docs/cli/commands/pam.mdx
infisical pam access <path> [flags]
The infisical pam command provides privileged access management capabilities for securely accessing databases, SSH servers, Kubernetes clusters, AWS IAM roles, and Windows/RDP servers through Infisical's Gateway.
All PAM commands require the user to be logged in via infisical login.
infisical pam
└── access <path> # unified, path-based access to all PAM resources
Access PAM-managed resources through Infisical's Gateway. This unified command handles all resource types — databases, SSH servers, Kubernetes clusters, AWS IAM roles, and Windows/RDP servers. The account type is determined by the template assigned to the account.
infisical pam access <path> [flags]
| Argument | Description |
|---|---|
<path> | Required. Path to the PAM account in format folder/account-name |
Default value: 1h
# Example
infisical pam access production/postgres-main --duration 4h
# Example
infisical pam access production/database --reason "Investigating incident INC-1234"
Default value: 0
# Example
infisical pam access staging/mysql-replica --port 3306
# Example
infisical pam access windows/domain-admin --target dc01.corp.local
# Example
infisical pam access production/database --domain https://your-infisical-instance.com
Based on the account's template, the CLI starts the appropriate local proxy or credential helper.
Starts a local database proxy on 127.0.0.1. Connect using standard database clients — no password required as authentication is handled by the proxy.
# Example
infisical pam access production/postgres-main --duration 2h
The output includes connection details and CLI examples:
| Database Type | Connection String Format |
|---|---|
| PostgreSQL | postgres://<username>@127.0.0.1:<port>/<database> |
| MySQL | mysql://<username>@127.0.0.1:<port>/<database> |
| SQL Server | sqlserver://<username>@127.0.0.1:<port>?database=<database> |
| MongoDB | mongodb://127.0.0.1:<port>/<database> |
Starts a local SSH proxy. Use standard SSH/SCP/SFTP/rsync commands to connect.
# Start the proxy
infisical pam access servers/prod-bastion
Then connect using your SSH client:
# SSH
ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
# SCP file transfer
scp -P <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null file.txt [email protected]:/path/
# rsync
rsync -e "ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" local-dir/ [email protected]:/remote/path/
Starts a local Kubernetes proxy and automatically configures kubectl context.
# Example
infisical pam access clusters/prod-cluster --duration 4h
kubectl is automatically configured with a context named infisical-k8s-pam/folder/account-name. Use kubectl normally:
kubectl get pods
kubectl get namespaces
The original kubeconfig context is restored when the session ends.
Writes temporary STS credentials to your AWS credentials file (~/.aws/credentials or wherever AWS_SHARED_CREDENTIALS_FILE points).
# Example
infisical pam access aws/production-role
The credentials are written as a named profile: infisical-pam/folder/account-name
Use with the AWS CLI:
# Use --profile flag
aws s3 ls --profile "infisical-pam/aws/production-role"
# Or export the profile
export AWS_PROFILE="infisical-pam/aws/production-role"
aws s3 ls
The session blocks until Ctrl+C or credential expiry. When the session ends, the profile is removed from the credentials file.
Starts a local RDP proxy. Connect your RDP client to 127.0.0.1 on the assigned port.
# Single-server Windows account
infisical pam access windows/admin-server
# Windows AD with multiple targets
infisical pam access windows/domain-admin --target dc01.corp.local
Connect using your preferred RDP client (e.g., Microsoft Remote Desktop, xfreerdp, Remmina).
If your organization requires MFA for PAM access:
SESSION_MFA_REQUIRED responseSome PAM policies require an audit reason. Behavior:
| Scenario | Behavior |
|---|---|
With --reason flag | Uses provided reason |
| Interactive terminal (TTY) | Prompts for reason if required |
| Non-interactive (CI/CD) | Fails with error if reason required but not provided |
# Provide reason via flag
infisical pam access production/database --reason "Investigating incident INC-1234"
| Error | Cause | Solution |
|---|---|---|
Invalid duration format | Malformed --duration value | Use formats like 1h, 30m, 2h30m |
a reason is required to access this account | Policy requires reason, no TTY | Pass --reason flag |
Gateway does not support '{type}' PAM accounts | Gateway version too old | Upgrade Infisical Gateway |
PAM response metadata is missing | API response incomplete | Contact support |