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
   typeof identityProjectAdditionalPrivilegeServiceFactory
 >;
 
+// TODO(akhilmhdh): move this to more centralized
+export const UnpackedPermissionSchema = z.object({
+  subject: z.union([z.string().min(1), z.string().array()]).optional(),
+  action: z.union([z.string().min(1), z.string().array()]),
+  conditions: z
+    .object({
+      environment: z.string().optional(),
+      secretPath: z
+        .object({
+          $glob: z.string().min(1)
+        })
+        .optional()
+    })
+    .optional()
+});
+
+const unpackPermissions = (permissions: unknown) =>
+  UnpackedPermissionSchema.array().parse(
+    unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
+  );
+
 export const identityProjectAdditionalPrivilegeServiceFactory = ({
   identityProjectAdditionalPrivilegeDAL,
   identityProjectDAL,
@@ -86,7 +109,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         slug,
         permissions: customPermission
       });
-      return additionalPrivilege;
+      return {
+        ...additionalPrivilege,
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
     }
 
     const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
@@ -100,7 +126,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
-    return additionalPrivilege;
+    return {
+      ...additionalPrivilege,
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
   };
 
   const updateBySlug = async ({
@@ -163,7 +192,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
-      return additionalPrivilege;
+      return {
+        ...additionalPrivilege,
+
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
     }
 
     const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
@@ -174,7 +207,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryRange: null,
       temporaryMode: null
     });
-    return additionalPrivilege;
+    return {
+      ...additionalPrivilege,
+
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
   };
 
   const deleteBySlug = async ({
@@ -220,7 +257,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
-    return deletedPrivilege;
+    return {
+      ...deletedPrivilege,
+
+      permissions: unpackPermissions(deletedPrivilege.permissions)
+    };
   };
 
   const getPrivilegeDetailsBySlug = async ({
@@ -254,7 +295,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
-    return identityPrivilege;
+    return {
+      ...identityPrivilege,
+      permissions: unpackPermissions(identityPrivilege.permissions)
+    };
   };
 
   const listIdentityProjectPrivileges = async ({
@@ -284,7 +328,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
       projectMembershipId: identityProjectMembership.id
     });
-    return identityPrivileges;
+    return identityPrivileges.map((el) => ({
+      ...el,
+
+      permissions: unpackPermissions(el.permissions)
+    }));
   };
 
   return {

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,7 +1,14 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
+import {
+  OrgMembershipRole,
+  OrgMembershipStatus,
+  SecretKeyEncoding,
+  TableName,
+  TLdapConfigsUpdate,
+  TUsers
+} from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -19,12 +26,15 @@ import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
+import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -46,6 +56,7 @@ import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 type TLdapConfigServiceFactoryDep = {
   ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
   ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
@@ -75,6 +86,7 @@ export const ldapConfigServiceFactory = ({
   ldapConfigDAL,
   ldapGroupMapDAL,
   orgDAL,
+  orgMembershipDAL,
   orgBotDAL,
   groupDAL,
   groupProjectDAL,
@@ -379,16 +391,17 @@ export const ldapConfigServiceFactory = ({
     username,
     firstName,
     lastName,
-    emails,
+    email,
     groups,
     orgId,
     relayState
   }: TLdapLoginDTO) => {
     const appCfg = getConfig();
+    const serverCfg = await getServerCfg();
     let userAlias = await userAliasDAL.findOne({
       externalId,
       orgId,
-      aliasType: AuthMethod.LDAP
+      aliasType: UserAliasType.LDAP
     });
 
     const organization = await orgDAL.findOrgById(orgId);
@@ -396,7 +409,13 @@ export const ldapConfigServiceFactory = ({
 
     if (userAlias) {
       await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership({ userId: userAlias.userId }, { tx });
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            [`${TableName.OrgMembership}.userId` as "userId"]: userAlias.userId,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
         if (!orgMembership) {
           await orgDAL.createMembership(
             {
@@ -419,40 +438,75 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       userAlias = await userDAL.transaction(async (tx) => {
-        const uniqueUsername = await normalizeUsername(username, userDAL);
-        const newUser = await userDAL.create(
-          {
-            username: uniqueUsername,
-            email: emails[0],
-            firstName,
-            lastName,
-            authMethods: [AuthMethod.LDAP],
-            isGhost: false
-          },
-          tx
-        );
+        let newUser: TUsers | undefined;
+        if (serverCfg.trustSamlEmails) {
+          newUser = await userDAL.findOne(
+            {
+              email,
+              isEmailVerified: true
+            },
+            tx
+          );
+        }
+
+        if (!newUser) {
+          const uniqueUsername = await normalizeUsername(username, userDAL);
+          newUser = await userDAL.create(
+            {
+              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
+              email,
+              isEmailVerified: serverCfg.trustLdapEmails,
+              firstName,
+              lastName,
+              authMethods: [],
+              isGhost: false
+            },
+            tx
+          );
+        }
+
         const newUserAlias = await userAliasDAL.create(
           {
             userId: newUser.id,
             username,
-            aliasType: AuthMethod.LDAP,
+            aliasType: UserAliasType.LDAP,
             externalId,
-            emails,
+            emails: [email],
             orgId
           },
           tx
         );
 
-        await orgDAL.createMembership(
+        const [orgMembership] = await orgDAL.findMembership(
           {
-            userId: newUser.id,
-            orgId,
-            role: OrgMembershipRole.Member,
-            status: OrgMembershipStatus.Invited
+            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
           },
-          tx
+          { tx }
         );
 
+        if (!orgMembership) {
+          await orgMembershipDAL.create(
+            {
+              userId: userAlias.userId,
+              inviteEmail: email,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
+          await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+
         return newUserAlias;
       });
     }
@@ -543,11 +597,14 @@ export const ldapConfigServiceFactory = ({
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
         username: user.username,
+        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
         firstName,
         lastName,
         organizationName: organization.name,
         organizationId: organization.id,
+        organizationSlug: organization.slug,
         authMethod: AuthMethod.LDAP,
+        authType: UserAliasType.LDAP,
         isUserCompleted,
         ...(relayState
           ? {

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -51,7 +51,7 @@ export type TLdapLoginDTO = {
   username: string;
   firstName: string;
   lastName: string;
-  emails: string[];
+  email: string;
   orgId: string;
   groups?: {
     dn: string;

backend/src/ee/services/license/license-service.ts

@@ -121,8 +121,8 @@ export const licenseServiceFactory = ({
 
         if (isValidOfflineLicense) {
           onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPrem;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
+          instanceType = InstanceType.EnterpriseOnPremOffline;
+          logger.info(`Instance type: ${InstanceType.EnterpriseOnPremOffline}`);
           isValidLicense = true;
           return;
         }

backend/src/ee/services/license/license-types.ts

@@ -3,6 +3,7 @@ import { TOrgPermission } from "@app/lib/types";
 export enum InstanceType {
   OnPrem = "self-hosted",
   EnterpriseOnPrem = "enterprise-self-hosted",
+  EnterpriseOnPremOffline = "enterprise-self-hosted-offline",
   Cloud = "cloud"
 }
 

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -7,7 +7,8 @@ import {
   SecretKeyEncoding,
   TableName,
   TSamlConfigs,
-  TSamlConfigsUpdate
+  TSamlConfigsUpdate,
+  TUsers
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@@ -19,10 +20,18 @@ import {
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
-import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthTokenType } from "@app/services/auth/auth-type";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
+import { normalizeUsername } from "@app/services/user/user-fns";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
+import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -31,15 +40,19 @@ import { TSamlConfigDALFactory } from "./saml-config-dal";
 import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } from "./saml-config-types";
 
 type TSamlConfigServiceFactoryDep = {
-  samlConfigDAL: TSamlConfigDALFactory;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
+  samlConfigDAL: Pick<TSamlConfigDALFactory, "create" | "findOne" | "update" | "findById">;
+  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById" | "findById">;
+  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
   >;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TSamlConfigServiceFactory = ReturnType<typeof samlConfigServiceFactory>;
@@ -48,9 +61,13 @@ export const samlConfigServiceFactory = ({
   samlConfigDAL,
   orgBotDAL,
   orgDAL,
+  orgMembershipDAL,
   userDAL,
+  userAliasDAL,
   permissionService,
-  licenseService
+  licenseService,
+  tokenService,
+  smtpService
 }: TSamlConfigServiceFactoryDep) => {
   const createSamlCfg = async ({
     cert,
@@ -305,7 +322,7 @@ export const samlConfigServiceFactory = ({
   };
 
   const samlLogin = async ({
-    username,
+    externalId,
     email,
     firstName,
     lastName,
@@ -314,38 +331,40 @@ export const samlConfigServiceFactory = ({
     relayState
   }: TSamlLoginDTO) => {
     const appCfg = getConfig();
-    let user = await userDAL.findOne({ username });
+    const serverCfg = await getServerCfg();
+    const userAlias = await userAliasDAL.findOne({
+      externalId,
+      orgId,
+      aliasType: UserAliasType.SAML
+    });
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) throw new BadRequestError({ message: "Org not found" });
 
-    // TODO(dangtony98): remove this after aliases update
-    if (authProvider === AuthMethod.KEYCLOAK_SAML && appCfg.LICENSE_SERVER_KEY) {
-      throw new BadRequestError({ message: "Keycloak SAML is not yet available on Infisical Cloud" });
-    }
-
-    if (user) {
-      await userDAL.transaction(async (tx) => {
+    let user: TUsers;
+    if (userAlias) {
+      user = await userDAL.transaction(async (tx) => {
+        const foundUser = await userDAL.findById(userAlias.userId, tx);
         const [orgMembership] = await orgDAL.findMembership(
           {
-            userId: user.id,
+            [`${TableName.OrgMembership}.userId` as "userId"]: foundUser.id,
             [`${TableName.OrgMembership}.orgId` as "id"]: orgId
           },
           { tx }
         );
         if (!orgMembership) {
-          await orgDAL.createMembership(
+          await orgMembershipDAL.create(
             {
-              userId: user.id,
-              orgId,
+              userId: userAlias.userId,
               inviteEmail: email,
+              orgId,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
           // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && foundUser.isAccepted) {
           await orgDAL.updateMembershipById(
             orgMembership.id,
             {
@@ -354,40 +373,97 @@ export const samlConfigServiceFactory = ({
             tx
           );
         }
+
+        return foundUser;
       });
     } else {
       user = await userDAL.transaction(async (tx) => {
-        const newUser = await userDAL.create(
+        let newUser: TUsers | undefined;
+        if (serverCfg.trustSamlEmails) {
+          newUser = await userDAL.findOne(
+            {
+              email,
+              isEmailVerified: true
+            },
+            tx
+          );
+        }
+
+        if (!newUser) {
+          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
+          newUser = await userDAL.create(
+            {
+              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
+              email,
+              isEmailVerified: serverCfg.trustSamlEmails,
+              firstName,
+              lastName,
+              authMethods: [],
+              isGhost: false
+            },
+            tx
+          );
+        }
+
+        await userAliasDAL.create(
           {
-            username,
-            email,
-            firstName,
-            lastName,
-            authMethods: [AuthMethod.EMAIL],
-            isGhost: false
+            userId: newUser.id,
+            aliasType: UserAliasType.SAML,
+            externalId,
+            emails: email ? [email] : [],
+            orgId
           },
           tx
         );
-        await orgDAL.createMembership({
-          inviteEmail: email,
-          orgId,
-          role: OrgMembershipRole.Member,
-          status: OrgMembershipStatus.Invited
-        });
+
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
+
+        if (!orgMembership) {
+          await orgMembershipDAL.create(
+            {
+              userId: newUser.id,
+              inviteEmail: email,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
+          await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+
         return newUser;
       });
     }
+
     const isUserCompleted = Boolean(user.isAccepted);
     const providerAuthToken = jwt.sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
         username: user.username,
+        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
         firstName,
         lastName,
         organizationName: organization.name,
         organizationId: organization.id,
+        organizationSlug: organization.slug,
         authMethod: authProvider,
+        authType: UserAliasType.SAML,
         isUserCompleted,
         ...(relayState
           ? {
@@ -403,6 +479,22 @@ export const samlConfigServiceFactory = ({
 
     await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });
 
+    if (user.email && !user.isEmailVerified) {
+      const token = await tokenService.createTokenForUser({
+        type: TokenType.TOKEN_EMAIL_VERIFICATION,
+        userId: user.id
+      });
+
+      await smtpService.sendMail({
+        template: SmtpTemplates.EmailVerification,
+        subjectLine: "Infisical confirmation code",
+        recipients: [user.email],
+        substitutions: {
+          code: token
+        }
+      });
+    }
+
     return { isUserCompleted, providerAuthToken };
   };
 

