docs/cli/commands/pam.mdx
infisical pam access <path> [flags]
The infisical pam command provides brokered, credential-less access to your PAM-managed resources — databases, servers, and cloud accounts — through Infisical's Gateway.
All PAM commands require the user to be logged in via infisical login.
infisical pam
└── access <path> # unified, path-based access to all PAM resources
Access your PAM-managed resources. This unified command handles every account type — the CLI adapts its behavior to whichever type the account's template defines (see Account Types and Behavior below).
infisical pam access <path> [flags]
| Argument | Description |
|---|---|
<path> | Required. Path to the PAM account in format folder/account-name |
Default value: 1h
# Example
infisical pam access production/postgres-main --duration 4h
# Example
infisical pam access production/database --reason "Investigating incident INC-1234"
Default value: 0
# Example
infisical pam access staging/mysql-replica --port 3306
# Example
infisical pam access windows/domain-admin --target dc01.corp.local
# Example
infisical pam access production/database --domain https://your-infisical-instance.com
Based on the account's template, the CLI starts the appropriate local proxy or credential helper.
<AccordionGroup> <Accordion title="Databases (PostgreSQL, MySQL, SQL Server, MongoDB)"> Starts a local database proxy on `127.0.0.1`. Connect using standard database clients — no password required as authentication is handled by the proxy.```bash
# Example
infisical pam access production/postgres-main --duration 2h
```
The output includes connection details and CLI examples:
| Database Type | Connection String Format |
|--------------|-------------------------|
| PostgreSQL | `postgres://<username>@127.0.0.1:<port>/<database>` |
| MySQL | `mysql://<username>@127.0.0.1:<port>/<database>` |
| SQL Server | `sqlserver://<username>@127.0.0.1:<port>?database=<database>` |
| MongoDB | `mongodb://127.0.0.1:<port>/<database>` |
```bash
# Start the proxy
infisical pam access servers/prod-bastion
```
Then connect using your SSH client:
```bash
# SSH
ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
# SCP file transfer
scp -P <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null file.txt [email protected]:/path/
# rsync
rsync -e "ssh -p <port> -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" local-dir/ [email protected]:/remote/path/
```
```bash
# Example
infisical pam access clusters/prod-cluster --duration 4h
```
kubectl is automatically configured with a context named `infisical-k8s-pam/folder/account-name`. Use kubectl normally:
```bash
kubectl get pods
kubectl get namespaces
```
The original kubeconfig context is restored when the session ends.
```bash
# Example
infisical pam access aws/production-role
```
The credentials are written as a named profile: `infisical-pam/folder/account-name`
Use with the AWS CLI:
```bash
# Use --profile flag
aws s3 ls --profile "infisical-pam/aws/production-role"
# Or export the profile
export AWS_PROFILE="infisical-pam/aws/production-role"
aws s3 ls
```
The session blocks until `Ctrl+C` or credential expiry. When the session ends, the profile is removed from the credentials file.
```bash
# Example
infisical pam access gcp/prod-deployer
```
Run `gcloud` and other Google Cloud tooling as normal — no per-command configuration needed:
```bash
gcloud compute instances list
gcloud storage ls
```
The session blocks until `Ctrl+C` or expiry. On shutdown, your `gcloud` configuration is restored.
```bash
# Single-server Windows account
infisical pam access windows/admin-server
# Windows AD with multiple targets
infisical pam access windows/domain-admin --target dc01.corp.local
```
Connect using your preferred RDP client (e.g., Microsoft Remote Desktop, xfreerdp, Remmina).
If your organization requires MFA for PAM access:
SESSION_MFA_REQUIRED responseSome PAM policies require an audit reason. Behavior:
| Scenario | Behavior |
|---|---|
With --reason flag | Uses provided reason |
| Interactive terminal (TTY) | Prompts for reason if required |
| Non-interactive (CI/CD) | Fails with error if reason required but not provided |
# Provide reason via flag
infisical pam access production/database --reason "Investigating incident INC-1234"
| Error | Cause | Solution |
|---|---|---|
Invalid duration format | Malformed --duration value | Use formats like 1h, 30m, 2h30m |
a reason is required to access this account | Policy requires reason, no TTY | Pass --reason flag |
Gateway does not support '{type}' PAM accounts | Gateway version too old | Upgrade Infisical Gateway |
PAM response metadata is missing | API response incomplete | Contact support |