Command Line Interface (CLI)

There are a handful of ways to interact with the Akeyless Vault Platform for managing, creating, and fetching multiple types of supported secrets. One of them is our Command Line Interface (CLI), which is purpose-built to serve your custom automation scripts (usually within a CI/CD pipeline or backup process), as well as human DevOps/Software engineers. For a full list of the available CLI command, see the CLI reference.

Akeyless Vault CLI has a pre-compiled binary version for Linux, macOS, and Windows which can be easily installed.

Download and Install

If you don’t already have an Akeyless account, register for an account with Akeyless Vault Platform here.


Zero Knowledge with Akeyless CLI

In case you are working with your own Fragment, please create the following environment variable to point your CLI to interact with the relevant Gateway:

export AKEYLESS_GATEWAY_URL=https://Your_GW_URL:8080

Run the following command with Admin privileges to download and install the CLI binary.

curl -o akeyless
chmod +x akeyless
curl -o akeyless
chmod +x akeyless
curl -o akeyless
chmod +x akeyless
curl -o akeyless.exe

To pull the latest CLI version from the Akeyless official bucket, please make sure the following endpoint is trusted:


Or using Homebrew package manager:

brew tap akeylesslabs/tap
brew install akeyless


At the first time you run any command, the CLI will prompt you to authenticate to Akeyless.



PowerShell ISE does not support interactive input mode. Please work with the PowerShell cmdlet to set up the Akeyless CLI.

To work directly with Akeyless SaaS services, use the Default URL

At the prompt Would you like to configure a profile (Y/n) line, type Y. Then, type a name to rename the default profile, or press Enter to leave the name as default.

You can configure various types of authentication methods from the CLI:

  1. API Key (access_key)
  2. AWS IAM (aws_iam)
  3. Azure Active Directory (azure_ad)
  4. SAML (saml)
  5. LDAP (ldap)
  6. Password (email/password)
  7. OIDC (oidc)
  8. K8s (k8s)
  9. GCP (GCP)

For more information about authentication methods, see Authentication Methods.

For example, you can use your email & password or an API Key.

akeyless configure --admin-email yourEmailAddress
#configure a profile
akeyless configure
Access ID:  p-abc12de
Access Key: <Your Access Key>
Profile default successfully configured
akeyless configure --access-type ldap
Access ID:  p-abc12de
Ldap Proxy URL: https://<Your Akeyless Gateway URL>
Profile ldap successfully configured



If you don’t enter the correct credentials, for security reasons, the Akeyless CLI will not give you an error message. An error message will be received when you attempt to run commands.

At the prompt Would you like to add AKEYLESS-CLI to PATH (...)? (Y/n) line, type Y.

You are now ready to use the CLI.

Run the create-secret command similar to the following:

akeyless create-secret --name MySecret1 --value MySecretPassword

For more information about authentication methods, see Authentication Methods

Working with Profiles

Akeyless has the option to work with profiles. Different profiles can be linked with different authentication methods, and from there also linked with different permissions associated with them.
As described above, the default profile is set up when you first open the CLI, and will be used to perform any command until more profiles are configured.
To see which profiles exist on your machine, go to the .akeyless folder that was created on your machine during the installation, it should be located in your home folder on Linux or under your <username> folder in Windows.
Under the .akeyless folder you will see a folder named profiles, within there is a TOML file for each profile.

If you wish to configure a new profile, use the following command:

akeyless configure --profile <profile name> --access-id <Access id> --access-key <Access key> --access-type access_key

While the default method is an API access key, if you wish to use a different authentication method please consult the CLI reference for this command.

After you've created an additional profile, simply add the --profile parameter with the profile name to any akeyless command to perform it from that profile.


If you are trying to perform an action with a certain platform and are denied access, it is important you check the two following settings:

  • Permissions: Make sure the authentication method you created the profile with is associated with the proper role that has the authority to perform the action you tried.
  • Profile TOML: As discussed in the following section, creating a profile will create a corresponding TOML file. The general structure of these files, if opened in a text editor, is:
["<profile name>"]
  access_id = '<Access ID>'
  access_type = 'access_key'
  access_key = '<Access Key>'

The parameters may change based on your access type. In the file, you may check that everything is spelled correctly and matches the authentication method you chose.