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -45,8 +45,8 @@ export type TGetSamlCfgDTO =
     };
 
 export type TSamlLoginDTO = {
-  username: string;
-  email?: string;
+  externalId: string;
+  email: string;
   firstName: string;
   lastName?: string;
   authProvider: string;

backend/src/ee/services/scim/scim-fns.ts

@@ -2,31 +2,31 @@ import { TListScimGroups, TListScimUsers, TScimGroup, TScimUser } from "./scim-t
 
 export const buildScimUserList = ({
   scimUsers,
-  offset,
+  startIndex,
   limit
 }: {
   scimUsers: TScimUser[];
-  offset: number;
+  startIndex: number;
   limit: number;
 }): TListScimUsers => {
   return {
     Resources: scimUsers,
     itemsPerPage: limit,
     schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex: offset,
+    startIndex,
     totalResults: scimUsers.length
   };
 };
 
 export const buildScimUser = ({
-  userId,
+  orgMembershipId,
   username,
   email,
   firstName,
   lastName,
   active
 }: {
-  userId: string;
+  orgMembershipId: string;
   username: string;
   email?: string | null;
   firstName: string;
@@ -35,7 +35,7 @@ export const buildScimUser = ({
 }): TScimUser => {
   const scimUser = {
     schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
-    id: userId,
+    id: orgMembershipId,
     userName: username,
     displayName: `${firstName} ${lastName}`,
     name: {
@@ -65,18 +65,18 @@ export const buildScimUser = ({
 
 export const buildScimGroupList = ({
   scimGroups,
-  offset,
+  startIndex,
   limit
 }: {
   scimGroups: TScimGroup[];
-  offset: number;
+  startIndex: number;
   limit: number;
 }): TListScimGroups => {
   return {
     Resources: scimGroups,
     itemsPerPage: limit,
     schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex: offset,
+    startIndex,
     totalResults: scimGroups.length
   };
 };

backend/src/ee/services/scim/scim-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -11,16 +11,21 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
-import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { deleteOrgMembership } from "@app/services/org/org-fns";
+import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
+import { normalizeUsername } from "@app/services/user/user-fns";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
+import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -47,24 +52,32 @@ import {
 
 type TScimServiceFactoryDep = {
   scimDAL: Pick<TScimDALFactory, "create" | "find" | "findById" | "deleteById">;
-  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch">;
+  userDAL: Pick<
+    TUserDALFactory,
+    "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch" | "findById"
+  >;
+  userAliasDAL: Pick<TUserAliasDALFactory, "findOne" | "create" | "delete">;
   orgDAL: Pick<
     TOrgDALFactory,
-    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction"
+    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
   >;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
   projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
   groupDAL: Pick<
     TGroupDALFactory,
     "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick
+  userGroupMembershipDAL: Pick<
+    TUserGroupMembershipDALFactory,
+    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
+  >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  smtpService: TSmtpService;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
@@ -73,7 +86,9 @@ export const scimServiceFactory = ({
   licenseService,
   scimDAL,
   userDAL,
+  userAliasDAL,
   orgDAL,
+  orgMembershipDAL,
   projectDAL,
   projectMembershipDAL,
   groupDAL,
@@ -160,7 +175,7 @@ export const scimServiceFactory = ({
   };
 
   // SCIM server endpoints
-  const listScimUsers = async ({ offset, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
+  const listScimUsers = async ({ startIndex, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
     const org = await orgDAL.findById(orgId);
 
     if (!org.scimEnabled)
@@ -178,11 +193,11 @@ export const scimServiceFactory = ({
         attributeName = "email";
       }
 
-      return { [attributeName]: parsedValue };
+      return { [attributeName]: parsedValue.replace(/"/g, "") };
     };
 
     const findOpts = {
-      ...(offset && { offset }),
+      ...(startIndex && { offset: startIndex - 1 }),
       ...(limit && { limit })
     };
 
@@ -194,10 +209,10 @@ export const scimServiceFactory = ({
       findOpts
     );
 
-    const scimUsers = users.map(({ userId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
       buildScimUser({
-        userId: userId ?? "",
-        username,
+        orgMembershipId: id ?? "",
+        username: externalId ?? username,
         firstName: firstName ?? "",
         lastName: lastName ?? "",
         email,
@@ -207,16 +222,16 @@ export const scimServiceFactory = ({
 
     return buildScimUserList({
       scimUsers,
-      offset,
+      startIndex,
       limit
     });
   };
 
-  const getScimUser = async ({ userId, orgId }: TGetScimUserDTO) => {
+  const getScimUser = async ({ orgMembershipId, orgId }: TGetScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
+        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -238,8 +253,8 @@ export const scimServiceFactory = ({
       });
 
     return buildScimUser({
-      userId: membership.userId as string,
-      username: membership.username,
+      orgMembershipId: membership.id,
+      username: membership.externalId ?? membership.username,
       email: membership.email ?? "",
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -247,7 +262,9 @@ export const scimServiceFactory = ({
     });
   };
 
-  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
+  const createScimUser = async ({ externalId, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
+    if (!email) throw new ScimRequestError({ detail: "Invalid request. Missing email.", status: 400 });
+
     const org = await orgDAL.findById(orgId);
 
     if (!org)
@@ -262,67 +279,121 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    let user = await userDAL.findOne({
-      username
+    const appCfg = getConfig();
+    const serverCfg = await getServerCfg();
+
+    const userAlias = await userAliasDAL.findOne({
+      externalId,
+      orgId,
+      aliasType: UserAliasType.SAML
     });
 
-    if (user) {
-      await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership(
+    const { user: createdUser, orgMembership: createdOrgMembership } = await userDAL.transaction(async (tx) => {
+      let user: TUsers | undefined;
+      let orgMembership: TOrgMemberships;
+      if (userAlias) {
+        user = await userDAL.findById(userAlias.userId, tx);
+        orgMembership = await orgMembershipDAL.findOne(
           {
             userId: user.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+            orgId
           },
-          { tx }
+          tx
         );
-        if (orgMembership)
-          throw new ScimRequestError({
-            detail: "User already exists in the database",
-            status: 409
-          });
 
         if (!orgMembership) {
-          await orgDAL.createMembership(
+          orgMembership = await orgMembershipDAL.create(
             {
-              userId: user.id,
-              orgId,
+              userId: userAlias.userId,
               inviteEmail: email,
+              orgId,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Invited
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
+          orgMembership = await orgMembershipDAL.updateById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
             },
             tx
           );
         }
-      });
-    } else {
-      user = await userDAL.transaction(async (tx) => {
-        const newUser = await userDAL.create(
+      } else {
+        if (serverCfg.trustSamlEmails) {
+          user = await userDAL.findOne(
+            {
+              email,
+              isEmailVerified: true
+            },
+            tx
+          );
+        }
+
+        if (!user) {
+          const uniqueUsername = await normalizeUsername(`${firstName}-${lastName}`, userDAL);
+          user = await userDAL.create(
+            {
+              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
+              email,
+              isEmailVerified: serverCfg.trustSamlEmails,
+              firstName,
+              lastName,
+              authMethods: [],
+              isGhost: false
+            },
+            tx
+          );
+        }
+
+        await userAliasDAL.create(
           {
-            username,
-            email,
-            firstName,
-            lastName,
-            authMethods: [AuthMethod.EMAIL],
-            isGhost: false
+            userId: user.id,
+            aliasType: UserAliasType.SAML,
+            externalId,
+            emails: email ? [email] : [],
+            orgId
           },
           tx
         );
 
-        await orgDAL.createMembership(
+        const [foundOrgMembership] = await orgDAL.findMembership(
           {
-            inviteEmail: email,
-            orgId,
-            userId: newUser.id,
-            role: OrgMembershipRole.Member,
-            status: OrgMembershipStatus.Invited
+            [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
           },
-          tx
+          { tx }
         );
-        return newUser;
-      });
-    }
 
-    const appCfg = getConfig();
+        orgMembership = foundOrgMembership;
+
+        if (!orgMembership) {
+          orgMembership = await orgMembershipDAL.create(
+            {
+              userId: user.id,
+              inviteEmail: email,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
+          orgMembership = await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+      }
+
+      return { user, orgMembership };
+    });
 
     if (email) {
       await smtpService.sendMail({
@@ -337,20 +408,20 @@ export const scimServiceFactory = ({
     }
 
     return buildScimUser({
-      userId: user.id,
-      username: user.username,
-      firstName: user.firstName as string,
-      lastName: user.lastName as string,
-      email: user.email ?? "",
+      orgMembershipId: createdOrgMembership.id,
+      username: externalId,
+      firstName: createdUser.firstName as string,
+      lastName: createdUser.lastName as string,
+      email: createdUser.email ?? "",
       active: true
     });
   };
 
-  const updateScimUser = async ({ userId, orgId, operations }: TUpdateScimUserDTO) => {
+  const updateScimUser = async ({ orgMembershipId, orgId, operations }: TUpdateScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
+        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -386,18 +457,20 @@ export const scimServiceFactory = ({
     });
 
     if (!active) {
-      await deleteOrgMembership({
+      await deleteOrgMembershipFn({
         orgMembershipId: membership.id,
         orgId: membership.orgId,
         orgDAL,
-        projectDAL,
-        projectMembershipDAL
+        projectMembershipDAL,
+        projectKeyDAL,
+        userAliasDAL,
+        licenseService
       });
     }
 
     return buildScimUser({
-      userId: membership.userId as string,
-      username: membership.username,
+      orgMembershipId: membership.id,
+      username: membership.externalId ?? membership.username,
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -405,11 +478,11 @@ export const scimServiceFactory = ({
     });
   };
 
-  const replaceScimUser = async ({ userId, active, orgId }: TReplaceScimUserDTO) => {
+  const replaceScimUser = async ({ orgMembershipId, active, orgId }: TReplaceScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
+        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -431,19 +504,20 @@ export const scimServiceFactory = ({
       });
 
     if (!active) {
-      // tx
-      await deleteOrgMembership({
+      await deleteOrgMembershipFn({
         orgMembershipId: membership.id,
         orgId: membership.orgId,
         orgDAL,
-        projectDAL,
-        projectMembershipDAL
+        projectMembershipDAL,
+        projectKeyDAL,
+        userAliasDAL,
+        licenseService
       });
     }
 
     return buildScimUser({
-      userId: membership.userId as string,
-      username: membership.username,
+      orgMembershipId: membership.id,
+      username: membership.externalId ?? membership.username,
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -451,18 +525,11 @@ export const scimServiceFactory = ({
     });
   };
 
-  const deleteScimUser = async ({ userId, orgId }: TDeleteScimUserDTO) => {
-    const [membership] = await orgDAL
-      .findMembership({
-        userId,
-        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-      })
-      .catch(() => {
-        throw new ScimRequestError({
-          detail: "User not found",
-          status: 404
-        });
-      });
+  const deleteScimUser = async ({ orgMembershipId, orgId }: TDeleteScimUserDTO) => {
+    const [membership] = await orgDAL.findMembership({
+      [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+    });
 
     if (!membership)
       throw new ScimRequestError({
@@ -477,18 +544,20 @@ export const scimServiceFactory = ({
       });
     }
 
-    await deleteOrgMembership({
+    await deleteOrgMembershipFn({
       orgMembershipId: membership.id,
       orgId: membership.orgId,
       orgDAL,
-      projectDAL,
-      projectMembershipDAL
+      projectMembershipDAL,
+      projectKeyDAL,
+      userAliasDAL,
+      licenseService
     });
 
     return {}; // intentionally return empty object upon success
   };
 
-  const listScimGroups = async ({ orgId, offset, limit }: TListScimGroupsDTO) => {
+  const listScimGroups = async ({ orgId, startIndex, limit }: TListScimGroupsDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
       throw new BadRequestError({
@@ -509,21 +578,27 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const groups = await groupDAL.findGroups({
-      orgId
-    });
+    const groups = await groupDAL.findGroups(
+      {
+        orgId
+      },
+      {
+        offset: startIndex - 1,
+        limit
+      }
+    );
 
     const scimGroups = groups.map((group) =>
       buildScimGroup({
         groupId: group.id,
         name: group.name,
-        members: []
+        members: [] // does this need to be populated?
       })
     );
 
     return buildScimGroupList({
       scimGroups,
-      offset,
+      startIndex,
       limit
     });
   };
@@ -562,9 +637,15 @@ export const scimServiceFactory = ({
       );
 
       if (members && members.length) {
+        const orgMemberships = await orgMembershipDAL.find({
+          $in: {
+            id: members.map((member) => member.value)
+          }
+        });
+
         const newMembers = await addUsersToGroupByUserIds({
           group,
-          userIds: members.map((member) => member.value),
+          userIds: orgMemberships.map((membership) => membership.userId as string),
           userDAL,
           userGroupMembershipDAL,
           orgDAL,
@@ -581,12 +662,19 @@ export const scimServiceFactory = ({
       return { group, newMembers: [] };
     });
 
