CLI Reference
This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:
akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug
Update Akeyless CLI
Akeyless update
AKEYLESS CLI, Version x.x.x is up-to-date
describe-item
describe-item
Gets the item details
Parameters
Parameter | Description |
---|---|
-n, --name | Item name |
-d, --display-id | The display ID of the item |
-I, --item-id | Item ID of the item |
gateway-details | Display Gateway information |
--show-versions "data" | Include all item versions in reply |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The Universal Identity (UID) token, Required only for universal_identity authentication |
Output
With only --name
specified, the command returns all details about the specified item except for its version.
When a version number is specified, the command returns all details about the specified item for the specified version.
When --show-versions
is specified, the command returns all details about the specified item including a full list of versions, their creation dates, and their encryption keys for any version for which a key other than the default was used.
update-item
update-item
Update item name and description
Please note: mandatory values for this command: -n, --name
Critical
Secret versioning
No updates made with
update-item
can be saved as part of new versions, which means that these changes override existing data. If you wish to track these updates as part of secret versioning, first create a new version withupdate-version-val
. You can create a new version value using the same value for the current version if you don't want to actually change the value. Thereafter, runupdate-item
.
Usage
akeyless update-item --name <Item name> \
--new-name <New item name>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Current item name |
--new-name | New item name |
--description[=default_metadata] | Description of the object |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, "0-1": "**(M |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 (relevant only for ssh cert issuer) |
--secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 (relevant only for ssh cert issuer) |
--secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list (relevant only for ssh cert issuer) |
--secure-access-use-internal-bastion | Use internal SSH Bastion |
--secure-access-ssh-creds | Secret values contains SSH Credentials, either Private Key or Password em name", "h-0": " (relevant only for Static-Secret or Rotated-secret) |
--secure-access-host | Target servers for connections, For multiple values repeat this flag |
--secure-access-add-host | List of the new hosts that will be attached to SRA servers host. To specify multiple tags use argument multiple times: --secure-access-add-host host1 --secure-access-add-host host2 |
--secure-access-rm-host | List of the existent hosts that will be removed from SRA servers host. To specify multiple tags use argument multiple times: --secure-access-rm-host host1 --secure-access-rm-host host2 |
--secure-access-url | Destination URL to inject secrets |
--secure-access-web-browsing | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user (relevant only for RDP Dynamic-Secret) |
--secure-access-rdp-user | Override the RDP Domain username |
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user (relevant only for RDP Dynamic-Secret) |
--secure-access-rdp-user | Override the RDP Domain username |
--secure-access-allow-external-user | Allow providing external user for a domain users (Mandatory)** |
--secure-access-db-schema | The DB schema (relevant only for DB Dynamic-Secret) |
--secure-access-db-name | The DB name (relevant only for DB Dynamic-Secret) |
--secure-access-aws-account-id | The AWS account id (relevant only for AWS Dynamic-Secret) |
--secure-access-aws-region | The AWS region (relevant only for AWS Dynamic-Secret) |
--secure-access-aws-native-cli | The AWS native cli (relevant only for AWS Dynamic-Secret) |
--secure-access-cluster-endpoint | The K8s cluster endpoint URL (relevant only for EKS/GKE/K8s Dynamic-Secret) |
--secure-access-dashboard-url | The K8s dashboard url (relevant only for K8s Dynamic-Secret) |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access (relevant only for EKS/GKE/K8s Dynamic-Secret) |
--rotate-after-disconnect[=false] | Rotate the value of the secret after SRA session ends (Mandatory)** Curre (relevant only for Rotated-secret on SRA) |
--delete-protection | Protection from accidental deletion of this item, (Mandatory)** C |
-c, --cert-file-path | Path to a file that contain the certificate in a PEM format. Used for updating RSA keys' certificates. |
--cert-file-data | PEM Certificate in a Base64 format. Used for updating RSA keys' certificates. |
--accessibility "data": | In case of an item in a user's personal folder (Mandatory)** Curr |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
set-item-state
set-item-state
Set an item's state (Enabled, Disabled)
Note: mandatory values for this command: -n, --name
, -s, --desired-state
Usage
akeyless set-item-state --name <Current item name> \
--desired-state <Desired item state [Enabled, Disabled]>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Current item name |
-s, --desired-state | (Mandatory) Desired item state |
--version[=0] | The specific version you want to update: 0=item level state (default) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The Universal Identity (UID) token, Required only for universal_identity authentication |
get-tags
get-tags
Gets tags
Please note: mandatory values for this command: -n, --name
Usage
akeyless get-tags --name <Item Name>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) The item name |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
update-account-settings
update-account-settings
Updates account settings.
