Akeyless Vault

The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.

Documentation

CLI reference

Suggest Edits

This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:

$ akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug

Use the CLI as follows:

Download and install

Update your installation

Update the CLI

Static secrets

create-secret

Create new static secrets and configure their values.

Synopsis

akeyless create-secret --name mySecret1 --value MyPasswordString

Mandatory Options

--name
Assign a unique name to the secret.

--value
Enter the value of the secret, which is the password string.

Optional

-m, --metadata This is especially handy when the name of the secret is generic or not specific enough.
-t, --tag Use tags as an extra tool for organizing and searching secrets. If the tag you want hasn't yet been created, you can add it as part of secret creation. Use commas to create or indicate mutiple tags: -t Tag1 -t Tag2
-k, --key Choose an Encryption Key to be used to encrypt your secret. Leave the field empty in order to use the default (protectionKey) system key.
--multilineThe provided value is a multiline value (separated by '\n')

Output

From the CLI, the following notification appears:
A new secret named NAME was successfully created.

The static secret can also be found from the UI of the Vault as well.

update-secret-val

Update the password for an existing static secret.

Synopsis

akeyless update-secret-val --name mySecret1 --value "new value"

Mandatory Options

--name
Enter the name of the existing secret that you want to update.

--value
Enter the new value for the secret, which is the password string.

Optional

-k, --key Choose an Encryption Key to be used to encrypt your secret. Leave the field empty in order to use the default (protectionKey) system key.
--multilineThe provided value is a multiline value (separated by '\n')
--new-versionCreate a new version for the secret when updating additional values.
For other data, such as metadata or tags, use update-item as described in Commands for all items and objects.

Output

The value of the secret mySecret1 was successfully created.

The new value can also be viewed from the UI of the Vault as well.

get-secret-value

Retrieve the password of a given secret.

Synopsis

akeyless get-secret-value --name mySecret1

Mandatory Options

--name
Enter the name of the existing secret that you want to update.

Optional

--version
Get the value of a specific version of the secret.
See Updating and versioning static secrets for information about this value.

Output

The password for the specified secret is returned.

View all static secret versions

Use describe-item --name NAME --show-versions to show the list of versions for a specified static or dynamic secret. See Commands for all items and objects and also Updating and versioning static secrets for details.

rollback-secret

Replace the current version with a previously used version of the static secret password.

Synopsis

akeyless rollback-secret -n /secret1 --old-version 2

Mandatory Options

--name
Enter the name of the secret that you want to update with one of its previous versions.

--old-version
Enter the number of the previous version to which you want to roll the secret back. This version must be older than the current version.

Optional

--version
Get the value of a specific version of the secret.
See Updating and versioning static secrets for information about this value.

Output

Secret /secret1 was successfully rolled back to version 2.

Delete the static secret

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Encryption keys

create-key

Create a new encryption key.

Synopsis

Options

-n, --name Key name
-a, --alg Key type. options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048]
-m, --metadata Metadata about the key
-t, --tag List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] The number of fragments that the item will be split into (not includes customer fragment)
-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment)
--profile Use a specific profile from your ~/.akeyless/profiles folder
--username Required only when the authentication process requires a username and password
--password Required only when the authentication process requires a username and password
--uid-token The universal identity token, Required only for universal_identity authentication
-h, --help display help information
--debug[=false] Turn on debug logging

Output

rotate-key

Rotates an existing key, creating a new version of it

Synopsis

Options

Output

get-rsa-public

Obtain the public key from a specific RSA private key

upload-pkcs12

Upload a PKCS#12 key and certificates

upload-rsa

Upload RSA key

encrypt

Encrypts plaintext into ciphertext by using an AES key

encrypt-file

Encrypts a file by using an AES key

encrypt-pkcs1

Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5

decrypt

Decrypts ciphertext into plaintext by using an AES key

decrypt-file

Decrypts a file by using an AES key

decrypt-pkcs1

Decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5

sign-pkcs1

Calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5

verify-pkcs1

Verifies an RSA PKCS#1 v1.5 signature

gen-customer-fragment

Generate customer fragment

Delete a key

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

set-item-state

Indicate whether the item should be enabled or disabled.

####Mandatory Options
--name
Current item name

-s, --desired-state
Indicate whether to enable or disable the item.

Optional

--version
The specific version you want to update.

SSH certificates

get-ssh-certificate

Generates SSH certificate.

Synopsis

Options

Output

create-ssh-cert-issuer

Creates a new SSH certificate issuer.

Synopsis

Options

Output

Delete a certificate

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

PKI certificates

get-pki-certificate

Generates PKI certificate.

Synopsis

Options

Output

create-pki-cert-issuer

Creates a new PKI certificate issuer.

Synopsis

Options

Output

get-kube-exec-creds

Get credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer.

Synopsis

Options

Output

Delete a certificate

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Commands for all items and objects

describe-item

Returns the item details, which varies depending on the type of item.

Synopsis

akeyless describe-item --name ItemName 
akeyless describe-item --name ItemName --version VersionNumber
akeyless describe-item --name ItemName --show-versions

Mandatory Options

--name

Optional

--version
Specific item version to describe

--show-versions[=false]
Include all item versions in reply

Output

With only --name specified, the command returns all details about the specified item except for its version.

When a version number is specified, the command returns all details about the specified item for the specified version.

When --show-versions is specified, the command returns all details about the specified item including a full list of versions, their creation dates and their encryption keys for any version for which a key other than the default was used.

update-item

Update item name, metadata or tags.

❗️

Secret versioning

No updates made with update-item can be saved as part of new versions, which means that these changes override existing data. If you wish to track these updates as part of secret versioning, first create a new version with update-version-val. You can create a new version value using the same value for the current version if you don't wish to actually change the value. Thereafter, run update-item.

Synopsis

akeyless update-item --name ExistingNameofSecret --new-name NewName
akeyless update-item --name NameofSecret --new-metadata UpdateDescription
akeyless update-item --name NameofSecret --add-tag NewTagAdded
akeyless update-item --name NameofSecret --rm-tag Tag1

Mandatory Options

--name
The current name of the item

Optional

--new-name
The name that should now be assigned to the item.

--new-metadata[=default_metadata]
The new description for the item.

--add-tag
List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2

--rm-tag
List of the existing tags that should be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2

Output

The item was successfully updated

delete-item

Delete an item or an item version

-n, --name *Item name
--version[=-1] The specific version you want to delete - 0=last version, -1=entire item with all versions (default)
--delete-in-days[=7] The number of days to wait before deleting the item (relevant for keys only)
--delete-immediately[=false] When delete-in-days=-1, must be set

delete-items

Delete multiple items from a given path

list-items

Returns a list of all accessible items

move-objects

Move/Rename objects
-s, --source Source path to move the objects from
-t, --target Target path to move the objects to
-o, --objects-type[=item] The objects type to move (item/auth_method/role)

Authentication

auth

Authenticate to the service and returns a token to be used as a profile to execute the CLI without the need for re-authentication

Options

  --access-id                  Access ID
  --access-type[=access_key]   Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt)
  --access-key                 Access key (relevant only for access-type=access_key)
  --cloud-id                   The cloued identity (relevant only for access-type=azure_ad,awd_im)
  --uid_token                  The universal_identity token (relevant only for access-type=universal_identity)
  --jwt                        The Json Web Token (relevant only for access-type=jwt/oidc)
  --admin-password             Password (relevant only for access-type=password)
  --admin-email                Email (relevant only for access-type=password)
  --ldap_proxy_url             Address URL for LDAP proxy (relevant only for access-type=ldap)
  --username                   LDAP username (relevant only for access-type=ldap)
  --password                   LDAP password (relevant only for access-type=ldap)

Synopsis

Options

Output

create-auth-method

Create a new Auth Method in the account

create-auth-method-azure-ad

Create a new Auth Method that will be able to authenticate using Azure Active Directory credentials

create-auth-method-aws-iam

Create a new Auth Method that will be able to authenticate using AWS IAM credentials

create-auth-method-oauth2

Create a new Auth Method that will be able to authenticate using OpenId/OAuth2

create-auth-method-ldap

Create a new Auth Method that will be able to authenticate using LDAP

create-auth-method-saml

Create a new Auth Method that will be able to authenticate using SAML

create-auth-method-universal-identity

Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity

get-auth-method

Returns an information about the Auth Method

list-auth-methods

Returns a list of all the Auth Methods in the account

delete-auth-method

Delete the Auth Method

delete-auth-methods

Delete multiple auth methods from a given path

reverse-rbac

See which authentication methods have access to a particular object

configure

Configure client profile.

unconfigure

Remove Configuration of client profile.

Dynamic secrets

create-dynamic-secret Creates a new dynamic secret item
get-dynamic-secret-value Get dynamic secret value

Delete the static secret

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Roles

create-role

Creates a new role

get-role

Get role details

update-role

Update role details

list-roles

Returns a list of all roles in the account

delete-role

Delete a role

delete-roles

Delete multiple roles from a given path

set-role-rule

Set a rule to a role

delete-role-rule

Delete a rule from a role

assoc-role-am

Create an association between role and auth method

delete-assoc

Delete an association between role and auth method

Delete a role

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Akeyless universal token

uid-list-children

List the token children ids of Akeyless Universal Identity

uid-revoke-token

Revoke token using Akeyless Universal Identity

uid-generate-token

Generate a new token using Akeyless Universal Identity

uid-rotate-token

Rotate token using Akeyless Universal Identity(aliases rotate-token,uid-send-manual-rotate-ack)

uid-create-child-token

Create a new child token using Akeyless Universal Identity

get-cloud-identity

Get Cloud Identity Token (relevant only for access-type=azure_ad,aws_iam)

Delete a token

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

📘

Writing commands - generating secrets

The default Akeyless Vault behavior is that the write commands (generate secrets) are performed to the main region of Akeyless Vault, while the read commands (fetch secrets) are performed on the nearest region to you, in order to minimize latency.
If you wish to change that, in order to work only with the master region, please add
optimise_dns_disable=true in the settings file.

Updated 2 months ago

CLI reference

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.