+    const orgMemberships = await orgDAL.findMembership({
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
+      $in: {
+        [`${TableName.OrgMembership}.userId` as "userId"]: newGroup.newMembers.map((member) => member.id)
+      }
+    });
+
     return buildScimGroup({
       groupId: newGroup.group.id,
       name: newGroup.group.name,
-      members: newGroup.newMembers.map((member) => ({
-        value: member.id,
-        display: `${member.firstName} ${member.lastName}`
+      members: orgMemberships.map(({ id, firstName, lastName }) => ({
+        value: id,
+        display: `${firstName} ${lastName}`
       }))
     });
   };
@@ -615,15 +703,22 @@ export const scimServiceFactory = ({
       groupId: group.id
     });
 
+    const orgMemberships = await orgDAL.findMembership({
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
+      $in: {
+        [`${TableName.OrgMembership}.userId` as "userId"]: users
+          .filter((user) => user.isPartOfGroup)
+          .map((user) => user.id)
+      }
+    });
+
     return buildScimGroup({
       groupId: group.id,
       name: group.name,
-      members: users
-        .filter((user) => user.isPartOfGroup)
-        .map((user) => ({
-          value: user.id,
-          display: `${user.firstName} ${user.lastName}`
-        }))
+      members: orgMemberships.map(({ id, firstName, lastName }) => ({
+        value: id,
+        display: `${firstName} ${lastName}`
+      }))
     });
   };
 
@@ -667,7 +762,13 @@ export const scimServiceFactory = ({
       }
 
       if (members) {
-        const membersIdsSet = new Set(members.map((member) => member.value));
+        const orgMemberships = await orgMembershipDAL.find({
+          $in: {
+            id: members.map((member) => member.value)
+          }
+        });
+
+        const membersIdsSet = new Set(orgMemberships.map((orgMembership) => orgMembership.userId));
 
         const directMemberUserIds = (
           await userGroupMembershipDAL.find({
@@ -686,13 +787,13 @@ export const scimServiceFactory = ({
         const allMembersUserIds = directMemberUserIds.concat(pendingGroupAdditionsUserIds);
         const allMembersUserIdsSet = new Set(allMembersUserIds);
 
-        const toAddUserIds = members.filter((member) => !allMembersUserIdsSet.has(member.value));
+        const toAddUserIds = orgMemberships.filter((member) => !allMembersUserIdsSet.has(member.userId as string));
         const toRemoveUserIds = allMembersUserIds.filter((userId) => !membersIdsSet.has(userId));
 
         if (toAddUserIds.length) {
           await addUsersToGroupByUserIds({
             group,
-            userIds: toAddUserIds.map((member) => member.value),
+            userIds: toAddUserIds.map((member) => member.userId as string),
             userDAL,
             userGroupMembershipDAL,
             orgDAL,

backend/src/ee/services/scim/scim-types.ts

@@ -12,7 +12,7 @@ export type TDeleteScimTokenDTO = {
 // SCIM server endpoint types
 
 export type TListScimUsersDTO = {
-  offset: number;
+  startIndex: number;
   limit: number;
   filter?: string;
   orgId: string;
@@ -27,12 +27,12 @@ export type TListScimUsers = {
 };
 
 export type TGetScimUserDTO = {
-  userId: string;
+  orgMembershipId: string;
   orgId: string;
 };
 
 export type TCreateScimUserDTO = {
-  username: string;
+  externalId: string;
   email?: string;
   firstName: string;
   lastName: string;
@@ -40,7 +40,7 @@ export type TCreateScimUserDTO = {
 };
 
 export type TUpdateScimUserDTO = {
-  userId: string;
+  orgMembershipId: string;
   orgId: string;
   operations: {
     op: string;
@@ -54,18 +54,18 @@ export type TUpdateScimUserDTO = {
 };
 
 export type TReplaceScimUserDTO = {
-  userId: string;
+  orgMembershipId: string;
   active: boolean;
   orgId: string;
 };
 
 export type TDeleteScimUserDTO = {
-  userId: string;
+  orgMembershipId: string;
   orgId: string;
 };
 
 export type TListScimGroupsDTO = {
-  offset: number;
+  startIndex: number;
   limit: number;
   orgId: string;
 };

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,15 +90,17 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    await Promise.all(
-      repositories.map(({ id, full_name }) =>
-        secretScanningQueue.startFullRepoScan({
-          organizationId: session.orgId,
-          installationId,
-          repository: { id, fullName: full_name }
-        })
-      )
-    );
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await Promise.all(
+        repositories.map(({ id, full_name }) =>
+          secretScanningQueue.startFullRepoScan({
+            organizationId: session.orgId,
+            installationId,
+            repository: { id, fullName: full_name }
+          })
+        )
+      );
+    }
     return { installatedApp };
   };
 
@@ -151,6 +153,7 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
+    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -161,13 +164,15 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    await secretScanningQueue.startPushEventScan({
-      commits,
-      pusher: { name: pusher.name, email: pusher.email },
-      repository: { fullName: repository.full_name, id: repository.id },
-      organizationId: installationLink.orgId,
-      installationId: String(installation?.id)
-    });
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await secretScanningQueue.startPushEventScan({
+        commits,
+        pusher: { name: pusher.name, email: pusher.email },
+        repository: { fullName: repository.full_name, id: repository.id },
+        organizationId: installationLink.orgId,
+        installationId: String(installation?.id)
+      });
+    }
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -92,6 +92,18 @@ export const UNIVERSAL_AUTH = {
   }
 } as const;
 
+export const AWS_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    iamHttpRequestMethod: "The HTTP request method used in the signed request.",
+    iamRequestUrl:
+      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/",
+    iamRequestBody:
+      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
+    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
+  }
+} as const;
+
 export const ORGANIZATIONS = {
   LIST_USER_MEMBERSHIPS: {
     organizationId: "The ID of the organization to get memberships from."
@@ -240,6 +252,7 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -276,7 +289,8 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -295,6 +309,7 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -465,12 +480,21 @@ export const SECRET_TAGS = {
 export const IDENTITY_ADDITIONAL_PRIVILEGE = {
   CREATE: {
     projectSlug: "The slug of the project of the identity in.",
-    identityId: "The ID of the identity to delete.",
+    identityId: "The ID of the identity to create.",
     slug: "The slug of the privilege to create.",
     permissions: `The permission object for the privilege.
-1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
-2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
-2. [["read", "secrets", {environment: "dev"}]]
+- Read secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"]}
+\`\`\`
+- Read and Write secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
+\`\`\`
+- Read secrets scoped to an environment and secret path
+\`\`\`
+- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
+\`\`\`
 `,
     isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
@@ -484,11 +508,19 @@ export const IDENTITY_ADDITIONAL_PRIVILEGE = {
     slug: "The slug of the privilege to update.",
     newSlug: "The new slug of the privilege to update.",
     permissions: `The permission object for the privilege.
-1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
-2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
-2. [["read", "secrets", {environment: "dev"}]]
+- Read secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"]}
+\`\`\`
+- Read and Write secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
+\`\`\`
+- Read secrets scoped to an environment and secret path
+\`\`\`
+- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
+\`\`\`
 `,
-    isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
     temporaryMode: "Type of temporary access given. Types: relative",
     temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
@@ -596,7 +628,8 @@ export const INTEGRATION = {
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
     }
   },
   UPDATE: {

backend/src/lib/config/env.ts

@@ -13,6 +13,10 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
+    DISABLE_SECRET_SCANNING: z
+      .enum(["true", "false"])
+      .default("false")
+      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(

backend/src/server/plugins/auth/inject-identity.ts

@@ -108,6 +108,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
     if (req.url.includes("/api/v3/auth/")) {
       return;
     }
+
     if (!authMode) return;
 
     switch (authMode) {

backend/src/server/plugins/maintenanceMode.ts

@@ -5,8 +5,13 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
-      throw new Error("Infisical is in maintenance mode. Please try again later.");
+    if (serverEnvs.MAINTENANCE_MODE) {
+      // skip if its universal auth login or renew
+      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
+      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
+      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
+        throw new Error("Infisical is in maintenance mode. Please try again later.");
+      }
     }
   });
 });

backend/src/server/routes/index.ts

@@ -2,6 +2,12 @@ import { Knex } from "knex";
 import { z } from "zod";
 
 import { registerV1EERoutes } from "@app/ee/routes/v1";
+import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
+import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
+import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
+import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
+import { accessApprovalRequestReviewerDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-reviewer-dal";
+import { accessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
@@ -72,6 +78,8 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
+import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
+import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -88,6 +96,7 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
+import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -147,7 +156,10 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  const appCfg = getConfig();
+  if (!appCfg.DISABLE_SECRET_SCANNING) {
+    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  }
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -155,6 +167,7 @@ export const registerRoutes = async (
   const authDAL = authDALFactory(db);
   const authTokenDAL = tokenDALFactory(db);
   const orgDAL = orgDALFactory(db);
+  const orgMembershipDAL = orgMembershipDALFactory(db);
   const orgBotDAL = orgBotDALFactory(db);
   const incidentContactDAL = incidentContactDALFactory(db);
   const orgRoleDAL = orgRoleDALFactory(db);
@@ -193,6 +206,7 @@ export const registerRoutes = async (
 
   const identityUaDAL = identityUaDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
+  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -205,6 +219,12 @@ export const registerRoutes = async (
   const scimDAL = scimDALFactory(db);
   const ldapConfigDAL = ldapConfigDALFactory(db);
   const ldapGroupMapDAL = ldapGroupMapDALFactory(db);
+
+  const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
+  const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
+  const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
+  const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
+
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -262,13 +282,19 @@ export const registerRoutes = async (
     permissionService,
     secretApprovalPolicyDAL
   });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
+
   const samlService = samlConfigServiceFactory({
     permissionService,
     orgBotDAL,
     orgDAL,
+    orgMembershipDAL,
     userDAL,
+    userAliasDAL,
     samlConfigDAL,
-    licenseService
+    licenseService,
+    tokenService,
+    smtpService
   });
   const groupService = groupServiceFactory({
     userDAL,
@@ -297,7 +323,9 @@ export const registerRoutes = async (
     licenseService,
     scimDAL,
     userDAL,
+    userAliasDAL,
     orgDAL,
+    orgMembershipDAL,
     projectDAL,
     projectMembershipDAL,
     groupDAL,
@@ -313,6 +341,7 @@ export const registerRoutes = async (
     ldapConfigDAL,
     ldapGroupMapDAL,
     orgDAL,
+    orgMembershipDAL,
     orgBotDAL,
     groupDAL,
     groupProjectDAL,
@@ -336,8 +365,13 @@ export const registerRoutes = async (
     queueService
   });
 
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
-  const userService = userServiceFactory({ userDAL });
+  const userService = userServiceFactory({
+    userDAL,
+    userAliasDAL,
+    orgMembershipDAL,
+    tokenService,
+    smtpService
+  });
   const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
   const passwordService = authPaswordServiceFactory({
     tokenService,
@@ -346,6 +380,7 @@ export const registerRoutes = async (
     userDAL
   });
   const orgService = orgServiceFactory({
+    userAliasDAL,
     licenseService,
     samlConfigDAL,
     orgRoleDAL,
@@ -506,8 +541,10 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService
+    snapshotService,
+    projectDAL
   });
+
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -580,6 +617,30 @@ export const registerRoutes = async (
     secretVersionTagDAL,
     secretQueueService
   });
+
+  const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
+    accessApprovalPolicyDAL,
+    accessApprovalPolicyApproverDAL,
+    permissionService,
+    projectEnvDAL,
+    projectMembershipDAL,
+    projectDAL
+  });
+
+  const accessApprovalRequestService = accessApprovalRequestServiceFactory({
+    projectDAL,
+    permissionService,
+    accessApprovalRequestReviewerDAL,
+    additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
+    projectMembershipDAL,
+    accessApprovalPolicyDAL,
+    accessApprovalRequestDAL,
+    projectEnvDAL,
+    userDAL,
+    smtpService,
+    accessApprovalPolicyApproverDAL
+  });
+
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -646,6 +707,14 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
+  const identityAwsAuthService = identityAwsAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityAwsAuthDAL,
+    identityOrgMembershipDAL,
+    identityDAL,
+    licenseService,
+    permissionService
+  });
 
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
@@ -715,7 +784,10 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
+    identityAwsAuth: identityAwsAuthService,
     secretApprovalPolicy: sapService,
+    accessApprovalPolicy: accessApprovalPolicyService,
+    accessApprovalRequest: accessApprovalRequestService,
     secretApprovalRequest: sarService,
     secretRotation: secretRotationService,
     dynamicSecret: dynamicSecretService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -2,10 +2,12 @@ import { z } from "zod";
 
 import {
   DynamicSecretsSchema,
+  IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
+import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -62,6 +64,35 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
+export const PermissionSchema = z.object({
+  action: z
+    .string()
+    .min(1)
+    .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
+  subject: z
+    .string()
+    .min(1)
+    .describe("The entity this permission pertains to. Possible options: secrets, environments"),
+  conditions: z
+    .object({
+      environment: z.string().describe("The environment slug this permission should allow.").optional(),
+      secretPath: z
+        .object({
+          $glob: z
+            .string()
+            .min(1)
+            .describe("The secret path this permission should allow. Can be a glob pattern such as /folder-name/*/** ")
+        })
+        .optional()
+    })
+    .describe("When specified, only matching conditions will be allowed to access given resource.")
+    .optional()
+});
+
+export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
+  permissions: UnpackedPermissionSchema.array()
+});
+
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,

backend/src/server/routes/v1/admin-router.ts

@@ -20,16 +20,23 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
-            z.object({ isMigrationModeOn: z.boolean() })
-          )
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
+            isMigrationModeOn: z.boolean(),
+            isSecretScanningDisabled: z.boolean()
+          })
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
+      return {
+        config: {
+          ...config,
+          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+        }
+      };
     }
   });
 
