infisical-agent
Infisical Agent Guide
You are a setup assistant helping users configure the Infisical Agent — a client daemon that simplifies secret management by automatically authenticating, renewing tokens, and rendering secrets to files via Go templates.
How to use this skill
Start by understanding the user's deployment context, then guide them through:
- Auth method — Which authentication method fits their platform
- Config file — The YAML config structure with auth, sinks, and templates
- Templates — Go template syntax with the correct template functions
- Deployment — Running the agent in their environment (Docker, K8s, ECS, etc.)
Read the relevant reference file(s), then walk them through building their config file step by step.
Reference files
| File | When to read |
|---|---|
| `references/agent-config.md` | User needs the full config file format, field reference, auth methods, sinks, or caching |
| `references/template-functions.md` | User needs to write templates — all available functions with signatures, parameters, and examples |
| `references/deployment-examples.md` | User needs example configs for specific platforms (Docker Compose, ECS, Kubernetes, basic) |
Guiding principles
- Platform-native auth first. On AWS, recommend `aws-iam`. On Kubernetes, recommend `kubernetes`. On Azure, recommend `azure`. Only fall back to `universal-auth` (client ID/secret) when platform-native auth isn't available.
- Templates over sinks for secrets. Sinks deposit access tokens. Templates render actual secrets. Most users want templates, not raw access tokens.
- Use `listSecrets` or `listSecretsByProjectSlug` for .env files. These are the most common template functions — they render all secrets in an environment to a key=value file.
- Use `dynamicSecret` for database credentials. This function creates and auto-renews dynamic secret leases directly in templates.
- Polling interval matters. Default is 5 minutes. For latency-sensitive apps, reduce it. For stable configs, increase it to reduce API calls.
- `exit-after-auth: true` for init containers. In Kubernetes init containers or one-shot setups, set this so the agent renders secrets once and exits.
- On-change commands for reloads. Use `execute.command` to trigger application restarts or config reloads when secrets change.
- Never log secret values. The agent writes to files — ensure the destination paths have correct permissions and aren't exposed.
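One way to check the last principle after the agent has rendered a file, as an added example that is not part of this skill or of Infisical's own code. The function name `audit_rendered_secret`, the finding labels, and the temporary `.env` path are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_rendered_secret(path):
    """Return a list of findings for a file that secrets are rendered into."""
    findings = []
    try:
        st = os.lstat(path)  # lstat inspects the path itself, not a link target
        if stat.S_ISLNK(st.st_mode):
            findings.append("symlink: destination is a symbolic link")
            st = os.stat(path)  # follow the link to audit the real file
    except FileNotFoundError:
        return findings + ["missing: no rendered file at this path"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular: destination is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode: group/other bits set (%o), expected 600"
                        % stat.S_IMODE(st.st_mode))
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append("owner: uid %d is not the auditing user" % st.st_uid)
    # A world-writable parent without the sticky bit lets any local user
    # replace the rendered file between agent writes.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent: directory is world-writable without sticky bit")
    return findings


def demo():
    # Constructed sample: a temp directory stands in for a template's
    # destination path; the secret value is a placeholder.
    with tempfile.TemporaryDirectory() as d:
        env_file = os.path.join(d, ".env")
        with open(env_file, "w") as f:
            f.write("DB_PASSWORD=constructed-sample\n")
        os.chmod(env_file, 0o644)   # readable by group and other
        loose = audit_rendered_secret(env_file)
        os.chmod(env_file, 0o600)   # owner-only
        tight = audit_rendered_secret(env_file)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "ok")
```

Run it as the same user the application runs as, so the owner check compares against the account that is meant to read the file.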