Deployment Steps
To successfully deploy an Infisical Gateway for use, follow these steps in order.1
Provision a Machine Identity
Create a machine identity with the correct permissions to create and manage gateways. This identity is used by the gateway to authenticate with Infisical and should be provisioned in advance.
The gateway supports several machine identity auth methods, as listed below. Choose the one that best fits your environment and set the corresponding environment variables when deploying the gateway.
Universal Auth
Universal Auth
Simple and secure authentication using client ID and client secret.Environment Variables:
INFISICAL_AUTH_METHOD=universal-authINFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<client-id>INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<client-secret>
Token Auth
Token Auth
Direct authentication using a machine identity access token.Environment Variables:
INFISICAL_TOKEN=<token>
Native Kubernetes
Native Kubernetes
Authentication using Kubernetes service account tokens.Environment Variables:
INFISICAL_AUTH_METHOD=kubernetesINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
Native AWS IAM
Native AWS IAM
Authentication using AWS IAM roles.Environment Variables:
INFISICAL_AUTH_METHOD=aws-iamINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
Native GCP ID Token
Native GCP ID Token
Authentication using GCP identity tokens.Environment Variables:
INFISICAL_AUTH_METHOD=gcp-id-tokenINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
GCP IAM
GCP IAM
Authentication using GCP service account keys.Environment Variables:
INFISICAL_AUTH_METHOD=gcp-iamINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>INFISICAL_GCP_SERVICE_ACCOUNT_KEY_FILE_PATH=<path-to-key-file>
Native Azure
Native Azure
Authentication using Azure managed identity.Environment Variables:
INFISICAL_AUTH_METHOD=azureINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
OIDC Auth
OIDC Auth
Authentication using OIDC identity tokens.Environment Variables:
INFISICAL_AUTH_METHOD=oidc-authINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>INFISICAL_JWT=<oidc-jwt>
JWT Auth
JWT Auth
Authentication using JWT tokens.Environment Variables:
INFISICAL_AUTH_METHOD=jwt-authINFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>INFISICAL_JWT=<jwt>
2
Set Up a Relay Server
Ensure a relay server is running and accessible before you deploy any gateways. You have two options:
- Managed relay (Infisical Cloud, US/EU only): Managed relays are only available for Infisical Cloud instances in the US and EU regions. If you are using Infisical Cloud in these regions, you can use the provided managed relay.
- Self-hosted relay: For all other cases, including all self-hosted and dedicated enterprise instances of Infisical, you must deploy your own relay server. You can also choose to deploy your own relay server when using Infisical Cloud if you require reduced geographic proximity to your target resources for lower latency or to reduce network congestion. For setup instructions, see the Relay Deployment Guide.
3
Install the Infisical CLI
Make sure the Infisical CLI is installed on the machine or environment where you plan to deploy the gateway. The CLI is required for gateway installation and management.See the CLI Installation Guide for instructions.
4
Configure Network & Firewall
Ensure your network and firewall settings allow the gateway to connect to all required services. All connections are outbound only; no inbound ports need to be opened.
For managed relays, allow outbound traffic to the provided relay server IP/hostname. For self-hosted relays, allow outbound traffic to your own relay server address.If you are in a corporate environment with strict egress filtering, ensure outbound TCP 2222 to relay servers and outbound HTTPS 443 to Infisical API endpoints are allowed.
| Protocol | Destination | Port | Purpose |
|---|---|---|---|
| TCP | Relay Server IP/Hostname | 2222 | SSH reverse tunnel establishment |
| TCP | Infisical instance host (US/EU, other) | 443 | API communication and certificate requests |
5
Select a Deployment Method
The Infisical CLI is used to install and start the gateway in your chosen environment. The CLI provides commands for both production and development scenarios, and supports a variety of options/flags to configure your deployment.To view all available flags and equivalent environment variables for gateway deployment, see the Gateway CLI Command Reference.
- Linux Server (Production)
- Kubernetes (Production)
- Development & Testing
For production deployments on Linux servers, install the Gateway as a systemd service so that it runs securely in the background and automatically restarts on failure or system reboot:
The systemd install command requires a Linux operating system with root/sudo
privileges.
6
Verify Your Gateway Deployment
After deployment, verify your gateway is working:
- Check logs for “Gateway started successfully” message indicating the gateway is running and connected to the relay
- Verify registration in the Infisical by visiting the Gateways section of your organization. The new gateway should appear with a recent heartbeat timestamp.
- Test connectivity by creating a resource in Infisical that uses the gateway to access a private service. Verify the resource can successfully connect through the gateway.
Frequently Asked Questions
Do I need to open any inbound ports on my firewall?
Do I need to open any inbound ports on my firewall?
No inbound ports need to be opened for gateways. The gateway only makes outbound connections:
- Outbound SSH to relay servers on port 2222
- Outbound HTTPS to Infisical API endpoints on port 443
- SSH reverse tunnels handle all communication - no return traffic configuration needed
How do I test network connectivity from the gateway?
How do I test network connectivity from the gateway?
Test relay connectivity and outbound API access from the gateway:
- Test SSH port to relay:
- Test outbound API access (replace with your Infisical domain if different):
How do I troubleshoot relay connectivity issues?
How do I troubleshoot relay connectivity issues?
If the gateway cannot connect to the relay:
- Verify the relay server is running and accessible
- Check firewall rules allow outbound connections on port 2222
- Confirm the relay name matches exactly
- Test SSH port to relay:
How do I troubleshoot authentication failures?
How do I troubleshoot authentication failures?
If you encounter authentication failures:
- Verify machine identity credentials are correct
- Check token expiration and renewal
- Ensure authentication method is properly configured
Where can I find gateway logs?
Where can I find gateway logs?
Check gateway logs for detailed error information:
- systemd service:
- Kubernetes:
- Local installation: Logs appear in the terminal where you started the gateway
Where is the gateway configuration file stored?
Where is the gateway configuration file stored?
For systemd-based installations, the gateway’s configuration file is stored at
/etc/infisical/gateway.conf. You may reference or inspect this file for troubleshooting advanced configuration issues.What happens if there is a network interruption?
What happens if there is a network interruption?
The gateway is designed to handle network interruptions gracefully:
- Automatic reconnection: The gateway will automatically attempt to reconnect to relay servers if the SSH connection is lost
- Connection retry logic: Built-in retry mechanisms handle temporary network outages without manual intervention
- Persistent SSH tunnels: SSH connections are automatically re-established when connectivity is restored
- Certificate rotation: The gateway handles certificate renewal automatically during reconnection
- Graceful degradation: The gateway logs connection issues and continues attempting to restore connectivity