@@ -42,7 +49,9 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       body: z.object({
         allowSignUp: z.boolean().optional(),
-        allowedSignUpDomain: z.string().optional().nullable()
+        allowedSignUpDomain: z.string().optional().nullable(),
+        trustSamlEmails: z.boolean().optional(),
+        trustLdapEmails: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -0,0 +1,269 @@
+import { z } from "zod";
+
+import { IdentityAwsAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AWS_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import {
+  validateAccountIds,
+  validatePrincipalArns
+} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
+
+export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/aws-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with AWS Auth",
+      body: z.object({
+        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
+        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
+        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAwsAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityAwsAuthId: identityAwsAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityAwsAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach AWS Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        stsEndpoint: z.string().trim().min(1).default("https://sts.amazonaws.com/"),
+        allowedPrincipalArns: validatePrincipalArns,
+        allowedAccountIds: validateAccountIds,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      body: z.object({
+        stsEndpoint: z.string().trim().min(1).optional(),
+        allowedPrincipalArns: validatePrincipalArns,
+        allowedAccountIds: validateAccountIds,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId
+          }
+        }
+      });
+      return { identityAwsAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -2,6 +2,7 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
+import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -28,6 +29,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
+      await authRouter.register(registerIdentityAwsAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -66,7 +66,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
           })
           .default({})
       }),
@@ -142,8 +143,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -153,7 +154,33 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
+        metadata: z
+          .object({
+            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
+            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
+            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
+            secretGCPLabel: z
+              .object({
+                labelName: z.string(),
+                labelValue: z.string()
+              })
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
+            secretAWSTag: z
+              .array(
+                z.object({
+                  key: z.string(),
+                  value: z.string()
+                })
+              )
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+          })
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,6 +127,70 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/batch",
+    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Update folders by batch",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
+        folders: z
+          .object({
+            id: z.string().describe(FOLDERS.UPDATE.folderId),
+            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
+            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+          })
+          .array()
+          .min(1)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
+        ...req.body,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await Promise.all(
+        req.body.folders.map(async (folder, index) => {
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId,
+            event: {
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment: oldFolders[index].envId,
+                folderId: oldFolders[index].id,
+                folderPath: folder.path,
+                newFolderName: newFolders[index].name,
+                oldFolderName: oldFolders[index].name
+              }
+            }
+          });
+        })
+      );
+
+      return { folders: newFolders };
+    }
+  });
+
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v2/user-router.ts

@@ -2,11 +2,52 @@ import { z } from "zod";
 
 import { AuthTokenSessionsSchema, OrganizationsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode } from "@app/services/auth/auth-type";
 
 export const registerUserRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/me/emails/code",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        username: z.string().trim()
+      }),
+      response: {
+        200: z.object({})
+      }
+    },
+    handler: async (req) => {
+      await server.services.user.sendEmailVerificationCode(req.body.username);
+      return {};
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/me/emails/verify",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        username: z.string().trim(),
+        code: z.string().trim()
+      }),
+      response: {
+        200: z.object({})
+      }
+    },
+    handler: async (req) => {
+      await server.services.user.verifyEmailVerificationCode(req.body.username, req.body.code);
+      return {};
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/me/mfa",

backend/src/server/routes/v3/secret-router.ts

@@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
+        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),

backend/src/services/auth-token/auth-token-service.ts

@@ -27,10 +27,17 @@ export const getTokenConfig = (tokenType: TokenType) => {
       const expiresAt = new Date(new Date().getTime() + 86400000);
       return { token, expiresAt };
     }
+    case TokenType.TOKEN_EMAIL_VERIFICATION: {
+      // generate random 6-digit code
+      const token = String(crypto.randomInt(10 ** 5, 10 ** 6 - 1));
+      const triesLeft = 3;
+      const expiresAt = new Date(new Date().getTime() + 86400000);
+      return { token, triesLeft, expiresAt };
+    }
     case TokenType.TOKEN_EMAIL_MFA: {
       // generate random 6-digit code
       const token = String(crypto.randomInt(10 ** 5, 10 ** 6 - 1));
-      const triesLeft = 5;
+      const triesLeft = 3;
       const expiresAt = new Date(new Date().getTime() + 300000);
       return { token, triesLeft, expiresAt };
     }

backend/src/services/auth-token/auth-token-types.ts

@@ -1,5 +1,6 @@
 export enum TokenType {
   TOKEN_EMAIL_CONFIRMATION = "emailConfirmation",
+  TOKEN_EMAIL_VERIFICATION = "emailVerification", // unverified -> verified
   TOKEN_EMAIL_MFA = "emailMfa",
   TOKEN_EMAIL_ORG_INVITATION = "organizationInvitation",
   TOKEN_EMAIL_PASSWORD_RESET = "passwordReset"

backend/src/services/auth/auth-login-service.ts

@@ -361,6 +361,7 @@ export const authLoginServiceFactory = ({
       user = await userDAL.create({
         username: email,
         email,
+        isEmailVerified: true,
         firstName,
         lastName,
         authMethods: [authMethod],
@@ -374,6 +375,8 @@ export const authLoginServiceFactory = ({
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
         username: user.username,
+        email: user.email,
+        isEmailVerified: user.isEmailVerified,
         firstName: user.firstName,
         lastName: user.lastName,
         authMethod,

backend/src/services/auth/auth-signup-service.ts

@@ -1,6 +1,6 @@
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipStatus } from "@app/db/schemas";
+import { OrgMembershipStatus, TableName } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -80,7 +80,7 @@ export const authSignupServiceFactory = ({
     });
 
     await smtpService.sendMail({
-      template: SmtpTemplates.EmailVerification,
+      template: SmtpTemplates.SignupEmailVerification,
       subjectLine: "Infisical confirmation code",
       recipients: [user.email as string],
       substitutions: {
@@ -102,6 +102,8 @@ export const authSignupServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, { isEmailVerified: true });
+
     // generate jwt token this is a temporary token
     const jwtToken = jwt.sign(
       {
@@ -169,12 +171,11 @@ export const authSignupServiceFactory = ({
         tx
       );
       // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
-      if (isAuthMethodSaml(authMethod) && organizationId) {
+      if ((isAuthMethodSaml(authMethod) || authMethod === AuthMethod.LDAP) && organizationId) {
         const [pendingOrgMembership] = await orgDAL.findMembership({
-          inviteEmail: email,
-          userId: user.id,
+          [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
           status: OrgMembershipStatus.Invited,
-          orgId: organizationId
+          [`${TableName.OrgMembership}.orgId` as "orgId"]: organizationId
         });
 
         if (pendingOrgMembership) {

backend/src/services/identity-aws-auth/identity-aws-auth-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAwsAuthDALFactory = ReturnType<typeof identityAwsAuthDALFactory>;
+
+export const identityAwsAuthDALFactory = (db: TDbClient) => {
+  const awsAuthOrm = ormify(db, TableName.IdentityAwsAuth);
+
+  return awsAuthOrm;
+};

backend/src/services/identity-aws-auth/identity-aws-auth-fns.ts

@@ -0,0 +1,67 @@
+/**
+ * Extracts the identity ARN from the GetCallerIdentity response to one of the following formats:
+ * - arn:aws:iam::123456789012:user/MyUserName
+ * - arn:aws:iam::123456789012:role/MyRoleName
+ */
+export const extractPrincipalArn = (arn: string) => {
+  // split the ARN into parts using ":" as the delimiter
+  const fullParts = arn.split(":");
+  if (fullParts.length !== 6) {
+    throw new Error(`Unrecognized ARN: contains ${fullParts.length} colon-separated parts, expected 6`);
+  }
+  const [prefix, partition, service, , accountNumber, resource] = fullParts;
+  if (prefix !== "arn") {
+    throw new Error('Unrecognized ARN: does not begin with "arn:"');
+  }
+
+  // structure to hold the parsed data
+  const entity = {
+    Partition: partition,
+    Service: service,
+    AccountNumber: accountNumber,
+    Type: "",
+    Path: "",
+    FriendlyName: "",
+    SessionInfo: ""
+  };
+
+  // validate the service is either 'iam' or 'sts'
+  if (entity.Service !== "iam" && entity.Service !== "sts") {
+    throw new Error(`Unrecognized service: ${entity.Service}, not one of iam or sts`);
+  }
+
+  // parse the last part of the ARN which describes the resource
+  const parts = resource.split("/");
+  if (parts.length < 2) {
+    throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 2 slash-separated parts`);
+  }
+
+  const [type, ...rest] = parts;
+  entity.Type = type;
+  entity.FriendlyName = parts[parts.length - 1];
+
+  // handle different types of resources
+  switch (entity.Type) {
+    case "assumed-role": {
+      if (rest.length < 2) {
+        throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 3 slash-separated parts`);
+      }
+      // assumed roles use a special format where the friendly name is the role name
+      const [roleName, sessionId] = rest;
+      entity.Type = "role"; // treat assumed role case as role
+      entity.FriendlyName = roleName;
+      entity.SessionInfo = sessionId;
+      break;
+    }
+    case "user":
+    case "role":
+    case "instance-profile":
+      // standard cases: just join back the path if there's any
+      entity.Path = rest.slice(0, -1).join("/");
+      break;
+    default:
+      throw new Error(`Unrecognized principal type: "${entity.Type}"`);
+  }
+
+  return `arn:aws:iam::${entity.AccountNumber}:${entity.Type}/${entity.FriendlyName}`;
+};

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -0,0 +1,310 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+import { ForbiddenError } from "@casl/ability";
+import axios from "axios";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
+import { extractPrincipalArn } from "./identity-aws-auth-fns";
+import {
+  TAttachAwsAuthDTO,
+  TAwsGetCallerIdentityHeaders,
+  TGetAwsAuthDTO,
+  TGetCallerIdentityResponse,
+  TLoginAwsAuthDTO,
+  TUpdateAwsAuthDTO
+} from "./identity-aws-auth-types";
+
+type TIdentityAwsAuthServiceFactoryDep = {
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
+
+export const identityAwsAuthServiceFactory = ({
+  identityAccessTokenDAL,
+  identityAwsAuthDAL,
+  identityOrgMembershipDAL,
+  identityDAL,
+  licenseService,
+  permissionService
+}: TIdentityAwsAuthServiceFactoryDep) => {
+  const login = async ({ identityId, iamHttpRequestMethod, iamRequestBody, iamRequestHeaders }: TLoginAwsAuthDTO) => {
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
+    if (!identityAwsAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
+
+    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
+    const body: string = Buffer.from(iamRequestBody, "base64").toString();
+
+    const {
+      data: {
+        GetCallerIdentityResponse: {
+          GetCallerIdentityResult: { Account, Arn }
+        }
+      }
+    }: { data: TGetCallerIdentityResponse } = await axios({
+      method: iamHttpRequestMethod,
+      url: identityAwsAuth.stsEndpoint,
+      headers,
+      data: body
+    });
+
+    if (identityAwsAuth.allowedAccountIds) {
+      // validate if Account is in the list of allowed Account IDs
+
+      const isAccountAllowed = identityAwsAuth.allowedAccountIds
+        .split(",")
+        .map((accountId) => accountId.trim())
+        .some((accountId) => accountId === Account);
+
+      if (!isAccountAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityAwsAuth.allowedPrincipalArns) {
+      // validate if Arn is in the list of allowed Principal ARNs
+
+      const isArnAllowed = identityAwsAuth.allowedPrincipalArns
+        .split(",")
+        .map((principalArn) => principalArn.trim())
+        .some((principalArn) => {
+          // convert wildcard ARN to a regular expression: "arn:aws:iam::123456789012:*" -> "^arn:aws:iam::123456789012:.*$"
+          // considers exact matches + wildcard matches
+          const regex = new RegExp(`^${principalArn.replace(/\*/g, ".*")}$`);
+          return regex.test(extractPrincipalArn(Arn));
+        });
+
+      if (!isArnAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityAwsAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityAwsAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityAwsAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachAwsAuth = async ({
+    identityId,
+    stsEndpoint,
+    allowedPrincipalArns,
+    allowedAccountIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add AWS Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const doc = await identityAwsAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type: "iam",
+          stsEndpoint,
+          allowedPrincipalArns,
+          allowedAccountIds,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.AWS_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateAwsAuth = async ({
+    identityId,
+    stsEndpoint,
+    allowedPrincipalArns,
+    allowedAccountIds,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update AWS Auth"
+      });
+
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityAwsAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedAwsAuth = await identityAwsAuthDAL.updateById(identityAwsAuth.id, {
+      stsEndpoint,
+      allowedPrincipalArns,
+      allowedAccountIds,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return { ...updatedAwsAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have AWS Auth attached"
+      });
+
+    const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachAwsAuth,
+    updateAwsAuth,
+    getAwsAuth
+  };
+};

