CLI Reference
This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:
akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug
Update Akeyless CLI
Akeyless update
AKEYLESS CLI, Version x.x.x is up-to-date
Commands for all items and objects
describe-item
describe-item
Returns the item details, which vary depending on the type of item.
Usage
akeyless describe-item --name ItemName
akeyless describe-item --name ItemName --version VersionNumber
akeyless describe-item --name ItemName --show-versions
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
-n, --name | Y | Item name. |
--version | Version number. | |
--show-versions[=false] | Include all item versions in reply, by default set to false. |
Output
With only --name specified, the command returns all details about the specified item except for its version.
When a version number is specified, the command returns all details about the specified item for the specified version.
When --show-versions is specified, the command returns all details about the specified item including a full list of versions, their creation dates, and their encryption keys for any version for which a key other than the default was used.
update-item
update-item
Update item name, metadata or tags.
Secret versioning
No updates made with
update-itemcan be saved as part of new versions, which means that these changes override existing data. If you wish to track these updates as part of secret versioning, first create a new version withupdate-version-val. You can create a new version value using the same value for the current version if you don't want to actually change the value. Thereafter, runupdate-item.
Usage
akeyless update-item --name ExistingNameofSecret --new-name NewName
akeyless update-item --name NameofSecret --new-metadata UpdateDescription
akeyless update-item --name NameofSecret --add-tag NewTagAdded
akeyless update-item --name NameofSecret --rm-tag Tag1
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
-n, --name | Y | The current name of the item. |
--new-name | The name that should now be assigned to the item. | |
--new-metadata[=default_metadata] | The new description for the item. | |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2. | |
--rm-tag | List of the existing tags that should be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2. | |
--delete-protection[=false] | Protection from accidental deletion of a secret. Possible values: [true/false] |
delete-item
delete-item
Delete an item or an item version
Usage
akeylees delete-item -n <Path\to\item>
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
-n, --name | Y | Item name. |
--version[=-1] | The specific version you want to delete - 0=last version, -1=entire item with all versions (default). | |
--delete-in-days[=7] | The number of days to wait before deleting the item (relevant for keys only). | |
--delete-immediately[=false] | When delete-in-days=-1, must be set. | |
accessibility | In case of an item in a user's personal folder [regular/personal] | |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. | |
--uid-token | The universal identity token. It is required only for universal_identity authentication. |
delete-items
delete-items
Delete multiple items from a given path
akeyless delete-items -p <Path\do\delete\items>
list-items
list-items
Returns a list of all accessible items
Usage
akeyless list-items
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
-t, --type | The item types list of the requested items. In case it is empty, all types of items will be returned. options: [key, static-secret, dynamic-secret]. | |
--ItemsTypes | ||
--filter | Filter by item name or part of it. | |
--tag | Filter by item tag. | |
--path | Path to folder. | |
--pagination-token | Next page reference. |
move-objects
move-objects
Move/Rename objects.
Usage
akeyless move-objects -s <source> -t <target>
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
-s, --source | Y | Source path to move the objects from. |
--t, --target | Y | Target path to move the objects to. |
-o, --objects-type[=item] | The objects type to move (item/auth_method/role). |
configure
configure
Configure client profile.
Usage
akeyless configure
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
--profile[=default] | V | The profile name to be configured. |
--access-id | Mandatory if access-type is not specified | Access ID. |
--access-key | Mandatory if access-type is not specified | Access Key. |
--access-type[=access_key] | Access Type (access_key/password/azure_ad/saml/oidc/aws_iam/gcp/k8s) | |
--admin-password | Password (relevant only for access-type=password). | |
--admin-email | Email (relevant only for access-type=password). | |
--oidc-sp | OIDC Service Provider (relevant only for access-type=oidc, inferred if empty), supported SPs: google, github | |
--azure_ad_object_id | Azure Active Directory ObjectId (relevant only for access-type=azure_ad) | |
--gcp-audience[=akeyless.io] | GCP audience to use in signed JWT (relevant only for access-type=gcp) | |
--gateway-url | Gateway URL for the K8S authenticated (relevant only for access-type=k8s) | |
--k8s-auth-config-name | The K8S Auth config name (relevant only for access-type=k8s) | |
--k8s-token-path[=/var/run/secrets/kubernetes.io/serviceaccount/token] | An optional path to a projected service account token inside the pod, for use instead of the default service account token.. (relevant only for access-type=k8s) | |
--cert-file-name | Name of the cert file to use (relevant only for access-type=cert) | |
--cert-data | Certificate data encoded in base64. Used if file was not provided. (relevant only for access-type=cert in Curl Context) | |
--key-file-name | Name of the private key file to use (relevant only for access-type=cert) | |
--key-data | Private key data encoded in base64. Used if file was not provided.(relevant only for access-type=cert in Curl Context) | |
-h, --help | display help information | |
--json[=false] | Default false | Set output format to JSON |
--no-creds-cleanup[=false] | Default false | Do not clean local temporary expired creds |
unconfigure
unconfigure
Remove Configuration of client profile.
