Atulin.InfisicalConfig 1.0.0

Atulin.InfisicalConfig

A .NET configuration provider that fetches secrets from Infisical and injects them into IConfiguration at startup. Supports retries, AOT compilation, and native integration with the .NET host builder.

Installation

dotnet add package Atulin.InfisicalConfig

Quick start

Call AddInfisicalAsync on your IHostApplicationBuilder before building the host:

var builder = WebApplication.CreateBuilder(args);

await builder.AddInfisicalAsync();

var app = builder.Build();

Secrets are available through the standard IConfiguration interface from that point on, including via IOptions<T> binding.

Configuration

Connection details are read from your existing configuration (e.g. appsettings.json, user secrets, or environment variables) under the Infisical key by default:

{
  "Infisical": {
    "Url": "https://app.infisical.com",
    "ProjectId": "your-project-id",
    "MachineId": "your-machine-identity-client-id",
    "ClientSecret": "your-machine-identity-client-secret",
    "Env": "prod",
    "SecretPath": "/",
    "Prefix": "",
    "ExpandSecretReferences": true,
    "IncludeImports": true
  }
}

Tip: In production, supply MachineId and ClientSecret via environment variables rather than appsettings.json to avoid committing credentials.

Binder options

Pass a delegate to AddInfisicalAsync to adjust retry and transport behaviour:

await builder.AddInfisicalAsync(cfg =>
{
    cfg.MaxRetries = 3;
    cfg.Prefix = "Infisical";

    cfg.OnRetry = (attempt, max, delay, ex) =>
        logger.LogWarning(ex, "Infisical unreachable ({Attempt}/{Max}), retrying in {Delay}s",
            attempt, max, delay.TotalSeconds);
});

Retry callback

OnRetry receives the attempt number, the configured maximum, the upcoming delay, and the exception:

cfg.OnRetry = (attempt, max, delay, ex) =>
    Console.Error.WriteLine($"[Infisical] Attempt {attempt}/{max} failed, retrying in {delay.TotalSeconds}s: {ex.Message}");

If OnRetry is null, transient failures are silently retried. Exhausting all attempts, or encountering a non-network error, throws immediately.

Custom HTTP handler

Use HttpMessageHandlerFactory to customise transport-level behaviour such as SSL certificates or proxies. The library takes ownership of each returned handler.

// Trust a self-signed certificate on a private Infisical instance
cfg.HttpMessageHandlerFactory = () => new HttpClientHandler
{
    ServerCertificateCustomValidationCallback = (_, cert, _, _) =>
        cert?.Thumbprint == "YOUR_CERT_THUMBPRINT";
};

Key mapping

Infisical secret keys are mapped to IConfiguration keys with two transformations applied:

• Double underscores (__) are replaced with : to represent configuration hierarchy, matching the standard .NET convention for environment variables.
• If Prefix is set in the Infisical options, it is prepended to every key.

Given Prefix = "MyApp", a secret named Database__ConnectionString becomes MyApp:Database:ConnectionString in IConfiguration, bindable as:

builder.Services.Configure<DatabaseOptions>(
    builder.Configuration.GetSection("MyApp:Database"));

AOT compatibility

The library is fully AOT and trim compatible. Add the following to your project to take advantage of the configuration binding source generator:

<PropertyGroup>
  <EnableConfigurationBindingGenerator>true</EnableConfigurationBindingGenerator>
</PropertyGroup>