@infisical/backstage-plugin-infisical

Backstage Infisical Plugin

A plugin for Backstage that integrates with Infisical for secrets management. This plugin allows you to:

• View, create, edit, and delete secrets in your Infisical projects
• Navigate secrets across different folders and environments
• Display secrets in a user-friendly table with access controls

Installation

For your Backstage app

# From your Backstage root directory
yarn add --cwd packages/app @infisical/backstage-plugin-infisical

Backend plugin

This frontend plugin requires the corresponding backend plugin to be installed. Please follow the instructions in the backend plugin repository.

Configuration

App Configuration

• Add the plugin to your Backstage application by modifying your packages/app/src/App.tsx:

import { infisicalPlugin } from '@infisical/backstage-plugin-infisical';

const app = createApp({
  // ... other configuration
  plugins: [
    // ... other plugins
    infisicalPlugin,
  ],
});

• Add the Infisical tab to your entity page in packages/app/src/components/catalog/EntityPage.tsx:

import { EntityInfisicalContent } from '@infisical/backstage-plugin-infisical';

// Add to the service entity page:
const serviceEntityPage = (
  <EntityLayout>
    {/* ...other tabs */}
    <EntityLayout.Route path="/infisical" title="Secrets">
      <EntityInfisicalContent />
    </EntityLayout.Route>
  </EntityLayout>
);

Entity Configuration

To connect an entity to its Infisical project, add the following annotation to your entity yaml file:

apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: example-service
  annotations:
    infisical/projectId: <your-infisical-project-id>
    infisical/environment: "staging"
    infisical/secretPath: "+/folder/nested"

Annotation	Required	Description
infisical/projectId	✅	The ID of your Infisical project
infisical/environment	❌	Lock the view to a specific environment (e.g., "development", "staging", "production")
infisical/secretPath	❌	Specify the folder path to display secrets from

Secret Path Behavior

The infisical/secretPath annotation controls both the starting location and navigation permissions:

Without "+" prefix (restricted navigation):

infisical/secretPath: "/folder/nested"

• Shows secrets only from the specified path
• Disables folder navigation - users cannot navigate to subfolders
• Ideal for restricting access to a specific folder level

With "+" prefix (allowed navigation):

infisical/secretPath: "+/folder/nested"

• Shows secrets starting from the specified path (without the "+")
• Enables folder navigation - users can navigate to subfolders
• Ideal for setting a starting point while allowing exploration

Examples:

Configuration	Behavior
infisical/secretPath: "/api/config"	View only /api/config, no subfolder navigation
infisical/secretPath: "+/api/config"	Start at /api/config, allow navigation to subfolders
No secretPath annotation	Start at root (/), allow full navigation

Features

Secret Management

• View Secrets: Browse secrets in a table with support for hiding sensitive values
• Create Secrets: Add new secrets with key, value, and optional comments
• Update Secrets: Modify existing secret values and metadata
• Delete Secrets: Remove secrets that are no longer needed

Folder Navigation

• Folder Browsing: Navigate the folder structure of your Infisical project
• Breadcrumb Navigation: Easily navigate up and down the folder hierarchy

Environment Support

• Environment Selection: View and manage secrets across different environments (Development, Staging, Production, etc.)
• Environment-specific Secrets: Each environment has its own set of secrets

Search and Filtering

• Instant Filtering: Quickly find secrets by filtering the table by key, value, or comment

Development

Getting Started

• Clone the repository
• Install dependencies:

yarn install

• Run the plugin in isolation:

yarn start

Running Tests

Run all tests:

yarn test

Run tests with coverage:

yarn test:coverage

Building

yarn build