From 8f46a53104c71c56739ff6168809a25f04c20979 Mon Sep 17 00:00:00 2001
From: Ahmed Aburady
Date: Sat, 13 Jun 2026 21:35:09 +0400
Subject: [PATCH 1/2] fix(relay): support --enroll-method in systemd install

relay systemd install only wrote INFISICAL_TOKEN, so a systemd-managed relay always fell back to legacy machine-identity auth. Add --enroll-method (token|aws) and --relay-id to the install command, write the matching enrollment env vars to relay.conf, and add an INFISICAL_RELAY_ENROLLMENT_TOKEN env fallback in relay start so the flagless systemd invocation can read the token. Legacy behavior is unchanged when --enroll-method is omitted.

---
packages/cmd/relay.go | 52 ++++++++++++++++++++++++++++++++-------
packages/relay/enroll.go | 7 +++---
packages/relay/systemd.go | 39 ++++++++++++++++++++++-------
3 files changed, 77 insertions(+), 21 deletions(-)

diff --git a/packages/cmd/relay.go b/packages/cmd/relay.go
index ace0a7c8..4d7c4517 100644
--- a/packages/cmd/relay.go
+++ b/packages/cmd/relay.go
@@ -43,7 +43,7 @@ var relayStartCmd = &cobra.Command{
 enrollMethod, _ := cmd.Flags().GetString("enroll-method")
 if enrollMethod == "" {
- enrollMethod = os.Getenv("INFISICAL_RELAY_ENROLL_METHOD")
+ enrollMethod = os.Getenv(relay.INFISICAL_RELAY_ENROLL_METHOD_KEY)
 }
 if enrollMethod != "" && enrollMethod != relay.EnrollMethodToken && enrollMethod != relay.EnrollMethodAws {
 util.HandleError(fmt.Errorf("invalid --enroll-method %q: supported values are %q and %q",
@@ -112,6 +112,9 @@ var relayStartCmd = &cobra.Command{
 // --- Enrollment token path ---
 if enrollMethod == relay.EnrollMethodToken {
 enrollToken, _ := cmd.Flags().GetString("token")
+ if enrollToken == "" {
+ enrollToken = os.Getenv(relay.INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY)
+ }
 if enrollToken == "" {
 util.HandleError(errors.New("--token is required when --enroll-method=token"))
 }
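Review bot: The added fallback reads INFISICAL_RELAY_ENROLLMENT_TOKEN, but the error on the line after it still says only `--token is required when --enroll-method=token`, so an operator whose unit is missing the variable gets no hint that the env var is the expected source for a flagless systemd start. The legacy messages in this file name both sources (`--token flag or %s env must be set`); the same shape fits here: `util.HandleError(fmt.Errorf("--token flag or %s env must be set when --enroll-method=token", relay.INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY))`. The identical message is emitted by the systemd install hunks at `@@ -328,15 +335,40 @@` and `@@ -347,7 +347,11 @@`, where the same wording change applies. The enclosing Run function starts and ends outside this hunk.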
@@ -260,7 +263,9 @@ var relaySystemdCmd = &cobra.Command{
 Use: "systemd",
 Short: "Manage systemd service for Infisical relay",
 Long: "Manage systemd service for Infisical relay. Use 'systemd install' to install and enable the service.",
- Example: `sudo infisical relay systemd install --token= --name= --host=
+ Example: `sudo infisical relay systemd install --enroll-method=token --token= --name= --host=
+ sudo infisical relay systemd install --enroll-method=aws --relay-id= --name= --host=
+ sudo infisical relay systemd install --token= --name= --host=
 sudo infisical relay systemd install --type=instance --name= --host= --relay-auth-secret=
 sudo infisical relay systemd uninstall`,
 DisableFlagsInUseLine: true,
@@ -271,7 +276,9 @@ var relaySystemdInstallCmd = &cobra.Command{
 Use: "install",
 Short: "Install and enable systemd service for the relay (requires sudo)",
 Long: "Install and enable systemd service for the relay. Must be run with sudo on Linux.",
- Example: `sudo infisical relay systemd install --token= --name= --host=
+ Example: `sudo infisical relay systemd install --enroll-method=token --token= --name= --host=
+ sudo infisical relay systemd install --enroll-method=aws --relay-id= --name= --host=
+ sudo infisical relay systemd install --token= --name= --host=
 sudo infisical relay systemd install --type=instance --name= --host= --relay-auth-secret=`,
 DisableFlagsInUseLine: true,
 Args: cobra.NoArgs,
@@ -328,15 +335,40 @@ var relaySystemdInstallCmd = &cobra.Command{
 util.HandleError(err, "Unable to parse log-file flag")
 }
- if instanceType == "instance" && relayAuthSecret == "" {
- util.HandleError(fmt.Errorf("for type 'instance', --relay-auth-secret flag or %s env must be set", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME))
+ enrollMethod, err := cmd.Flags().GetString("enroll-method")
+ if err != nil {
+ util.HandleError(err, "Unable to parse enroll-method flag")
+ }
+
+ relayID, err := util.GetCmdFlagOrEnvWithDefaultValue(cmd, "relay-id", []string{relay.INFISICAL_RELAY_ID_KEY}, "")
+ if err != nil {
+ util.HandleError(err, "Unable to parse relay-id flag or env")
 }
- if instanceType != "instance" && token == "" {
- util.HandleError(fmt.Errorf("for type '%s', --token flag or %s env must be set", instanceType, gatewayv2.INFISICAL_TOKEN_ENV_NAME))
+ switch enrollMethod {
+ case relay.EnrollMethodToken:
+ // token is treated as a one-time enrollment token rather than a machine-identity token.
+ if token == "" {
+ util.HandleError(fmt.Errorf("--token is required when --enroll-method=token"))
+ }
+ case relay.EnrollMethodAws:
+ if relayID == "" {
+ util.HandleError(fmt.Errorf("--relay-id is required when --enroll-method=aws"))
+ }
+ case "":
+ // Legacy machine-identity auth.
+ if instanceType == "instance" && relayAuthSecret == "" {
+ util.HandleError(fmt.Errorf("for type 'instance', --relay-auth-secret flag or %s env must be set", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME))
+ }
+
+ if instanceType != "instance" && token == "" {
+ util.HandleError(fmt.Errorf("for type '%s', --token flag or %s env must be set", instanceType, gatewayv2.INFISICAL_TOKEN_ENV_NAME))
+ }
+ default:
+ util.HandleError(fmt.Errorf("invalid --enroll-method %q: supported values are %q and %q", enrollMethod, relay.EnrollMethodToken, relay.EnrollMethodAws))
 }
- if err := relay.InstallRelaySystemdService(token, domain, name, host, instanceType, relayAuthSecret, serviceLogFile); err != nil {
+ if err := relay.InstallRelaySystemdService(token, domain, name, host, instanceType, relayAuthSecret, serviceLogFile, enrollMethod, relayID); err != nil {
 util.HandleError(err, "Failed to install relay systemd service")
 }
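Review bot: `enrollMethod` is read only from the flag via `cmd.Flags().GetString("enroll-method")`, while `relayID` a few lines below uses `util.GetCmdFlagOrEnvWithDefaultValue` with `relay.INFISICAL_RELAY_ID_KEY`, and `relay start` (first hunk of this file) falls back to `relay.INFISICAL_RELAY_ENROLL_METHOD_KEY`; the install command is therefore the only place where the env var is ignored. Reading it the same way keeps the two commands symmetric: `enrollMethod, err := util.GetCmdFlagOrEnvWithDefaultValue(cmd, "enroll-method", []string{relay.INFISICAL_RELAY_ENROLL_METHOD_KEY}, "")`. Separately, when `--enroll-method` is token or aws, `--type=instance` and `--relay-auth-secret` are accepted without comment and passed through to InstallRelaySystemdService even though neither new branch validates them; if those modes are not meant for instance-type relays, rejecting the combination here would avoid installing a unit whose auth settings are incomplete — I cannot confirm the intended matrix from this hunk. The enclosing Run function begins and ends outside the hunk.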
@@ -389,13 +421,15 @@ func init() {
 relayStartCmd.Flags().String("jwt", "", "JWT for jwt-based auth methods [oidc-auth, jwt-auth]")
 // systemd install command flags
- relaySystemdInstallCmd.Flags().String("token", "", "Connect with Infisical using machine identity access token (org type)")
+ relaySystemdInstallCmd.Flags().String("token", "", "Connect with Infisical using machine identity access token, or a one-time enrollment token when --enroll-method=token")
 relaySystemdInstallCmd.Flags().String("log-file", "", "The file to write the service logs to. Example: /var/log/infisical/relay.log. If not provided, logs will not be written to a file.")
 relaySystemdInstallCmd.Flags().String("domain", "", "Domain of your self-hosted Infisical instance")
 relaySystemdInstallCmd.Flags().String("name", "", "The name of the relay")
 relaySystemdInstallCmd.Flags().String("host", "", "The IP or hostname for the relay")
 relaySystemdInstallCmd.Flags().String("type", "org", "The type of relay to run. Defaults to 'org'")
 relaySystemdInstallCmd.Flags().String("relay-auth-secret", "", "Relay auth secret (required for type=instance if env not set)")
+ relaySystemdInstallCmd.Flags().String("enroll-method", "", "relay auth method [token, aws]. when set to 'token', uses --token as a one-time enrollment token. when set to 'aws', authenticates via signed STS GetCallerIdentity using --relay-id")
+ relaySystemdInstallCmd.Flags().String("relay-id", "", "relay id (required when --enroll-method=aws)")
 relaySystemdCmd.AddCommand(relaySystemdInstallCmd)
 relaySystemdCmd.AddCommand(relaySystemdUninstallCmd)
diff --git a/packages/relay/enroll.go b/packages/relay/enroll.go
index e37898bb..b69fbeec 100644
--- a/packages/relay/enroll.go
+++ b/packages/relay/enroll.go
@@ -12,10 +12,11 @@ const (
 EnrollMethodToken = "token"
 EnrollMethodAws = "aws"
- INFISICAL_RELAY_ACCESS_TOKEN_KEY = "INFISICAL_RELAY_ACCESS_TOKEN"
- INFISICAL_RELAY_DOMAIN_KEY = "INFISICAL_RELAY_DOMAIN"
+ INFISICAL_RELAY_ACCESS_TOKEN_KEY = "INFISICAL_RELAY_ACCESS_TOKEN"
+ INFISICAL_RELAY_DOMAIN_KEY = "INFISICAL_RELAY_DOMAIN"
 INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY = "INFISICAL_RELAY_ENROLLMENT_TOKEN"
- INFISICAL_RELAY_ID_KEY = "INFISICAL_RELAY_ID"
+ INFISICAL_RELAY_ID_KEY = "INFISICAL_RELAY_ID"
+ INFISICAL_RELAY_ENROLL_METHOD_KEY = "INFISICAL_RELAY_ENROLL_METHOD"
 )
 func relayConfPath(name string) (string, error) {
diff --git a/packages/relay/systemd.go b/packages/relay/systemd.go
index 782b8f7b..52ee24e1 100644
--- a/packages/relay/systemd.go
+++ b/packages/relay/systemd.go
@@ -13,9 +13,14 @@ import (
 )
 // InstallRelaySystemdService installs the systemd unit and writes configuration for the relay.
-// token is used for org-type relays (written as INFISICAL_TOKEN). For instance-type relays,
-// relayAuthSecret is written as INFISICAL_RELAY_AUTH_SECRET.
-func InstallRelaySystemdService(token string, domain string, name string, host string, instanceType string, relayAuthSecret string, serviceLogFile string) error {
+//
+// The auth variables written depend on enrollMethod:
+// - "" (legacy): token is written as INFISICAL_TOKEN for org-type relays, or
+// relayAuthSecret as INFISICAL_RELAY_AUTH_SECRET for instance-type relays.
+// - "token": token is treated as a one-time enrollment token and written as
+// INFISICAL_RELAY_ENROLLMENT_TOKEN alongside INFISICAL_RELAY_ENROLL_METHOD.
+// - "aws": relayID is written as INFISICAL_RELAY_ID alongside INFISICAL_RELAY_ENROLL_METHOD.
+func InstallRelaySystemdService(token string, domain string, name string, host string, instanceType string, relayAuthSecret string, serviceLogFile string, enrollMethod string, relayID string) error {
 if runtime.GOOS != "linux" {
 log.Info().Msg("Skipping systemd service installation - not on Linux")
 return nil
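Review bot: The new signature takes nine positional `string` parameters, with `enrollMethod` and `relayID` appended after `serviceLogFile`, so a transposed argument at the call site compiles silently and lands in relay.conf under the wrong key (a token written as INFISICAL_RELAY_ID, for example). A small options struct with one named field per value, passed as the single argument, would make the call site self-describing and let future auth modes add a field instead of a tenth parameter; that rewrite touches the signature, the body and the caller, so it is described rather than quoted. The function body continues past the end of the hunk.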
@@ -44,13 +49,29 @@ func InstallRelaySystemdService(token string, domain string, name string, host s
 }
 // Auth settings
- if instanceType == "instance" {
- if relayAuthSecret != "" {
- configContent += fmt.Sprintf("%s=%s\n", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME, relayAuthSecret)
- }
- } else {
+ switch enrollMethod {
+ case EnrollMethodToken:
+ // token is a one-time enrollment token; relay start exchanges it for an access token on first boot.
+ configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLL_METHOD_KEY, enrollMethod)
 if token != "" {
- configContent += fmt.Sprintf("INFISICAL_TOKEN=%s\n", token)
+ configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY, token)
+ }
+ case EnrollMethodAws:
+ // relay start authenticates via signed STS GetCallerIdentity using the relay id.
+ configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLL_METHOD_KEY, enrollMethod)
+ if relayID != "" {
+ configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ID_KEY, relayID)
+ }
+ default:
+ // Legacy machine-identity auth (unchanged).
+ if instanceType == "instance" {
+ if relayAuthSecret != "" {
+ configContent += fmt.Sprintf("%s=%s\n", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME, relayAuthSecret)
+ }
+ } else {
+ if token != "" {
+ configContent += fmt.Sprintf("%s=%s\n", gatewayv2.INFISICAL_TOKEN_ENV_NAME, token)
+ }
+ }
 }
From f10a438aa90de52358c6d8f5336cafea32d086a2 Mon Sep 17 00:00:00 2001
From: Ahmed Aburady
Date: Sat, 13 Jun 2026 22:09:07 +0400
Subject: [PATCH 2/2] fix(relay): use INFISICAL_RELAY_ENROLLMENT_TOKEN fallback in systemd install token mode

---
packages/cmd/relay.go | 7 +++++--
packages/relay/systemd.go | 14 +++----------
2 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/packages/cmd/relay.go b/packages/cmd/relay.go
index 4d7c4517..9c4b6f91 100644
--- a/packages/cmd/relay.go
+++ b/packages/cmd/relay.go
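Review bot: The `default` arm of the new switch treats any value that is neither `token` nor `aws` as legacy machine-identity auth, so this exported function silently writes INFISICAL_TOKEN when a caller passes a misspelt method; the cmd layer rejects such values today, but this function is the one that owns what ends up in relay.conf and should fail closed on its own. Making the legacy path explicit does that in two lines: `case "":` in front of the legacy block and `default:` returning `fmt.Errorf("unsupported enroll method %q", enrollMethod)`. The new lines also write `enrollMethod`, `token` and `relayID` into the file unquoted via `%s=%s\n`, so a value containing a newline becomes an additional line of the file the unit reads; a guard such as `if strings.ContainsAny(token+relayID, "\r\n") { return fmt.Errorf("enrollment values must not contain line breaks") }` before the switch rejects that class of input (the legacy INFISICAL_TOKEN write has the same property, so it is not new). INFISICAL_RELAY_ENROLLMENT_TOKEN is a credential in the same way INFISICAL_TOKEN is, so the file mode applied to relay.conf, which is set outside this hunk, should be confirmed to stay owner-only now that it can hold the enrollment token. The function continues outside the hunk in both directions.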
@@ -347,7 +347,11 @@ var relaySystemdInstallCmd = &cobra.Command{
 switch enrollMethod {
 case relay.EnrollMethodToken:
- // token is treated as a one-time enrollment token rather than a machine-identity token.
+ // --token is an enrollment token here; fall back to INFISICAL_RELAY_ENROLLMENT_TOKEN
+ // (not INFISICAL_TOKEN) when the flag is unset, matching `relay start`.
+ if !cmd.Flags().Changed("token") {
+ token = os.Getenv(relay.INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY)
+ }
 if token == "" {
 util.HandleError(fmt.Errorf("--token is required when --enroll-method=token"))
 }
@@ -356,7 +360,6 @@ var relaySystemdInstallCmd = &cobra.Command{
 util.HandleError(fmt.Errorf("--relay-id is required when --enroll-method=aws"))
 }
 case "":
- // Legacy machine-identity auth.
 if instanceType == "instance" && relayAuthSecret == "" {
 util.HandleError(fmt.Errorf("for type 'instance', --relay-auth-secret flag or %s env must be set", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME))
 }
diff --git a/packages/relay/systemd.go b/packages/relay/systemd.go
index 52ee24e1..58f8f93e 100644
--- a/packages/relay/systemd.go
+++ b/packages/relay/systemd.go
@@ -12,14 +12,9 @@ import (
 "github.com/rs/zerolog/log"
 )
-// InstallRelaySystemdService installs the systemd unit and writes configuration for the relay.
-//
-// The auth variables written depend on enrollMethod:
-// - "" (legacy): token is written as INFISICAL_TOKEN for org-type relays, or
-// relayAuthSecret as INFISICAL_RELAY_AUTH_SECRET for instance-type relays.
-// - "token": token is treated as a one-time enrollment token and written as
-// INFISICAL_RELAY_ENROLLMENT_TOKEN alongside INFISICAL_RELAY_ENROLL_METHOD.
-// - "aws": relayID is written as INFISICAL_RELAY_ID alongside INFISICAL_RELAY_ENROLL_METHOD.
+// InstallRelaySystemdService installs the systemd unit and writes the relay config. The auth
+// variables written depend on enrollMethod: "token" writes INFISICAL_RELAY_ENROLLMENT_TOKEN,
+// "aws" writes INFISICAL_RELAY_ID, and "" (legacy) writes INFISICAL_TOKEN or INFISICAL_RELAY_AUTH_SECRET.
 func InstallRelaySystemdService(token string, domain string, name string, host string, instanceType string, relayAuthSecret string, serviceLogFile string, enrollMethod string, relayID string) error {
 if runtime.GOOS != "linux" {
 log.Info().Msg("Skipping systemd service installation - not on Linux")
@@ -51,19 +46,16 @@ func InstallRelaySystemdService(token string, domain string, name string, host s
 // Auth settings
 switch enrollMethod {
 case EnrollMethodToken:
- // token is a one-time enrollment token; relay start exchanges it for an access token on first boot.
 configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLL_METHOD_KEY, enrollMethod)
 if token != "" {
 configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLLMENT_TOKEN_KEY, token)
 }
 case EnrollMethodAws:
- // relay start authenticates via signed STS GetCallerIdentity using the relay id.
 configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ENROLL_METHOD_KEY, enrollMethod)
 if relayID != "" {
 configContent += fmt.Sprintf("%s=%s\n", INFISICAL_RELAY_ID_KEY, relayID)
 }
 default:
- // Legacy machine-identity auth (unchanged).
 if instanceType == "instance" {
 if relayAuthSecret != "" {
 configContent += fmt.Sprintf("%s=%s\n", gatewayv2.RELAY_AUTH_SECRET_ENV_NAME, relayAuthSecret)