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -0,0 +1,54 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginAwsAuthDTO = {
+  identityId: string;
+  iamHttpRequestMethod: string;
+  iamRequestBody: string;
+  iamRequestHeaders: string;
+};
+
+export type TAttachAwsAuthDTO = {
+  identityId: string;
+  stsEndpoint: string;
+  allowedPrincipalArns: string;
+  allowedAccountIds: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateAwsAuthDTO = {
+  identityId: string;
+  stsEndpoint?: string;
+  allowedPrincipalArns?: string;
+  allowedAccountIds?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetAwsAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TAwsGetCallerIdentityHeaders = {
+  "Content-Type": string;
+  Host: string;
+  "X-Amz-Date": string;
+  "Content-Length": number;
+  "x-amz-security-token": string;
+  Authorization: string;
+};
+
+export type TGetCallerIdentityResponse = {
+  GetCallerIdentityResponse: {
+    GetCallerIdentityResult: {
+      Account: string;
+      Arn: string;
+      UserId: string;
+    };
+    ResponseMetadata: { RequestId: string };
+  };
+};

backend/src/services/identity-aws-auth/identity-aws-auth-validators.ts

@@ -0,0 +1,58 @@
+import { z } from "zod";
+
+const twelveDigitRegex = /^\d{12}$/;
+const arnRegex = /^arn:aws:iam::\d{12}:(user\/[\w-]+|role\/[\w-]+|\*)$/;
+
+export const validateAccountIds = z
+  .string()
+  .trim()
+  .default("")
+  // Custom validation to ensure each part is a 12-digit number
+  .refine(
+    (data) => {
+      if (data === "") return true;
+      // Split the string by commas to check each supposed number
+      const accountIds = data.split(",").map((id) => id.trim());
+      // Return true only if every item matches the 12-digit requirement
+      return accountIds.every((id) => twelveDigitRegex.test(id));
+    },
+    {
+      message: "Each account ID must be a 12-digit number."
+    }
+  )
+  // Transform the string to normalize space after commas
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });
+
+export const validatePrincipalArns = z
+  .string()
+  .trim()
+  .default("")
+  // Custom validation for ARN format
+  .refine(
+    (data) => {
+      // Skip validation if the string is empty
+      if (data === "") return true;
+      // Split the string by commas to check each supposed ARN
+      const arns = data.split(",");
+      // Return true only if every item matches one of the allowed ARN formats
+      return arns.every((arn) => arnRegex.test(arn.trim()));
+    },
+    {
+      message:
+        "Each ARN must be in the format of 'arn:aws:iam::123456789012:user/UserName', 'arn:aws:iam::123456789012:role/RoleName', or 'arn:aws:iam::123456789012:*'."
+    }
+  )
+  // Transform to normalize the spaces around commas
+  .transform((data) =>
+    data
+      .split(",")
+      .map((arn) => arn.trim())
+      .join(", ")
+  );

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,9 +9,12 @@
 
 import {
   CreateSecretCommand,
+  DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
+  TagResourceCommand,
+  UntagResourceCommand,
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { Octokit } from "@octokit/rest";
@@ -517,20 +520,22 @@ const syncSecretsAWSParameterStore = async ({
     })
   );
 
-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
-      }
-    })
-  );
+  if (!metadata.shouldDisableDelete) {
+    // Identify secrets to delete
+    await Promise.all(
+      Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+      })
+    );
+  }
 };
 
 /**
@@ -572,6 +577,7 @@ const syncSecretsAWSSecretManager = async ({
     if (awsSecretManagerSecret?.SecretString) {
       awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
+
     if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
       await secretsManager.send(
         new UpdateSecretCommand({
@@ -580,7 +586,88 @@ const syncSecretsAWSSecretManager = async ({
         })
       );
     }
+
+    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+
+    if (secretAWSTag && secretAWSTag.length) {
+      const describedSecret = await secretsManager.send(
+        // requires secretsmanager:DescribeSecret policy
+        new DescribeSecretCommand({
+          SecretId: integration.app as string
+        })
+      );
+
+      if (!describedSecret.Tags) return;
+
+      const integrationTagObj = secretAWSTag.reduce(
+        (acc, item) => {
+          acc[item.key] = item.value;
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const awsTagObj = (describedSecret.Tags || []).reduce(
+        (acc, item) => {
+          if (item.Key && item.Value) {
+            acc[item.Key] = item.Value;
+          }
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const tagsToUpdate: { Key: string; Value: string }[] = [];
+      const tagsToDelete: { Key: string; Value: string }[] = [];
+
+      describedSecret.Tags?.forEach((tag) => {
+        if (tag.Key && tag.Value) {
+          if (!(tag.Key in integrationTagObj)) {
+            // delete tag from AWS secret manager
+            tagsToDelete.push({
+              Key: tag.Key,
+              Value: tag.Value
+            });
+          } else if (tag.Value !== integrationTagObj[tag.Key]) {
+            // update tag in AWS secret manager
+            tagsToUpdate.push({
+              Key: tag.Key,
+              Value: integrationTagObj[tag.Key]
+            });
+          }
+        }
+      });
+
+      secretAWSTag?.forEach((tag) => {
+        if (!(tag.key in awsTagObj)) {
+          // create tag in AWS secret manager
+          tagsToUpdate.push({
+            Key: tag.key,
+            Value: tag.value
+          });
+        }
+      });
+
+      if (tagsToUpdate.length) {
+        await secretsManager.send(
+          new TagResourceCommand({
+            SecretId: integration.app as string,
+            Tags: tagsToUpdate
+          })
+        );
+      }
+
+      if (tagsToDelete.length) {
+        await secretsManager.send(
+          new UntagResourceCommand({
+            SecretId: integration.app as string,
+            TagKeys: tagsToDelete.map((tag) => tag.Key)
+          })
+        );
+      }
+    }
   } catch (err) {
+    // case when AWS manager can't find the specified secret
     if (err instanceof ResourceNotFoundException && secretsManager) {
       await secretsManager.send(
         new CreateSecretCommand({

backend/src/services/integration/integration-service.ts

@@ -103,7 +103,8 @@ export const integrationServiceFactory = ({
     owner,
     isActive,
     environment,
-    secretPath
+    secretPath,
+    metadata
   }: TUpdateIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
@@ -127,7 +128,17 @@ export const integrationServiceFactory = ({
       appId,
       targetEnvironment,
       owner,
-      secretPath
+      secretPath,
+      metadata: {
+        ...(integration.metadata as object),
+        ...metadata
+      }
+    });
+
+    await secretQueueService.syncIntegrations({
+      environment: folder.environment.slug,
+      secretPath,
+      projectId: folder.projectId
     });
 
     return updatedIntegration;

backend/src/services/integration/integration-types.ts

@@ -27,18 +27,33 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateIntegrationDTO = {
   id: string;
-  app: string;
-  appId: string;
+  app?: string;
+  appId?: string;
   isActive?: boolean;
   secretPath: string;
   targetEnvironment: string;
   owner: string;
   environment: string;
+  metadata?: {
+    secretPrefix?: string;
+    secretSuffix?: string;
+    secretGCPLabel?: {
+      labelName: string;
+      labelValue: string;
+    };
+    secretAWSTag?: {
+      key: string;
+      value: string;
+    }[];
+    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
+  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteIntegrationDTO = {

backend/src/services/org-membership/org-membership-dal.ts

@@ -0,0 +1,13 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory>;
+
+export const orgMembershipDALFactory = (db: TDbClient) => {
+  const orgMembershipOrm = ormify(db, TableName.OrgMembership);
+
+  return {
+    ...orgMembershipOrm
+  };
+};

backend/src/services/org/org-dal.ts

@@ -262,13 +262,19 @@ export const orgDALFactory = (db: TDbClient) => {
         .where(buildFindFilter(filter))
         .join(TableName.Users, `${TableName.Users}.id`, `${TableName.OrgMembership}.userId`)
         .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.OrgMembership}.orgId`)
+        .leftJoin(TableName.UserAliases, function joinUserAlias() {
+          this.on(`${TableName.UserAliases}.userId`, "=", `${TableName.OrgMembership}.userId`)
+            .andOn(`${TableName.UserAliases}.orgId`, "=", `${TableName.OrgMembership}.orgId`)
+            .andOn(`${TableName.UserAliases}.aliasType`, "=", (tx || db).raw("?", ["saml"]));
+        })
         .select(
           selectAllTableCols(TableName.OrgMembership),
           db.ref("email").withSchema(TableName.Users),
           db.ref("username").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
-          db.ref("scimEnabled").withSchema(TableName.Organization)
+          db.ref("scimEnabled").withSchema(TableName.Organization),
+          db.ref("externalId").withSchema(TableName.UserAliases)
         )
         .where({ isGhost: false });
 

backend/src/services/org/org-fns.ts

@@ -1,41 +1,78 @@
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
 type TDeleteOrgMembership = {
   orgMembershipId: string;
   orgId: string;
   orgDAL: Pick<TOrgDALFactory, "findMembership" | "deleteMembershipById" | "transaction">;
-  projectDAL: Pick<TProjectDALFactory, "find">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "delete" | "findProjectMembershipsByUserId">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete">;
+  userAliasDAL: Pick<TUserAliasDALFactory, "delete">;
+  licenseService: Pick<TLicenseServiceFactory, "updateSubscriptionOrgMemberCount">;
 };
 
-export const deleteOrgMembership = async ({
+export const deleteOrgMembershipFn = async ({
   orgMembershipId,
   orgId,
   orgDAL,
-  projectDAL,
-  projectMembershipDAL
+  projectMembershipDAL,
+  projectKeyDAL,
+  userAliasDAL,
+  licenseService
 }: TDeleteOrgMembership) => {
-  const membership = await orgDAL.transaction(async (tx) => {
-    // delete org membership
+  const deletedMembership = await orgDAL.transaction(async (tx) => {
     const orgMembership = await orgDAL.deleteMembershipById(orgMembershipId, orgId, tx);
 
-    const projects = await projectDAL.find({ orgId }, { tx });
+    if (!orgMembership.userId) {
+      await licenseService.updateSubscriptionOrgMemberCount(orgId);
+      return orgMembership;
+    }
 
-    // delete associated project memberships
-    await projectMembershipDAL.delete(
+    await userAliasDAL.delete(
       {
-        $in: {
-          projectId: projects.map((project) => project.id)
-        },
-        userId: orgMembership.userId as string
+        userId: orgMembership.userId,
+        orgId
       },
       tx
     );
 
+    // Get all the project memberships of the user in the organization
+    const projectMemberships = await projectMembershipDAL.findProjectMembershipsByUserId(orgId, orgMembership.userId);
+
+    // Delete all the project memberships of the user in the organization
+    await projectMembershipDAL.delete(
+      {
+        $in: {
+          id: projectMemberships.map((membership) => membership.id)
+        }
+      },
+      tx
+    );
+
+    // Get all the project keys of the user in the organization
+    const projectKeys = await projectKeyDAL.find({
+      $in: {
+        projectId: projectMemberships.map((membership) => membership.projectId)
+      },
+      receiverId: orgMembership.userId
+    });
+
+    // Delete all the project keys of the user in the organization
+    await projectKeyDAL.delete(
+      {
+        $in: {
+          id: projectKeys.map((key) => key.id)
+        }
+      },
+      tx
+    );
+
+    await licenseService.updateSubscriptionOrgMemberCount(orgId);
     return orgMembership;
   });
 
-  return membership;
+  return deletedMembership;
 };

backend/src/services/org/org-service.ts

@@ -4,7 +4,7 @@ import crypto from "crypto";
 import jwt from "jsonwebtoken";
 import { Knex } from "knex";
 
