docs/sdks/languages/rust.mdx
If you're working with Rust, the official Infisical Rust SDK package is the easiest way to fetch and work with secrets for your application.
cargo add infisical
The easiest way to get started is to use the builder pattern for both the client and your requests.
use infisical::{AuthMethod, Client, InfisicalError, encode_base64, decode_base64};
use infisical::secrets::GetSecretRequest;
async fn fetch_secret() -> Result<(), InfisicalError> {
// 1. Build the client. You can chain methods to configure it.
let mut client = Client::builder()
.base_url("https://app.infisical.com") // Optional: defaults to https://app.infisical.com
.build()
.await?;
// 2. Set up your authentication method and log in.
let auth_method = AuthMethod::new_universal_auth("<your-client-id>", "<your-client-secret>");
client.login(auth_method).await?;
// 3. Build a request to get a secret.
// Required parameters (name, project_id, environment) are passed to `builder()`.
let request = GetSecretRequest::builder("API_KEY", "<your-project-id>", "dev")
.path("/") // Optional parameters are set with builder methods.
.build();
// 4. Make the API call.
let secret = client.secrets().get(request).await?;
println!("Fetched secret key: {}", secret.secret_key);
// For security, avoid printing the secret value in production code!
// println!("Secret value: {}", secret.secret_value);
Ok(())
}
The Client::builder() provides several configuration options:
let mut client = Client::builder()
.base_url("https://app.infisical.com") // Optional: set custom Infisical instance URL
.build()
.await?;
Parameters
.base_url(url): Optional method to set the Infisical instance URL. Defaults to https://app.infisical.com for Infisical Cloud. Use https://eu.infisical.com for EU and http://localhost:8080 for local development.The SDK methods are organized into the following high-level categories:
Client::builder(): The main entry point for creating a client.client.login(): Allows client to make authenticated requests to the API.client.secrets(): Provides access to all CRUD operations for secrets.client.kms(): Provides access to all KMS (Key Management Service) operations.The SDK provides utility functions for common operations:
use infisical::{encode_base64, decode_base64};
// Base64 encode a string
let encoded = encode_base64("sensitive data");
println!("Encoded: {}", encoded);
// Base64 decode a string
let decoded = decode_base64(&encoded)?;
println!("Decoded: {}", decoded);
Available Functions
encode_base64(data: &str) -> String: Encodes a string as base64decode_base64(data: &str) -> Result<String, InfisicalError>: Decodes a base64 stringsecretsAll secret operations are accessed via client.secrets(). Each operation has a dedicated request builder.
Create a new secret in your project.
Example
use infisical::secrets::CreateSecretRequest;
let request = CreateSecretRequest::builder(
"API_KEY",
"your-secret-value",
"<your-project-id>",
"dev"
)
.path("/")
.secret_comment("A comment for the new secret")
.build();
let created_secret = client.secrets().create(request).await?;
Parameters
secret_name, secret_value, project_id, environment: Required parameters passed to the builder() function..path(path): Optional method to set the secret's path (defaults to /)..secret_comment(comment): Optional method to add a comment..skip_multiline_encoding(bool): Optional method to control multiline encoding (defaults to false)..r#type(type): Optional method to set the secret type (shared or personal), defaults to shared.Retrieve a specific secret by name.
Example
use infisical::secrets::GetSecretRequest;
let request = GetSecretRequest::builder("API_KEY", "<your-project-id>", "dev")
.path("/")
.build();
let secret = client.secrets().get(request).await?;
Parameters
secret_name, project_id, environment: Required parameters passed to the builder() function..path(path): Optional method to set the secret's path (defaults to /)..expand_secret_references(bool): Optional method to control secret reference expansion (defaults to true)..r#type(type): Optional method to set the secret type (shared or personal), defaults to shared.List all secrets in a project and environment.
Example
use infisical::secrets::ListSecretsRequest;
let request = ListSecretsRequest::builder("<your-project-id>", "dev")
.path("/")
.recursive(true)
.build();
let secrets = client.secrets().list(request).await?;
Parameters
project_id, environment: Required parameters passed to the builder() function..path(path): Optional method to set the path from which to list secrets (defaults to /)..expand_secret_references(bool): Optional method to control secret reference expansion (defaults to true)..recursive(bool): Optional method to recursively list secrets from sub-folders (defaults to false)..attach_to_process_env(bool): Optional method to attach fetched secrets to the current process's environment variables (defaults to false).Update an existing secret.
Example
use infisical::secrets::UpdateSecretRequest;
let request = UpdateSecretRequest::builder("API_KEY", "<your-project-id>", "dev")
.secret_value("new-secret-value") // Set the new value
.build();
let updated_secret = client.secrets().update(request).await?;
Parameters
secret_name, project_id, environment: Required parameters passed to the builder() function..new_secret_name(name): Optional method to rename the secret..secret_value(value): Optional method to set a new value for the secret..path(path): Optional method to set the secret's path..secret_comment(comment): Optional method to add or change the comment..skip_multiline_encoding(bool): Optional method to control multiline encoding..r#type(type): Optional method to set the secret type (shared or personal).Delete a secret from your project.
Example
use infisical::secrets::DeleteSecretRequest;
let request = DeleteSecretRequest::builder("API_KEY", "<your-project-id>", "dev")
.path("/")
.build();
let deleted_secret = client.secrets().delete(request).await?;
Parameters
secret_name, project_id, environment: Required parameters passed to the builder() function..path(path): Optional method to set the secret's path (defaults to /)..r#type(type): Optional method to set the secret type (shared or personal), defaults to shared.kmsAll KMS (Key Management Service) operations are accessed via client.kms(). Each operation has a dedicated request builder.
