feat(relay): add resource auth enrollment for relays

[saifsmailbox98]

Description 📣

Add --enroll-method flag to relay start command for token and AWS auth. Companion to Infisical/infisical#6515.

Backend PR: Infisical/infisical#6515

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[linear]

PAM-215

[infisical-review-police]

💬 Discussion in Slack: #pr-review-cli-237-feat-relay-add-resource-auth-enrollment-for-relays

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

[saifsmailbox98]

@claude review once

[claude]

Both previously flagged issues look correctly addressed in the latest revision — token-path now uses the same LoadStoredDomain fallback as the AWS path, and invalid --enroll-method values are rejected up front. Deferring approval to a human since this is non-trivial auth/enrollment code.

Extended reasoning...

Overview

The PR adds a new --enroll-method flag to infisical relay start supporting two enrollment modes:

• token: one-time enrollment token exchanged via POST /v2/relays/login for a persisted access token
• aws: AWS STS GetCallerIdentity signed-request login via POST /v2/relays/login

Touches: new resty wrappers (CallRelayLogin, CallRelayConnect, CallRelayHeartbeatV2) in packages/api/api.go, request/response models in packages/api/model.go, the relay start command in packages/cmd/relay.go, and two new files: packages/relay/aws_auth.go (SigV4 signing for STS) and packages/relay/enroll.go (on-disk relay config: access token, enrollment token, domain, relay id). packages/relay/relay.go is updated to dispatch heartbeat/register through the v2 endpoints when an enroll method is set.

Security risks

• New persisted-secret storage in packages/relay/enroll.go writes access tokens and enrollment tokens to /etc/infisical/relays/<name>.conf (root) or ~/.infisical/relays/<name>.conf (non-root) with 0600 perms and 0700 directory perms. Looks reasonable but worth a human eye on the format (plain KEY=VALUE, no escaping — values containing newlines would corrupt the file, though tokens normally won't).
• The token flag is now overloaded between legacy machine-identity tokens and one-time enrollment tokens, distinguished only by --enroll-method. Help text covers it but the dual meaning increases footgun surface.
• AWS SigV4 path constructs and base64-encodes signed STS request headers and forwards them to the Infisical backend — standard AWS-auth pattern used elsewhere in the codebase (mirrors gateway AWS auth).
• Global mutation of config.INFISICAL_URL based on stored state means re-runs effectively trust the on-disk <name>.conf for the backend URL; a writable-as-user attacker who can modify the conf could redirect enrollment to a malicious backend. Probably acceptable given the conf is in the user's home dir, but worth confirming.

Level of scrutiny

Medium-high. This is new authentication code on a critical path (relay enrollment talks to the production backend with bearer tokens), introduces new on-disk secret storage, and overloads an existing flag. Not a config tweak or refactor. The companion backend PR (infisical#6515) defines the server side, so the contract should be reviewed jointly — that's not something an automated reviewer can do well.

Other factors

• Both previously flagged bugs were addressed with minimal, targeted diffs that match the suggested fix.
• There is some redundancy: the domain resolution block at the end of the dispatch also runs after both per-method blocks did the same thing, but it is benign (idempotent through AppendAPIEndpoint).
• I'd want a human to verify the response shape of CallRelayConnect against the backend PR and confirm the v2 heartbeat unauthenticated-vs-authenticated semantics match the access-token-based auth model.