Note: The operation is allowed only for admin user
Parameters
Parameter | Description |
---|---|
--company-name | Update Company Name of account |
--phone | Update Phone number of account |
--address | Update Address of account |
--city | Update City of account |
--country | Update Country of account |
--postal-code | Update Postal Code of account |
--jwt-ttl-default | default jwt ttl for auth method authentication (in minutes) |
--jwt-ttl-min | minimum allowed jwt ttl for auth method authentication (in minutes) |
--jwt-ttl-max | maximum allowed jwt ttl for auth method authentication (in minutes) |
--item-type | Associated with max-versions. |
--max-versions | Maximum versions of a given item-type, valid range ter", . When item version exceeds this number, the oldest versions will be deleted. |
--default-versioning | If set to true, new item version will be created on each update |
--dp-enable-classic-key-protection | Set to update protection with classic keys state meter", |
--password-policy-password-length | Password length between 5 - to 50 characters |
--password-policy-contains-capital-letters | Password must contain capital letters |
--password-policy-contains-lower-letters | Password must contain lower case letters |
--password-policy-contains-numbers | Password must contain numbers |
--password-policy-contains-special-characters | Password must contain special characters |
--items-deletion-protection | Set to update the default behaviour of new items creations deletion protection attribute [true/false] |
--default-key-name | Set the account default key based on the DFC key item name. Use "set-original-akeyless-default-key" to revert to using the original default key of the account. Empty string will change nothing. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
get-account-settings
get-account-settings
Get account settings
Parameters
Parameter | Description |
---|---|
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
delete-item
delete-item
Delete an item or an item version
Please note: mandatory values for this command: -n, --name
Usage
akeylees delete-item -n <Item name>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Item name |
--version[=-1] | The specific version you want to delete - 0=last version, -1=entire item with all versions (default) |
--delete-in-days "day" | The number of days to wait before deleting the item (relevant for keys only) |
--delete-immediately[=false] | When delete-in-days=-1, must be set |
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
delete-items
delete-items
Deletes multiple items from a given path
Note: mandatory values for this command: -n, --name
Usage
akeyless delete-items -p <Path\do\delete\items>
Parameters
Parameter | Description |
---|---|
-p, --path | (Mandatory) Path to delete the items from |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
list-items
list-items
List of all accessible items
Parameters
Parameter | Description |
---|---|
-t, --type | The item types list of the requested items. In case it is empty, all types of items will be returned, options: [key, static-secret, dynamic-secret, rotated-secret, ssh-cert-issuer, pki-cert-issuer, classic-key] |
--sub-types | Optional the items sub types |
--filter | Filter by item name or part of it |
--tag | Filter by item tag |
--sra-only[=false] | Filter by items with SRA functionality enabled |
--path | Path to folder |
--pagination-token | Next page reference |
--auto-pagination[=enabled] | Retrieve all items using pagination, when disabled retrieving only first 1000 items |
--minimal-view | Show only basic information of the items |
--accessibility[=regular] | In case of an item in a user's personal folder, options: [regular/personal] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
list-sra-bastions
list-sra-bastions
List of all Secure Remote Access (SRA) Bastions in the account
Parameters
Parameters | Description |
---|---|
--only-allowed-urls[=false] | Filter the response to show only bastions allowed URLs |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
move-objects
move-objects
Moves/Renames objects
Note: mandatory values for this command: -s, --source, -t, --target
Usage
akeyless move-objects --source <Source path to move the objects from> \
--target <Target path to move the objects to> \
--objects-type <The objects type to move (item/auth_method/role)>
Parameters
Parameter | Description |
---|---|