-import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName } from "@app/db/schemas";
 import { TProjects } from "@app/db/schemas/projects";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -18,6 +18,7 @@ import { generateUserSrpKeys } from "@app/lib/crypto/srp";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
 import { ActorAuthMethod, ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
@@ -30,6 +31,7 @@ import { TUserDALFactory } from "../user/user-dal";
 import { TIncidentContactsDALFactory } from "./incident-contacts-dal";
 import { TOrgBotDALFactory } from "./org-bot-dal";
 import { TOrgDALFactory } from "./org-dal";
+import { deleteOrgMembershipFn } from "./org-fns";
 import { TOrgRoleDALFactory } from "./org-role-dal";
 import {
   TDeleteOrgMembershipDTO,
@@ -43,6 +45,7 @@ import {
 } from "./org-types";
 
 type TOrgServiceFactoryDep = {
+  userAliasDAL: Pick<TUserAliasDALFactory, "delete">;
   orgDAL: TOrgDALFactory;
   orgBotDAL: TOrgBotDALFactory;
   orgRoleDAL: TOrgRoleDALFactory;
@@ -65,6 +68,7 @@ type TOrgServiceFactoryDep = {
 export type TOrgServiceFactory = ReturnType<typeof orgServiceFactory>;
 
 export const orgServiceFactory = ({
+  userAliasDAL,
   orgDAL,
   userDAL,
   groupDAL,
@@ -427,7 +431,13 @@ export const orgServiceFactory = ({
       if (inviteeUser) {
         // if user already exist means its already part of infisical
         // Thus the signup flow is not needed anymore
-        const [inviteeMembership] = await orgDAL.findMembership({ orgId, userId: inviteeUser.id }, { tx });
+        const [inviteeMembership] = await orgDAL.findMembership(
+          {
+            [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
+            [`${TableName.OrgMembership}.userId` as "userId"]: inviteeUser.id
+          },
+          { tx }
+        );
         if (inviteeMembership && inviteeMembership.status === OrgMembershipStatus.Accepted) {
           throw new BadRequestError({
             message: "Failed to invite an existing member of org",
@@ -519,9 +529,9 @@ export const orgServiceFactory = ({
       throw new BadRequestError({ message: "Invalid request", name: "Verify user to org" });
     }
     const [orgMembership] = await orgDAL.findMembership({
-      userId: user.id,
+      [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
       status: OrgMembershipStatus.Invited,
-      orgId
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
     });
     if (!orgMembership)
       throw new BadRequestError({
@@ -536,6 +546,10 @@ export const orgServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged
@@ -572,47 +586,14 @@ export const orgServiceFactory = ({
     const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Member);
 
-    const deletedMembership = await orgDAL.transaction(async (tx) => {
-      const orgMembership = await orgDAL.deleteMembershipById(membershipId, orgId, tx);
-
-      if (!orgMembership.userId) {
-        await licenseService.updateSubscriptionOrgMemberCount(orgId);
-        return orgMembership;
-      }
-
-      // Get all the project memberships of the user in the organization
-      const projectMemberships = await projectMembershipDAL.findProjectMembershipsByUserId(orgId, orgMembership.userId);
-
-      // Delete all the project memberships of the user in the organization
-      await projectMembershipDAL.delete(
-        {
-          $in: {
-            id: projectMemberships.map((membership) => membership.id)
-          }
-        },
-        tx
-      );
-
-      // Get all the project keys of the user in the organization
-      const projectKeys = await projectKeyDAL.find({
-        $in: {
-          projectId: projectMemberships.map((membership) => membership.projectId)
-        },
-        receiverId: orgMembership.userId
-      });
-
-      // Delete all the project keys of the user in the organization
-      await projectKeyDAL.delete(
-        {
-          $in: {
-            id: projectKeys.map((key) => key.id)
-          }
-        },
-        tx
-      );
-
-      await licenseService.updateSubscriptionOrgMemberCount(orgId);
-      return orgMembership;
+    const deletedMembership = await deleteOrgMembershipFn({
+      orgMembershipId: membershipId,
+      orgId,
+      orgDAL,
+      projectMembershipDAL,
+      projectKeyDAL,
+      userAliasDAL,
+      licenseService
     });
 
     return deletedMembership;

backend/src/services/project-membership/project-membership-service.ts

@@ -110,7 +110,7 @@ export const projectMembershipServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
     const orgMembers = await orgDAL.findMembership({
-      orgId: project.orgId,
+      [`${TableName.OrgMembership}.orgId` as "orgId"]: project.orgId,
       $in: {
         [`${TableName.OrgMembership}.id` as "id"]: members.map(({ orgMembershipId }) => orgMembershipId)
       }
@@ -119,7 +119,7 @@ export const projectMembershipServiceFactory = ({
 
     const existingMembers = await projectMembershipDAL.find({
       projectId,
-      $in: { userId: orgMembers.map(({ userId }) => userId).filter(Boolean) as string[] }
+      $in: { userId: orgMembers.map(({ userId }) => userId).filter(Boolean) }
     });
     if (existingMembers.length) throw new BadRequestError({ message: "Some users are already part of project" });
 
@@ -134,7 +134,7 @@ export const projectMembershipServiceFactory = ({
       const projectMemberships = await projectMembershipDAL.insertMany(
         orgMembers.map(({ userId }) => ({
           projectId,
-          userId: userId as string
+          userId
         })),
         tx
       );
@@ -145,12 +145,12 @@ export const projectMembershipServiceFactory = ({
       const encKeyGroupByOrgMembId = groupBy(members, (i) => i.orgMembershipId);
       await projectKeyDAL.insertMany(
         orgMembers
-          .filter(({ userId }) => !userIdsToExcludeForProjectKeyAddition.has(userId as string))
+          .filter(({ userId }) => !userIdsToExcludeForProjectKeyAddition.has(userId))
           .map(({ userId, id }) => ({
             encryptedKey: encKeyGroupByOrgMembId[id][0].workspaceEncryptedKey,
             nonce: encKeyGroupByOrgMembId[id][0].workspaceEncryptedNonce,
             senderId: actorId,
-            receiverId: userId as string,
+            receiverId: userId,
             projectId
           })),
         tx

backend/src/services/project/project-queue.ts

@@ -8,6 +8,7 @@ import {
   SecretKeyEncoding,
   SecretsSchema,
   SecretVersionsSchema,
+  TableName,
   TIntegrationAuths,
   TSecretApprovalRequestsSecrets,
   TSecrets,
@@ -273,7 +274,10 @@ export const projectQueueFactory = ({
 
         for (const key of existingProjectKeys) {
           const user = await userDAL.findUserEncKeyByUserId(key.receiverId);
-          const [orgMembership] = await orgDAL.findMembership({ userId: key.receiverId, orgId: project.orgId });
+          const [orgMembership] = await orgDAL.findMembership({
+            [`${TableName.OrgMembership}.userId` as "userId"]: key.receiverId,
+            [`${TableName.OrgMembership}.orgId` as "orgId"]: project.orgId
+          });
 
           if (!user) {
             throw new Error(`User with ID ${key.receiverId} was not found during upgrade.`);

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,9 +8,16 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
+import {
+  TCreateFolderDTO,
+  TDeleteFolderDTO,
+  TGetFolderDTO,
+  TUpdateFolderDTO,
+  TUpdateManyFoldersDTO
+} from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -19,6 +26,7 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -28,7 +36,8 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL
+  folderVersionDAL,
+  projectDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -116,6 +125,105 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
+  const updateManyFolders = async ({
+    actor,
+    actorId,
+    projectSlug,
+    actorAuthMethod,
+    actorOrgId,
+    folders
+  }: TUpdateManyFoldersDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    });
+
+    const result = await folderDAL.transaction(async (tx) =>
+      Promise.all(
+        folders.map(async (newFolder) => {
+          const { environment, path: secretPath, id, name } = newFolder;
+
+          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          if (!parentFolder) {
+            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
+          }
+
+          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          if (!env) {
+            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
+          }
+          const folder = await folderDAL
+            .findOne({ envId: env.id, id, parentId: parentFolder.id })
+            // now folder api accepts id based change
+            // this is for cli backward compatiability and when cli removes this, we will remove this logic
+            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
+
+          if (!folder) {
+            throw new BadRequestError({ message: "Folder not found" });
+          }
+          if (name !== folder.name) {
+            // ensure that new folder name is unique
+            const folderToCheck = await folderDAL.findOne({
+              name,
+              envId: env.id,
+              parentId: parentFolder.id
+            });
+
+            if (folderToCheck) {
+              throw new BadRequestError({
+                message: "Folder with specified name already exists",
+                name: "Batch update folder"
+              });
+            }
+          }
+
+          const [doc] = await folderDAL.update(
+            { envId: env.id, id: folder.id, parentId: parentFolder.id },
+            { name },
+            tx
+          );
+          await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id
+            },
+            tx
+          );
+          if (!doc) {
+            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
+          }
+
+          return { oldFolder: folder, newFolder: doc };
+        })
+      )
+    );
+
+    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
+
+    return {
+      projectId: project.id,
+      newFolders: result.map((res) => res.newFolder),
+      oldFolders: result.map((res) => res.oldFolder)
+    };
+  };
+
   const updateFolder = async ({
     projectId,
     actor,
@@ -151,6 +259,21 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (name !== folder.name) {
+      // ensure that new folder name is unique
+      const folderToCheck = await folderDAL.findOne({
+        name,
+        envId: env.id,
+        parentId: parentFolder.id
+      });
+
+      if (folderToCheck) {
+        throw new BadRequestError({
+          message: "Folder with specified name already exists",
+          name: "Update folder"
+        });
+      }
+    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -239,6 +362,7 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
+    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,6 +13,16 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
+export type TUpdateManyFoldersDTO = {
+  projectSlug: string;
+  folders: {
+    environment: string;
+    path: string;
+    id: string;
+    name: string;
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;

backend/src/services/secret/secret-service.ts

@@ -972,7 +972,8 @@ export const secretServiceFactory = ({
     path,
     actor,
     environment,
-    projectId,
+    projectId: workspaceId,
+    projectSlug,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -980,6 +981,8 @@ export const secretServiceFactory = ({
     includeImports,
     version
   }: TGetASecretRawDTO) => {
+    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
+
     const botKey = await projectBotService.getBotKey(projectId);
     if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
 

backend/src/services/secret/secret-types.ts

@@ -152,7 +152,9 @@ export type TGetASecretRawDTO = {
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;
-} & TProjectPermission;
+  projectSlug?: string;
+  projectId?: string;
+} & Omit<TProjectPermission, "projectId">;
 
 export type TCreateSecretRawDTO = TProjectPermission & {
   secretPath: string;

backend/src/services/smtp/smtp-service.ts

@@ -17,9 +17,11 @@ export type TSmtpSendMail = {
 export type TSmtpService = ReturnType<typeof smtpServiceFactory>;
 
 export enum SmtpTemplates {
+  SignupEmailVerification = "signupEmailVerification.handlebars",
   EmailVerification = "emailVerification.handlebars",
   SecretReminder = "secretReminder.handlebars",
   EmailMfa = "emailMfa.handlebars",
+  AccessApprovalRequest = "accessApprovalRequest.handlebars",
   HistoricalSecretList = "historicalSecretLeakIncident.handlebars",
   NewDeviceJoin = "newDevice.handlebars",
   OrgInvite = "organizationInvitation.handlebars",

backend/src/services/smtp/templates/accessApprovalRequest.handlebars

@@ -0,0 +1,50 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Access Approval Request</title>
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+    <h2>New access approval request pending your review</h2>
+    <p>You have a new access approval request pending review in project "{{projectName}}".</p>
+
+    <p>
+      {{requesterFullName}}
+      ({{requesterEmail}}) has requested
+      {{#if isTemporary}}
+        temporary
+      {{else}}
+        permanent
+      {{/if}}
+      access to
+      {{secretPath}}
+      in the
+      {{environment}}
+      environment.
+
+      {{#if isTemporary}}
+        <br />
+        This access will expire
+        {{expiresIn}}
+        after it has been approved.
+      {{/if}}
+    </p>
+    <p>
+      The following permissions are requested:
+      <ul>
+        {{#each permissions}}
+          <li>{{this}}</li>
+        {{/each}}
+      </ul>
+    </p>
+
+    <p>
+      View the request and approve or deny it
+      <a href="{{approvalUrl}}">here</a>.
+    </p>
+  </body>
+
+</html>

backend/src/services/smtp/templates/emailVerification.handlebars

@@ -1,17 +1,15 @@
-<!DOCTYPE html>
 <html>
 
-<head>
-    <meta charset="utf-8">
-    <meta http-equiv="x-ua-compatible" content="ie=edge">
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
     <title>Code</title>
-</head>
+  </head>
 
-<body>
+  <body>
     <h2>Confirm your email address</h2>
-    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
+    <p>Your confirmation code is below — enter it in the browser window where you've started confirming your email.</p>
     <h1>{{code}}</h1>
-    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
-</body>
+  </body>
 
