Configure Per-Project Machine Identity Credentials
Summary
Configure per-project Machine Identity (MI) credentials in the Infisical God builtin tool to enable proper access control across multiple Infisical projects.
Background
The Infisical God tool supports per-project MI routing (commit bebdad1c), aligned with DevOps Moiria's architecture. However, the credentials are not yet configured in the backend.
Current State
- ✅ Per-project routing logic implemented
- ✅ Fallback chain: per-project MI → God Mode MI → env vars
- ✅ Token caching per project
- ❌ Credentials not configured in backend env vars
Required Configuration
Option 1: Environment Variables (Backend)
# God Mode MI (for org-level ops like list-projects)
INFISICAL_GOD_MODE_CLIENT_ID=d0e92fd6-f25f-4042-b3bc-8cb7d0e7f1f7
INFISICAL_GOD_MODE_CLIENT_SECRET=132dfdbff7d7d70f66af1b2d5299414ad4fd7e9d46a675fb5cc15601779d36d2
# Per-project MI credentials (loaded via configure_project_credentials())
# See INFISICAL_GOD_BUILTIN.md for details
Option 2: Infisical Secret (Auto-load)
Create a secret INFISICAL_PROJECT_MI_CREDENTIALS in Infisical with JSON:
{
"af441074-e1b8-462a-8157-c47a05f5ec65": {
"client_id": "7f59e8cb-1ca2-42c2-b212-db7fec82659e",
"client_secret": "92fa72ddb0b77cad6ac9cb12c7e61d84c20dd0859046b6b8738adeaa0ec04531"
},
"60343507-6515-467f-accc-7521008354b2": {
"client_id": "3c1d79b8-679d-4dd8-a154-82e6a6e547aa",
"client_secret": "1b7216c15fd9a0a77d7e09b4f66e48e76f5491f8fcddeae991d8f6e17c081d6b"
}
}
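An added example (not code from the Infisical God tool or from DevOps Moiria's infisical_god.py) showing how the pieces above fit together: parsing the INFISICAL_PROJECT_MI_CREDENTIALS JSON, walking the fallback chain per-project MI → God Mode MI → env vars, and caching tokens per project so one project's token is never reused for another. The env var names for the last fallback step and the sample ids and secrets are assumptions.

```python
import json
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class MICredentials:
    client_id: str
    client_secret: str
    source: str  # which step of the fallback chain supplied them

# Assumed names for the last fallback step; the issue does not name these vars.
FALLBACK_ENV_ID, FALLBACK_ENV_SECRET = "INFISICAL_CLIENT_ID", "INFISICAL_CLIENT_SECRET"

def parse_project_credentials(raw_json: str) -> dict[str, MICredentials]:
    """Parse the INFISICAL_PROJECT_MI_CREDENTIALS JSON (project id -> client_id/secret).
    An incomplete entry is an error, not a silent fall-through to the God Mode MI."""
    creds = {}
    for project_id, entry in json.loads(raw_json).items():
        if not isinstance(entry, dict) or not entry.get("client_id") or not entry.get("client_secret"):
            raise ValueError(f"incomplete MI entry for project {project_id}")
        creds[project_id] = MICredentials(entry["client_id"], entry["client_secret"], "per-project")
    return creds

def resolve_credentials(project_id, project_creds, env) -> MICredentials:
    """Fallback chain from the issue: per-project MI -> God Mode MI -> env vars."""
    if project_id in project_creds:
        return project_creds[project_id]
    if env.get("INFISICAL_GOD_MODE_CLIENT_ID") and env.get("INFISICAL_GOD_MODE_CLIENT_SECRET"):
        return MICredentials(env["INFISICAL_GOD_MODE_CLIENT_ID"],
                             env["INFISICAL_GOD_MODE_CLIENT_SECRET"], "god-mode")
    if env.get(FALLBACK_ENV_ID) and env.get(FALLBACK_ENV_SECRET):
        return MICredentials(env[FALLBACK_ENV_ID], env[FALLBACK_ENV_SECRET], "env")
    raise LookupError(f"no machine identity credentials for project {project_id!r}")

class TokenCache:
    """Per-project access-token cache. `login` is injected so this runs offline;
    the real tool would call Infisical universal-auth login here."""
    def __init__(self, login, ttl_seconds=3600, now=time.time):
        self._login, self._ttl, self._now, self._tokens = login, ttl_seconds, now, {}
    def token_for(self, project_id, project_creds, env) -> str:
        creds = resolve_credentials(project_id, project_creds, env)
        key = project_id if creds.source == "per-project" else creds.source  # no cross-project reuse
        cached = self._tokens.get(key)
        if cached and cached[1] > self._now():
            return cached[0]
        token = self._login(creds)
        self._tokens[key] = (token, self._now() + self._ttl)
        return token

# Constructed sample input: placeholder project id and credentials, not values from the issue.
SAMPLE_JSON = json.dumps({"af441074-0000-0000-0000-000000000000":
                          {"client_id": "cid-a", "client_secret": "sec-a"}})
```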
Projects to Configure
Based on DevOps Moiria's routing table:
- Moiria Infra Agents (af441074-...) ✅ Has MI
- Rosemarie Records Agents (60343507-...) ✅ Has MI
- Genesis Core Agents (13e31c9b-...) ✅ Has MI
- Cornell Beck Agents (2afa0814-...) ✅ Has MI
- Moiria Agents (f18111dd-...) ✅ Has MI
- AgnarSL Agents (cc7f8dcc-...) ❌ Needs MI creation
- Moneva Agents (ce8f374b-...) ❌ Needs MI creation
- Storyline Secrets (c29bffdc-...) ❌ Needs MI creation
Testing
After configuration, test with:
# Should use per-project MI
infisical_god(command="list-secrets", env="prod", project="af441074-...")
# Should use God Mode MI
infisical_god(command="list-projects")
Priority
High - Required for proper multi-tenant secret isolation.
Related
- Commit bebdad1c: Per-project MI routing implementation
- /data/workspace/INFISICAL_GOD_BUILTIN.md: Technical documentation
- DevOps Moiria's infisical_god.py: Reference implementation