CLI Reference

This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:

akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug

Update Akeyless CLI

akeyless update

AKEYLESS CLI, Version x.x.x is up-to-date

Commands for all items and objects

describe-item

Returns the item details, which vary depending on the type of item.

Usage
akeyless describe-item --name ItemName 
akeyless describe-item --name ItemName --version VersionNumber
akeyless describe-item --name ItemName --show-versions
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | Y | Item name. |
| --version | | Version number. |
| --show-versions[=false] | | Include all item versions in reply, by default set to false. |
Output

With only --name specified, the command returns all details about the specified item except for its version.

When a version number is specified, the command returns all details about the specified item for the specified version.

When --show-versions is specified, the command returns all details about the specified item including a full list of versions, their creation dates, and their encryption keys for any version for which a key other than the default was used.

update-item

Update item name, metadata or tags.

❗️ Secret versioning

No updates made with update-item can be saved as part of new versions, which means that these changes override existing data. If you wish to track these updates as part of secret versioning, first create a new version with update-version-val. You can create a new version value using the same value for the current version if you don't want to actually change the value. Thereafter, run update-item.

Usage
akeyless update-item --name ExistingNameofSecret --new-name NewName
akeyless update-item --name NameofSecret --new-metadata UpdateDescription
akeyless update-item --name NameofSecret --add-tag NewTagAdded
akeyless update-item --name NameofSecret --rm-tag Tag1
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | Y | The current name of the item. |
| --new-name | | The name that should now be assigned to the item. |
| --new-metadata[=default_metadata] | | The new description for the item. |
| --add-tag | | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2. |
| --rm-tag | | List of the existing tags that should be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2. |
| --delete-protection[=false] | | Protection from accidental deletion of a secret. Possible values: [true/false] |

delete-item

Delete an item or an item version

Usage
akeyless delete-item -n <Path\to\item>
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | Y | Item name. |
| --version[=-1] | | The specific version you want to delete - 0=last version, -1=entire item with all versions (default). |
| --delete-in-days[=7] | | The number of days to wait before deleting the item (relevant for keys only). |
| --delete-immediately[=false] | | When delete-in-days=-1, must be set. |
| --accessibility | | In case of an item in a user's personal folder [regular/personal] |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |
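
A guarded wrapper for the delete-item parameters above, as an added example that is not part of the Akeyless documentation: it refuses the whole-item default (--version -1) unless explicitly confirmed, and adds --delete-immediately when delete-in-days is -1. The names safe_delete_item, AKEYLESS_BIN and the --all-versions confirmation word are hypothetical, and the --flag=value spelling is assumed from the table's [=default] notation.

```shell
# Added example: guarded wrapper around `akeyless delete-item`.
# AKEYLESS_BIN and safe_delete_item are hypothetical names; set
# AKEYLESS_BIN=echo for a dry run that only prints the arguments.
AKEYLESS_BIN="${AKEYLESS_BIN:-akeyless}"

# usage: safe_delete_item <name> <version> [delete-in-days] [--all-versions]
safe_delete_item() {
    name="$1"; version="$2"; days="${3:-}"; confirm="${4:-}"

    [ -n "$name" ] || { echo "item name required" >&2; return 2; }

    # Never rely on the CLI default (-1 = entire item with all versions):
    # the caller must pass a version, and -1 needs an explicit confirmation.
    case "$version" in
        -1)
            if [ "$confirm" != "--all-versions" ]; then
                echo "refusing to delete all versions of $name without --all-versions" >&2
                return 3
            fi ;;
        ''|*[!0-9]*)
            echo "version must be -1 or a non-negative integer" >&2
            return 2 ;;
    esac

    # --flag=value form (assumed) keeps negative values from being
    # parsed as separate options.
    set -- delete-item --name "$name" --version="$version"

    if [ -n "$days" ]; then
        set -- "$@" --delete-in-days="$days"
        # Per the parameter table, --delete-immediately must be set
        # when delete-in-days is -1.
        if [ "$days" = "-1" ]; then
            set -- "$@" --delete-immediately=true
        fi
    fi

    "$AKEYLESS_BIN" "$@"
}
```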

delete-items

Delete multiple items from a given path

akeyless delete-items -p <Path\to\delete\items>

list-items

Returns a list of all accessible items

Usage
akeyless list-items
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -t, --type | | The item types list of the requested items. In case it is empty, all types of items will be returned. Options: [key, static-secret, dynamic-secret]. |
| --ItemsTypes | | |
| --filter | | Filter by item name or part of it. |
| --tag | | Filter by item tag. |
| --path | | Path to folder. |
| --pagination-token | | Next page reference. |

move-objects

Move/Rename objects.

Usage
akeyless move-objects -s <source> -t <target>
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -s, --source | Y | Source path to move the objects from. |
| -t, --target | Y | Target path to move the objects to. |
| -o, --objects-type[=item] | | The objects type to move (item/auth_method/role). |

configure

Configure client profile.

Usage
akeyless configure
Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| --profile[=default] | V | The profile name to be configured. |
| --access-id | Mandatory if access-type is not specified | Access ID. |
| --access-key | Mandatory if access-type is not specified | Access Key. |
| --access-type[=access_key] | | Access Type (access_key/password/azure_ad/saml/oidc/aws_iam/gcp/k8s) |
| --admin-password | | Password (relevant only for access-type=password). |
| --admin-email | | Email (relevant only for access-type=password). |
| --oidc-sp | | OIDC Service Provider (relevant only for access-type=oidc, inferred if empty), supported SPs: google, github |
| --azure_ad_object_id | | Azure Active Directory ObjectId (relevant only for access-type=azure_ad) |
| --gcp-audience[=akeyless.io] | | GCP audience to use in signed JWT (relevant only for access-type=gcp) |
| --gateway-url | | Gateway URL for the K8S authentication (relevant only for access-type=k8s) |
| --k8s-auth-config-name | | The K8S Auth config name (relevant only for access-type=k8s) |
| --k8s-token-path[=/var/run/secrets/kubernetes.io/serviceaccount/token] | | An optional path to a projected service account token inside the pod, for use instead of the default service account token. (relevant only for access-type=k8s) |
| --cert-file-name | | Name of the cert file to use (relevant only for access-type=cert) |
| --cert-data | | Certificate data encoded in base64. Used if file was not provided. (relevant only for access-type=cert in Curl Context) |
| --key-file-name | | Name of the private key file to use (relevant only for access-type=cert) |
| --key-data | | Private key data encoded in base64. Used if file was not provided. (relevant only for access-type=cert in Curl Context) |
| -h, --help | | Display help information |
| --json[=false] | Default false | Set output format to JSON |
| --no-creds-cleanup[=false] | Default false | Do not clean local temporary expired creds |

unconfigure

Remove the configuration of a client profile.

Usage

akeyless unconfigure --profile <Profile name>

Classic Key Commands

The following commands are specific to classic key usage.

Create a Classic Key

Create a classic key with various parameters.

Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | V | Classic Key name |
| -a, --alg | V | Key type |
| -u, --gateway-url= | V (or default http://localhost:8000) | API Gateway URL (Configuration Management port) |
| --key-data | | Base64-encoded classic key value provided by user |
| -c, --cert | | Path to a file that contains the certificate in a PEM format |
| --cert-file-data | | PEM Certificate in a Base64 format |
| -m, --metadata | | Metadata about the classic key |
| -t, --tag | | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
| -k, --protection-key-name | If not specified, account default key will be used | The name of the key that protects the classic key value |
| -p, --key-file-path | | Path to file with the classic key value provided by user |
| --delete-protection | Default false | Protection from accidental deletion of this item |
| --profile, --token | | Use a specific profile from your akeyless/profiles/folder or a temporary token |
| --uid-token | | The universal identity token, Required only for universal_identity authentication |
| -h, --help | | Display help information |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |

Usage

akeyless create-classic-key --name classickey --alg RSA2048

Associate a Classic Key

Associate a Classic Key with an existing target with the following parameters. Please note that some parameters are only relevant for specific target types.

Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -t, --target-name | V | The target to associate |
| -n, --name | V | The item to associate |
| --vault-name | | Name of the vault used. (Required for Azure targets) |
| --key-operations | | A list of allowed operations for the key. (Required for Azure targets) |
| --project-id | | Project id of the GCP KMS. (Required for gcp targets) |
| --location-id | | Location id of the GCP KMS. (Required for gcp targets) |
| --keyring-name | | Keyring name of the GCP KMS. (Required for gcp targets) |
| --purpose | | Purpose of the key in GCP KMS. (Required for gcp targets) |
| --kms-algorithm | | Algorithm of the key in GCP KMS. (Required for gcp targets) |
| --tenant-secret-type | | The tenant secret type [Data/SearchIndex/Analytics]. (Required for salesforce targets) |
| --multi-region= | Default false | Set to 'true' to create a multi-region managed key. (Relevant only for Classic Key AWS targets) |
| --regions | | The list of regions in which to create a copy of the key. (Relevant only for Classic Key AWS targets). To specify multiple regions use argument multiple times: --regions us-east-1 --regions us-west-1 |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | | The universal identity token, Required only for universal_identity authentication |
| -h, --help | | Display help information |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |

Usage

akeyless assoc-target-item --target-name awstarg --name classickey

Break Association with a Classic Key

Break Association between a Classic Key and an associated target with the following parameters.

Parameters
| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | V | Item name |
| --id, --assoc-id | Not required if target name specified | The association id to be deleted. |
| -t, --target-name | Not required if association id is specified. | The target name with which association will be deleted |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | | The universal identity token, Required only for universal_identity authentication |
| -h, --help | | Display help information |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |

Usage

akeyless delete-assoc-target-item --target-name awstarg --name classickey