CLI Reference

This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:

akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug

Update Akeyless CLI

akeyless update

AKEYLESS CLI, Version x.x.x is up-to-date

describe-item

Gets the item details

Parameters

| Parameter | Description |
|---|---|
| -n, --name | Item name |
| -d, --display-id | The display ID of the item |
| -I, --item-id | Item ID of the item |
| --gateway-details | Display Gateway information |
| --show-versions | Include all item versions in reply |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The Universal Identity (UID) token, Required only for universal_identity authentication |

Output

With only --name specified, the command returns all details about the specified item except for its version.

When a version number is specified, the command returns all details about the specified item for the specified version.

When --show-versions is specified, the command returns all details about the specified item including a full list of versions, their creation dates, and their encryption keys for any version for which a key other than the default was used.

update-item

Update item name and description

Please note: mandatory values for this command: -n, --name

❗️ Critical: Secret versioning

No updates made with update-item can be saved as part of new versions, which means that these changes override existing data. If you wish to track these updates as part of secret versioning, first create a new version with update-version-val. You can create a new version value using the same value for the current version if you don't want to actually change the value. Thereafter, run update-item.

Usage
akeyless update-item --name <Item name> \
--new-name <New item name>
Parameters

| Parameter | Description |
|---|---|
| -n, --name | (Mandatory) Current item name |
| --new-name | New item name |
| --description[=default_metadata] | Description of the object |
| --add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
| --rm-tag | List of the existing tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
| --secure-access-enable | Enable/Disable secure remote access |
| --secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
| --secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 (relevant only for ssh cert issuer) |
| --secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 (relevant only for ssh cert issuer) |
| --secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list (relevant only for ssh cert issuer) |
| --secure-access-use-internal-bastion | Use internal SSH Bastion |
| --secure-access-ssh-creds | Secret value contains SSH credentials, either Private Key or Password (relevant only for Static-Secret or Rotated-secret) |
| --secure-access-host | Target servers for connections. For multiple values repeat this flag |
| --secure-access-add-host | List of the new hosts that will be attached to SRA servers host. To specify multiple hosts use argument multiple times: --secure-access-add-host host1 --secure-access-add-host host2 |
| --secure-access-rm-host | List of the existing hosts that will be removed from SRA servers host. To specify multiple hosts use argument multiple times: --secure-access-rm-host host1 --secure-access-rm-host host2 |
| --secure-access-url | Destination URL to inject secrets |
| --secure-access-web-browsing | Secure browser via Akeyless Web Access Bastion |
| --secure-access-web-proxy | Web-Proxy via Akeyless Web Access Bastion |
| --secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user (relevant only for RDP Dynamic-Secret) |
| --secure-access-rdp-user | Override the RDP Domain username |
| --secure-access-allow-external-user | Allow providing external user for a domain users |
| --secure-access-db-schema | The DB schema (relevant only for DB Dynamic-Secret) |
| --secure-access-db-name | The DB name (relevant only for DB Dynamic-Secret) |
| --secure-access-aws-account-id | The AWS account id (relevant only for AWS Dynamic-Secret) |
| --secure-access-aws-region | The AWS region (relevant only for AWS Dynamic-Secret) |
| --secure-access-aws-native-cli | The AWS native cli (relevant only for AWS Dynamic-Secret) |
| --secure-access-cluster-endpoint | The K8s cluster endpoint URL (relevant only for EKS/GKE/K8s Dynamic-Secret) |
| --secure-access-dashboard-url | The K8s dashboard url (relevant only for K8s Dynamic-Secret) |
| --secure-access-allow-port-forwading | Enable Port forwarding while using CLI access (relevant only for EKS/GKE/K8s Dynamic-Secret) |
| --rotate-after-disconnect[=false] | Rotate the value of the secret after SRA session ends (relevant only for Rotated-secret on SRA) |
| --delete-protection | Protection from accidental deletion of this item |
| -c, --cert-file-path | Path to a file that contains the certificate in PEM format. Used for updating RSA keys' certificates. |
| --cert-file-data | PEM Certificate in a Base64 format. Used for updating RSA keys' certificates. |
| --accessibility | In case of an item in a user's personal folder |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

set-item-state

Set an item's state (Enabled, Disabled)

Note: mandatory values for this command: -n, --name, -s, --desired-state

Usage
akeyless set-item-state --name <Current item name> \
--desired-state <Desired item state [Enabled, Disabled]>
Parameters

| Parameter | Description |
|---|---|
| -n, --name | (Mandatory) Current item name |
| -s, --desired-state | (Mandatory) Desired item state |
| --version[=0] | The specific version you want to update: 0=item level state (default) |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The Universal Identity (UID) token, Required only for universal_identity authentication |

get-tags

Gets tags

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-tags --name <Item Name>

Parameters

| Parameter | Description |
|---|---|
| -n, --name | (Mandatory) The item name |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

update-account-settings

Updates account settings.

Note: The operation is allowed only for admin user

Parameters

| Parameter | Description |
|---|---|
| --company-name | Update Company Name of account |
| --phone | Update Phone number of account |
| --address | Update Address of account |
| --city | Update City of account |
| --country | Update Country of account |
| --postal-code | Update Postal Code of account |
| --jwt-ttl-default | Default JWT TTL for auth method authentication (in minutes) |
| --jwt-ttl-min | Minimum allowed JWT TTL for auth method authentication (in minutes) |
| --jwt-ttl-max | Maximum allowed JWT TTL for auth method authentication (in minutes) |
| --item-type | Associated with max-versions. |
| --max-versions | Maximum versions of a given item-type. When item version exceeds this number, the oldest versions will be deleted. |
| --default-versioning | If set to true, new item version will be created on each update |
| --dp-enable-classic-key-protection | Set to update protection with classic keys state |
| --password-policy-password-length | Password length, between 5 and 50 characters |
| --password-policy-contains-capital-letters | Password must contain capital letters |
| --password-policy-contains-lower-letters | Password must contain lower case letters |
| --password-policy-contains-numbers | Password must contain numbers |
| --password-policy-contains-special-characters | Password must contain special characters |
| --items-deletion-protection | Set to update the default deletion protection attribute applied to newly created items [true/false] |
| --default-key-name | Set the account default key based on the DFC key item name. Use "set-original-akeyless-default-key" to revert to using the original default key of the account. Empty string will change nothing. |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

get-account-settings

Get account settings

Parameters

| Parameter | Description |
|---|---|
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

delete-item

Delete an item or an item version

Please note: mandatory values for this command: -n, --name

Usage
akeyless delete-item -n <Item name>
Parameters

| Parameter | Description |
|---|---|
| -n, --name | (Mandatory) Item name |
| --version[=-1] | The specific version you want to delete - 0=last version, -1=entire item with all versions (default) |
| --delete-in-days | The number of days to wait before deleting the item (relevant for keys only) |
| --delete-immediately[=false] | When delete-in-days=-1, must be set |
| --accessibility[=regular] | In case of an item in a user's personal folder [regular/personal] |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
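
Because --version defaults to -1, a delete-item call that omits the flag removes the entire item with all versions. The wrapper below is an added example, not part of the Akeyless CLI or its documentation, that makes the caller name the scope each time; the function names, the AKEYLESS override variable, the confirmation word and the --version=N spelling are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the Akeyless CLI or its documentation.
# delete-item defaults to --version=-1 (the entire item with all versions),
# so this wrapper makes the caller name the scope on every call and refuses
# a whole-item delete unless a confirmation word is passed as well.

# Assumption of this example: AKEYLESS names the binary to run. Setting
# AKEYLESS=echo gives a dry run that prints the arguments instead.
: "${AKEYLESS:=akeyless}"

# version_for_scope <scope>
# Maps a scope word to the --version value documented for delete-item:
#   last -> 0 (last version), all -> -1 (entire item), N -> version N.
# A bare 0 or -1 is rejected so the scope is always spelled out.
version_for_scope() (
  case "${1:-}" in
    last) printf '%s\n' 0 ;;
    all)  printf '%s\n' -1 ;;
    ''|*[!0-9]*|0*)
      echo "scope must be 'last', 'all' or a version number above 0" >&2
      exit 2 ;;
    *) printf '%s\n' "$1" ;;
  esac
)

# delete_item <item-name> <scope> [confirmation]
# Exit status: 2 = bad arguments, 3 = whole-item delete not confirmed,
# otherwise the exit status of the akeyless command itself.
delete_item() (
  name=${1:-}
  scope=${2:-}
  confirm=${3:-}
  if [ -z "$name" ]; then
    echo "item name is required (-n, --name is mandatory)" >&2
    exit 2
  fi
  version=$(version_for_scope "$scope") || exit 2
  if [ "$version" = "-1" ] && [ "$confirm" != "delete-all-versions" ]; then
    echo "refusing to delete every version of $name without confirmation" >&2
    exit 3
  fi
  # The --version=N spelling is an assumption; the table lists --version[=-1].
  "$AKEYLESS" delete-item --name "$name" "--version=$version"
)
```

Run it once with AKEYLESS=echo to review the exact arguments before letting it call the real binary.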

delete-items

Deletes multiple items from a given path

Note: mandatory values for this command: -p, --path

Usage
akeyless delete-items -p <Path/to/delete/items>

Parameters

| Parameter | Description |
|---|---|
| -p, --path | (Mandatory) Path to delete the items from |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

list-items

List of all accessible items

Parameters

| Parameter | Description |
|---|---|
| -t, --type | The item types list of the requested items. In case it is empty, all types of items will be returned, options: [key, static-secret, dynamic-secret, rotated-secret, ssh-cert-issuer, pki-cert-issuer, classic-key] |
| --sub-types | Optional, the item sub types |
| --filter | Filter by item name or part of it |
| --tag | Filter by item tag |
| --sra-only[=false] | Filter by items with SRA functionality enabled |
| --path | Path to folder |
| --pagination-token | Next page reference |
| --auto-pagination[=enabled] | Retrieve all items using pagination; when disabled, only the first 1000 items are retrieved |
| --minimal-view | Show only basic information of the items |
| --accessibility[=regular] | In case of an item in a user's personal folder, options: [regular/personal] |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

list-sra-bastions

List of all Secure Remote Access (SRA) Bastions in the account

Parameters

| Parameter | Description |
|---|---|
| --only-allowed-urls[=false] | Filter the response to show only bastions allowed URLs |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

move-objects

Moves/Renames objects

Note: mandatory values for this command: -s, --source, -t, --target

Usage
akeyless move-objects --source <Source path to move the objects from> \
--target <Target path to move the objects to> \
--objects-type <The objects type to move (item/auth_method/role)>
Parameters

| Parameter | Description |
|---|---|
| -s, --source | (Mandatory) Source path to move the objects from |
| -t, --target | (Mandatory) Target path to move the objects to |
| -o, --objects-type[=item] | The objects type to move (item/auth_method/role) |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

configure

Configure client profile

Usage
akeyless configure
Parameters

| Parameter | Description |
|---|---|
| --profile[=default] | The profile name to be configured |
| --access-id | Access ID |
| --access-key | Access Key |
| --access-type[=access_key] | Access Type, options: (access_key/password/azure_ad/saml/oidc/aws_iam/gcp/k8s) |
| --admin-password | Password (relevant only for access-type=password) |
| --admin-email | Email (relevant only for access-type=password) |
| --oidc-sp | OIDC Service Provider (relevant only for access-type=oidc, inferred if empty), supported SPs: google, github |
| --azure_ad_object_id | Azure Active Directory ObjectId (relevant only for access-type=azure_ad) |
| --gcp-audience | GCP audience to use in signed JWT (relevant only for access-type=gcp) |
| --gateway-url | Gateway URL for the K8S authenticated (relevant only for access-type=k8s) |
| --k8s-auth-config-name | The K8S Auth config name (relevant only for access-type=k8s) |
| --k8s-token-path[=/var/run/secrets/kubernetes.io/serviceaccount/token] | An optional path to a projected service account token inside the pod, for use instead of the default service account token (relevant only for access-type=k8s) |
| --cert-file-name | Name of the certificate file to use (relevant only for access-type=cert) |
| --cert-data | Certificate data encoded in base64. Used if file was not provided. (relevant only for access-type=cert in Curl Context) |
| --key-file-name | Name of the private key file to use (relevant only for access-type=cert) |
| --key-data | Private key data encoded in base64. Used if file was not provided (relevant only for access-type=cert in Curl Context) |

unconfigure

Remove configuration of client profile

Usage

akeyless unconfigure --profile <Profile name>

Gateway configuration

gateway-get-config

Gets gateway configuration details

Parameters

| Parameter | Description |
|---|---|
| -u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

gateway-list-allowed-management-access

Returns available allowed-management-access

Parameters

| Parameter | Description |
|---|---|
| -u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

gateway-migrate-personal-items

Migrates personal items from external vault

Parameters

| Parameter | Description |
|---|---|
| -u, --gateway-url[=http://localhost:18888] | API Gateway URL (Akeyless UI port) |
| -t, --type[=1password] | Migration provider type. Currently supported options: [1password] |
| -k, --protection-key | The name of a key that is used to encrypt the secret value |
| -l, --target-location | Target location in your Akeyless personal folder for migrated secrets |
| --1password-url | 1Password sign-in address for your account |
| --1password-email | 1Password user email |
| --1password-password | 1Password password for the given user's email |
| --1password-secret-key | User's 1Password Secret Key |
| --1password-vaults | Optional list of 1Password vaults to migrate items from; can be used multiple times (--1password-vaults vault1 --1password-vaults vault2). If not provided, all non-private vaults will be migrated |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

gateway-migration-status

Gets migration Status

Parameters

| Parameter | Description |
|---|---|
| -n, --name | Migration name to display |
| -i, --id | Optional, instead of migration name, set a Migration ID (can be retrieved with gateway-list-migration command) |
| -u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

list-gateways

List of all Gateways in the account

Parameters

| Parameter | Description |
|---|---|
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |

gateway-update-tls-cert

Updates Gateway TLS certificate

Parameters

| Parameter | Description |
|---|---|
| --cert-data | TLS Certificate (base64 encoded), this flag is ignored if --cert-file-name is supplied. |
| --cert-file-name | Path to the file containing the TLS Certificate, this flag is ignored if --cert-data is supplied |
| --key-data | TLS Private Key (base64 encoded), this flag is ignored if --key-file-name is supplied |
| --key-file-name | Path to the file containing the TLS Private Key, this flag is ignored if --key-data is supplied |
| -u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |

add-gw-access-id

Adds Sub-Admins to the list of who can access Gateway

Parameters

| Parameter | Description |
|---|---|
| -c, --cluster-name | (Mandatory) The name of the updated cluster |
| -a, --access-id | (Mandatory) The access id to be able to access the gateway |
| -s, --sub-claims | key/val of sub claims, e.g group=admins,developers |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --jq-expression | jq expression to filter result output |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |

delete-gw-access-id

Deletes Sub-Admins from the list of who can access Gateway

Parameters

| Parameter | Description |
|---|---|
| -c, --cluster-name | (Mandatory) The name of the updated cluster |
| -a, --access-id | (Mandatory) The access id to be able to access the gateway |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --jq-expression | jq expression to filter result output |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |

delete-gateway-cluster

Deletes gateway cluster

Parameters

| Parameter | Description |
|---|---|
| -c, --cluster-name | (Mandatory) Gateway Cluster, e.g. acc-abcd12345678/p-123456789012/defaultCluster |
| --force | Deletes cluster even if there is an active gateway or associated secrets. All Gateway secrets will be deleted |

Event Center

The following commands have to do with the Akeyless platform's Event Center functionality.

create-event-forwarder

Creates a forwarder that will send you notifications of selected events

Parameters

| Parameter | Description |
|---|---|
| -u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
| -n, --name | (Mandatory) Unique event forwarder name |
| --forwarder-type | (Mandatory) Event Forwarder type [servicenow, email] |
| --runner-type[=immediate] | (Mandatory) Event Forwarder runner type [immediate, periodic] |
| --every | Rate of periodic runner repetition in hours |
| -s, --event-source-locations | A comma-separated list of event sources to forward events about, for example: /abc/def, /abc/qqq/* |
| --event-source-type[=item] | Event source type [item, target] |
| --host | Host (relevant only for "servicenow" Event Forwarder) |
| --admin-name | Admin name (relevant only for "servicenow" Event Forwarder) |
| --admin-pwd | Admin Password (relevant only for "servicenow" Event Forwarder) |
| --email-to | A comma-separated list of email addresses to send events to (relevant only for "email" Event Forwarder) |
| -k, --key | Key name. The key will be used to encrypt the Event Forwarder secret value. If key name is not specified, the account default protection key is used |
| --description | Description of the Event Forwarder |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |

update-event-forwarder

Updates an existing forwarder

Parameters

| Parameter | Description |
|---|---|
| -n, --name | Unique event forwarder name |
| --new-name | New Event Forwarder name |
| --event-source-locations | New comma-separated list of event sources to forward events about, for example: /abc/def,/abc/qqq/* |
| --event-types | New comma-separated list of types of events to notify about [request-access, certificate-pending-expiration, certificate-expired] |
| --host | Host (relevant only for "servicenow" Event Forwarder) |
| --admin-name | Admin name (relevant only for "servicenow" Event Forwarder) |
| --email-to | A comma-separated list of email addresses to send events to (relevant only for "email" Event Forwarder) |
| --enable[=true] | Enable/Disable Event Forwarder [true/false] |
| --description[=default_description] | Description of the object |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |

get-event-forwarder

Fetches info on an existing forwarder

Parameters

| Parameter | Description |
|---|---|
| -n, --name | Unique event forwarder name. |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |

delete-event-forwarder

Deletes an existing forwarder

Parameters

| Parameter | Description |
|---|---|
| -n, --name | Unique event forwarder name. |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The UID token, Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --no-creds-cleanup[=false] | Do not clean local temporary expired credentials |