feat(secret-manager): dynamic secret support for proxied services#7288
feat(secret-manager): dynamic secret support for proxied services#7288saifsmailbox98 wants to merge 14 commits into
Conversation
Let a proxied-service credential reference a dynamic secret instead of a static secret. The agent proxy mints a per-agent lease and injects a chosen output field into headers or substitutions. Backend: - migration: add dynamicSecretName/dynamicSecretField/dynamicSecretConfig to proxied_service_credentials, make secretKey nullable (exactly-one XOR) - provider output registry (provider -> injectable fields + lease config) - validation: creator must hold Lease on the referenced dynamic secret, field must be valid for the provider, plan.dynamicSecret gated - list/get responses carry callerCanLease + projectSlug; audit logs record referenced dynamic secret names - Agent Proxy built-in role gains Lease on dynamic secrets Frontend: - grouped drill-in secret picker (secrets + dynamic secrets -> output field) - lease-output modal driven by the shared provider registry - dynamic badge in the overview row Docs: dynamic secrets section on the proxied services page.
- SSH: add a principals lease input (comma-separated) and map it through save/edit round-trip, so SSH-backed credentials can be fully configured - render lease inputs by their kind (string vs string[]) instead of assuming namespace - preserve leaseConfig when re-selecting a single-field dynamic secret
|
💬 Discussion in Slack: #pr-review-infisical-7288-feat-secret-manager-dynamic-secret-support-for-proxied Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel. |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
|
| Filename | Overview |
|---|---|
| backend/src/ee/services/dynamic-secret/providers/dynamic-secret-provider-outputs.ts | Adds the backend provider output registry used to validate dynamic-secret credential fields. |
| frontend/src/hooks/api/dynamicSecret/providerOutputs.ts | Adds the frontend mirror for provider output labels and lease input rendering. |
| backend/src/ee/services/proxied-service/proxied-service-service.ts | Adds dynamic-secret lookup, permission checks, field validation, lease config validation, and callerCanLease decoration. |
| frontend/src/components/proxied-services/forms/CredentialSourceFields.tsx | Adds the combined static and dynamic credential source picker with output-field drill-in. |
| frontend/src/components/proxied-services/forms/ProxiedServiceForm.tsx | Maps persisted and form credential sources between static secrets and dynamic secret references. |
| docs/documentation/platform/agent-proxy/proxied-services.mdx | Documents dynamic-secret-backed proxied-service credentials and lease behavior. |
Reviews (1): Last reviewed commit: "fix(secret-manager): address review for ..." | Re-trigger Greptile
PR overviewAll previously flagged issues have been addressed. No open security concerns remain on this pull request. Security reviewNo open security issues remain on this pull request. Fixed/addressed: 2 · PR risk: 0/10 |
- lease config (k8s namespace, ssh principals) is collected once per dynamic secret and fanned out to every credential that references it, instead of per-credential; the backend rejects divergent configs for the same secret so basic-auth username/password can't end up minting separate leases - validate ssh principals at save time (at least one, and each in the dynamic secret's allowed list) so a broken config fails the save instead of failing later in the proxy - use the shared CreatableSelect tag input for principals; align the secret picker drill chevrons into a single trailing slot shared with the tick - drop the overview "Dynamic" badge; tidy the dynamic secret settings copy - docs: correct which providers actually work over HTTP brokering
- correct the provider-outputs comment: any listed field is injectable and it's the user's choice; we don't distinguish credential fields from metadata or recommend any (the "frontend marks recommended vs metadata" claim was never true) - drop the docs note that steered users toward/away from specific provider fields
…ring in the roles reference
akhilmhdh
left a comment
There was a problem hiding this comment.
Application testing pending. Some minor suggestions
…secret-support # Conflicts: # backend/src/ee/services/permission/default-roles.ts # backend/src/ee/services/proxied-service/proxied-service-schemas.test.ts # frontend/src/components/proxied-services/forms/schema.ts
…HTTP-brokerable dynamic secrets
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 34885932 | Triggered | Generic Password | 4d267c5 | frontend/src/components/proxied-services/forms/brokerableDynamicSecrets.ts | View secret |
| 34885932 | Triggered | Generic Password | 4d267c5 | backend/src/ee/services/proxied-service/proxied-service-brokerable-outputs.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Context
A proxied-service credential can now point at a dynamic secret instead of a static one. When an agent connects, the proxy mints a per-agent lease and injects a chosen output field (generated username, password, token, etc.) into the outgoing headers or substitutions, so brokered credentials become short-lived and per-agent instead of shared static values. Builds on the secrets brokering work in #7246. CLI PR: Infisical/cli#314.
Data model: a credential now references exactly one of a static secret or a dynamic secret (XOR). The migration adds
dynamicSecretName/dynamicSecretField/dynamicSecretConfigand makessecretKeynullable. A provider output registry maps each dynamic secret provider to its injectable fields and lease config, and is shared between backend validation and the frontend picker so the two never drift.Validation & permissions: on save, the creator must hold
Leaseon the referenced dynamic secret, the chosen field must be valid for that provider, and the whole feature is gated onplan.dynamicSecret. List/get responses carrycallerCanLease+projectSlug, audit logs record the referenced dynamic secret names, and the built-in Agent Proxy role gainsLease.Frontend: the secret picker becomes a grouped drill-in (static secrets and dynamic secrets → output field), with a lease-output modal driven by the shared registry and a dynamic badge in the overview row. SSH-backed credentials also get a
principalslease input (comma-separated), and lease inputs render by their kind (stringvsstring[]).Docs: a dynamic secrets section on the proxied services page.
Screenshots
Steps to verify the change
Type
Checklist
type(scope): short description(scope is optional, e.g.,fix: prevent crash on syncorfix(api): handle null response).