infisical relay start supports --enroll-method=token (and aws), which uses a
one-time enrollment token to authenticate against the V2 relay API. This avoids the
legacy machine-identity auth path that triggers the dashboard warning:
"Authenticated via Machine Identity (Legacy) — This relay is still using machine
identity. We recommend creating a new relay."
However, infisical relay systemd install does not expose --enroll-method. The
generated systemd unit runs infisical relay start with no flags, relying solely on
/etc/infisical/relay.conf. Because that file never contains
INFISICAL_RELAY_ENROLL_METHOD (nor an enrollment token), the relay always falls back
to legacy machine-identity auth on every boot. There is no way to install a
systemd-managed relay that uses the newer enrollment flow.
Root cause
relaySystemdInstallCmd only registers --token, --log-file, --domain,
--name, --host, --type, --relay-auth-secret. No --enroll-method /
--relay-id.
InstallRelaySystemdService(...) writes INFISICAL_RELAY_NAME/HOST/TYPE,
INFISICAL_API_URL, and either INFISICAL_TOKEN or INFISICAL_RELAY_AUTH_SECRET.
It never writes INFISICAL_RELAY_ENROLL_METHOD /
INFISICAL_RELAY_ENROLLMENT_TOKEN / INFISICAL_RELAY_ID.
- In
relay start, the enrollment token is read only from the --token flag and
has no environment fallback (unlike --relay-id, which falls back to
INFISICAL_RELAY_ID). So even if the env file carried the token, a flagless
systemd invocation could not pick it up.
To reproduce
- Install a relay as a systemd service:
sudo infisical relay systemd install \
--token=<one-time-enrollment-token> \
--name=homelab --host=localhost --domain=https://<self-hosted>
- Inspect /etc/infisical/relay.conf — it contains INFISICAL_TOKEN=... and no
enrollment-related variables.
- Start the service and check the dashboard.
Expected behavior
relay systemd install should support --enroll-method=token|aws (mirroring
relay start), write the appropriate enrollment variables to relay.conf, and the
resulting service should authenticate via the enrollment flow — showing enrollment
auth in the dashboard rather than "Machine Identity (Legacy)".
Actual behavior
--enroll-method is unavailable on relay systemd install, so a systemd-managed relay
can only ever use legacy machine-identity auth.
Environment
- Infisical CLI: infisical relay (V2 relay enrollment)
- OS: Linux (systemd)
- Self-hosted Infisical instance
Additional context
Happy to submit a PR. Planned approach: add --enroll-method/--relay-id to
relaySystemdInstallCmd, extend InstallRelaySystemdService to write the enrollment
variables (using the existing INFISICAL_RELAY_ENROLLMENT_TOKEN/INFISICAL_RELAY_ID
constants) while keeping legacy INFISICAL_TOKEN behavior unchanged when
--enroll-method is omitted, and add an INFISICAL_RELAY_ENROLLMENT_TOKEN env
fallback for the enrollment token in relay start. Fully backward compatible.
infisical relay startsupports--enroll-method=token(andaws), which uses aone-time enrollment token to authenticate against the V2 relay API. This avoids the
legacy machine-identity auth path that triggers the dashboard warning:
However,
infisical relay systemd installdoes not expose--enroll-method. Thegenerated systemd unit runs
infisical relay startwith no flags, relying solely on/etc/infisical/relay.conf. Because that file never containsINFISICAL_RELAY_ENROLL_METHOD(nor an enrollment token), the relay always falls backto legacy machine-identity auth on every boot. There is no way to install a
systemd-managed relay that uses the newer enrollment flow.
Root cause
relaySystemdInstallCmdonly registers--token,--log-file,--domain,--name,--host,--type,--relay-auth-secret. No--enroll-method/--relay-id.InstallRelaySystemdService(...)writesINFISICAL_RELAY_NAME/HOST/TYPE,INFISICAL_API_URL, and eitherINFISICAL_TOKENorINFISICAL_RELAY_AUTH_SECRET.It never writes
INFISICAL_RELAY_ENROLL_METHOD/INFISICAL_RELAY_ENROLLMENT_TOKEN/INFISICAL_RELAY_ID.relay start, the enrollment token is read only from the--tokenflag andhas no environment fallback (unlike
--relay-id, which falls back toINFISICAL_RELAY_ID). So even if the env file carried the token, a flaglesssystemd invocation could not pick it up.
To reproduce
enrollment-related variables.
Expected behavior
relay systemd install should support --enroll-method=token|aws (mirroring
relay start), write the appropriate enrollment variables to relay.conf, and the
resulting service should authenticate via the enrollment flow — showing enrollment
auth in the dashboard rather than "Machine Identity (Legacy)".
Actual behavior
--enroll-method is unavailable on relay systemd install, so a systemd-managed relay
can only ever use legacy machine-identity auth.
Environment
Additional context
Happy to submit a PR. Planned approach: add --enroll-method/--relay-id to
relaySystemdInstallCmd, extend InstallRelaySystemdService to write the enrollment
variables (using the existing INFISICAL_RELAY_ENROLLMENT_TOKEN/INFISICAL_RELAY_ID
constants) while keeping legacy INFISICAL_TOKEN behavior unchanged when
--enroll-method is omitted, and add an INFISICAL_RELAY_ENROLLMENT_TOKEN env
fallback for the enrollment token in relay start. Fully backward compatible.