feat(relay): add resource identity auth for relays#6515
Merged
saifsmailbox98 merged 24 commits on May 22, 2026
Conversation
Extends the resource auth method abstraction (built for gateways) to relays, allowing org relays to authenticate via enrollment tokens or AWS IAM instead of requiring a machine identity.

Backend:
- Migration: add relayId to resource_auth_methods, tokenVersion to relays
- Auth: RELAY_ACCESS_TOKEN / ActorType.RELAY / AuthMode.RELAY_ACCESS_TOKEN
- Resource auth method service extended for relay resources
- New v2 relay router (create, get, patch, login, connect, heartbeat, generate-enrollment-token, revoke)
- New relay service methods (createRelay, connectRelay, heartbeatRelay)
- RevokeRelayAccess permission added
- Audit log events for relay create/delete/enrollment-token
- v1 org relay endpoints hidden from API docs (still functional)

Frontend:
- Relay detail page with auth method display, edit modal, deploy section
- Reworked deploy modal: resource auth flow (name + host → create → token)
- Clickable relay rows navigate to detail page
- API hooks: useCreateRelay, useGetRelayById, useUpdateRelayAuthMethod, useGenerateRelayEnrollmentToken, useRevokeRelayAccess
- RevokeRelayAccess in permission types, role editor, Zod schema
- Deleted old machine-identity deployment method components

Existing relays on machine identity auth and instance relays on RELAY_AUTH_SECRET are completely unaffected.
Replaces the table-based list views and separate detail pages with a split view layout using v3 components:
- Left card: searchable item list with health dot indicators
- Right card: inline detail panel with general info, auth method, deploy button, connected resources
- Gateways/Pools sub-tabs using v3 filled Tabs
- Responsive: stacks on mobile (<1100px) with back button
- Create buttons at section level (Create Gateway / Create Pool / Create Relay)
- Relay deploy modal simplified to name + host only (no auth method step)
- Deleted old GatewayTab, RelayTab, PoolDetailSheet, and standalone detail page components (GatewayPageHeader, GatewayDetailsCard, etc.)

All existing modals, API hooks, and permissions unchanged.
… and relays" This reverts commit 25ff699.
…lth status
- Add GET /v2/relays/:relayId/gateways endpoint returning gateways connected to a relay, permission-gated by ListRelays only
- Add RelayConnectedGatewaysSection with accordion grouping by health status (Healthy/Unreachable/Unregistered), matching the gateway connected resources pattern
- Rework relay create modal: name + host only, navigates to detail page on success (deploy command available there)
- Fix relay list health status bug: no heartbeat was showing "Healthy" instead of "Unregistered"
- Make relay list rows clickable (navigate to detail page for org relays)
- Rename "Deploy Relay" → "Create Relay" button and modal title
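The health-status bug and the accordion grouping in the commit above are illustrated by the following added example. It is not Infisical's code: the 60-second staleness window, the `RelayRow` shape and the function names are assumptions; the sample rows are constructed.

```typescript
// Added example (not Infisical's code): derive a relay's health label from its last
// heartbeat and group relays for the Healthy/Unreachable/Unregistered accordion.
// The 60s staleness window and the field names are assumptions.

type RelayHealth = "Healthy" | "Unreachable" | "Unregistered";

// heartbeat: ISO-8601 timestamp of the last heartbeat, or null if the relay never connected.
interface RelayRow { name: string; heartbeat: string | null }

const STALE_AFTER_MS = 60_000;

function relayHealth(heartbeat: string | null | undefined, nowMs: number): RelayHealth {
  // No heartbeat ever recorded means the relay never connected: never report it Healthy.
  if (heartbeat == null) return "Unregistered";
  const seen = Date.parse(heartbeat);
  if (Number.isNaN(seen)) return "Unregistered"; // unparsable timestamp is treated as absent
  return nowMs - seen <= STALE_AFTER_MS ? "Healthy" : "Unreachable";
}

// Group relay names by health, in the order the accordion sections are shown.
function groupByHealth(rows: RelayRow[], nowMs: number): Record<RelayHealth, string[]> {
  const groups: Record<RelayHealth, string[]> = { Healthy: [], Unreachable: [], Unregistered: [] };
  for (const r of rows) groups[relayHealth(r.heartbeat, nowMs)].push(r.name);
  return groups;
}

// Constructed sample: one fresh, one stale, one never-connected relay.
const NOW = Date.parse("2026-05-22T12:00:00Z");
const sampleRows: RelayRow[] = [
  { name: "edge-fresh", heartbeat: "2026-05-22T11:59:30Z" },
  { name: "edge-stale", heartbeat: "2026-05-22T11:50:00Z" },
  { name: "edge-new", heartbeat: null },
];

console.log(groupByHealth(sampleRows, NOW));
```

The null check comes first and returns the weakest label, so a missing heartbeat can never fall through to the "fresh" branch.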
…ixes
- Add host update to PATCH /v2/relays/:relayId with EditRelays permission and verifyHostInputValidity check
- Add Edit Relay dialog on detail page General section (matching auth method edit pattern)
- Add ActorType.RELAY to audit-log plugin (fixes 400 on relay connect)
- Add orgId mismatch check in inject-identity for RELAY_ACCESS_TOKEN
- Eliminate redundant DB fetch in PATCH handler (updateRelay result reused instead of separate getRelayById)
- Add audit log for host updates
- Frontend mutation only sends defined fields (omits undefined host/authMethod)
- Rename useUpdateRelayAuthMethod → useUpdateRelay, accept optional host
- Add createdAt + heartbeat subtitle to connected gateways rows
- Align name validation with v1 slugSchema (1-32 chars)
…ort fix
- Add resource type check on loginWithToken result in both relay v2 and gateway v3 login handlers: reject enrollment tokens belonging to the wrong resource type with 400 before audit-logging
- Add RELAY_UPDATE event type and use it for host updates in PATCH handler (was incorrectly using RELAY_CREATE)
- Include host value in RELAY_UPDATE audit metadata
- Add RELAY_UPDATE to frontend audit log enum + display name
@claude review once |
- Wire RELAY_DELETE audit event in v1 delete handler - Invalidate relay list query on update (fixes stale host in list) - Replace token-only deploy dialog with unified RelayDeployCommandDialog that handles both token and AWS auth methods - Delete old RelayEnrollmentTokenDialog (superseded)
- Rewrite relay CLI docs with enrollment-based auth as primary flow (token and AWS methods), legacy machine identity as secondary - Add revoke-relay-access to organization permissions reference
carlosmonastyrski requested changes on May 20, 2026
…t token Move the resource type check from the route handlers into loginWithToken itself, before the consumption transaction. Prevents a cross-resource token from being burned on the wrong endpoint — the token stays intact and a clear 400 is returned.
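The ordering described in the commit above (type check before the consumption transaction, so a cross-resource token is not burned) is shown by this added example. It is not Infisical's code: `EnrollmentToken`, `TokenStore`, `HttpError` and the in-memory consume step stand in for the real resource auth method service, and the sample token is constructed.

```typescript
// Added example (not Infisical's code): enrollment-token login that validates the
// token's resource type *before* the consume step, so a token minted for a gateway
// that is presented to the relay login endpoint is rejected with 400 and left intact.
// Names (ResourceType, EnrollmentToken, TokenStore, loginWithToken) are assumptions.

type ResourceType = "gateway" | "relay";

interface EnrollmentToken {
  id: string;
  resourceType: ResourceType;
  resourceId: string;
  orgId: string;
  expiresAt: number;          // epoch ms
  consumedAt: number | null;  // one-time token: set once it has been used
}

class HttpError extends Error {
  constructor(public status: number, message: string) { super(message); }
}

// In-memory stand-in for the token lookup and the consumption transaction.
class TokenStore {
  private tokens = new Map<string, EnrollmentToken>();
  seed(t: EnrollmentToken): void { this.tokens.set(t.id, t); }
  get(id: string): EnrollmentToken | undefined { return this.tokens.get(id); }
  // "Consumption transaction": mark the one-time token as used, refusing a second use.
  consume(id: string, now: number): void {
    const t = this.tokens.get(id);
    if (!t || t.consumedAt !== null) throw new HttpError(401, "token already used");
    t.consumedAt = now;
  }
}

interface LoginResult { resourceId: string; orgId: string; resourceType: ResourceType }

// expectedType is fixed by the endpoint: "relay" for the relay login route, "gateway" for the gateway one.
function loginWithToken(store: TokenStore, tokenId: string, expectedType: ResourceType, now: number = Date.now()): LoginResult {
  const t = store.get(tokenId);
  if (!t) throw new HttpError(401, "unknown token");
  if (t.expiresAt <= now) throw new HttpError(401, "token expired");
  // The type check runs before consume: a mismatch must not burn the token.
  if (t.resourceType !== expectedType) {
    throw new HttpError(400, `token is for a ${t.resourceType}, not a ${expectedType}`);
  }
  store.consume(tokenId, now);
  return { resourceId: t.resourceId, orgId: t.orgId, resourceType: t.resourceType };
}

// Constructed scenario: a gateway token hits the relay login route, then the correct route.
function demo(): { status: number; stillUsable: boolean; resourceId: string; secondUseStatus: number } {
  const store = new TokenStore();
  store.seed({ id: "tok-gw", resourceType: "gateway", resourceId: "gw-1", orgId: "org-1", expiresAt: 2_000, consumedAt: null });
  let status = 0;
  try { loginWithToken(store, "tok-gw", "relay", 1_000); } catch (e) { status = (e as HttpError).status; }
  const stillUsable = store.get("tok-gw")!.consumedAt === null;
  const ok = loginWithToken(store, "tok-gw", "gateway", 1_000);
  let secondUseStatus = 0;
  try { loginWithToken(store, "tok-gw", "gateway", 1_500); } catch (e) { secondUseStatus = (e as HttpError).status; }
  return { status, stillUsable, resourceId: ok.resourceId, secondUseStatus };
}

console.log(demo());
```

Had the type check been done on the result after consumption, the first call would have returned 400 but `stillUsable` would be false, and the operator would have to mint a new token.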
Route handlers (GET and PATCH) now use getOrgRelay which filters by orgId, instead of the bare getRelayById. getRelayById stays as-is for inject-identity.ts where org context isn't available yet.
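The org-scoped lookup in the commit above, together with the orgId mismatch check on RELAY_ACCESS_TOKEN from the earlier "inject-identity" commit, is illustrated by this added example. It is not Infisical's code: the `Relay` and `RelayClaims` shapes, the in-memory table and the use of `tokenVersion` as the revocation check are assumptions, and the two relays are constructed.

```typescript
// Added example (not Infisical's code): org-scoped relay lookup for route handlers
// plus the orgId / tokenVersion checks applied when a RELAY_ACCESS_TOKEN is injected.
// Relay, RelayClaims, the in-memory table and the function names are assumptions.

interface Relay {
  id: string;
  orgId: string | null;   // null for instance relays (not org-owned)
  name: string;
  host: string;
  tokenVersion: number;   // assumed: bumped on revoke so outstanding tokens stop matching
}

interface RelayClaims {
  actorType: "relay";
  relayId: string;
  orgId: string;
  tokenVersion: number;
}

class HttpError extends Error {
  constructor(public status: number, message: string) { super(message); }
}

// Constructed sample table: two orgs, one relay each.
const relayTable: Relay[] = [
  { id: "relay-a", orgId: "org-a", name: "edge-a", host: "relay-a.example.internal", tokenVersion: 2 },
  { id: "relay-b", orgId: "org-b", name: "edge-b", host: "relay-b.example.internal", tokenVersion: 1 },
];

// Unscoped lookup: only for identity injection, where the org is not known yet.
function getRelayById(relayId: string): Relay | undefined {
  return relayTable.find((r) => r.id === relayId);
}

// Scoped lookup for GET/PATCH handlers: a relay in another org is indistinguishable
// from a non-existent one, so no existence oracle leaks across tenants.
function getOrgRelay(orgId: string, relayId: string): Relay {
  const relay = relayTable.find((r) => r.id === relayId && r.orgId === orgId);
  if (!relay) throw new HttpError(404, "relay not found");
  return relay;
}

// Identity injection for a RELAY_ACCESS_TOKEN whose signature has already been verified.
// Returns the actor context a route handler would see.
function injectRelayIdentity(claims: RelayClaims): { actorType: "relay"; relayId: string; orgId: string } {
  if (claims.actorType !== "relay") throw new HttpError(401, "not a relay token");
  const relay = getRelayById(claims.relayId);
  if (!relay) throw new HttpError(401, "relay no longer exists");
  // The token's orgId must match the relay's; otherwise a token could be replayed into another org.
  if (relay.orgId === null || relay.orgId !== claims.orgId) {
    throw new HttpError(401, "token orgId does not match relay orgId");
  }
  if (relay.tokenVersion !== claims.tokenVersion) {
    throw new HttpError(401, "relay access revoked");
  }
  return { actorType: "relay", relayId: relay.id, orgId: relay.orgId };
}

// Returns the HTTP status an attempt would produce (0 = success).
function statusOf(fn: () => unknown): number {
  try { fn(); return 0; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}

console.log(statusOf(() => getOrgRelay("org-b", "relay-a"))); // cross-org read
```

Returning 404 rather than 403 from the scoped lookup keeps the response identical for "wrong org" and "does not exist".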
…or heartbeat Add optional timeoutMs to createRelayConnection (default 100s for backward compat). Heartbeat callers (v1 and v2) now pass 15s — a health probe doesn't need 100s to determine reachability. Also fixes the log message that said "120 seconds" when the actual timeout was 100s.
- Replace machine identity provisioning step with "Create the Relay in the UI" step matching the gateway deployment pattern
- Update CLI commands to use --enroll-method with token/AWS auth
- Update terraform user_data to use enrollment token instead of machine identity token
- Keep FAQ, network/firewall, and general structure unchanged
carlosmonastyrski approved these changes on May 22, 2026
Context
Move relays to resource identity auth (same abstraction gateways use). Relays can now authenticate via enrollment tokens or AWS IAM without needing a machine identity.
Existing machine identity relays and instance relays are unaffected.
CLI companion: Infisical/cli#237