-s, --source | (Mandatory) Source path to move the objects from |
--t, --target | (Mandatory) Target path to move the objects to |
-o, --objects-type[=item] | The objects type to move (item/auth_method/role) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
configure
configure
Configure client profile
Usage
akeyless configure
Parameters
Parameter | Description |
---|---|
--profile[=default] | The profile name to be configure |
--access-id | Access ID |
--access-key | Access Key |
--access-type[=access_key] | Access Type, options: (access_key/password/azure_ad/saml/oidc/aws_iam/gcp/k8s) |
--admin-password | Password (relevant only for access-type=password) |
--admin-email | Email (relevant only for access-type=password) |
--oidc-sp | OIDC Service Provider (relevant only for access-type=oidc, inferred if empty), supported SPs: google, github |
--azure_ad_object_id | Azure Active Directory ObjectId (relevant only for access-type=azure_ad) |
--gcp-audience "data": { | GCP audience to use in signed JWT (relevant only for access-type=gcp) |
--gateway-url | Gateway URL for the K8S authenticated (relevant only for access-type=k8s) |
--k8s-auth-config-name | The K8S Auth config name (relevant only for access-type=k8s) |
--k8s-token-path[=/var/run/secrets/kubernetes.io/serviceaccount/token] | An optional path to a projected service account token inside the pod, for use instead of the default service account token (relevant only for access-type=k8s) |
--cert-file-name | Name of the certificate file to use (relevant only for access-type=cert) |
--cert-data | Certificate data encoded in base64. Used if file was not provided. (relevant only for access-type=cert in Curl Context) |
--key-file-name | Name of the private key file to use (relevant only for access-type=cert) |
--key-data | Private key data encoded in base64. Used if file was not provided (relevant only for access-type=cert in Curl Context) |
unconfigure
unconfigure
Remove configuration of client profile
Usage
akeyless unconfigure --profile <Profile name>
Gateway configuration
gateway-get-config
gateway-get-config
Gets gateway configuration details
Parameters
Parameter | Description |
---|---|
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
gateway-list-allowed-management-access
gateway-list-allowed-management-access
Returns available allowed-management-access
Parameters
Parameter | Description |
---|---|
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
gateway-migrate-personal-items
gateway-migrate-personal-items
Migrates personal items from external vault
Parameters
Parameter | Description |
---|---|
-u, --gateway-url[=http://localhost:18888] | API Gateway URL (Akeyless UI port) |
-t, --type[=1password] | Migration provider type, Current supported options: [1password] |
-k, --protection-key | The name of a key that used to encrypt the secret value |
-l, --target-location | Target location in your Akeyless personal folder for migrated secrets |
--1password-url | 1Password sign-in address for your account |
--1password-email | 1Password user email |
--1password-password | 1Password password for the given user's email |
--1password-secret-key | User's 1Password Secret Key |
--1password-vaults | Optional list of 1Password vaults to migrate items from; can be used multiple times (--1password-vaults vault1 --1password-vaults vault2), If not provided, all non-private vaults will be migrated |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
gateway-migration-status
gateway-migration-status
Gets migration Status
Parameters
Parameter | Description |
---|---|
-n, --name | Migration name to display |
-i, --id | Optional, instead of migration name, set a Migration ID (Can be retrieve with gateway-list-migration command) |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
akeyless list-gateways
akeyless list-gateways
List of all Gateways in the account
Parameters
Parameter | Description |
---|---|
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
gateway-update-tls-cert
gateway-update-tls-cert
Updates Gateway TLS certificate
Parameters
Parameter | Description |
---|---|
--cert-data | TLS Certificate (base64 encoded), this flag is ignored if --cert-file-name is supplied. |
--cert-file-name | Path to the file containing the TLS Certificate, this flag is ignored if --cert-data is supplied |
--key-data | TLS Private Key (base64 encoded), this flag is ignored if --key-file-name is supplied |
