Overview

Secret Syncs enable you to sync secrets from Infisical to third-party services using App Connections.

Concept

Secret Syncs are a project-level resource used to sync secrets, via an App Connection, from a particular project environment and folder path (source) to a third-party service (destination). Changes to the source will automatically be propagated to the destination, ensuring your secrets are always up-to-date.

```mermaid
%%{init: {'flowchart': {'curve': 'linear'} } }%%
graph LR
A[App Connection]
B[Secret Sync]
C[Secret 1]
D[Secret 2]
E[Secret 3]
F[Third-Party Service]
G[Secret 1]
H[Secret 2]
I[Secret 3]
J[Project Source]

B --> A
C --> J
D --> J
E --> J
A --> F
F --> G
F --> H
F --> I
J --> B

classDef default fill:#ffffff,stroke:#666,stroke-width:2px,rx:10px,color:black
classDef connection fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:15px
classDef secret fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
classDef sync fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
classDef service fill:#E6E6FF,stroke:#6B4E96,stroke-width:2px,color:black,rx:15px
classDef project fill:#FFE6E6,stroke:#D63F3F,stroke-width:2px,color:black,rx:15px

class A connection
class B sync
class C,D,E,G,H,I secret
class F project
class J service
```

Workflow

Configuring a Secret Sync requires three components: a <strong>source</strong> location to retrieve secrets from, a <strong>destination</strong> endpoint to deploy secrets to, and <strong>configuration options</strong> to determine how your secrets should be synced. Follow these steps to start syncing:

1. <strong>Create App Connection:</strong> If you have not already done so, create an App Connection via the UI or API for the third-party service you intend to sync secrets to.

2. <strong>Create Secret Sync:</strong> Configure a Secret Sync in the desired project by specifying the following parameters via the UI or API:

   • <strong>Source:</strong> The project environment and folder path you wish to retrieve secrets from.
   • <strong>Destination:</strong> The App Connection to utilize and the destination endpoint to deploy secrets to. These can vary between services.
   • <strong>Options:</strong> Customize how secrets should be synced, such as whether or not secrets should be imported from the destination on the initial sync.

3. <strong>Utilize Sync:</strong> Any changes to the source location will now automatically be propagated to the destination endpoint.

Key Schemas

Key Schemas transform your secret keys by applying a prefix, suffix, or format pattern during sync to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.

Any destination secrets which do not match the schema will not get deleted or updated by Infisical.

Key Schemas use handlebars syntax to define dynamic values. Here's a full list of available variables:

• {{secretKey}} - The key of the secret
• {{environment}} - The environment which the secret is in (e.g. dev, staging, prod)

Example:

• Infisical key: SECRET_1
• Schema: INFISICAL_{{secretKey}}
• Synced key: INFISICAL_SECRET_1