This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:
$ akeyless -h
akeyless <command> -h, --help
-h, --help display help information
--debug[=false] Turn on debug logging
Use the CLI as follows:
Static secrets
Encryption keys
SSH certificates
PKI certificates
Commands for all items and objects
Authentication
Dynamic secrets
Roles
Static secrets
create-secret
Create new static secrets and configure their values.
Synopsis
akeyless create-secret --name mySecret1 --value
Options
Output
update-secret
Update existing static secrets and configure their values.
Synopsis
akeyless update-secret-val --name mySecret1 --value "new value"
Options
Output
get-secret-value
Update existing static secrets and configure their values.
Synopsis
akeyless get-secret-value --name mySecret1
--access-id Access ID
--access-type[=access_key] Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt)
--access-key Access key (relevant only for access-type=access_key)
--cloud-id The cloued identity (relevant only for access-type=azure_ad,awd_im)
--uid_token The universal_identity token (relevant only for access-type=universal_identity)
--jwt The Json Web Token (relevant only for access-type=jwt/oidc)
--admin-password Password (relevant only for access-type=password)
--admin-email Email (relevant only for access-type=password)
--ldap_proxy_url Address URL for LDAP proxy (relevant only for access-type=ldap)
--username LDAP username (relevant only for access-type=ldap)
--password LDAP password (relevant only for access-type=ldap)
Options
Output
get-secret-value Get static secret value
update-secret-val Update static secret value
rollback-secret
Encryption keys
create-key
Update existing static secrets and configure their values.
Synopsis
Options
-n, --name Key name
-a, --alg Key type. options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048]
-m, --metadata Metadata about the key
-t, --tag List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] The number of fragments that the item will be split into (not includes customer fragment)
-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment)
--profile Use a specific profile from your ~/.akeyless/profiles folder
--username Required only when the authentication process requires a username and password
--password Required only when the authentication process requires a username and password
--uid-token The universal identity token, Required only for universalidentity authentication
-h, --help display help information
--debug[=false] Turn on debug logging
####Output
###rotate-key
Rotates an existing key, creating a new version of it
####Synopsis
####Options
####Output
_get-rsa-public Obtain the public key from a specific RSA private key
upload-pkcs12 Upload a PKCS#12 key and certificates
upload-rsa Upload RSA key
encrypt Encrypts plaintext into ciphertext by using an AES key
encrypt-file Encrypts a file by using an AES key
encrypt-pkcs1 Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5
decrypt Decrypts ciphertext into plaintext by using an AES key
decrypt-file Decrypts a file by using an AES key
decrypt-pkcs1 Decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5
sign-pkcs1 Calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5
verify-pkcs1 Verifies an RSA PKCS#1 v1.5 signature
gen-customer-fragment Generate customer fragment
SSH certificates
get-ssh-certificate
Generates SSH certificate.
Synopsis
Options
Output
create-ssh-cert-issuer
Creates a new SSH certificate issuer.
Synopsis
Options
Output
PKI certificates
get-pki-certificate
Generates PKI certificate.
Synopsis
Options
Output
create-pki-cert-issuer
Creates a new PKI certificate issuer.
Synopsis
Options
Output
get-kube-exec-creds
Get credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer.
Synopsis
Options
Output
Commands for all items and objects
describe-item Returns the item details
update-item Update item name and metadata
set-item-state Set an item's state (Enabled, Disabled)
delete-item Delete an item or an item version
delete-items Delete multiple items from a given path
list-items Returns a list of all accessible items
move-objects Move/Rename objects
-s, --source Source path to move the objects from
-t, --target Target path to move the objects to
-o, --objects-type[=item] The objects type to move (item/auth_method/role)
Authentication
auth Authenticate to the service and returns a token to be used as a profile to execute the CLI without the need for re-authentication
create-auth-method Create a new Auth Method in the account
create-auth-method-azure-ad Create a new Auth Method that will be able to authenticate using Azure Active Directory credentials
create-auth-method-aws-iam Create a new Auth Method that will be able to authenticate using AWS IAM credentials
create-auth-method-oauth2 Create a new Auth Method that will be able to authenticate using OpenId/OAuth2
create-auth-method-ldap Create a new Auth Method that will be able to authenticate using LDAP
create-auth-method-saml Create a new Auth Method that will be able to authenticate using SAML
create-auth-method-universal-identity Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity
get-auth-method Returns an information about the Auth Method
list-auth-methods Returns a list of all the Auth Methods in the account
delete-auth-method Delete the Auth Method
delete-auth-methods Delete multiple auth methods from a given path
reverse-rbac See which authentication methods have access to a particular object
configure Configure client profile.
unconfigure Remove Configuration of client profile.
Dynamic secrets
create-dynamic-secret Creates a new dynamic secret item
get-dynamic-secret-value Get dynamic secret value
rollback-secret
Roles
create-role Creates a new role
get-role Get role details
update-role Update role details
list-roles Returns a list of all roles in the account
delete-role Delete a role
delete-roles Delete multiple roles from a given path
set-role-rule Set a rule to a role
delete-role-rule Delete a rule from a role
assoc-role-am Create an association between role and auth method
delete-assoc Delete an association between role and auth method
Akeyless universal token
uid-list-children List the token children ids of Akeyless Universal Identity
uid-revoke-token Revoke token using Akeyless Universal Identity
uid-generate-token Generate a new token using Akeyless Universal Identity
uid-rotate-token Rotate token using Akeyless Universal Identity(aliases rotate-token,uid-send-manual-rotate-ack)
uid-create-child-token Create a new child token using Akeyless Universal Identity
get-cloud-identity Get Cloud Identity Token (relevant only for access-type=azure_ad,aws_iam)
Writing commands - generating secrets
The default Akeyless Vault behavior is that the write commands (generate secrets) are performed to the main region of Akeyless Vault, while the read commands (fetch secrets) are performed on the nearest region to you, in order to minimize latency.
If you wish to change that, in order to work only with the master region, please add
optimise_dns_disable=true in the settings file.
Updated about 3 hours ago