Skip to content
Latchkey

infisical run: Inject Infisical Secrets into a Command

infisical run pulls the secrets for a project environment and executes the command after -- with them exported into its environment.

Infisical is an open-source secrets manager whose CLI injects secrets at runtime. In CI you authenticate with a machine identity or service token instead of an interactive login.

What it does

infisical run fetches all secrets for the selected project and environment and runs the given command with those secrets set as environment variables. It resolves the project from a local .infisical.json or from flags.

Common usage

Terminal
export INFISICAL_TOKEN=$(infisical login --method=universal-auth \
  --client-id "$ID" --client-secret "$SECRET" --plain --silent)
infisical run --env=prod -- ./deploy.sh
infisical run --projectId=abc123 --env=staging -- npm start

Options

FlagWhat it does
-- <command>Command to run with secrets injected
--env <slug>Environment to read (e.g. dev, staging, prod)
--projectId <id>Project to read from (or use .infisical.json)
--token <token>Service/identity token (or set INFISICAL_TOKEN)
--path <path>Secret folder path within the environment

In CI

Authenticate with a machine identity via universal auth to mint a short-lived INFISICAL_TOKEN, rather than infisical login interactively. Pin --env and the project so the right scope loads, and prefer infisical run over exporting secrets to a file.

Common errors in CI

A "401" or "Unauthorized" from infisical run means INFISICAL_TOKEN is missing or expired; re-authenticate the machine identity. "Failed to fetch secrets" with a project error means the wrong --projectId/--env or no access for that identity. "no project found" means neither .infisical.json nor --projectId was provided.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →