Access roles provide clients with permission to work with secrets. When you add a secret to a role, you can specify exactly which CRUD operations clients can perform for that secret.
By default, the account owner has full privileged permissions in Akeyless. You manage other users' access roles and permissions by associating Akeyless Platform Authentication Methods with Access Roles, so that each user is granted only the minimum permissions they need.
Let’s add a static secret to an existing role using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.
The CLI command to add a secret to a role is:
```
akeyless set-role-rule \
  --role-name <role name> \
  --path <secret name with path> \
  --capability <read|create|update|delete|list|deny> \
  --rule-type item-rule
```
- `role-name`: The name of the role to which to add the static secret.
- `path`: The full path to the static secret.
- `capability`: A CRUD operation that clients associated with the role can perform for the secret. Each `--capability` argument can include a single permission, either one of `read`, `create`, `update`, `delete` or `list`, or `deny`. Use multiple `--capability` arguments to assign multiple permissions.
For example, to add the AdminCredentials secret in the Admin folder to the SystemAdmin access role, also in the Admin folder, with Read and List permissions, type:
```
akeyless set-role-rule \
  --role-name /Admin/SystemAdmin \
  --path /Admin/AdminCredentials \
  --capability read \
  --capability list \
  --rule-type item-rule
```
The response should be like this:
```
$ The requested rule was successfully set to the role /Admin/SystemAdmin
```
You can find the complete list of parameters for this command in the CLI Reference - Access Roles section.
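As an added example (not Akeyless's own tooling), the POSIX shell function below assembles a `set-role-rule` item-rule call from a role name, a secret path and one or more capabilities, rejecting unknown capability values and refusing to combine `deny` with other capabilities, since deny overrides everything else and mixing them is almost certainly a mistake. The function only prints the command line; running it is left to the caller, and the assumption is that the `akeyless` CLI is installed and authenticated when the printed command is executed.

```shell
#!/bin/sh
# Added example: build a validated `akeyless set-role-rule` command line.
# Assumes the akeyless CLI is installed and authenticated if you execute
# the printed command (this script itself does not call akeyless).

# Capability values documented for --capability (assumption: no others exist).
ALLOWED_CAPS="read create update delete list deny"

# valid_capability CAP -> returns 0 if CAP is one of the documented values.
valid_capability() {
    for c in $ALLOWED_CAPS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# build_role_rule ROLE PATH CAP [CAP...] -> prints the command line, or
# returns 1 (with a message on stderr) when the input would produce a
# rule that is invalid or that silently grants nothing because of deny.
build_role_rule() {
    role="$1"; path="$2"; shift 2
    if [ $# -lt 1 ]; then
        echo "at least one capability is required" >&2
        return 1
    fi
    has_deny=0; has_other=0
    cmd="akeyless set-role-rule --role-name $role --path $path --rule-type item-rule"
    for cap in "$@"; do
        if ! valid_capability "$cap"; then
            echo "unknown capability: $cap" >&2
            return 1
        fi
        if [ "$cap" = deny ]; then has_deny=1; else has_other=1; fi
        # One --capability flag per permission, as the CLI expects.
        cmd="$cmd --capability $cap"
    done
    if [ $has_deny -eq 1 ] && [ $has_other -eq 1 ]; then
        echo "deny overrides all other capabilities; do not combine them" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# Usage: print the command for the example in the text above.
# build_role_rule /Admin/SystemAdmin /Admin/AdminCredentials read list
```

Pipe the printed line into `sh` (or copy it) once you are satisfied with it; keeping the build step separate from execution makes it easy to review which role is being widened before anything changes in the vault.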
Let’s add a static secret to a role from the Akeyless Console. If you’d prefer, see how to do this from the Akeyless CLI instead.
- Log in to the Akeyless Console and go to Access Roles.
- Select the role to which you want to add the secret.
- Select the Secrets & Keys tab, then select Add.
- In the Add Rule for Secrets & Keys dialog box, in the Allow access to the following path * field, enter the full path to the static secret.
- From the Allow the following actions options, select the CRUD operation(s) that clients associated with the role can perform for the secret. Note that Deny overrides all other operations.
- Click Add.