Authentication

Authentication enables infrastructure access without the need for static secrets, keys or shared passwords. Instead, users log in with an authentication method, and short-lived credentials are distributed to users automatically.

authenication flow

Logging in

Users authenticate by downloading the Infra CLI and then log in via their terminal:

infra login

infra login prompts users to log in via different authentication methods. For authentication methods that require a browser, Infra will direct users to a login page in their browser:

login page

After logging in, Infra automatically updates local configuration files with the required short-lived credentials for access.

Authentication Methods

Username & password

Username & password is a built-in authentication method. To log in with username & password, run infra login and select Login with username and password:

$ infra login
? Select a server: acme.infrahq.com
? Select a login method:  [Use arrows to move, type to filter]
> Login with username and password

Access Keys

Access Keys are a built-in authentication method. To log in using an access key, set the INFRA_SERVER and INFRA_ACCESS_KEY environment variables:

export INFRA_SERVER=<org>.infrahq.com
export INFRA_ACCESS_KEY=<xxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyy>

Then, run infra login:

infra login

Identity providers

Infra supports logging in using identity providers such as Google and Okta. To configure an identity provider, refer to the individual guides for each provider below:

After configuring an identity provider, users will be able to authenticate with it when running infra login.

Headless authentication

Infra supports authenticating in environments where opening a web browser is not possible (e.g. a headless virtual machine, container session or server).

infra login

Users are will be prompted to log in via a web browser:

Navigate to https://acme.infrahq.com/device?code=WNTH-WBBX and enter the following code:

		WNTH-WBBX

confirm