Access roles provide clients with permission to work with secrets. When you add a secret to a role, you can specify exactly which CRUD operations clients can perform for that secret.
Let’s add a static secret to a role using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.
The CLI command to add a secret to a role is:
```
$ akeyless set-role-rule \
    --role-name <role name> \
    --path <secret name with path> \
    --capability <read|create|update|delete|list|deny> \
    --rule-type item-rule
The requested rule was successfully set to the role <role name>
```
- role-name: The name of the role to which to add the static secret.
- path: The full path to the static secret.
- capability: A CRUD operation that clients associated with the role can perform for the secret. Each capability argument can include a single permission: Read, Create, Update, Delete, List, or Deny. Use multiple capability arguments to assign multiple permissions.
- rule type:
For example, to add the AdminCredentials secret in the Admin folder to the SystemAdmin access role, also in the Admin folder, with Read and List permissions, type:
```
$ akeyless set-role-rule \
    --role-name /Admin/SystemAdmin \
    --path /Admin/AdminCredentials \
    --capability read \
    --capability list \
    --rule-type item-rule
The requested rule was successfully set to the role /Admin/SystemAdmin
```
The full list of options for this command is:
```
-r, --role-name                  *The role name to be updated
-p, --path                       *The path the rule refers to
-c, --capability                 *List of the approved/denied capabilities in the path options: [read, create, update, delete, list, deny]
    --rule-type[=item-rule]      item-rule, target-rule, role-rule, auth-method-rule, search-rule, reports-rule
    --profile                    Use a specific profile from your akeyless/profiles/ folder
    --username                   Optional username for various authentication flows
    --password                   Optional password for various authentication flows
    --uid-token                  The universal identity token, Required only for universal_identity authentication
-h, --help                       display help information
    --json[=false]               Set output format to JSON
    --no-creds-cleanup[=false]   Do not clean local temporary expired creds
```
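A pre-flight check for the command above, as an added example that is not part of the Akeyless CLI or documentation: it validates the capability list, emits one `--capability` argument per permission, and prints the resulting command without running it. The helper name `build_item_rule`, the leading-slash path check, and the refusal to mix deny with other capabilities are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Akeyless code: build a validated set-role-rule command.
# The function only prints the command line; it never runs akeyless.

# build_item_rule ROLE PATH CAP [CAP...]  (hypothetical helper name)
# Prints the command on stdout; returns 1 with a message on stderr otherwise.
build_item_rule() (
  role="$1"; path="$2"
  if [ "$#" -lt 3 ] || [ -z "$role" ] || [ -z "$path" ]; then
    echo "usage: build_item_rule ROLE PATH CAP [CAP...]" >&2; return 1
  fi
  shift 2
  # Assumption: a full path starts with "/", as in the page's examples.
  case "$path" in /*) ;; *) echo "not a full path: $path" >&2; return 1 ;; esac
  # Values are emitted inside single quotes, so refuse an embedded quote.
  case "$role$path" in *"'"*) echo "quote in name or path" >&2; return 1 ;; esac
  seen=""; count=0; has_deny=0; args=""
  for cap in "$@"; do
    # Normalise case so "Read" is emitted as the CLI value "read".
    cap=$(printf '%s' "$cap" | tr '[:upper:]' '[:lower:]')
    # Accept only the values listed for --capability on this page.
    case "$cap" in
      read|create|update|delete|list|deny) ;;
      *) echo "unknown capability: $cap" >&2; return 1 ;;
    esac
    case "$seen " in *" $cap "*) continue ;; esac  # skip duplicates
    seen="$seen $cap"; count=$((count + 1))
    if [ "$cap" = deny ]; then has_deny=1; fi
    args="$args --capability $cap"                 # one argument per permission
  done
  # Deny overrides all other operations, so a rule that mixes deny with
  # grants does not do what its author expects; reject it here.
  if [ "$has_deny" -eq 1 ] && [ "$count" -gt 1 ]; then
    echo "deny overrides other capabilities; pass it alone" >&2; return 1
  fi
  printf "akeyless set-role-rule --role-name '%s' --path '%s'%s --rule-type item-rule\n" \
    "$role" "$path" "$args"
)

# Constructed sample call, mirroring the page's SystemAdmin example.
build_item_rule /Admin/SystemAdmin /Admin/AdminCredentials Read list
```

Review the printed command against the intended grant before running it; the narrower the capability list, the smaller the exposure if a client bound to the role is compromised.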
Let’s add a static secret to a role from the Akeyless Console. If you’d prefer, see how to do this from the Akeyless CLI instead.
1. Log in to the Akeyless Console and go to Access Roles.
2. Select the role to which you want to add the secret.
3. Select the Secrets & Keys tab, then select Add.
4. In the Associate Rules of Secrets & Keys dialog box, in the Restrict to the following path field, enter the full path to the static secret.
5. From the Allow the following actions options, select the CRUD operation(s) that clients associated with the role can perform for the secret.
   Deny overrides all other operations.
6. Select Add.