Akeyless Connect

Akeyless connect provides you with secure CLI access to resources or a secure tunnel from any UNIX terminal.


To use Akeyless Connect you need:



Akeyless connect command supports legacy ~/.akeyless-sphere.rc configuration file.

Starting from Windows 10, Microsoft supports the native feature "Windows Subsystem for Linux."
This feature enables users to utilize their Windows OS environment as a UNIX-like system.

To work with the akeyless-connect command from the Windows machine, place the .akeyless-connect.rc script on your home directory.

Set Up Akeyless Connect

  1. Download the latest version of Akeyless Command Line Interface (CLI).

  2. Create a resource file called ~/.akeyless-connect.rc as follows:

# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# AKEYLESS_PROFILE - Akeyless CLI profile to be used

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages

# Use SSH Agent to store user's identity keys.

The latest version of this file can be found in Akeyless official artifacts.

Set the following settings as follow:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the default profile that will be used from your Akeyless Command Line Interface (CLI). By default, it's using the default profile of your Akeyless CLI.

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.

Optional when working with Application Load Balancers, you can set the exact path of your ssh-sra service, which listens to the bastion api control port:

BASTION_API_PREFIX - Set your path prefix as your load balancer settings.

BASTION_API_PATH - Set your path as your load balancer settings.

Where the URL will be set as follow:


  1. Use the akeyless connect command to connect to a resource through the Secure Remote Access Bastion:
akeyless connect -t  <[[email protected]]target/hostname/ip[:port]> via <sra-bastion-ssh-sra-service/ip[:port]>

Full options list:

-t, --target                     *Target resource, example formats: [email protected][:port], us-east-2, mysql-server:3306, etc.
-v, --via-bastion                 Bastion host, which the connection will go through. e.g.: bastion-host:port. 
-c, --cert-issuer-name            Akeyless Certificate Issuer Name. If not specified will be taken from ~/.akeyless-connect.rc 
-i, --identity-file               Selects a file from which the identity (private key) for public key authentication is read.  The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.
-n, --secret-name                 Path to Secret, based on the required connection
    --ssh-extra-args              Additional SSH arguments (except -i)
    --bastion-ctrl-proto[=http]   Bastion API Protocol [http/https]
    --bastion-ctrl-subdomain      Bastion control API URL prefix. e.g. https://<prefix>.bastion-host
    --bastion-ctrl-path           Bastion control API path. e.g. https://bastion-host/<path>
    --bastion-ctrl-port[=9900]    Bastion control API port. e.g. https://bastion-host:<7777>
    --gateway-rest-endpoint       Gateway RestAPI URL. e.g. https://rest.akeyless.io
    --profile                     Use a specific profile from your akeyless/profiles/ folder



For network access through the bastion, please use the -c cert issue name option. For access without read permission on the cert issuer item, you can simply pass the command with -n cert issuer name to get access based on the bastions allowed users list where the bastion will request the secret on your behalf.

akeyless connect -t [email protected][:port] -v <via-sra-bastion-ssh-service>


akeyless connect -t us-east-1 -c my-ssh-cert-issuer -v <via-sra-bastion-ssh-service>:<port> -n "<Path to AWS Dynamic Secret>"

In case you already defined the Cert Issuer inside the akeyless-connect.rc file you can use:

akeyless connect -t us-east-1 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to AWS Dynamic Secret>"


akeyless connect -t <mongo server IP>:27017 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to MongoDB Dynamic Secret>"


akeyless connect -t <mysql-server>:3306 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to MySQL Dynamic Secret>"


akeyless connect -t us-east-1 -v <via-sra-bastion-ssh-service>:<port> -n "<Path to EKS Dynamic secret>"

Non- interactive connection to K8s:


AKEYLESS_PARAM='get pod' akeyless connect -t <k8 cluster endpoint> -v <via-sra-bastion-ssh-service> -n "Path To K8s Dynamnic Secret" --ssh-extra-args "non-interactive"


$env:AKEYLESS_PARAM = 'get pods'; .\akeyless.exe connect -t <k8 cluster endpoint> -v <via-sra-bastion-ssh-service> -n "Path To K8s Dynamnic Secret" --ssh-extra-args "non-interactive"

What’s Next
Did this page help you?