 </html>

backend/src/services/smtp/templates/signupEmailVerification.handlebars

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Code</title>
+</head>
+
+<body>
+    <h2>Confirm your email address</h2>
+    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
+    <h1>{{code}}</h1>
+    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
+</body>
+
+</html>

backend/src/services/super-admin/super-admin-service.ts

@@ -102,7 +102,8 @@ export const superAdminServiceFactory = ({
           superAdmin: true,
           isGhost: false,
           isAccepted: true,
-          authMethods: [AuthMethod.EMAIL]
+          authMethods: [AuthMethod.EMAIL],
+          isEmailVerified: true
         },
         tx
       );

backend/src/services/user-alias/user-alias-types.ts

@@ -0,0 +1,4 @@
+export enum UserAliasType {
+  LDAP = "ldap",
+  SAML = "saml"
+}

backend/src/services/user/user-dal.ts

@@ -74,6 +74,17 @@ export const userDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findUsersByProjectMembershipIds = async (projectMembershipIds: string[]) => {
+    try {
+      return await db(TableName.ProjectMembership)
+        .whereIn(`${TableName.ProjectMembership}.id`, projectMembershipIds)
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .select("*");
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find users by project membership ids" });
+    }
+  };
+
   const createUserEncryption = async (data: TUserEncryptionKeysInsert, tx?: Knex) => {
     try {
       const [userEnc] = await (tx || db)(TableName.UserEncryptionKey).insert(data).returning("*");
@@ -140,6 +151,7 @@ export const userDALFactory = (db: TDbClient) => {
     findUserEncKeyByUserId,
     updateUserEncryptionByUserId,
     findUserByProjectMembershipId,
+    findUsersByProjectMembershipIds,
     upsertUserEncryptionKey,
     createUserEncryption,
     findOneUserAction,

backend/src/services/user/user-fns.ts

@@ -4,7 +4,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 export const normalizeUsername = async (username: string, userDAL: Pick<TUserDALFactory, "findOne">) => {
-  let attempt = slugify(username);
+  let attempt = slugify(`${username}-${alphaNumericNanoId(4)}`);
 
   let user = await userDAL.findOne({ username: attempt });
   if (!user) return attempt;

backend/src/services/user/user-service.ts

@@ -1,15 +1,151 @@
 import { BadRequestError } from "@app/lib/errors";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
 import { AuthMethod } from "../auth/auth-type";
 import { TUserDALFactory } from "./user-dal";
 
 type TUserServiceFactoryDep = {
-  userDAL: TUserDALFactory;
+  userDAL: Pick<
+    TUserDALFactory,
+    | "find"
+    | "findOne"
+    | "findById"
+    | "transaction"
+    | "updateById"
+    | "update"
+    | "deleteById"
+    | "findOneUserAction"
+    | "createUserAction"
+    | "findUserEncKeyByUserId"
+  >;
+  userAliasDAL: Pick<TUserAliasDALFactory, "find" | "insertMany">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "insertMany">;
+  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser" | "validateTokenForUser">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TUserServiceFactory = ReturnType<typeof userServiceFactory>;
 
-export const userServiceFactory = ({ userDAL }: TUserServiceFactoryDep) => {
+export const userServiceFactory = ({
+  userDAL,
+  userAliasDAL,
+  orgMembershipDAL,
+  tokenService,
+  smtpService
+}: TUserServiceFactoryDep) => {
+  const sendEmailVerificationCode = async (username: string) => {
+    const user = await userDAL.findOne({ username });
+    if (!user) throw new BadRequestError({ name: "Failed to find user" });
+    if (!user.email)
+      throw new BadRequestError({ name: "Failed to send email verification code due to no email on user" });
+    if (user.isEmailVerified)
+      throw new BadRequestError({ name: "Failed to send email verification code due to email already verified" });
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_VERIFICATION,
+      userId: user.id
+    });
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.EmailVerification,
+      subjectLine: "Infisical confirmation code",
+      recipients: [user.email],
+      substitutions: {
+        code: token
+      }
+    });
+  };
+
+  const verifyEmailVerificationCode = async (username: string, code: string) => {
+    const user = await userDAL.findOne({ username });
+    if (!user) throw new BadRequestError({ name: "Failed to find user" });
+    if (!user.email)
+      throw new BadRequestError({ name: "Failed to verify email verification code due to no email on user" });
+    if (user.isEmailVerified)
+      throw new BadRequestError({ name: "Failed to verify email verification code due to email already verified" });
+
+    await tokenService.validateTokenForUser({
+      type: TokenType.TOKEN_EMAIL_VERIFICATION,
+      userId: user.id,
+      code
+    });
+
+    const { email } = user;
+
+    await userDAL.transaction(async (tx) => {
+      await userDAL.updateById(
+        user.id,
+        {
+          isEmailVerified: true
+        },
+        tx
+      );
+
+      // check if there are users with the same email.
+      const users = await userDAL.find(
+        {
+          email,
+          isEmailVerified: true
+        },
+        { tx }
+      );
+
+      if (users.length > 1) {
+        // merge users
+        const mergeUser = users.find((u) => u.id !== user.id);
+        if (!mergeUser) throw new BadRequestError({ name: "Failed to find merge user" });
+
+        const mergeUserOrgMembershipSet = new Set(
+          (await orgMembershipDAL.find({ userId: mergeUser.id }, { tx })).map((m) => m.orgId)
+        );
+        const myOrgMemberships = (await orgMembershipDAL.find({ userId: user.id }, { tx })).filter(
+          (m) => !mergeUserOrgMembershipSet.has(m.orgId)
+        );
+
+        const userAliases = await userAliasDAL.find(
+          {
+            userId: user.id
+          },
+          { tx }
+        );
+        await userDAL.deleteById(user.id, tx);
+
+        if (myOrgMemberships.length) {
+          await orgMembershipDAL.insertMany(
+            myOrgMemberships.map((orgMembership) => ({
+              ...orgMembership,
+              userId: mergeUser.id
+            })),
+            tx
+          );
+        }
+
+        if (userAliases.length) {
+          await userAliasDAL.insertMany(
+            userAliases.map((userAlias) => ({
+              ...userAlias,
+              userId: mergeUser.id
+            })),
+            tx
+          );
+        }
+      } else {
+        // update current user's username to [email]
+        await userDAL.updateById(
+          user.id,
+          {
+            username: email
+          },
+          tx
+        );
+      }
+    });
+  };
+
   const toggleUserMfa = async (userId: string, isMfaEnabled: boolean) => {
     const user = await userDAL.findById(userId);
 
@@ -72,6 +208,8 @@ export const userServiceFactory = ({ userDAL }: TUserServiceFactoryDep) => {
   };
 
   return {
+    sendEmailVerificationCode,
+    verifyEmailVerificationCode,
     toggleUserMfa,
     updateUserName,
     updateAuthMethods,

docs/documentation/getting-started/introduction.mdx

@@ -4,59 +4,66 @@ sidebarTitle: "What is Infisical?"
 description: "An Introduction to the Infisical secret management platform."
 ---
 
-Infisical is an [open-source](https://github.com/infisical/infisical) secret management platform for developers. 
-It provides capabilities for  storing, managing, and syncing application configuration and secrets like API keys, database 
-credentials, and certificates across infrastructure. In addition, Infisical prevents secrets leaks to git and enables secure 
+Infisical is an [open-source](https://github.com/infisical/infisical) secret management platform for developers.
+It provides capabilities for storing, managing, and syncing application configuration and secrets like API keys, database
+credentials, and certificates across infrastructure. In addition, Infisical prevents secrets leaks to git and enables secure
 sharing of secrets among engineers.
 
 Start managing secrets securely with [Infisical Cloud](https://app.infisical.com) or learn how to [host Infisical](/self-hosting/overview) yourself.
 
 <CardGroup cols={2}>
-    <Card
-        title="Infisical Cloud"
-        href="https://app.infisical.com/signup"
-        icon="cloud"
-        color="#000000"
-    >
-        Get started with Infisical Cloud in just a few minutes.
-    </Card>
-    <Card 
-        href="/self-hosting/overview" 
-        title="Self-hosting" 
-        icon="server" 
-        color="#000000"
-    >
-        Self-host Infisical on your own infrastructure.
-    </Card>
+  <Card
+    title="Infisical Cloud"
+    href="https://app.infisical.com/signup"
+    icon="cloud"
+    color="#000000"
+  >
+    Get started with Infisical Cloud in just a few minutes.
+  </Card>
+  <Card
+    href="/self-hosting/overview"
+    title="Self-hosting"
+    icon="server"
+    color="#000000"
+  >
+    Self-host Infisical on your own infrastructure.
+  </Card>
 </CardGroup>
 
-## Why Infisical? 
+## Why Infisical?
+
+Infisical helps developers achieve secure centralized secret management and provides all the tools to easily manage secrets in various environments and infrastructure components. In particular, here are some of the most common points that developers mention after adopting Infisical:
 
-Infisical helps developers achieve secure centralized secret management and provides all the tools to easily manage secrets in various environments and infrastructure components. In particular, here are some of the most common points that developers mention after adopting Infisical: 
 - Streamlined **local development** processes (switching .env files to [Infisical CLI](/cli/commands/run) and removing secrets from developer machines).
-- **Best-in-class developer experience** with an easy-to-use [Web Dashboard](/documentation/platform/project). 
-- Simple secret management inside **[CI/CD pipelines](/integrations/cicd/githubactions)** and staging environments. 
-- Secure and compliant secret management practices in **[production environments](/sdks/overview)**. 
+- **Best-in-class developer experience** with an easy-to-use [Web Dashboard](/documentation/platform/project).
+- Simple secret management inside **[CI/CD pipelines](/integrations/cicd/githubactions)** and staging environments.
+- Secure and compliant secret management practices in **[production environments](/sdks/overview)**.
 - **Facilitated workflows** around [secret change management](/documentation/platform/pr-workflows), [access requests](/documentation/platform/access-controls/access-requests), [temporary access provisioning](/documentation/platform/access-controls/temporary-access), and more.
 - **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.
 
-## How does Infisical work? 
+## How does Infisical work?
 
-To make secret management effortless and secure, Infisical follows a certain structure for enabling secret management workflows as defined below. 
+To make secret management effortless and secure, Infisical follows a certain structure for enabling secret management workflows as defined below.
 
-**Identities** in Infisical are users or machine which have a certain set of roles and permissions assigned to them. Such identities are able to manage secrets in various **Clients** throughout the entire infrastructure. To do that, identities have to verify themselves through one of the available **Authentication Methods**. 
+**Identities** in Infisical are users or machine which have a certain set of roles and permissions assigned to them. Such identities are able to manage secrets in various **Clients** throughout the entire infrastructure. To do that, identities have to verify themselves through one of the available **Authentication Methods**.
 
-As a result, the 3 main concepts that are important to understand are: 
-- **[Identities](/documentation/platform/identities/overview)**: users or machines with a set permissions assigned to them. 
+As a result, the 3 main concepts that are important to understand are:
+
+- **[Identities](/documentation/platform/identities/overview)**: users or machines with a set permissions assigned to them.
 - **[Clients](/integrations/platforms/kubernetes)**: Infisical-developed tools for managing secrets in various infrastructure components (e.g., [Kubernetes Operator](/integrations/platforms/kubernetes), [Infisical Agent](/integrations/platforms/infisical-agent), [CLI](/cli/usage), [SDKs](/sdks/overview), [API](/api-reference/overview/introduction), [Web Dashboard](/documentation/platform/organization)).
-- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, etc.).
+- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, AWS Auth etc.).
 
-## How to get started with Infisical? 
+## How to get started with Infisical?
 
 Depending on your use case, it might be helpful to look into some of the resources and guides provided below.
 
 <CardGroup cols={2}>
-  <Card href="../../cli/overview" title="Command Line Interface (CLI)" icon="square-terminal" color="#000000">
+  <Card
+    href="../../cli/overview"
+    title="Command Line Interface (CLI)"
+    icon="square-terminal"
+    color="#000000"
+  >
     Inject secrets into any application process/environment.
   </Card>
   <Card
@@ -67,7 +74,12 @@ Depending on your use case, it might be helpful to look into some of the resourc
   >
     Fetch secrets with any programming language on demand.
   </Card>
-  <Card href="../../integrations/platforms/docker-intro" title="Docker" icon="docker" color="#000000">
+  <Card
+    href="../../integrations/platforms/docker-intro"
+    title="Docker"
+    icon="docker"
+    color="#000000"
+  >
     Inject secrets into Docker containers.
   </Card>
   <Card

