ContextQMD
Back to Infisical

infisical relay

docs/cli/commands/relay.mdx

0.160.54.5 KB
Original Source

Description

Relay-related commands for Infisical. Relays are organization-deployed servers that route encrypted traffic between Infisical and your gateways.

Relays are created via the Infisical dashboard (Networking → Relays → Create Relay) and then deployed using the CLI commands below.

Subcommands & flags

<AccordionGroup> <Accordion title="infisical relay start" defaultOpen="true"> Run the Infisical relay component. The relay handles network traffic routing between Infisical and your gateways.

Authentication

Relays support two enrollment methods. The enrollment method is set when creating the relay in the dashboard.

<AccordionGroup> <Accordion title="Token Auth"> Token auth uses a one-time enrollment token (1 hour expiry) generated from the relay detail page. The token is exchanged for a long-lived access token on first start and stored on disk for subsequent restarts. 
The `--host` flag is not required — the host is stored server-side when the relay is created.

<Tabs>
  <Tab title="Foreground">
    ```bash
    infisical relay start \
      --name=<name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    ```
  </Tab>
  <Tab title="Linux (systemd)">
    ```bash
    sudo infisical relay systemd install \
      --name=<name> \
      --enroll-method=token \
      --token=<enrollment-token> \
      --domain=<your-infisical-domain>
    sudo systemctl start infisical-relay
    ```
  </Tab>
</Tabs>

On subsequent starts with the same enrollment token, the relay skips enrollment and uses the stored access token.

Token-method enrollment tokens are single-use and expire after 1 hour. If the token expires before deployment, click **Show deploy command** on the relay detail page to generate a new one.
</Accordion> <Accordion title="AWS Auth"> AWS auth uses the host's AWS credentials (instance role, env vars, or shared profile) to authenticate via STS GetCallerIdentity. A fresh token is minted on every start — no on-disk persistence needed. 
<Tabs>
  <Tab title="Foreground">
    ```bash
    infisical relay start \
      --name=<name> \
      --enroll-method=aws \
      --relay-id=<relay-id> \
      --domain=<your-infisical-domain>
    ```
  </Tab>
  <Tab title="Linux (systemd)">
    ```bash
    sudo infisical relay systemd install \
      --name=<name> \
      --enroll-method=aws \
      --relay-id=<relay-id> \
      --domain=<your-infisical-domain>
    sudo systemctl start infisical-relay
    ```
  </Tab>
</Tabs>

The `--relay-id` is the relay's UUID, visible on the relay detail page. The relay ID is persisted after first use so subsequent starts don't need `--relay-id` again.
</Accordion> </AccordionGroup>

Flags

<AccordionGroup> <Accordion title="--name"> The name of the relay. Must match the name used when creating the relay in the dashboard. </Accordion> <Accordion title="--enroll-method"> The enrollment method to use. Supported values: `token`, `aws`. </Accordion> <Accordion title="--token"> The one-time enrollment token (required when `--enroll-method=token`). Generated from the relay detail page via **Show deploy command**. </Accordion> <Accordion title="--relay-id"> The relay UUID (required when `--enroll-method=aws`). Visible on the relay detail page. </Accordion> <Accordion title="--domain"> Domain of your Infisical instance. Required for self-hosted deployments. </Accordion> </AccordionGroup> </Accordion> <Accordion title="infisical relay systemd" defaultOpen="false"> Manage systemd service for the Infisical relay on Linux systems.

Requirements

  • Operating System: Linux only
  • Privileges: Root/sudo privileges required
  • Systemd: The system must be running systemd

Subcommands

<AccordionGroup> <Accordion title="install"> Install and enable systemd service for the relay. See the authentication section above for install commands.

After installation, start the service:

bash
sudo systemctl start infisical-relay
sudo systemctl enable infisical-relay

To check status and logs:

bash
sudo systemctl status infisical-relay
sudo journalctl -u infisical-relay -f
</Accordion> <Accordion title="uninstall"> Uninstall and remove systemd service for the relay.
bash
sudo infisical relay systemd uninstall
</Accordion> </AccordionGroup> </Accordion> </AccordionGroup>