Usage
akeyless unconfigure --profile <Profile name>
Classic Key Commands
The following commands are specific to classic key usage.
Create a Classic Key
Create a Classic Key
Create a classic key with various parameters.
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | V | Classic Key name |
| -a, --alg | V | Key type |
| -u, --gateway-url= | V (or default http://localhost:8000) | API Gateway URL (Configuration Management port) |
| --key-data | Base64-encoded classic key value provided by user | |
| -c, --cert | Path to a file that contain the certificate in a PEM format | |
| --cert-file-data | PEM Certificate in a Base64 format | |
| -m, --metadata | Metadata about the classic key | |
| -t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 | |
| -k, --protection-key-name | If not specified, account default key will be used | The name of the key that protects the classic key value |
| -p, --key-file-path | Path to file with the classic key value provided by user | |
| --delete-protection | Default false | Protection from accidental deletion of this item |
| --profile, --token | Use a specific profile from your akeyless/profiles/folder or a temporary token | |
| --uid-token | The universal identity token, Required only for universal_identity authentication | |
| -h, --help | display help information | |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |
Usage
akeyless create-classic-key --name classickey --alg RSA2048
Associate a Classic Key
Associate a Classic Key
Associate a Classic Key with an existing target with the following parameters. Please note that some parameters are only relevant for specific target types.
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
| -t, --target-name | V | The target to associate |
| -n, --name | V | The item to associate |
| --vault-name | Name of the vault used. (Required for Azure targets) | |
| --key-operations | A list of allowed operations for the key. (Required for Azure targets) | |
| --project-id | Project id of the GCP KMS. (Required for gcp targets) | |
| --location-id | Location id of the GCP KMS. (Required for gcp targets) | |
| --keyring-name | Keyring name of the GCP KMS. (Required for gcp targets) | |
| --purpose | Purpose if the key in GCP KMS. (Required for gcp targets) | |
| --kms-algorithm | Algorithm of the key in GCP KMS. (Required for gcp targets) | |
| --tenant-secret-type | The tenant secret type [Data/SearchIndex/Analytics]. (Required for salesforce targets) | |
| --multi-region= | Default false | Set to 'true' to create a multi-region managed key. (Relevant only for Classic Key AWS targets) |
| --regions | The list of regions in which to create a copy of the key. (Relevant only for Classic Key AWS targets). To specify multiple regions use argument multiple times: --regions us-east-1 --regions us-west-1 | |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token | |
| --uid-token | The universal identity token, Required only for universal_identity authentication | |
| -h, --help | display help information | |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |
Usage
akeyless assoc-target-item --target-name awstarg --name classickey
Break Association with a Classic Key
Break Association with a Classic Key
Break Association between a Classic Key and an associated target with the following parameters.
Parameters
| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | V | Item name |
| --id, --assoc-id | Not required if target name specified | The association id to be deleted. |
| -t, --target-name | Not required if association id is specified. | The target name with which association will be deleted |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token | |
| --uid-token | The universal identity token, Required only for universal_identity authentication | |
| -h, --help | display help information | |
| --json= | Default false | Set output format to JSON |
| --no-creds-cleanup= | Default false | Do not clean local temporary expired creds |
Usage
akeyless delete-assoc-target-item --target-name awstarg --name classickey
Updated 3 days ago