Skip to content

CLI cannot access projects across multiple organizations without re-logging in #299

Description

@fdarian

Summary

The CLI cannot access projects across more than one organization within a single login. If my account belongs to org A and org B, infisical login makes me pick one org, and infisical run then only works for projects in that org. Running it in a project that lives in the other org fails, even though my account has access to both.

Steps to reproduce

  1. Have an account that belongs to two organizations, A and B, each with at least one project.
  2. infisical login and select org A.
  3. cd into a project whose .infisical.json points at a workspace in org B.
  4. infisical run -- printenv

Expected

Secrets for the org-B project are fetched, since my account has access to org B.

Actual

The request is rejected (not authorized / project not found). The only workaround is to infisical login again and select org B, which then breaks projects in org A. There is no way to work across both orgs without re-logging in each time you switch.

The existing login-time org flags (--organization-id in #43, --organization-slug in #143) pick the org at login and so don't cover this: the problem is running against a second org within a session, not choosing which single org to log into.

Proposed solution

The re-scoping mechanism already exists: infisical init lets a logged-in user pick a different organization mid-session and calls POST /v3/auth/select-organization to mint a token scoped to the chosen org, without re-entering credentials. The same call can be reused in the secrets-fetch path:

  • Record the selected organizationId in .infisical.json at infisical init time (optional field, backward compatible).
  • Add an --organization-id flag to infisical run, plus an INFISICAL_ORGANIZATION_ID env var.
  • When a target org is resolved (flag, then env, then .infisical.json) and it differs from the current token's org, mint a token for that org via select-organization and use it for that invocation only. When no target org is set, behavior is unchanged.

This keeps single-org usage identical and lets a multi-org user run against any org they already have access to without re-logging in. I have an implementation ready in a PR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions