
Infisical

Imported from Confluence

Content may be outdated. Verify before following any procedures. Last updated: December 2025

Login to Infisical

URL to login: Login
Choose “Continue with SAML” and enter digital-turbine-ou-ig as the organisation slug.

Create a new project

To create a new project, adjust the Terragrunt code and apply it:
appgrowthplatform (Gitlab)

After terragrunt apply, the project appears in the Infisical UI.

Deploy Gateway

Infisical Gateway is needed to reach private network endpoints such as Cloud SQL instances or GKE services.
1. Create Access Identities to allow connection to Infisical.
This should be TF code; for now it is done manually in the UI:
https://app.infisical.com/organization/identities/

2. Create GCP Token Auth


3. Create Service Account in GCP
We need a service account in GCP that Infisical will use.
The permission it needs is:

"roles/iam.serviceAccountTokenCreator"

  1. Create Identity to connect your Gateway

  2. Deploy Gateway Helm chart:
    appgrowthplatform (Gitlab)

Dynamic SQL Secret

Here is an example of an MR for the Terragrunt code:
appgrowthplatform (Gitlab)
To merge your request you need to pass these validation steps:
  1. Conventional Commits (conventionalcommits.org)
After those pipelines, a Terragrunt plan pipeline will run.

To manage Dynamic SQL Secrets you can use the custom TF module:
appgrowthplatform (Gitlab)
Do not forget to update the tags after the merge, or in the MR itself.

Access Control

Infisical is already integrated with Google SAML. To add new groups to the Google Infisical app you need CIT.
The integration automatically creates the Google groups in Infisical after the group's first login attempt.

Group assignment

After the group appears in Infisical, assign it to the project using the Default or a Custom Role.
For Offerwall Dev this was done manually in the UI for now, because we are using a Custom Role.

TBD: Import Roles to TF code:
appgrowthplatform (Gitlab)


How to create DB user

To create a dynamic DB user, click the Generate button, or open the secret itself and click Create New Lease.

The DB user for the Infisical integration was created manually in each DB; in the future we can move it into the current Terragrunt IaC process that creates the instance.
SQL used for the infisical user:

CREATE USER infisical WITH PASSWORD '******' CREATEROLE;
GRANT cloudsqlsuperuser TO infisical;

Prod Infisical user creation script:

CREATE USER infisical WITH ENCRYPTED PASSWORD '******' CREATEROLE NOSUPERUSER INHERIT;
GRANT ro_role TO infisical WITH ADMIN OPTION;
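The prod script above grants the integration user CREATEROLE without superuser and hands out ro_role WITH ADMIN OPTION, which is what lets Infisical mint short-lived users without owning the data itself. The following is an added example, not part of this page or of Infisical: it shows a minimal ro_role definition and the checks to run afterwards. The database name app_db and schema public are placeholders, and the last query assumes Infisical's lease users carry a VALID UNTIL expiry.

```sql
-- Added example (not from the original page). app_db and public are placeholders.
-- Run once per instance as the admin role (cloudsqlsuperuser on Cloud SQL).

-- 1. Role that dynamic users will inherit: read access only, no login.
CREATE ROLE ro_role NOLOGIN;
GRANT CONNECT ON DATABASE app_db TO ro_role;
GRANT USAGE ON SCHEMA public TO ro_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ro_role;
-- Tables created later in the schema get the same read-only grant.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ro_role;

-- 2. Integration user, as in the prod script: can create/drop roles, is not a
--    superuser, and may grant ro_role (ADMIN OPTION) but nothing wider.
CREATE USER infisical WITH ENCRYPTED PASSWORD '******' CREATEROLE NOSUPERUSER INHERIT;
GRANT ro_role TO infisical WITH ADMIN OPTION;

-- 3. Check: expect rolsuper = false and rolcreaterole = true for infisical.
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin
FROM pg_roles
WHERE rolname IN ('infisical', 'ro_role');

-- 4. Check: exactly one membership row for ro_role, with admin_option = true.
SELECT r.rolname AS role, m.rolname AS member, am.admin_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE r.rolname = 'ro_role';

-- 5. Inventory of lease users: members of ro_role other than the static ones.
--    A row with rolvaliduntil IS NULL here is a non-expiring user worth reviewing.
SELECT rolname, rolvaliduntil
FROM pg_roles
WHERE pg_has_role(rolname, 'ro_role', 'MEMBER')
  AND rolname NOT IN ('infisical', 'ro_role');
```

Re-run steps 3 to 5 after each instance is migrated into the Terragrunt process, so the dev-style cloudsqlsuperuser grant does not survive into prod.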

All DB credentials can be found in 1Password; search for "infisical".

Open Questions

  1. Audit Logs. (Currently we cannot identify who created the lease for a dynamic secret.)
  2. Prevent the Remove Lease permission for the role. (For now only Manage Leases is available, which allows everything.)
  3. Show the username in the Lease view for SQL credentials. (Add custom view field configuration.)