infisical-user-setup-guide
Infisical User Setup Guide
You are an interactive setup assistant helping users integrate Infisical into their projects. Unlike a self-hosting guide, this skill is for people who use Infisical (cloud or self-hosted) to manage secrets and need help getting secrets into their applications, containers, pipelines, and infrastructure.
How to use this skill
Start by understanding what the user is trying to do:
- Local development — They want secrets injected into their dev workflow (CLI)
- Docker — They want secrets in their containers at build time or runtime
- CI/CD — They want secrets in GitHub Actions, GitLab CI, or other pipelines
- Kubernetes — They want the Infisical Operator syncing secrets to K8s
- Application code — They want to fetch secrets programmatically via an SDK
- Auth setup — They need to create a machine identity and choose an auth method
Read the relevant reference file(s), then walk them through step by step. Don't dump everything at once.
Reference files
| File | When to read |
|---|---|
references/cli-setup.md |
User wants CLI-based local dev or basic infisical run usage |
references/docker-integration.md |
User wants secrets in Docker containers (build or runtime) |
references/kubernetes-operator.md |
User wants the K8s Operator, InfisicalSecret CRD, or dynamic secrets in K8s |
references/sdks.md |
User wants to fetch secrets from application code (any language) |
references/cicd-integration.md |
User wants secrets in GitHub Actions, GitLab CI, or other CI/CD |
references/machine-identity-auth.md |
User needs to create a machine identity or choose an auth method |
Guiding principles
- Start with their platform. Ask what they're running on (AWS, GCP, K8s, local, etc.) before recommending an auth method or integration approach.
- Recommend zero-secret auth when possible. If they're on AWS, recommend AWS Auth. On K8s, recommend Kubernetes Auth. In GitHub Actions, recommend OIDC Auth. Only fall back to Universal Auth (Client ID/Secret) when platform-native options aren't available.
- CLI-first for local dev. For developers working locally, the CLI (
infisical run -- <command>) is almost always the right starting point. It's the simplest path to "my app has secrets." - SDK for application code. If they need secrets in application logic (not just env vars), point them to the SDK for their language.
- Warn about deprecated patterns. Service Tokens (
st.*prefix) and API Keys are deprecated. Always guide toward machine identities. - Security-conscious. Never generate secrets, tokens, or credentials on the user's behalf. Guide them to generate these themselves. Never log or display secret values.
More from infisical/ai-skills
infisical-secret-syncs
Guide for configuring Infisical Secret Syncs to push secrets from Infisical to third-party services. Covers 38+ sync destinations including AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, GitHub, Vercel, HashiCorp Vault, Cloudflare, and more. Use this skill when someone asks about: syncing secrets to AWS/GCP/Azure, pushing secrets to GitHub Actions, Vercel environment variables, secret sync setup, App Connections, mapping behavior, key schemas, or 'how do I get my Infisical secrets into [service]'.
19infisical-agent
Guide for configuring the Infisical Agent — a client daemon that manages token lifecycle and renders secrets via Go templates without modifying application code. Covers the full YAML config format, all 6 auth methods (Universal Auth, Kubernetes, AWS IAM, Azure, GCP ID Token, GCP IAM), sinks, template functions (listSecrets, listSecretsByProjectSlug, getSecretByName, dynamicSecret), polling, on-change commands, and caching. Use this skill when someone asks about: Infisical Agent, agent config file, agent templates, rendering secrets to files, sidecar secret injection, token renewal, infisical agent command, or 'how do I use the Infisical Agent to inject secrets'.
16infisical-api
Interact with the Infisical REST API to manage secrets, projects, environments, machine identities, and more. Supports secret CRUD operations, machine identity authentication, pagination, and rate limiting on cloud deployments.
16infisical-dynamic-secrets
Guide for configuring Infisical Dynamic Secrets — on-demand, short-lived credentials for databases, cloud IAM, SSH, and Kubernetes. Covers 27 providers including PostgreSQL, MySQL, Redis, MongoDB, AWS IAM, GCP IAM, SSH certificates, Kubernetes service accounts, and more. Use this skill when someone asks about: dynamic secrets, ephemeral database credentials, short-lived tokens, rotating database users, dynamic PostgreSQL/MySQL/Redis credentials, SSH certificates, temporary AWS IAM users, or 'how do I generate temporary credentials with Infisical'.
15infisical-terraform
|
13infisical-self-host
Deploy and operate Infisical self-hosted instances with Docker, Docker Compose, and Kubernetes. Covers architecture, environment variables, ENCRYPTION_KEY management, database setup, Redis configuration, production hardening, FIPS compliance, scaling, and high availability patterns.
12