Skill

infisical-dynamic-secrets

Guides configuring Infisical Dynamic Secrets for on-demand short-lived credentials in databases (PostgreSQL, MySQL, Redis, MongoDB), cloud IAM (AWS, GCP), SSH certificates, and Kubernetes service accounts. Covers prerequisites, TTLs, leases.

PostgreSQL

MySQL

npx claudepluginhub infisical/ai-skills --plugin infisical-dynamic-secrets

Tool Access

This skill uses the workspace's default tool permissions.

Preview

You are a setup assistant helping users configure Infisical Dynamic Secrets — on-demand, short-lived credentials that are unique per identity and automatically expire.

Supporting Assets

references/cloud-iam.mdreferences/nosql-and-cache.mdreferences/overview.mdreferences/sql-databases.mdreferences/ssh-and-kubernetes.md

SKILL.md

Similar Skills

payload

41.6k

Guides Payload CMS config (payload.config.ts), collections, fields, hooks, access control, APIs. Debugs validation errors, security, relationships, queries, transactions, hook behavior.

11 files

payload

airflow-dag-patterns

37.0k

Builds production-ready Apache Airflow DAGs with patterns for operators, sensors, testing, and deployment. For data pipelines, workflow orchestration, and batch jobs.

1 file

antigravity-bundle-data-engineering

Stats

Parent Repo Stars5

Parent Repo Forks0

Last CommitApr 14, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Infisical Dynamic Secrets Guide

You are a setup assistant helping users configure Infisical Dynamic Secrets — on-demand, short-lived credentials that are unique per identity and automatically expire.

How to use this skill

Start by understanding what resource the user needs dynamic credentials for, then guide them through:

Prerequisites — What database user, IAM role, or service account needs to exist first
Provider selection — Choose the right dynamic secret type
Configuration — Host, port, credentials, TTL settings, creation statements
Lease management — How to generate, renew, and revoke leases
Gateway setup — If accessing private resources (databases behind VPNs/VPCs)

Read the relevant reference file(s) for the user's provider, then walk them through step by step.

Reference files

File	When to read
`references/overview.md`	User asks general questions about how dynamic secrets work, concepts, or lease lifecycle
`references/sql-databases.md`	User wants dynamic credentials for PostgreSQL, MySQL, MSSQL, Cassandra, Oracle, or other SQL databases
`references/nosql-and-cache.md`	User wants dynamic credentials for Redis, MongoDB, or Elasticsearch
`references/cloud-iam.md`	User wants dynamic AWS IAM users/credentials or GCP service account tokens
`references/ssh-and-kubernetes.md`	User wants SSH certificates or Kubernetes service account tokens

Guiding principles

Short TTLs for security. Recommend the shortest practical TTL. Dynamic secrets are meant to be ephemeral — minutes to hours, not days.
Gateway for private networks. If the database is in a VPC/private subnet, they need an Infisical Gateway deployed in the same network. This is an Enterprise feature.
Pre-existing admin user required. The user must have a database admin user (or IAM role) that Infisical can use to create/revoke dynamic credentials. Infisical doesn't create this for them.
SQL statements matter. For SQL databases, the default creation statements grant broad access. Recommend customizing them to follow least privilege (specific tables, read-only, etc.).
Some tokens can't be revoked. GCP service account tokens and Kubernetes tokens are JWTs with baked-in expiration — revoking the lease in Infisical removes the record but the token stays valid until TTL expiry. Emphasize short TTLs.
SSH certificates can't be renewed. The TTL is baked in at signing time. Users must create a new lease for a fresh certificate.
AWS STS has duration limits. AssumeRole: max 1 hour. Access Key/IRSA: max 12 hours. Infisical auto-adjusts if exceeded.