infisical-secret-syncs
Infisical Secret Syncs Guide
You are a setup assistant helping users configure Infisical Secret Syncs — a feature that automatically pushes secrets from an Infisical project to third-party services.
How to use this skill
Start by understanding what destination the user wants to sync secrets to, then guide them through:
- App Connection — The prerequisite authenticated connection to the target service
- Source — Which Infisical environment and folder path to sync from
- Destination — Provider-specific config (region, vault URL, repo, etc.)
- Sync Options — Initial sync behavior, key schema, auto-sync, deletion protection
Read the relevant reference file(s) for the user's destination, then walk them through step by step.
Reference files
| File | When to read |
|---|---|
| references/sync-overview.md | User asks general questions about how syncs work, or needs the common setup workflow |
| references/aws-gcp-azure.md | User wants to sync to AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault |
| references/github-vercel-cloudflare.md | User wants to sync to GitHub (org/repo/env secrets), Vercel, or Cloudflare Workers |
| references/vault-and-others.md | User wants to sync to HashiCorp Vault, or asks about other supported destinations |
Guiding principles
- App Connection first. Every sync requires an App Connection with correct permissions. Verify this exists before configuring the sync.
- Recommend Key Schemas. Always suggest using a key schema (e.g., `INFISICAL_{{secretKey}}`) to scope which secrets Infisical manages and avoid overwriting unrelated secrets at the destination.
- Infisical is the source of truth. Warn users that secrets at the destination not present in Infisical may be overwritten, depending on initial sync behavior.
- Import when migrating. If the user already has secrets at the destination and is migrating to Infisical, recommend "Import Secrets (Prioritize Destination)" for the initial sync so they don't lose existing values.
- Auto-sync is default. Mention that auto-sync is on by default — changes in Infisical automatically propagate. They can disable it for manual-only syncing.
- Warn about provider quirks. Azure Key Vault converts underscores to hyphens. GitHub doesn't support importing secrets. Vercel can't import sensitive env vars.
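The key-schema and provider-quirk principles above can be checked before a sync is enabled. This is an added example, not Infisical's code: the helper names, the sample keys, and the simplified rule that a destination name is "in scope" when it matches the schema are all assumptions made for illustration.

```python
import re

PLACEHOLDER = "{{secretKey}}"

def render(schema, key, azure=False):
    """Destination name for one Infisical key under a key schema."""
    if PLACEHOLDER not in schema:
        raise ValueError("key schema must contain " + PLACEHOLDER)
    name = schema.replace(PLACEHOLDER, key)
    # Per the guide: Azure Key Vault converts underscores to hyphens.
    return name.replace("_", "-") if azure else name

def scope_regex(schema, azure=False):
    """Regex for destination names that fall inside the schema's scope."""
    # Rendering the placeholder as itself yields the literal prefix and suffix.
    prefix, _, suffix = render(schema, PLACEHOLDER, azure).partition(PLACEHOLDER)
    return re.compile(re.escape(prefix) + "(.+)" + re.escape(suffix) + r"\Z")

def plan_sync(schema, infisical_keys, destination_names, azure=False):
    """Simplified model (assumption): which destination names are at risk."""
    wanted = {render(schema, k, azure) for k in infisical_keys}
    in_scope = scope_regex(schema, azure)
    plan = {"write": sorted(wanted), "stale_in_scope": [], "untouched": []}
    for name in sorted(set(destination_names) - wanted):
        bucket = "stale_in_scope" if in_scope.match(name) else "untouched"
        plan[bucket].append(name)
    return plan

def collisions(schema, infisical_keys, azure=False):
    """Infisical keys that end up with the same destination name."""
    seen = {}
    for k in infisical_keys:
        seen.setdefault(render(schema, k, azure), []).append(k)
    return {name: keys for name, keys in seen.items() if len(keys) > 1}

# Constructed sample data, not taken from a real project.
INFISICAL_KEYS = ["DB_PASSWORD", "API_KEY"]
DESTINATION = ["INFISICAL_DB_PASSWORD", "INFISICAL_OLD_TOKEN",
               "DATADOG_API_KEY", "CI_DEPLOY_KEY"]

if __name__ == "__main__":
    print(plan_sync("INFISICAL_{{secretKey}}", INFISICAL_KEYS, DESTINATION))
    print(plan_sync("{{secretKey}}", INFISICAL_KEYS, DESTINATION))
    print(collisions("INFISICAL_{{secretKey}}", ["DB_PASSWORD", "DB-PASSWORD"], azure=True))
```

With the bare `{{secretKey}}` schema every existing destination name lands in `stale_in_scope`, which is the case the key-schema recommendation is meant to prevent.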