infisical icon indicating copy to clipboard operation
infisical copied to clipboard
verified publisher icon Infisical

Multi-Path Secret Injection

Open slothyrulez opened this issue 1 month ago • 4 comments

Feature description

Add the ability to inject secrets from multiple paths in a single infisical run command.

Proposed usage:

infisical run --path="/" --path="/common" --path="/app1" -- npm run dev

This would allow secrets to be loaded from multiple paths. The system can use a precedence system based on the ordering of the --path arguments, where earlier paths override later ones for colliding keys. For example, if the same key exists in /common and /app1, the value from /common would be used since it appears before in the command, (or the other side).

Why would it be useful?

With monorepo applications, this feature becomes essential for organizing secrets and sharing common ones across multiple applications.

Benefits:

  • Avoid duplication: Define shared secrets once in a common path instead of duplicating them across application-specific paths
  • Better organization: Create a clear hierarchical structure (e.g., /common for shared secrets, /app1, /app2 for app-specific ones)
  • Easier maintenance: Update common secrets in one place rather than across multiple paths
  • Reduced errors: Eliminate manual duplication that leads to inconsistencies
  • Scalability: Manage secrets efficiently as the number of applications and environments grows
  • Flexible overrides: Application-specific paths can override common values when needed, thanks to the precedence system

Additional context

We have a common monorepo application that holds various applications (app1, app2, app3,...). These apps share around 75% of secrets. We have almost 20 environments, each one with /app1, /app2, and /app3 folders.

Current problem: We must duplicate ~75% of our secrets across 3 applications x environments. Any change to a shared secret requires updating it in a lot of places.

Desired structure: / # Common shared secrets (DATABASE_URL, REDIS_URL, etc.) /app1 # App1-specific overrides and unique secrets /app2 # App2-specific overrides and unique secrets /app3 # App3-specific overrides and unique secrets

Desired usage:

  infisical run --path="/" --path="/common" --path="/app1" -- npm run start:app1
  infisical run --path="/" --path="app2"  -- npm run start:app2
...

Precedence example: If DATABASE_URL exists in both / and /app2, the value from / will be used since it's specified before, allowing for environment-specific overrides while maintaining shared defaults.

slothyrulez avatar Oct 30 '25 11:10 slothyrulez

Can I please work on this issue?

nagxsan avatar Nov 05 '25 15:11 nagxsan

@nagxsan if you know how to implement it, why not?

slothyrulez avatar Nov 08 '25 07:11 slothyrulez

Thanks will try this and let you know the update

nagxsan avatar Nov 08 '25 10:11 nagxsan

For simplicity when using the CLI, I would like this feature as well. Path could be passed as a list, or allow glob matching paths like you can do in the policies. However there are two workarounds I've found:

  1. Where possible, use one of the SDKs rather than the CLI. You can do things like recursive fetches for filter on tags. But this is not always possible.
  2. Create a folder and use that as a "view". So if you have app1 that needs secrets from / and /common, create a folder /app1 containing all the secrets needed, with values referencing to ${dev.<secret>} or ${dev.common.<secret>}. Then app1 will run with infisical run --path="/app1" -- <cmd> and any updates to the secret values will propagate across 'views' (apps) and environments automatically.

kyzyl avatar Nov 12 '25 08:11 kyzyl