docs/documentation/platform/identities/aws-auth.mdx

@@ -0,0 +1,304 @@
+---
+title: AWS Auth
+description: "Learn how to authenticate with Infisical for EC2 instances, Lambda functions, and other IAM principals."
+---
+
+**AWS Auth** is an AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to access Infisical.
+
+## Diagram
+
+The following sequence digram illustrates the AWS Auth workflow for authenticating AWS IAM principals with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+  participant AWS as AWS STS
+
+  Note over Client,Client: Step 1: Sign GetCallerIdentityQuery
+
+  Note over Client,Infis: Step 2: Login Operation
+  Client->>Infis: Send signed query details /api/v1/auth/aws-auth/login
+
+  Note over Infis,AWS: Step 3: Query verification
+  Infis->>AWS: Forward signed GetCallerIdentity query
+  AWS-->>Infis: Return IAM user/role details
+
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 4: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+In AWS Auth, an IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
+The query data including the request method, request body, and request headers are sent to Infisical afterwhich Infisical forwards the signed query to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method to verify and obtain the identity of the IAM principal.
+Once obtained, the identity information is verified against specified requirements such as if the associated IAM principal ARN is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using AWS Auth as they handle the
+authentication process including the signed `GetCallerIdentity` query
+construction for you.
+
+Also, note that Infisical needs network-level access to send requests to the AWS STS API
+as part of the AWS Auth workflow.
+
+</Note>
+
+## Workflow
+
+In the following steps, we explore how to create and use identities for your workloads and applications on AWS to
+access the Infisical API using the AWS Auth authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **AWS Auth**.
+
+    ![identities create aws auth method](/images/platform/identities/identities-org-create-aws-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Allowed Principal ARNs: A comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical. The values should take one of three forms: `arn:aws:iam::123456789012:user/MyUserName`, `arn:aws:iam::123456789012:role/MyRoleName`, or `arn:aws:iam::123456789012:*`. Using a wildcard in this case allows any IAM principal in the account `123456789012` to authenticate with Infisical under the identity.
+    - Allowed Account IDs: A comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.
+    - STS Endpoint (default is `https://sts.amazonaws.com/`): The endpoint URL for the AWS STS API. This is useful for AWS GovCloud or other AWS regions that have different STS endpoints.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to construct a signed `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) and make a request to the `/api/v1/auth/aws-auth/login` endpoint containing the query data
+        in exchange for an access token.
+
+        We provide a few code examples below of how you can authenticate with Infisical from inside a Lambda function, EC2 instance, etc. and obtain an access token to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for inside a Lambda function"
+            >
+                The following query construction is an example of how you can authenticate with Infisical from inside a Lambda function.
+
+                The shown example uses Node.js but you can use other languages supported by AWS Lambda.
+
+                ```javascript
+                import AWS from "aws-sdk";
+                import axios from "axios";
+
+                export const handler = async (event, context) => {
+                    try {
+                        const region = process.env.AWS_REGION;
+                        AWS.config.update({ region });
+
+                        const iamRequestURL = `https://sts.${region}.amazonaws.com/`;
+                        const iamRequestBody = "Action=GetCallerIdentity&Version=2011-06-15";
+                        const iamRequestHeaders = {
+                            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+                            Host: `sts.${region}.amazonaws.com`,
+                        };
+
+                        // Create the request
+                        const request = new AWS.HttpRequest(iamRequestURL, region);
+                        request.method = "POST";
+                        request.headers = iamRequestHeaders;
+                        request.headers["X-Amz-Date"] = AWS.util.date
+                            .iso8601(new Date())
+                            .replace(/[:-]|\.\d{3}/g, "");
+                        request.body = iamRequestBody;
+                        request.headers["Content-Length"] =
+                        Buffer.byteLength(iamRequestBody).toString();
+
+                        // Sign the request
+                        const signer = new AWS.Signers.V4(request, "sts");
+                        signer.addAuthorization(AWS.config.credentials, new Date());
+
+                        const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
+                        const identityId = "<your-identity-id>";
+
+                        const { data } = await axios.post(
+                            `${infisicalUrl}/api/v1/auth/aws-auth/login`,
+                            {
+                                identityId,
+                                iamHttpRequestMethod: "POST",
+                                iamRequestUrl: Buffer.from(iamRequestURL).toString("base64"),
+                                iamRequestBody: Buffer.from(iamRequestBody).toString("base64"),
+                                iamRequestHeaders: Buffer.from(
+                                JSON.stringify(iamRequestHeaders)
+                                ).toString("base64"),
+                            }
+                        );
+
+                        console.log("result data: ", data); // access token here
+                    } catch (err) {
+                        console.error(err);
+                    }
+                };
+                ````
+            </Accordion>
+            <Accordion
+                title="Sample code for inside an EC2 instance"
+            >
+                The following query construction is an example of how you can authenticate with Infisical from inside a EC2 instance.
+
+                The shown example uses Node.js but you can use other language you wish.
+
+                ```javascript
+                import AWS from "aws-sdk";
+                import axios from "axios";
+
+                const main = async () => {
+                    try {
+                        // obtain region from EC2 instance metadata
+                        const tokenResponse = await axios.put("http://169.254.169.254/latest/api/token", null, {
+                            headers: {
+                            "X-aws-ec2-metadata-token-ttl-seconds": "21600"
+                            }
+                        });
+
+                        const url = "http://169.254.169.254/latest/dynamic/instance-identity/document";
+                        const response = await axios.get(url, {
+                            headers: {
+                                "X-aws-ec2-metadata-token": tokenResponse.data
+                            }
+                        });
+
+                        const region = response.data.region;
+
+                        AWS.config.update({
+                            region
+                        });
+
+                        const iamRequestURL = `https://sts.${region}.amazonaws.com/`;
+                        const iamRequestBody = "Action=GetCallerIdentity&Version=2011-06-15";
+                        const iamRequestHeaders = {
+                            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+                            Host: `sts.${region}.amazonaws.com`
+                        };
+
+                        const request = new AWS.HttpRequest(new AWS.Endpoint(iamRequestURL), AWS.config.region);
+                        request.method = "POST";
+                        request.headers = iamRequestHeaders;
+                        request.headers["X-Amz-Date"] = AWS.util.date.iso8601(new Date()).replace(/[:-]|\.\d{3}/g, "");
+                        request.body = iamRequestBody;
+                        request.headers["Content-Length"] = Buffer.byteLength(iamRequestBody);
+
+                        const signer = new AWS.Signers.V4(request, "sts");
+                        signer.addAuthorization(AWS.config.credentials, new Date());
+
+                        const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
+                        const identityId = "<your-identity-id>";
+
+                        const { data } = await axios.post(`${infisicalUrl}/api/v1/auth/aws-auth/login`, {
+                            identityId,
+                            iamHttpRequestMethod: "POST",
+                            iamRequestUrl: Buffer.from(iamRequestURL).toString("base64"),
+                            iamRequestBody: Buffer.from(iamRequestBody).toString("base64"),
+                            iamRequestHeaders: Buffer.from(JSON.stringify(iamRequestHeaders)).toString("base64")
+                        });
+
+                        console.log("result data: ", data); // access token here
+                    } catch (err) {
+                        console.error(err);
+                    }
+                }
+
+                main();
+                ````
+            </Accordion>
+            <Accordion
+                title="Sample code for general query construction"
+            >
+                The following query construction provides a generic example of how you can construct a signed `GetCallerIdentity` query and obtain the required payload components.
+
+                The shown example uses Node.js but you can use any language you wish.
+
+                ```javascript
+                const AWS = require("aws-sdk");
+
+                const region = "<your-aws-region>";
+                const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
+
+                const iamRequestURL = `https://sts.${region}.amazonaws.com/`;
+                const iamRequestBody = "Action=GetCallerIdentity&Version=2011-06-15";
+                const iamRequestHeaders = {
+                    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+                    Host: `sts.${region}.amazonaws.com`
+                };
+
+                const request = new AWS.HttpRequest(new AWS.Endpoint(iamRequestURL), region);
+                request.method = "POST";
+                request.headers = iamRequestHeaders;
+                request.headers["X-Amz-Date"] = AWS.util.date.iso8601(new Date()).replace(/[:-]|\.\d{3}/g, "");
+                request.body = iamRequestBody;
+                request.headers["Content-Length"] = Buffer.byteLength(iamRequestBody);
+                ````
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/aws-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'iamHttpRequestMethod=...' \
+                    --data-urlencode 'iamRequestBody=...' \
+                    --data-urlencode 'iamRequestHeaders=...'
+                ```
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using AWS Auth as they handle the authentication process including the signed `GetCallerIdentity` query construction for you.
+        </Tip>
+
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>

docs/documentation/platform/identities/machine-identities.mdx

@@ -7,7 +7,7 @@ description: "Learn how to use Machine Identities to programmatically interact w
 
 An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).
 
-Each identity must authenticate with the API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth) to get back a short-lived access token to be used in subsequent requests.
+Each identity must authenticate using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth) to get back a short-lived access token to be used in subsequent requests.
 
 ![organization identities](/images/platform/organization/organization-machine-identities.png)
 
@@ -21,7 +21,7 @@ Key Features:
 A typical workflow for using identities consists of four steps:
 
 1. Creating the identity with a name and [role](/documentation/platform/role-based-access-controls) in Organization Access Control > Machine Identities.
-   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth).
+   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth).
 2. Adding the identity to the project(s) you want it to have access to.
 3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
 4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
@@ -37,7 +37,8 @@ Machine Identity support for the rest of the clients is planned to be released i
 
 To interact with various resources in Infisical, Machine Identities are able to authenticate using:
 
-- [Universal Auth](/documentation/platform/identities/universal-auth): the most versatile authentication method that can be configured on an identity from any platform/environment to access Infisical.
+- [Universal Auth](/documentation/platform/identities/universal-auth): A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
+- [AWS Auth](/documentation/platform/identities/aws-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
 
 ## FAQ
 

docs/documentation/platform/identities/universal-auth.mdx

@@ -3,19 +3,35 @@ title: Universal Auth
 description: "Learn how to authenticate to Infisical from any platform or environment."
 ---
 
-**Universal Auth** is the most versatile authentication method that can be configured for a [machine identity](/documentation/platform/identities/machine-identities) to access Infisical from any platform or environment.
+**Universal Auth** is a platform-agnostic authentication method that can be configured for a [machine identity](/documentation/platform/identities/machine-identities) suitable to authenticate from any platform/environment.
 
-In this method, each identity is given a **Client ID** for which you can generate one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for an access token to authenticate with the Infisical API.
+## Diagram
 
-## Properties
+The following sequence digram illustrates the Universal Auth workflow for authenticating clients with Infisical.
 
-Universal Auth supports many settings that can be beneficial for tightening your workflow security configuration:
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
 
-- Support for restrictions on the number of times that the **Client Secret(s)** and access token(s) can be used.
-- Support for expiration, so, if specified, the **Client Secret** of the identity will automatically be defunct after a period of time.
-- Support for IP allowlisting; this means you can restrict the usage of **Client Secret(s)** and access token to a specific IP or CIDR range.
+  Note over Client,Infis: Step 1: Login Operation
+  Client->>Infis: Send Client ID and Client Secret
 
-## Workflow
+  Note over Infis: Step 2: Client ID and Client Secret validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 3: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+In this method, Infisical authenticates an identity by verifying the credentials issued for it at the `/api/v1/auth/universal-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+In Universal Auth, an identity is given a **Client ID** and one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for a short-lived access token to authenticate with the Infisical API.
+
+## Guide
 
 In the following steps, we explore how to create and use identities for your workloads and applications to access the Infisical API
 using the Universal Auth authentication method.
@@ -27,18 +43,18 @@ using the Universal Auth authentication method.
     ![identities organization](/images/platform/identities/identities-org.png)
 
     When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
-    
+
     ![identities organization create](/images/platform/identities/identities-org-create.png)
 
     Now input a few details for your new identity. Here's some guidance for each field:
 
     - Name (required): A friendly name for the identity.
     - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
-    
+
     Once you've created an identity, you'll be prompted to configure the **Universal Auth** authentication method for it.
-    
+
     ![identities organization create auth method](/images/platform/identities/identities-org-create-auth-method.png)
-    
+
     Here's some more guidance on each field:
 
     - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
@@ -78,8 +94,9 @@ using the Universal Auth authentication method.
     Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
 
     ![identities project](/images/platform/identities/identities-project.png)
-    
+
     ![identities project create](/images/platform/identities/identities-project-create.png)
+
   </Step>
   <Step title="Accessing the Infisical API with the identity">
     To access the Infisical API as the identity, you should first perform a login operation
@@ -88,16 +105,16 @@ using the Universal Auth authentication method.
     
     #### Sample request
 
-    ```
+    ```bash Request
     curl --location --request POST 'https://app.infisical.com/api/v1/auth/universal-auth/login' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
-      --data-urlencode 'clientSecret=...' \
-      --data-urlencode 'clientId=...'
+      --data-urlencode 'clientId=...' \
+      --data-urlencode 'clientSecret=...'
     ```
-    
+
     #### Sample response
-    
-    ```
+
+    ```bash Response
     {
       "accessToken": "...",
       "expiresIn": 7200,
@@ -107,7 +124,7 @@ using the Universal Auth authentication method.
     ```
 
     Next, you can use the access token to authenticate with the [Infisical API](/api-reference/overview/introduction)
-    
+
     <Note>
       Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
       the default TTL is `7200` seconds which can be adjusted.
@@ -115,6 +132,7 @@ using the Universal Auth authentication method.
       If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
       a new access token should be obtained by performing another login operation.
     </Note>
+
   </Step>
 </Steps>
 
@@ -134,7 +152,8 @@ using the Universal Auth authentication method.
   
   In certain cases, you may want to extend the lifespan of an access token; to do so, you must set a max TTL parameter.
 
-  A token can be renewed any number of time and each call to renew it will extend the toke life by increments of access token TTL. 
-  Regardless of how frequently an access token is renewed, its lifespan remains bound to the maximum TTL determined at its creation
+A token can be renewed any number of time and each call to renew it will extend the toke life by increments of access token TTL.
+Regardless of how frequently an access token is renewed, its lifespan remains bound to the maximum TTL determined at its creation
+
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>