Authentication enables infrastructure access without the need for static secrets, keys or shared passwords. Instead, users log in with an authentication method, and short-lived credentials are distributed to users automatically.

[Figure: authentication flow]

Logging in

Users authenticate by downloading the Infra CLI and then logging in from their terminal:

infra login

infra login prompts users to log in via different authentication methods. For authentication methods that require a browser, Infra will direct users to a login page in their browser:

[Figure: login page]

After logging in, Infra automatically updates local configuration files with the required short-lived credentials for access.

Authentication Methods

Users may log in to Infra using a web browser or via the CLI.

Navigate to <org> in a web browser.

Access Keys

Access Keys are a built-in authentication method. To log in using an access key, set the INFRA_SERVER and INFRA_ACCESS_KEY environment variables:

export INFRA_SERVER=<org>
export INFRA_ACCESS_KEY=<xxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyy>

Then, run infra login:

infra login

Access keys can be created by logging in to the Infra dashboard and clicking Settings.
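
One way to script the access-key login above so the key is not typed into shell history or left exported in the session. This is an added example, not part of Infra's documentation or tooling; the function names, the key file, and the assumption that a key is two alphanumeric parts joined by one dot (read off the placeholder above) are assumptions.

```shell
#!/bin/sh
# Added example (not Infra's code). Function names and key-file layout are assumptions.

# key_shape_ok KEY: succeed if KEY is "<id>.<secret>", i.e. two non-empty
# alphanumeric parts joined by exactly one dot (assumed from the placeholder).
key_shape_ok() {
    case "$1" in
        *.*.*)           return 1 ;;  # more than one dot
        *[!A-Za-z0-9.]*) return 1 ;;  # whitespace, CR from a CRLF file, quotes, ...
        ?*.?*)           return 0 ;;
        *)               return 1 ;;  # empty, no dot, or an empty half
    esac
}

# file_is_private FILE: succeed if FILE is a regular file whose mode grants
# nothing to group or other (e.g. 600 or 400). Symlinks are refused.
file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case "$mode" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# load_access_key FILE: print the key on stdout, or explain the refusal on stderr.
load_access_key() {
    file_is_private "$1" || { echo "refusing $1: group/other permissions set" >&2; return 1; }
    key=$(cat < "$1") || return 1   # $(...) drops the trailing newline
    key_shape_ok "$key" || { echo "$1: not of the form <id>.<secret>" >&2; return 1; }
    printf '%s' "$key"
}

# infra_login_with_keyfile SERVER FILE: pass both variables to `infra login`
# only, so the key is never left exported in the calling shell.
infra_login_with_keyfile() {
    access_key=$(load_access_key "$2") || return 1
    INFRA_SERVER="$1" INFRA_ACCESS_KEY="$access_key" infra login
}

# Run only when called as: script <org> /path/to/keyfile
if [ "$#" -eq 2 ]; then
    infra_login_with_keyfile "$1" "$2"
fi
```
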


Google

To log in to your organization using Google, a user must either have been manually added as a user by an administrator or have a Google account with an email that matches the organization's allowed domains. Allowed email domains can be configured in "settings > authentication".

Note: When users log in using Google, they will not have access to any infrastructure by default. They must be directly granted access by an administrator.

Custom Identity Providers

Infra supports logging in using custom identity providers such as your own Google Workspace client and Okta. To configure a custom identity provider, refer to the individual guides for each provider below:

After configuring an identity provider, users will be able to authenticate with it when running infra login.