List all KMS keys in a project.
Example
use infisical::kms::ListKmsKeysRequest;
let request = ListKmsKeysRequest::builder("<your-project-id>").build();
let keys = client.kms().list(request).await?;
Parameters
project_id: Required parameter passed to the builder() function.Retrieve a specific KMS key by ID.
Example
use infisical::kms::GetKmsKeyRequest;
let request = GetKmsKeyRequest::builder("<key-id>").build();
let key = client.kms().get(request).await?;
Parameters
key_id: Required parameter passed to the builder() function.Retrieve a specific KMS key by name.
Example
use infisical::kms::GetKmsKeyByNameRequest;
let request = GetKmsKeyByNameRequest::builder("<key-name>").build();
let key = client.kms().get_by_name(request).await?;
Parameters
key_name: Required parameter passed to the builder() function.Create a new KMS key in your project.
Example
use infisical::kms::{CreateKmsKeyRequest, EncryptionAlgorithm, KeyUsage};
let request = CreateKmsKeyRequest::builder("<your-project-id>", "my-key")
.description("A key for encryption operations")
.key_usage(KeyUsage::EncryptDecrypt)
.encryption_algorithm(EncryptionAlgorithm::Aes256Gcm)
.build();
let created_key = client.kms().create(request).await?;
Parameters
project_id, name: Required parameters passed to the builder() function..description(description): Optional method to set the key description..key_usage(usage): Optional method to set the key usage using the KeyUsage enum (defaults to KeyUsage::EncryptDecrypt)..encryption_algorithm(algorithm): Optional method to set the encryption algorithm using the EncryptionAlgorithm enum (defaults to EncryptionAlgorithm::Aes256Gcm).Update an existing KMS key.
Example
use infisical::kms::UpdateKmsKeyRequest;
let request = UpdateKmsKeyRequest::builder("<key-id>")
.name("updated-key-name")
.description("Updated description")
.is_disabled(false)
.build();
let updated_key = client.kms().update(request).await?;
Parameters
key_id: Required parameter passed to the builder() function..name(name): Optional method to rename the key..description(description): Optional method to update the key description..is_disabled(disabled): Optional method to enable or disable the key.Delete a KMS key from your project.
Example
use infisical::kms::DeleteKmsKeyRequest;
let request = DeleteKmsKeyRequest::builder("<key-id>").build();
let deleted_key = client.kms().delete(request).await?;
Parameters
key_id: Required parameter passed to the builder() function.Encrypt data using a KMS key.
Example
use infisical::kms::EncryptRequest;
let request = EncryptRequest::builder("<key-id>", "sensitive data").build();
let ciphertext = client.kms().encrypt(request).await?;
Parameters
key_id, plaintext: Required parameters passed to the builder() function.Decrypt data using a KMS key.
Example
use infisical::kms::DecryptRequest;
let request = DecryptRequest::builder("<key-id>", "encrypted-data").build();
let plaintext = client.kms().decrypt(request).await?;
Parameters
key_id, ciphertext: Required parameters passed to the builder() function.Sign data using a KMS key.
Example
use infisical::kms::{SigningAlgorithm, SignRequest};
let request = SignRequest::builder("<key-id>", "data to sign")
.signing_algorithm(SigningAlgorithm::RsassaPkcs1V15Sha256)
.is_digest(false)
.build();
let signature = client.kms().sign(request).await?;
Parameters
key_id, data: Required parameters passed to the builder() function..signing_algorithm(algorithm): Optional method to set the signing algorithm using the SigningAlgorithm enum (defaults to SigningAlgorithm::RsassaPkcs1V15Sha256)..is_digest(is_digest): Optional method to indicate if the data is a digest (defaults to false).Verify a signature using a KMS key.
Example
use infisical::kms::{SigningAlgorithm, VerifyRequest};
let request = VerifyRequest::builder("<key-id>", "data to sign", "signature")
.signing_algorithm(SigningAlgorithm::RsassaPkcs1V15Sha256)
.is_digest(false)
.build();
let verification = client.kms().verify(request).await?;
Parameters
key_id, data, signature: Required parameters passed to the builder() function..signing_algorithm(algorithm): Optional method to set the signing algorithm using the SigningAlgorithm enum (defaults to SigningAlgorithm::RsassaPkcs1V15Sha256)..is_digest(is_digest): Optional method to indicate if the data is a digest (defaults to false).Get the public key for a KMS key.
Example
let public_key = client.kms().get_public_key("<key-id>").await?;
Parameters
key_id: The ID of the key to get the public key for.Get the available signing algorithms for a KMS key.
Example
let algorithms = client.kms().get_signing_algorithms("<key-id>").await?;
Parameters
key_id: The ID of the key to get signing algorithms for.For development and testing, you'll need to set up environment variables. Create a .env file in your project root:
INFISICAL_CLIENT_ID=your_client_id_here
INFISICAL_CLIENT_SECRET=your_client_secret_here
INFISICAL_BASE_URL=http://localhost:8080 # Optional: for local development
# Project IDs for different resources
INFISICAL_SECRETS_PROJECT_ID=your_project_id_here
INFISICAL_KMS_PROJECT_ID=your_project_id_here
To obtain the required credentials:
Tests that require authentication are marked with #[ignore] and need valid credentials:
# Run ignored tests (requires .env file with valid credentials)
cargo test -- --ignored --nocapture
# Run a specific test
cargo test test_kms_resource -- --ignored --nocapture
Note: Integration tests require a running Infisical instance and valid authentication credentials.