--key-file-name | Path to the file containing the TLS Private Key, this flag is ignored if --key-data is supplied |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
add-gw-access-id
add-gw-access-id
Adds Sub-Admins to the list of who can access Gateway
Parameters
Parameter | Description |
---|---|
-c, --cluster-name | (Mandatory) The name of the updated cluster |
-a, --access-id | (Mandatory) The access id to be able to access the gateway |
-s, --sub-claims | key/val of sub claims, e.g group=admins,developers |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--jq-expression | jq expression to filter result output |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
delete-gw-access-id
delete-gw-access-id
Deletes Sub-Admins from the list of who can access Gateway
Parameters
Parameter | Description |
---|---|
-c, --cluster-name | (Mandatory) The name of the updated cluster |
-a, --access-id | (Mandatory) The access id to be able to access the gateway |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--jq-expression | jq expression to filter result output |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
delete-gateway-cluster
delete-gateway-cluster
Deletes gateway cluster
Parameters
Parameter | Description |
---|---|
-c, --cluster-name | (Mandatory) Gateway Cluster, e.g. acc-abcd12345678/p-123456789012/defaultCluster |
--force | Deletes cluster even if there is an active gateway or associated secrets. All Gateway secrets will be deleted |
Event Center
The following commands have to do with the Akeyless platform's Event Center functionality.
create-event-forwarder
create-event-forwarder
Creates a forwarder that will send you notifications of selected events
Parameters
Parameter | Description |
---|---|
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
-n, --name | (Mandatory) Unique event forwarder name |
--forwarder-type | (Mandatory) Event Forwarder type [servicenow, email] |
--runner-type[=immediate] | (Mandatory) Event Forwarder runner type [immediate, periodic] |
--every | Rate of periodic runner repetition in hours |
-s, --event-source-locations | A comma-separated list of event sources to forward event about, for example: /abc/def, /abc/qqq/* |
--event-source-type[=item] | Event source type [item, target] |
--host | Host (relevant only for "servicenow" Event Forwarder) |
--admin-name | Admin name (relevant only for "servicenow" Event Forwarder) |
--admin-pwd | Admin Password (relevant only for "servicenow" Event Forwarder) |
--email-to | A comma seperated list of email addresses to send event to (relevant only for "email" Event Forwarder) |
-k, --key | Key name. The key will be used to encrypt the Event Forwarder secret value. If key name is not specified, the account default protection key is used |
--description | Description of the Event Forwarder |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
update-event-forwarder
update-event-forwarder
Updates an existing forwarder
Parameters
Parameter | Description |
---|---|
-n, --name | Unique event forwarder name |
--new-name | New Event Forwarder name |
--event-source-locations | New comma-separated list of event sources to forward event about, for example: /abc/def,/abc/qqq/* |
--event-types | New comma-separated list of types of events to notify about [request-access, certificate-pending-expiration, certificate-expired] |
--host | Host (relevant only for "servicenow" Event Forwarder) |
--admin-name | Admin name (relevant only for "servicenow" Event Forwarder) |
--email-to | A comma separated list of email addresses to send event to (relevant only for "email" Event Forwarder) |
--enable[=true] | Enable/Disable Event Forwarder [true/false] |
--description[=default_description] | Description of the object |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
get-event-forwarder
get-event-forwarder
Fetches info on an existing forwarder
Parameters
Parameter | Description |
---|---|
-n, --name | Unique event forwarder name. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
delete-event-forwarder
delete-event-forwarder
Deletes an existing forwarder
Parameters
Parameter | Description |
---|---|
-n, --name | Unique event forwarder name. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The UID token, Required only for universal_identity authentication |
-h, --help | Display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired credentials |
Updated 13 days ago