Migration tool for moving secrets from config.yaml into Infisical.
ObjSecretMigrate reads credential sections from config.yaml and
pushes them to a running Infisical instance. It provides seven
commands: migrate, verify, list, push-keys, delete, promote, and
cache-seed.
Prerequisites:

- A running Infisical instance (see resource.bin/start_infisical.sh)
- base.infisical.enabled: true in config.yaml
- client_id and client_secret configured (via config.yaml or
  AXION_INFISICAL_CLIENT_ID / AXION_INFISICAL_CLIENT_SECRET)
- An Infisical project named {package}_{role}_{deployment}
  (e.g. homechoice_ao_uat)

Secret naming:

Config values are mapped to Infisical secret names using the pattern:

SECTION__OPTION

A double underscore separates the section from the option; both are uppercased.

Examples:

- base.database.primaryip becomes DATABASE__PRIMARYIP
- base.mqtt.password becomes MQTT__PASSWORD
- base.aws.secret becomes AWS__SECRET

PEM encryption keys use the prefix PEM__:

- data.config/homechoice_private.pem becomes PEM__HOMECHOICE_PRIVATE
- data.config/homechoice_public.pem becomes PEM__HOMECHOICE_PUBLIC

Command: migrate

Push secrets from config.yaml to Infisical.
python factory.deploy/ObjSecretMigrate.py migrate
python factory.deploy/ObjSecretMigrate.py migrate --dry-run
python factory.deploy/ObjSecretMigrate.py migrate --config-file /path/to/config.yaml
Options:

- --config-file - Path to config.yaml (default: config.yaml)
- --dry-run - Show what would be migrated without writing

Command: verify

Compare config.yaml values against Infisical to detect drift.
python factory.deploy/ObjSecretMigrate.py verify
Reports: Match, Mismatch, or Missing for each secret.
Command: list

List all secrets currently stored in the Infisical project.
python factory.deploy/ObjSecretMigrate.py list
Command: push-keys

Push RSA PEM key files from disk to Infisical.
python factory.deploy/ObjSecretMigrate.py push-keys
python factory.deploy/ObjSecretMigrate.py push-keys --dry-run
python factory.deploy/ObjSecretMigrate.py push-keys --key-folder /path/to/keys
Options:

- --config-file - Path to config.yaml (default: config.yaml)
- --key-folder - Folder containing PEM files (default: data.config)
- --dry-run - Show what would be pushed without writing

Naming convention:

- {package}_private.pem -> PEM__{PACKAGE}_PRIVATE
- {package}_public.pem -> PEM__{PACKAGE}_PUBLIC

Command: delete

Delete secrets from the Infisical project.
python factory.deploy/ObjSecretMigrate.py delete DATABASE__PRIMARYIP
python factory.deploy/ObjSecretMigrate.py delete DATABASE__PRIMARYIP --dry-run
python factory.deploy/ObjSecretMigrate.py delete all --force
python factory.deploy/ObjSecretMigrate.py delete all --force --dry-run
Options:

- SECRET_NAME - Name of the secret to delete (uppercased automatically),
  or all to delete every secret in the project
- --force - Required when deleting all secrets
- --dry-run - Show what would be deleted without writing

Command: promote

Copy secrets from one deployment tier to another.
python factory.deploy/ObjSecretMigrate.py promote uat live
python factory.deploy/ObjSecretMigrate.py promote uat live --dry-run
python factory.deploy/ObjSecretMigrate.py promote uat live --include-pem
The source and target projects are derived from the current package
and role, with the deployment tier replaced:

- source: {package}_{role}_{source} (e.g. homechoice_ao_uat)
- target: {package}_{role}_{target} (e.g. homechoice_ao_live)

Options:

- SOURCE - Source deployment tier (e.g. uat)
- TARGET - Target deployment tier (e.g. live)
- --include-pem - Include PEM keys (excluded by default)
- --dry-run - Show what would be promoted without writing

Command: cache-seed

Seed the local encrypted disk cache from Infisical.
python factory.deploy/ObjSecretMigrate.py cache-seed
Fetches all secrets from the Infisical project and writes them
to data.config/.infisical_cache.yaml, encrypted with the
reference package key. This cache is used as an offline
fallback when Infisical is unavailable.
Migrated sections:

The following config.yaml sections are migrated:

- aws, bitbucket, mongo, mqtt, rabbitmq, influxdb
- cloudflare, gemini, proxmox, netbird
- smtp, imap, keycloak, slack
- database
- ai_mcp_* (all AI provider sections)

The tool skips:

- Placeholder values (YOUR_*)
- Template variables ($terraform$, $package$, etc.)
- The sections backup, storage, supervisor, infisical, domain
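As an added example (not ObjSecretMigrate's own code), the following Python reimplements the naming, skip and drift rules described above so the resulting secret names can be checked offline before running migrate or verify. It assumes config sections sit under a top-level base key, that ai_mcp_* sections follow the same SECTION__OPTION pattern, and uses a constructed sample config.

```python
import re

# Sections the page lists as migrated and skipped; ai_mcp_* is matched by prefix.
MIGRATED_SECTIONS = {"aws", "bitbucket", "mongo", "mqtt", "rabbitmq", "influxdb",
                     "cloudflare", "gemini", "proxmox", "netbird",
                     "smtp", "imap", "keycloak", "slack", "database"}
SKIPPED_SECTIONS = {"backup", "storage", "supervisor", "infisical", "domain"}
TEMPLATE_RE = re.compile(r"^\$[A-Za-z_]+\$$")  # unresolved template, e.g. $terraform$

def secret_name(section, option):
    """SECTION__OPTION: double underscore between section and option, uppercased."""
    return f"{section}__{option}".upper()

def pem_secret_name(filename):
    """{package}_private.pem -> PEM__{PACKAGE}_PRIVATE; None for any other file."""
    m = re.fullmatch(r"(.+)_(private|public)\.pem", filename)
    return f"PEM__{m[1]}_{m[2]}".upper() if m else None

def plan_migration(config):
    """Return (plan, skipped). plan maps Infisical secret names to values for the
    'base' sections (assumed layout config['base'][section][option]); skipped lists
    what the documented rules leave out, which is what a --dry-run would report."""
    plan, skipped = {}, []
    for section, options in config.get("base", {}).items():
        migrated = section in MIGRATED_SECTIONS or section.startswith("ai_mcp_")
        if section in SKIPPED_SECTIONS or not migrated:
            skipped.append((section, "section not migrated"))
            continue
        for option, value in options.items():
            text = str(value)
            if text.startswith("YOUR_") or TEMPLATE_RE.match(text):
                skipped.append((f"{section}.{option}", "placeholder or template value"))
                continue
            plan[secret_name(section, option)] = text
    return plan, skipped

def verify(plan, remote):
    """Drift report in the tool's terms: Match, Mismatch or Missing per planned secret."""
    return {name: "Missing" if name not in remote
            else "Match" if remote[name] == value else "Mismatch"
            for name, value in plan.items()}

# Constructed sample config; the values are fake and only exercise the rules.
SAMPLE_CONFIG = {"base": {
    "database": {"primaryip": "10.0.0.5", "password": "YOUR_DB_PASSWORD"},
    "mqtt": {"password": "example-only"},
    "aws": {"secret": "$terraform$"},
    "infisical": {"enabled": True},
    "ai_mcp_openai": {"api_key": "constructed-key"},
}}
```

Running plan_migration(SAMPLE_CONFIG) yields three secrets and three skipped entries (the YOUR_ placeholder, the $terraform$ template and the infisical section), mirroring what the tool's --dry-run output would list.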