CLI Reference

This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:

$ akeyless -h
akeyless <command> -h, --help
akeyless <command> --debug

Download and install

Update Akeyless CLI

$ akeyless update

AKEYLESS CLI, Version x.x.x is up-to-date

Static secrets

create-secret

Create a new static secret and set its value.

Usage

akeyless create-secret --name mySecret1 --value MyPasswordString

Mandatory Options

--name Assign a unique name to the secret.

--value Enter the value of the secret, which is the password string.

Optional

-m, --metadata Add a description to the secret. This is especially handy when the name of the secret is generic or not specific enough.

-t, --tag Use tags as an extra tool for organizing and searching secrets. If the tag you want hasn't been created yet, you can add it as part of secret creation. To specify multiple tags, repeat the flag: -t Tag1 -t Tag2

-k, --key Choose an Encryption Key to be used to encrypt your secret. Leave the field empty in order to use the default (protectionKey) system key.

--multiline The provided value is a multiline value (separated by '\n').

update-secret-val

Update the password for an existing static secret.

Usage

akeyless update-secret-val --name mySecret1 --value "new value"

Mandatory Options

--name Enter the name of the existing secret that you want to update.

--value Enter the new value for the secret, which is the password string.

Optional

-k, --key Choose an Encryption Key to be used to encrypt your secret. Leave the field empty in order to use the default (protectionKey) system key.

--multiline The provided value is a multiline value (separated by '\n').

--new-version Save the new value as a new version of the secret instead of overwriting the current version.
For other data, such as metadata or tags, use update-item as described in Commands for all items and objects.

get-secret-value

Retrieve the value of a given static secret.

Usage

akeyless get-secret-value --name mySecret1

Mandatory Options

--name Enter the name of the existing secret whose value you want to retrieve.

Optional

--version Get the value of a specific version of the secret.
See Updating and versioning static secrets for information about this value.

show-versions

akeyless describe-item --name NAME --show-versions

Show the list of versions for a specified static or dynamic secret. See Commands for all items and objects and also Updating and versioning static secrets for details.

rollback-secret

Replace the current version with a previously used version of the static secret password.

Usage

akeyless rollback-secret -n /secret1 --old-version 2

Mandatory Options

-n, --name Path to the secret.

--old-version Enter the number of the previous version to which you want to roll the secret back. This version must be older than the current version.

delete-item

To delete any secret, key, certificate or role. See Commands for all items and objects for details.

Usage

akeyless delete-item -n <path/to/item>

Mandatory Options

-n, --name Path to item to be deleted

Optional

--version The specific version you want to delete - 0=last version, -1=entire item with all versions (default).

--delete-in-days The number of days to wait before deleting the item (relevant for keys only). By default 7 days.

--delete-immediately Must be set when --delete-in-days=-1. Default: false.

Encryption keys

create-key

Create a new encryption key.

Usage

akeyless create-key -n <Path/to/Key> -a <algorithm>

Mandatory Options

-n, --name Key name/path.

-a, --alg Algorithm type [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048]

Optional

-m, --metadata Metadata about the key.

-t, --tag List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2.

-s, --split-level The number of fragments that the item will be split into (not including the customer fragment). Default is 2.

-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).

rotate-key

Rotates an existing key, creating a new version of it.

Usage

akeyless rotate-key -n <Path/to/key>

Mandatory Options

-n, --name Key name/path.

Optional

--auto-rotate Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation.

--rotation-interval The number of days to wait between every automatic key rotation (7-365).

get-rsa-public

Obtain the public key from a specific RSA private key

Usage

akeyless get-rsa-public -n <RSA_private_Key_name>

Mandatory Options

-n, --name Name of RSA key to extract the public key from.

upload-pkcs12

Upload a PKCS#12 bundle containing a private key and certificate

Usage

akeyless upload-pkcs12 -n <Path/to/Key> --in <location/of/pkcs12>

Mandatory Options

-n, --name Name of key to be created.

-i, --in PKCS#12 input file (private key and certificate only).

-p, --passphrase Passphrase to unlock the PKCS#12 bundle.

Optional

-m, --metadata Metadata about the key.

-t, --tag List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2.

-s, --split-level The number of fragments that the item will be split into (not including the customer fragment). Default is 2.

-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).

-c, --cert Path to a file that contains the certificate in PEM format. If this parameter is not empty, the certificate is taken from this file and not from the PKCS#12 input file.

upload-rsa

Upload RSA key

Usage

akeyless upload-rsa -n <path/to/key> -a <algorithm> -p <path/to/rsa/private/key>

Mandatory Options

-n, --name Name of key to be created.

-a, --alg Key type. options: [RSA1024, RSA2048].

-p, --rsa-key-file-path RSA private key file path.

Optional

--rsa-key-data RSA private key data, base64 encoded.

-m, --metadata Metadata about the key.

-t, --tag List of the tags attached to this key. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2.

-s, --split-level The number of fragments that the item will be split into (not including the customer fragment). Default is 2.

-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment).

-c, --cert Path to a file that contains the certificate in PEM format.

--cert-file-data Certificate in a PEM format.

encrypt

Encrypts plaintext into ciphertext by using an AES key

Usage

akeyless encrypt -k <path/to/key> -p <data to be encrypted>

Mandatory Options

-k, --key-name The name of the key to use in the encryption process.

-p, --plaintext Data to be encrypted.

Optional

-X, --encryption-context Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail.

encrypt-file

Encrypts a file by using an AES key

Usage

akeyless encrypt-file -k <Key Name> -i <Path/to/file>

Mandatory Options

-k, --key-name The name of the key to use in the encryption process.

-i, --in Path to the file to be encrypted. If not provided, the content will be taken from stdin.

Optional

-o, --out Path to the output file. If not provided, the output will be sent to stdout.

-X, --encryption-context Name-value pair that specifies the encryption context to be used for authenticated encryption. If used here, the same value must be supplied to the decrypt command or decryption will fail.

encrypt-pkcs1

Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5

Usage

akeyless encrypt-pkcs1 -k <key Name> -p <Data to encrypt>

Mandatory Options

-k, --key-name The name of the key to use in the encryption process.

-p, --plaintext Data to be encrypted.

decrypt

Decrypts ciphertext into plaintext by using an AES key

Usage

akeyless decrypt -k <key name> -c <ciphertext to decrypt>

Mandatory Options

-k, --key-name The name of the key to use in the decryption process.

-c, --ciphertext Ciphertext to be decrypted in base64 encoded format.

Optional

-X, --encryption-context The encryption context. If this was specified in the encrypt command, it must be specified here or the decryption operation will fail.
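The -X/--encryption-context flag on encrypt, encrypt-file and decrypt is associated data for authenticated encryption: the context is authenticated together with the ciphertext but is not stored in it, so decrypting with a different or missing context fails the integrity check instead of yielding wrong plaintext. The following added example (not Akeyless code) shows that behaviour with a standard-library-only encrypt-then-MAC construction. The HMAC-based keystream, the key derivation and the sorted name=value context encoding are this example's own choices so that it runs offline; in practice you would use a real AEAD such as the AES-GCM keys this page creates.

```python
import hashlib
import hmac
import secrets

# Assumed encoding for a context given as name=value pairs: sorted and canonical,
# so the same pairs always produce the same bytes on the encrypt and decrypt side.
def encode_context(pairs: dict) -> bytes:
    return "&".join(f"{k}={v}" for k, v in sorted(pairs.items())).encode()

def _subkeys(key: bytes) -> tuple:
    # Separate keys for confidentiality and integrity, derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF-based stream; enough to demonstrate the AAD mechanism.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key: bytes, nonce: bytes, ciphertext: bytes, context: bytes) -> bytes:
    # The context is authenticated (length-prefixed to avoid boundary ambiguity)
    # but never emitted, so it cannot be recovered from the ciphertext blob.
    msg = len(context).to_bytes(4, "big") + context + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def encrypt(key: bytes, plaintext: bytes, context: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, nonce, ct, context)

def decrypt(key: bytes, blob: bytes, context: bytes = b"") -> bytes:
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify before decrypting, in constant time, with one error for every kind of mismatch.
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ct, context)):
        raise ValueError("authentication failed: ciphertext tampered or encryption context mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def context_matters(key: bytes, plaintext: bytes) -> dict:
    # Worked scenario: encrypt under one context, then decrypt with the same,
    # a different, and no context. Only the first succeeds.
    ctx = encode_context({"app": "billing", "env": "prod"})
    blob = encrypt(key, plaintext, ctx)
    results = {"same_context": decrypt(key, blob, ctx) == plaintext,
               "context_in_blob": ctx in blob}
    for label, other in (("wrong_context", encode_context({"app": "payroll", "env": "prod"})),
                         ("no_context", b"")):
        try:
            decrypt(key, blob, other)
            results[label] = "decrypted"
        except ValueError:
            results[label] = "rejected"
    return results
```

Because the context only enters the tag, it does not have to be secret, but it does have to be reproducible: treat it like a key label (record it with the ciphertext's metadata) rather than a free-form string.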

decrypt-file

Decrypts a file by using an AES key

Usage

akeyless decrypt-file --key-name <key name> --in <file to decrypt>

Mandatory Options

--key-name The name of the key to use in the decryption process.

--in File to be decrypted.

decrypt-pkcs1

Decrypts a ciphertext using RSA and the padding scheme from PKCS#1 v1.5

Usage

akeyless decrypt-pkcs1 -k <RSA key name> -c <ciphertext to decrypt>

Mandatory Options

-k, --key-name The name of the RSA key to use in the decryption process.

-c, --ciphertext Ciphertext to be decrypted in base64 encoded format.

sign-pkcs1

Signs a message using RSASSA-PKCS1-v1_5 (RSA PKCS#1 v1.5)

Usage

akeyless sign-pkcs1 -k <RSA signing key name> -m <Message to sign>

Mandatory Options

-k, --key-name The name of the RSA key to use in the signing process.

-m, --message The message to be signed.

verify-pkcs1

Verifies an RSA PKCS#1 v1.5 signature.

Usage

akeyless verify-pkcs1 -k <RSA Key> -m <message to verify> -s <message signature>

Mandatory Options

-k, --key-name The name of the RSA key to use in the verification process.

-m, --message The message to be verified.

-s, --signature The message's signature.

gen-customer-fragment

Generate a customer fragment.

Usage

akeyless gen-customer-fragment

Optional

--description The Customer Fragment Description.

Delete a key

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

set-item-state

Enable or disable an item.

Usage

akeyless set-item-state -n <Item name> -s <Desired state>

Mandatory Options

-n, --name Current item name.

-s, --desired-state Indicate whether to enable or disable the item.

Optional

--version The specific version you want to update: 0=item level state (default).

SSH certificates

get-ssh-certificate

Generates an SSH certificate.

Usage

akeyless get-ssh-certificate -s <Username to sign> -c <Cert issuer name>

Mandatory Options

-s, --cert-username The username to sign in the SSH certificate.

-c, --cert-issuer-name The name of the SSH certificate issuer.

Optional

-p, --public-key-file-path SSH public key.

-o, --outfile Output file path for the certificate. If not provided and --public-key-file-path is used, the certificate file is created in the same location as the provided public key, with the -cert suffix.

--public-key-data SSH public key file contents. If this option is used, the certificate will be printed to stdout.

create-ssh-cert-issuer

Creates a new SSH certificate issuer.

Usage

akeyless create-ssh-cert-issuer -n <Cert issuer name> -s <Signing Key> -a <Allowed users> -t <Cert TTL>

Mandatory Options

-n, --name SSH certificate issuer name.

-s, --signer-key-name A key to sign the certificate with.

-a, --allowed-users Users allowed to fetch the certificate, e.g. root,ubuntu.

-t, --ttl The requested Time To Live for the certificate, in seconds.

Optional

-p, --principals Sign certificates with these principals, e.g. example_role1,example_role2.

-x, --extensions Sign certificates with these extensions, e.g. permit-port-forwarding="".

-m, --metadata Metadata about the issuer.

Delete a certificate

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

PKI certificates

get-pki-certificate

Generates a PKI certificate.

Usage

akeyless get-pki-certificate -c <name of PKI issuer> -k <client Public or Private Key>

Mandatory Options

-c, --cert-issuer-name The name of the PKI certificate issuer.

-k, --key-file-path The client public or private key file path (if a private key is given, it is used to extract the public key).

Optional

--common-name The common name to be included in the PKI certificate.

--alt-names The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

--uri-sans The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

-o, --outfile Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension.

create-pki-cert-issuer

Creates a new PKI certificate issuer.

Usage

akeyless create-pki-cert-issuer -n <PKI issuer name> -s <Signing Key> -t <TTL>

Mandatory Options

-n, --name PKI certificate issuer name.

-s, --signer-key-name A key to sign the certificate with.

-t, --ttl The requested Time To Live for the certificate, in seconds.

Optional

--allowed-domains A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list).

--allowed-uri-sans A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list).

--allow-subdomains If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains.

--not-enforce-hostnames If set, any names are allowed for CN and SANs in the certificate and not only a valid host name.

--allow-any-name If set, clients can request certificates for any CN.

--not-require-cn If set, clients can request certificates without a CN.

--server-flag If set, certificates will be flagged for server auth use.

--client-flag If set, certificates will be flagged for client auth use.

--code-signing-flag If set, certificates will be flagged for code signing use.

--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment] A comma-separated string or list of key usages.

--organization-units A comma-separated list of organizational units (OU) that will be set in the issued certificate.

--organizations A comma-separated list of organizations (O) that will be set in the issued certificate.

--country A comma-separated list of the country that will be set in the issued certificate.

--locality A comma-separated list of the locality that will be set in the issued certificate.

--province A comma-separated list of the province that will be set in the issued certificate.

--street-address A comma-separated list of the street address that will be set in the issued certificate.

--postal-code A comma-separated list of the postal code that will be set in the issued certificate.

-m, --metadata Metadata about the issuer.
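The --allowed-domains, --allow-subdomains, --allow-any-name, --not-enforce-hostnames and --not-require-cn options above define which names a client may ask the issuer to put in a certificate. The added example below is not Akeyless's implementation; it models such a policy and evaluates a requested CN plus SAN list against it. The exact matching rules are this example's assumptions about how flags of this kind should behave, in particular that a subdomain match is made on a label boundary, so evilexample.com is never accepted as being under example.com.

```python
import re
from dataclasses import dataclass

# RFC 1123-style label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    # One leading wildcard label is tolerated; every remaining label must be a DNS label.
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

@dataclass(frozen=True)
class IssuerPolicy:
    allowed_domains: tuple = ()          # --allowed-domains
    allow_subdomains: bool = False       # --allow-subdomains
    allow_any_name: bool = False         # --allow-any-name
    not_enforce_hostnames: bool = False  # --not-enforce-hostnames
    not_require_cn: bool = False         # --not-require-cn

def name_allowed(policy: IssuerPolicy, name: str) -> bool:
    name = name.lower()
    # Hostname syntax is enforced unless the issuer explicitly opted out.
    if not policy.not_enforce_hostnames and not is_valid_hostname(name):
        return False
    if policy.allow_any_name:
        return True
    is_wildcard = name.startswith("*.")
    host = name[2:] if is_wildcard else name
    for domain in (d.lower() for d in policy.allowed_domains):
        if host == domain:
            # "example.com" itself is always fine; "*.example.com" covers every
            # subdomain, so it is only fine when subdomains are allowed.
            return not is_wildcard or policy.allow_subdomains
        # Suffix match on a label boundary: "evilexample.com" does not end with ".example.com".
        if policy.allow_subdomains and host.endswith("." + domain):
            return True
    return False

def request_allowed(policy: IssuerPolicy, common_name: str, alt_names=()) -> tuple:
    """Decide whether a CN plus SAN list would be issued under the policy. Returns (ok, reason)."""
    if not common_name and not policy.not_require_cn:
        return False, "CN required"
    names = ([common_name] if common_name else []) + list(alt_names)
    for n in names:
        if not name_allowed(policy, n):
            return False, f"name not allowed: {n}"
    return True, "ok"
```

The two checks worth copying into any issuer-side validation are the label-boundary comparison and the separate treatment of wildcards: a plain `endswith("example.com")` accepts `evilexample.com`, and a wildcard name is a request for every subdomain, not for one host.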

get-kube-exec-creds

Get credentials for authenticating to a Kubernetes cluster based on a PKI Cert Issuer.

Usage

akeyless get-kube-exec-creds -c <PKI cert issuer name> -k <Public or Private Key file path>

Mandatory Options

-c, --cert-issuer-name The name of the PKI certificate issuer.

-k, --key-file-path The client public or private key file path (if a private key is given, it is used to extract the public key).

Optional

--common-name The common name to be included in the PKI certificate.

--alt-names The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

--uri-sans The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

-o, --outfile Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension.

Delete a certificate

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Commands for all items and objects

describe-item

Returns the item details, which vary depending on the type of item.

Usage

akeyless describe-item --name ItemName 
akeyless describe-item --name ItemName --version VersionNumber
akeyless describe-item --name ItemName --show-versions

Mandatory Options

-n, --name Item name.

Optional

--show-versions[=false] Include all item versions in reply, by default set to false.

Output

With only --name specified, the command returns all details about the specified item except for its version.

When a version number is specified, the command returns all details about the specified item for the specified version.

When --show-versions is specified, the command returns all details about the specified item including a full list of versions, their creation dates and their encryption keys for any version for which a key other than the default was used.

update-item

Update item name, metadata or tags.

Note: secret versioning

Updates made with update-item are not saved as a new version; they overwrite the existing data. If you want to track these changes as part of secret versioning, first create a new version with update-secret-val --new-version (you can reuse the current value if you don't want to change it), then run update-item.

Usage

akeyless update-item --name ExistingNameofSecret --new-name NewName
akeyless update-item --name NameofSecret --new-metadata UpdateDescription
akeyless update-item --name NameofSecret --add-tag NewTagAdded
akeyless update-item --name NameofSecret --rm-tag Tag1

Mandatory Options

-n, --name The current name of the item.

Optional

--new-name The name that should now be assigned to the item.

--new-metadata[=default_metadata] The new description for the item.

--add-tag List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2.

--rm-tag List of the existing tags that should be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2.

delete-item

Delete an item or an item version

Usage

akeyless delete-item -n <path/to/item>

Mandatory Options

-n, --name Item name.

Optional

--version[=-1] The specific version you want to delete - 0=last version, -1=entire item with all versions (default).

--delete-in-days[=7] The number of days to wait before deleting the item (relevant for keys only).

--delete-immediately[=false] Must be set when --delete-in-days=-1.

delete-items

Delete multiple items from a given path

Usage

akeyless delete-items -p <path/to/items>

list-items

Returns a list of all accessible items
Usage

akeyless list-items

Optional

-t, --type The item types to return. If empty, items of all types are returned. Options: [key, static-secret, dynamic-secret].

--filter Filter by item name or part of it.

--tag Filter by item tag.

--path Path to folder.

--pagination-token Next page reference.

move-objects

Move/Rename objects.
Usage

akeyless move-objects -s <source> -t <target>

Mandatory Options

-s, --source Source path to move the objects from.

-t, --target Target path to move the objects to.

Optional

-o, --objects-type[=item] The objects type to move (item/auth_method/role).

Authentication

auth

Authenticates to the service and returns a token that can be used as a profile, so subsequent CLI commands run without re-authenticating.

Usage

akeyless auth --access-id <Access ID> --access-type <type> [type-specific options]

Options

--access-id Akeyless Access ID.

--access-type[=access_key] Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt/gcp).

--access-key Access key (relevant only for access-type=access_key).

--cloud-id The cloud identity (relevant only for access-type=azure_ad,aws_iam,gcp).

--uid_token The universal_identity token (relevant only for access-type=universal_identity).

--jwt The Json Web Token (relevant only for access-type=jwt/oidc).

--admin-password Password (relevant only for access-type=password).

--admin-email Email (relevant only for access-type=password).

--ldap_proxy_url Address URL for LDAP proxy (relevant only for access-type=ldap).

--username LDAP username (relevant only for access-type=ldap).

--password LDAP password (relevant only for access-type=ldap).

--gcp-audience[=akeyless.io] GCP audience to use in signed JWT (relevant only for access-type=gcp).

create-auth-method

Create a new Auth Method in the account

Usage

akeyless create-auth-method -n <Auth Method>

Options

-n, --name Auth Method name.

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

create-auth-method-azure-ad

Create a new Auth Method that will be able to authenticate using Azure Active Directory credentials

Usage

akeyless create-auth-method-azure-ad -n <Auth Name> --bound-tenant-id <AZ tenant id >

Mandatory Options

-n, --name Auth Method name.

--bound-tenant-id The Azure tenant ID that the access is restricted to.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--issuer[=https://sts.windows.net/---bound_tenant_id---] Issuer URL.

--jwks-uri[=https://login.microsoftonline.com/common/discovery/keys] The URL of the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server.

--audience[=https://management.azure.com/] The audience in the JWT.

--bound-spid A list of service principal IDs that the access is restricted to.

--bound-group-id A list of group ids that the access is restricted to.

--bound-sub-id A list of subscription ids that the access is restricted to.

--bound-rg-id A list of resource groups that the access is restricted to.

--bound-providers A list of resource providers that the access is restricted to (e.g, Microsoft.Compute, Microsoft.ManagedIdentity, etc).

--bound-resource-types A list of resource types that the access is restricted to (e.g, virtualMachines, userAssignedIdentities, etc).

--bound-resource-names A list of resource names that the access is restricted to (e.g. a virtual machine name, scale set name, etc).

--bound-resource-id A list of full resource ids that the access is restricted to.

create-auth-method-aws-iam

Create a new Auth Method that will be able to authenticate using AWS IAM credentials.

Usage

akeyless create-auth-method-aws-iam -n <Auth Name> --bound-AWS-account-id <account Id>

Mandatory Options

-n, --name Auth method name.

--bound-AWS-account-id A list of AWS account-IDs that the access is restricted to.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--sts-url[=https://sts.amazonaws.com] sts URL.

--bound-arn A list of full ARNs that the access is restricted to.

--bound-role-name A list of full role names that the access is restricted to.

--bound-role-id A list of full role ids that the access is restricted to.

--bound-resource-id A list of full resource ids that the access is restricted to.

--bound-user-name A list of full user names that the access is restricted to.

--bound-user-id A list of full user ids that the access is restricted to.

create-auth-method-oauth2

Create a new Auth Method that will be able to authenticate using OpenID Connect/OAuth2

Usage

akeyless create-auth-method-oauth2 -n <Auth Name> --jwks-uri <URL to JWKS> -u <unique ID>

Mandatory Options

-n, --name Auth Method name.

--jwks-uri The URL of the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server.

-u, --unique-identifier A unique identifier (ID) value must be configured for OAuth2, LDAP and SAML authentication method types; it is usually a claim such as the email, username or UPN. When a user logs in with a token, these authentication types issue a "sub claim" that uniquely identifies that user. The sub claim includes a key containing the ID value you configured, and is used to distinguish between users within the same organization.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--bound-clients-ids The client IDs that the access is restricted to.

--issuer Issuer URL.

--audience The audience in the JWT.

create-auth-method-ldap

Create a new Auth Method that will be able to authenticate using LDAP

Usage

akeyless create-auth-method-ldap -n <Auth Name> --public-key-file-path <path/to/public/key>

Mandatory Options

-n, --name Auth method name.

--public-key-file-path A public key generated for LDAP authentication method on Akeyless [RSA2048].

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

create-auth-method-saml

Create a new Auth Method that will be able to authenticate using SAML

Usage

akeyless create-auth-method-saml -n <Auth Name> -u <Unique ID>

Mandatory Options

-n, --name Auth method name.

-u, --unique-identifier A unique identifier (ID) value must be configured for OAuth2, LDAP and SAML authentication method types; it is usually a claim such as the email, username or UPN. When a user logs in with a token, these authentication types issue a "sub claim" that uniquely identifies that user. The sub claim includes a key containing the ID value you configured, and is used to distinguish between users within the same organization.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--idp-metadata-url IDP metadata url.

--idp-metadata-xml-file-path IDP metadata xml file path.

create-auth-method-universal-identity

Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity

Usage

akeyless create-auth-method-universal-identity -n <Auth Name>

Mandatory Options

-n, --name Auth method name.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--deny-rotate Deny rotation of the token.

--deny-inheritance Deny the root token from creating child tokens.

--ttl Token TTL.

create-auth-method-gcp

Create a new Auth Method that will be able to authenticate using GCP IAM Service Account credentials or GCE instance credentials.

Usage

akeyless create-auth-method-gcp -n <Auth Name> -t <type of GCP iam/gce> --audience <audience to verify in the JWT>

Mandatory Options

-n, --name Auth method name.

-t, --type The type of the GCP Auth Method (iam/gce).

--audience[=akeyless.io] The audience to verify in the JWT received by the client.

Optional

--access-expires[=0] Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips A CIDR whitelist of the IPs that the access is restricted to.

--service-account-creds-file Service Account creds key file path.

--service-account-creds-data Service Account creds data, base64 encoded.

--bound-projects A list of GCP project IDs. Clients must belong to any of the provided projects in order to authenticate. For multiple values repeat this flag.

--bound-service-accounts IAM only. A list of Service Accounts. Clients must belong to any of the provided service accounts in order to authenticate. For multiple values repeat this flag.

--bound-zones GCE only. A list of zones. GCE instances must belong to any of the provided zones in order to authenticate. For multiple values repeat this flag.

--bound-regions GCE only. A list of regions. GCE instances must belong to any of the provided regions in order to authenticate. For multiple values repeat this flag.

--bound-labels GCE only. A list of GCP labels formatted as "key:value" pairs that must be set on instances in order to authenticate. For multiple values repeat this flag.
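The --issuer, --audience, --jwks-uri and bound-* options of the Azure AD, OAuth2/OIDC and GCP auth methods above all describe checks made on an incoming JWT: the signature is verified against the provider's keys, then the issuer, audience and expiry are checked, and only then are the bound lists (tenant, service principal, project, and so on) compared against the token's claims. The following added example, which is not Akeyless code, performs those checks in that order on a token built locally. It signs with HS256 and a shared key so that it runs offline; real providers sign with RS256 and the verifying key would come from the --jwks-uri document, which changes only the signature step. The claim names used for binding (tid, sub) and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

class AuthError(Exception):
    """Raised for any token that must not be accepted. The message is for logs, not clients."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    # Stand-in for the identity provider: HS256 keeps the example self-contained.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               bound_claims: dict = None, now: float = None) -> dict:
    """Signature first, then iss/aud/exp, then the bound-* style claim lists. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:
        raise AuthError("malformed header")
    # Pin the algorithm: a token announcing alg=none or any other alg is rejected before
    # its signature is even looked at.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(s)
    except ValueError:
        raise AuthError("malformed signature")
    if not hmac.compare_digest(expected, presented):
        raise AuthError("bad signature")
    # Claims are untrusted input until the signature check above has passed.
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise AuthError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise AuthError("token expired or missing exp")
    # Each bound claim must be present and equal to one of the configured values.
    for claim, allowed in (bound_claims or {}).items():
        if claims.get(claim) not in allowed:
            raise AuthError(f"claim {claim!r} not in bound list")
    return claims
```

The order matters: nothing about the payload is trusted until the signature has been verified with a key chosen by the verifier, and the audience check is what stops a token minted for one relying party (for example the default https://management.azure.com/ audience) from being replayed against another.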

get-auth-method

Returns information about the Auth Method.

Usage

akeyless get-auth-method -n <Auth method name>

list-auth-methods

Returns a list of all the Auth Methods in the account

Usage

akeyless list-auth-methods

Optional

--pagination-token Next page reference.

delete-auth-method

Delete the Auth Method

Usage

akeyless delete-auth-method -n <Auth Method Name>

Mandatory Options

-n, --name Auth Method name.

delete-auth-methods

Delete multiple auth methods from a given path

Usage

akeyless delete-auth-methods -p <Path to auth methods>

Mandatory Options

-p, --path Path to delete the auth methods from.

reverse-rbac

See which authentication methods have access to a particular object

Usage

akeyless reverse-rbac -p <path to an object>  -t <object type>

Mandatory Options

-p, --path Path to an object.

-t, --type Type of object (item, am=auth method, role).

configure

Configure client profile.

Usage

akeyless configure

Options

--profile The profile name to configure.

--access-id Access ID.

--access-key Access Key.

--access-type[=access_key] Access Type (access_key/password/azure_ad/saml/ldap/aws_iam).

--admin-password Password (relevant only for access-type=password).

--admin-email Email (relevant only for access-type=password).

--ldap_proxy_url Address URL for LDAP proxy (relevant only for access-type=ldap).

--azure_ad_object_id Azure Active Directory ObjectId (relevant only for access-type=azure_ad).

--gcp-audience[=akeyless.io] GCP audience to use in signed JWT (relevant only for access-type=gcp).

unconfigure

Remove the configuration of a client profile.

Usage

akeyless unconfigure --profile <Profile name>

Dynamic secrets

create-dynamic-secret

Creates a new dynamic secret item

Usage

akeyless create-dynamic-secret -n <Dynamic Secret Name>

Options

-n, --name Dynamic secret name.

-m, --metadata[=None] Metadata about the dynamic secret.

-t, --tag List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2.

-k, --key The name of the key used to encrypt the dynamic secret values (if empty, the account's default protection key is used).

get-dynamic-secret-value

Get dynamic secret value

Usage

akeyless get-dynamic-secret-value -n <Dynamic Secret Name>

Delete dynamic secret

Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Roles

create-role

Creates a new role

Usage

akeyless create-role -n <Role Name>

Options

-n, --name Role name.

--comment Comment about the role.

get-role

Get role details

Usage

akeyless get-role -n <Role Name>

update-role

Update role details

Usage

akeyless update-role -n <Role name>

Options

-n, --name Role name.

--new-name New role name.

--new-comment New comment about the role.

--audit-access Allow this role to view audit logs. Currently only 'none' and 'self' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods.

--analytics-access Allow this role to view analytics. Currently only 'none' and 'self' values are supported, allowing associated auth methods to view reports produced by the same auth methods.

list-roles

Returns a list of all roles in the account

Usage

akeyless list-roles [--pagination-token <token>]

delete-role

Delete a role

Usage

akeyless delete-role -n <Role Name>

delete-roles

Delete multiple roles from a given path

Usage

akeyless delete-roles -p <path/to/roles>

set-role-rule

Set a rule to a role

Usage

akeyless set-role-rule -r <Role Name> -p <Path> -c <capabilities>

Mandatory Options

-r, --role-name The role name to be updated.

-p, --path The path the rule refers to.

-c, --capability List of the approved/denied capabilities in the path options: [read, create, update, delete, list, deny].

Optional

--rule-type[=item-rule] Item-rule, role-rule or auth-method-rule.

delete-role-rule

Delete a rule from a role

Usage

akeyless delete-role-rule -r <Role Name> -p <Path>

Mandatory Options

-r, --role-name The role name to be updated.

-p, --path The path the rule refers to.

Optional

--rule-type[=item-rule] Item-rule, role-rule or auth-method-rule.

assoc-role-am

Create an association between role and auth method

Usage

akeyless assoc-role-am -r <Role Name> -a <Auth Name>

Mandatory Options

-r, --role-name The role name to be updated.

-a, --am-name The auth method to associate.

Optional

-s, --sub-claims Key/value list of sub-claims that restrict the association to identities carrying them, e.g. group=admins,developers.

delete-assoc

Delete an association between role and auth method

Usage

akeyless delete-assoc -a <association id to be deleted>
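
The rule and association commands above are normally applied together. The script below is an added example, not part of the Akeyless documentation: it provisions a read-only role for a CI pipeline, validates the capability list against the values set-role-rule accepts, adds an allow rule and an explicit deny rule, and only then binds the role to an auth method restricted by a sub-claim. The role name ci-reader, the auth method k8s-ci, the /prod/app paths and the sub-claim repo=org/app are hypothetical. It passes one --capability flag per capability and writes deny as a capability of its own, as the list above shows; confirm both against akeyless set-role-rule -h for your CLI version. Commands are only printed unless AKEYLESS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Akeyless documentation: provision a read-only
# role for a CI pipeline with create-role, set-role-rule and assoc-role-am.
# Role name, auth method name, paths and the sub-claim are hypothetical.
# Dry-run by default: every command is printed; AKEYLESS_APPLY=1 executes it.

AKEYLESS="${AKEYLESS:-akeyless}"

# run CMD...: print the command line, then execute it only in apply mode.
run() {
  printf '%s\n' "$*"
  if [ "${AKEYLESS_APPLY:-0}" = "1" ]; then
    "$@"
  fi
}

# valid_capabilities LIST: succeed only when every comma-separated entry is one
# of the values set-role-rule accepts; anything else (e.g. "admin") is rejected
# before the CLI is called.
valid_capabilities() {
  [ -n "$1" ] || return 1
  old_ifs=$IFS
  IFS=','
  for cap in $1; do
    case "$cap" in
      read|create|update|delete|list|deny) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# grant_path ROLE PATH CAPS: add one item-rule on PATH, passing one
# --capability flag per entry of the comma-separated CAPS list.
grant_path() {
  role=$1
  rule_path=$2
  caps=$3
  if ! valid_capabilities "$caps"; then
    echo "grant_path: bad capability list '$caps'" >&2
    return 1
  fi
  set -- "$AKEYLESS" set-role-rule --role-name "$role" --path "$rule_path" --rule-type item-rule
  old_ifs=$IFS
  IFS=','
  for cap in $caps; do
    set -- "$@" --capability "$cap"
  done
  IFS=$old_ifs
  run "$@"
}

# provision_ci_role ROLE AM: read/list on the application subtree, an explicit
# deny on its admin subtree, then bind ROLE to auth method AM restricted to
# identities carrying the sub-claim repo=org/app. The association comes last so
# that no identity is bound to a role whose rules are still incomplete.
provision_ci_role() {
  role=$1
  am=$2
  run "$AKEYLESS" create-role --name "$role" --comment "CI read-only access"
  grant_path "$role" "/prod/app/*" "read,list"
  grant_path "$role" "/prod/app/admin/*" "deny"
  run "$AKEYLESS" assoc-role-am --role-name "$role" --am-name "$am" --sub-claims "repo=org/app"
}

# Usage: AKEYLESS_APPLY=1 sh provision-role.sh ci-reader k8s-ci
if [ -n "${1:-}" ]; then
  provision_ci_role "$1" "${2:?auth method name required}"
fi
```

Run it once without AKEYLESS_APPLY to review the four commands it will issue, then rerun with AKEYLESS_APPLY=1 against the configured profile.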

Akeyless Universal Identity

uid-list-children

List the child token IDs of an Akeyless Universal Identity token

Usage

akeyless uid-list-children -n <UID Auth Method Name>

uid-revoke-token

Revoke token using Akeyless Universal Identity

Usage

akeyless uid-revoke-token --revoke-type revokeAll --revoke-token <UID Token ID>

Mandatory Options

--revoke-type revokeSelf/revokeAll (revoke only this token, or this token together with all its children).

--revoke-token The universal identity token/token-id to revoke.

Optional

-n, --auth-method-name The universal identity auth method name.

uid-generate-token

Generate a new token using Akeyless Universal Identity

Usage

akeyless uid-generate-token -n <UID Auth Name>

uid-rotate-token

Rotate token using Akeyless Universal Identity (aliases: rotate-token, uid-send-manual-rotate-ack)

Options

-t, --token, --uid-token The Universal identity token.

--fork Create a new child token with default parameters.

--send-manual-ack-token The new rotated token to send manual ack for (with uid-token=the-orig-token).

--with-manual-ack Disable automatic ack.

-o, --output-file / -i, --input-file Path to the output/input file.

uid-create-child-token

Create a new child token using Akeyless Universal Identity

Options

--child-deny-rotate Deny the new child from rotating.

--child-deny-inheritance Deny the new child from creating its own children.

--child-ttl New child token TTL.

--comment New Token comment.

--uid-token The universal identity token, required only for universal_identity authentication.

-n, --auth-method-name The universal identity auth method name, required only when uid-token is not provided.

--tid, --uid-token-id The ID of the uid-token, required only when uid-token is not provided.

get-cloud-identity

Get Cloud Identity Token (relevant only for access-type=azure_ad,aws_iam,gcp)

Options

--azure_ad_object_id Azure Active Directory ObjectId (relevant only for access-type=azure_ad).

--gcp-audience[=akeyless.io] GCP audience to use in signed JWT (relevant only for access-type=gcp).

--url_safe Escapes the token so it can be safely placed inside a URL query.

Delete a token

Revoke a Universal Identity token with uid-revoke-token, as described above. Use delete-item to delete any secret, key, certificate or role. See Commands for all items and objects for details.

Akeyless Producers

Usage

To work with Akeyless producers from the CLI, set -u, --gateway-url to the Akeyless Gateway URL (configuration management port) and -n, --name to the producer name.

gateway-create-producer-artifactory

Creates Artifactory producer.

Mandatory Options

--base-url Artifactory REST URL; must end with the artifactory suffix (for example https://<host>/artifactory).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--artifactory-token-scope Token scope provided as a space-separated list, for example: member-of-groups:readers.

--artifactory-token-audience A space-separated list of the other Artifactory instances or services that should accept this token, for example: [email protected]* .

Optional

--artifactory-admin-name Admin name.

--artifactory-admin-pwd Admin API Key/Password.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-aws

Creates AWS producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--aws-access-mode The types of credentials to retrieve from AWS. Options:[iam_user,assume_role].

--aws-access-key-id Access Key ID.

--aws-access-secret-key Access Secret Key.

--aws-region[=us-east-2] AWS region.

--aws-user-policies Policy ARN(s). Multiple values should be separated by comma.

--aws-user-groups UserGroup name(s). Multiple values should be separated by comma.

--aws-role-arns AWS Role ARNs to be used in the Assume Role operation. Multiple values should be separated by comma.

--aws-user-console-access[=false] Enable AWS User console access.

--aws-user-programmatic-access[=true] Enable AWS User programmatic access.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

--admin-creds-rotation[=false] Enable automatic admin credentials rotation.

--admin-creds-rotation-interval[=0] Admin credentials rotation interval (days).

gateway-create-producer-azure

Creates Azure AD producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--azure-tenant-id Azure Tenant ID.

--azure-client-id Azure Client ID (Application ID).

--azure-client-secret Azure AD Client Secret.

--azure-user-portal-access[=false] Enable Azure AD user portal access.

--azure-user-programmatic-access[=true] Enable Azure AD user programmatic access.

--azure-app-obj-id Azure App Object ID (required when programmatic access is selected).

--azure-user-principal-name Azure AD User Principal Name (required when portal access is selected).

--azure-user-group-obj-id Azure AD User Group Object ID (required when portal access is selected).

--azure-user-role-template-id Azure AD User Role Template ID (required when portal access is selected).

gateway-create-producer-eks

Creates Amazon Elastic Kubernetes Service (Amazon EKS) producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--eks-cluster-name EKS cluster name. Must match the EKS cluster name you want to connect to.

--eks-cluster-endpoint EKS cluster endpoint: https://<DNS or IP> of the cluster.

--eks-cluster-ca-cert EKS Cluster certificate. Base 64 encoded certificate.

Optional

--eks-access-key-id EKS Access Key ID.

--eks-secret-access-key EKS Secret Access Key.

--eks-region[=us-east-2] EKS Region.

--eks-assume-role Role ARN. Role to assume when connecting to the EKS cluster.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-gke

Creates Google Kubernetes Engine (GKE) producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--gke-account-email GKE service account email.

--gke-account-key-file-path File path to the GKE service account key (the RSA private key generated for this service account).

--gke-cluster-endpoint GKE cluster endpoint: https://<DNS or IP> of the cluster.

--gke-cluster-ca-cert GKE Cluster certificate. Base 64 encoded certificate.

Optional

--gke-cluster-name GKE Cluster name.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-gcp

Creates Google Cloud Provider (GCP) producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--gcp-sa-email GCP service account email.

--gcp-cred-type[=token] Credentials type, options are [token, key].

Optional

--gcp-key-file-path Path to file with the Base64-encoded service account private key.

--gcp-key Base64-encoded service account private key text.

--gcp-token-scopes Access token scopes list, e.g. scope1,scope2.

--gcp-key-algo Service account key algorithm, e.g. KEY_ALG_RSA_1024.

--user-ttl[=60m] User TTL (<=60m for access token).

--producer-encryption-key-name Dynamic producer encryption key.

--profile Use a specific profile from your akeyless/profiles/ folder.

--username Required only when the authentication process requires a username and password.

--password Required only when the authentication process requires a username and password.

--uid-token The universal identity token, Required only for universal_identity authentication.

gateway-create-producer-mongo

Creates a MongoDB/MongoDB Atlas producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--mongodb-roles[=[]] MongoDB roles (e.g. MongoDB: [{"role":"readWrite", "db": "sales"}], MongoDB Atlas: [{"roleName" : "readWrite", "databaseName": "sales"}]).

--mongodb-server-uri MongoDB server URI (e.g. mongodb://akeyless:[email protected]:27017/admin?replicaSet=mySet).

--mongodb-username MongoDB server username.

--mongodb-password MongoDB server password.

--mongodb-host-port host:port (e.g. 1.2.3.4:8089).

--mongodb-default-auth-db MongoDB server default authentication database.

--mongodb-uri-options MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB).

--mongodb-atlas-project-id MongoDB Atlas project ID.

--mongodb-atlas-api-public-key MongoDB Atlas public key.

--mongodb-atlas-api-private-key MongoDB Atlas private key.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-mssql

Creates a Microsoft SQL Server producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--mssql-dbname MSSQL Server DB Name.

--mssql-username MS SQL Server user.

--mssql-password MS SQL Server password.

--mssql-host[=127.0.0.1] MS SQL Server host name.

--mssql-port[=1433] MS SQL Server port.

--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';] MSSQL Server Creation Statements.

--mssql-revocation-statements[=DROP LOGIN [{{name}}];] MSSQL Server Revocation Statements.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-mysql

Create MySQL producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--mysql-dbname MySQL DB name.

--mysql-username MySQL user.

--mysql-password MySQL password.

--mysql-host[=127.0.0.1] MySQL host name.

--mysql-port[=3306] MySQL port.

--mysql-statements MySQL Creation Statements.

--db-server-certificates The set of root certificate authorities in base64 encoding that clients use when verifying server certificates.

--db-server-name Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-postgresql

Creates PostgreSQL producer.

Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--postgresql-db-name PostgreSQL DB name.

--postgresql-username PostgreSQL user.

--postgresql-password PostgreSQL password.

--postgresql-host[=127.0.0.1] PostgreSQL host name.

--postgresql-port[=5432] PostgreSQL port.

--postgresql-statements[=CREATE USER "{{name}}" WITH PASSWORD '{{password}}' VALID UNTIL '2022-01-01';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";] PostgreSQL Creation Statements.

--enc-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-rabbitmq

Creates RabbitMQ producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--rabbitmq-server-uri RabbitMQ server URI.

--rabbitmq-user-conf-permission User configuration permission, for example:[.*,queue-name].

--rabbitmq-user-write-permission User write permission, for example:[.*,queue-name].

--rabbitmq-user-read-permission User read permission, for example:[.*,queue-name].

Optional

--rabbitmq-admin-user RabbitMQ server user.

--rabbitmq-admin-pwd RabbitMQ server password.

--rabbitmq-user-vhost User Virtual Host.

--rabbitmq-user-tags Comma separated list of tags to apply to user.

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-rdp

Creates an RDP dynamic secret.

Mandatory Options

-u, --gateway-url: The URL of your Akeyless Gateway (configuration management port).

-n, --name: A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--rdp-user-groups: A comma-separated list of the RDP user group(s) to which new users should be added.

--rdp-host-name: The hostname or IP address of the target Windows server.

Optional

--rdp-admin-name: The username of an administrator user with sufficient permissions to create users, groups, and so on.

--rdp-admin-pwd: The administrator user password.

--rdp-host-port[=22]: The SSH port for the connection, by default 22.

--fixed-user-only[=false]: Define as true to create the same user each time the secret is requested.

--producer-encryption-key-name: The encryption key with which to encrypt the dynamic secret (if your system includes multiple encryption keys).

--user-ttl[=60m]: The length of time for which the credentials generated by the dynamic secret are valid.

gateway-create-producer-snowflake

Creates a dynamic secret that generates access credentials for Snowflake.

Mandatory Options

-u, --gateway-url: The URL of your Akeyless Gateway (configuration management port).

-n, --name: A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--account: The Snowflake account name in xy12345.region.cloud_provider format.

--db-name: The name of the target Snowflake database.

Optional

--role: The Snowflake role to be assigned to temporary users.

--warehouse: The name of the target Snowflake warehouse.

--user-ttl: The length of time for which the credentials generated by the dynamic secret are valid, by default 60 (minutes).

--profile: The specific Akeyless profile to use to execute the command.

--username: The username for a Snowflake user administrator (with the USERADMIN role or higher).

--password: The password for the Snowflake user administrator account.

--uid-token: The universal identity token. This value is only required if you use universal_identity authentication.

gateway-create-producer-venafi

Creates Venafi producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--venafi-api-key Venafi API key.

--venafi-zone Venafi Zone.

Optional

--creating-cert-using-pki Creating certificates using Akeyless PKI.

--root-first-in-chain Root chain.

--store-private-key Store private key in Akeyless.

--auto-generated-folder Auto generated folder.

--issuer-name Issuer name.

--signer-key-name Signer key name.

--allowed-domains Allowed domains.

--allow-subdomains Allow subdomains.

--admin-creds-rotation[=false] Enable automatic admin credentials rotation.

--admin-creds-rotation-interval[=0] Admin credentials rotation interval (days).

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

gateway-create-producer-custom

Creates a custom webhook based dynamic secret producer.

Mandatory Options

-u, --gateway-url The URL of your Akeyless Gateway (configuration management port).

-n, --name A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.

--create-sync-url URL of an endpoint that implements /sync/create method.

--revoke-sync-url URL of an endpoint that implements /sync/revoke method.

Optional

--producer-encryption-key-name Encrypt the producer with the named key.

--user-ttl[=60m] User TTL.

--payload Secret payload to be sent with each create/revoke webhook request.

--timeout-sec[=60] Maximum allowed time in seconds for the webhook to return the results.

--username Required only when the authentication process requires a username and password.

--password Required only when the authentication process requires a username and password.

--uid-token The universal identity token, Required only for universal_identity authentication.

gateway-delete-producer

Deletes producer.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

gateway-get-producer

Return producer.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

gateway-get-producer-tmp-creds

Return producer temporary credentials list.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

gateway-list-producers

Return available producers.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

gateway-revoke-producer-tmp-creds

Revoke producer temporary credentials.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

--tmp-creds-id Temp Creds ID.

--soft-delete Use soft delete.

--host Host.

gateway-start-producer

Starts producer.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

gateway-stop-producer

Stops producer.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

gateway-update-producer-tmp-creds

Update ttl of producer temporary credentials.

Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Producer name.

--tmp-creds-id Temp Creds ID.

--new-ttl-min New TTL in Minutes.
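
The PostgreSQL producer, get-dynamic-secret-value and the gateway-*-producer-tmp-creds commands above make up the lifecycle of one set of temporary credentials. The script below is an added example, not from the Akeyless documentation: it registers a producer whose creation statements grant only CONNECT, USAGE and SELECT, with a 15-minute TTL and a customer-managed key, then fetches, lists and revokes credentials. The default creation statement quoted above carries a fixed VALID UNTIL '2022-01-01'; PostgreSQL rejects password logins for a role whose VALID UNTIL has passed, so the example supplies its own statements instead of relying on the default. The Gateway URL, database host, database name app, key name /keys/producers and secret name are hypothetical, and the admin password is taken from the environment. Commands are only printed, with password arguments redacted, unless AKEYLESS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Akeyless documentation: create a PostgreSQL
# producer that issues read-only, short-lived credentials, then fetch, list and
# revoke them. Gateway URL, host, database, key and secret names are
# hypothetical. Dry-run by default (commands are printed, password arguments
# redacted); AKEYLESS_APPLY=1 executes them.

AKEYLESS="${AKEYLESS:-akeyless}"
GW_URL="${GW_URL:-https://gw.example.internal:8000}"   # configuration-management port
PG_HOST="${PG_HOST:-db.example.internal}"
PG_ADMIN_USER="${PG_ADMIN_USER:-akeyless_admin}"
PG_ADMIN_PASSWORD="${PG_ADMIN_PASSWORD:-}"             # from the environment, never hard-coded
ENC_KEY="${ENC_KEY:-/keys/producers}"

# Creation statements without the fixed VALID UNTIL date of the default (a date
# in the past makes password logins fail). The user gets CONNECT, USAGE and
# SELECT only and is revoked by the producer when --user-ttl elapses.
PG_STATEMENTS="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}';GRANT CONNECT ON DATABASE app TO \"{{name}}\";GRANT USAGE ON SCHEMA public TO \"{{name}}\";GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

# run CMD...: print the command line with the value after any password-like
# flag redacted, then execute it only in apply mode.
run() {
  line=""
  hide=0
  for arg in "$@"; do
    if [ "$hide" = 1 ]; then
      arg="<redacted>"
      hide=0
    fi
    case "$arg" in
      --*-password|--*-pwd|--password) hide=1 ;;
    esac
    line="$line$arg "
  done
  printf '%s\n' "${line% }"
  if [ "${AKEYLESS_APPLY:-0}" = "1" ]; then
    "$@"
  fi
}

# create_pg_reader_producer NAME: register the producer on the Gateway with
# explicit creation statements, a 15-minute TTL and a customer-managed key.
create_pg_reader_producer() {
  if [ -z "$PG_ADMIN_PASSWORD" ]; then
    echo "PG_ADMIN_PASSWORD is not set" >&2
    return 1
  fi
  run "$AKEYLESS" gateway-create-producer-postgresql --gateway-url "$GW_URL" --name "$1" \
    --postgresql-host "$PG_HOST" --postgresql-port 5432 --postgresql-db-name app \
    --postgresql-username "$PG_ADMIN_USER" --postgresql-password "$PG_ADMIN_PASSWORD" \
    --postgresql-statements "$PG_STATEMENTS" --user-ttl 15m --enc-key-name "$ENC_KEY"
}

# fetch_creds NAME: obtain a fresh username/password pair from the producer.
fetch_creds() {
  run "$AKEYLESS" get-dynamic-secret-value --name "$1"
}

# list_creds NAME: show outstanding temporary credentials (audit and teardown).
list_creds() {
  run "$AKEYLESS" gateway-get-producer-tmp-creds --gateway-url "$GW_URL" --name "$1"
}

# revoke_creds NAME ID: drop one credential set before its TTL, e.g. when the
# job that used it has finished or a leak is suspected.
revoke_creds() {
  run "$AKEYLESS" gateway-revoke-producer-tmp-creds --gateway-url "$GW_URL" --name "$1" --tmp-creds-id "$2"
}

# Usage: PG_ADMIN_PASSWORD=... AKEYLESS_APPLY=1 sh pg-producer.sh /prod/app/pg-reader
if [ -n "${1:-}" ]; then
  create_pg_reader_producer "$1"
fi
```

In apply mode the admin password is still passed on the akeyless command line and is visible to other users of that host while the process runs; register the producer from an administrative host, and rely on --enc-key-name so the Gateway stores the credentials under a key you control.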

Akeyless Targets

assoc-target-item

Create an association between target and item.

Mandatory Options

-t, --target-name The target to associate.

-n, --name The item to associate.

create-aws-target

Creates a new AWS target.

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--access-key-id AWS access key ID.

--access-key AWS secret access key.

--region[=us-east-2] AWS region.

Optional

--session-token Required only for temporary security credentials retrieved using STS.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-azure-target

Creates a new Azure target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--client-id Azure client/application id.

--tenant-id Azure tenant id.

--client-secret Azure client secret.

Optional

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-db-target

Creates a new DB target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--db-type Database type: mysql/mssql/postgres/mongodb/snowflake/oracle.

For each database type there are mandatory fields.
The following items are mandatory for MySQL, PostgreSQL, MSSQL, and Oracle DB:

--user-name Database user name.

--host Database host.

--pwd Database password.

--port Database port.

For MySQL, MSSQL & PostgreSQL use:

--db-name Database name.

For Oracle DB use:
--oracle-service-name Oracle service name.

For MongoDB the following fields are mandatory:

--mongodb-username Privileged database user name with sufficient rights to create users.

--mongodb-password Password of the privileged database user.

--mongodb-host-port Target database host name or IP address with port.

For Mongo Atlas:
--mongodb-atlas Set --db-type to "mongodb" and this flag to "true" to create a MongoDB Atlas target.

--mongodb-atlas-project-id MongoDB Atlas project ID.

--db-name Database name.

--mongodb-atlas-api-public-key MongoDB Atlas public key.

--mongodb-atlas-api-private-key MongoDB Atlas private key.

For Snowflake:
--snowflake-account Snowflake account name.

--user-name Snowflake account user name.

--pwd Snowflake account password.

Optional

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

For MySQL:
--db-server-certificates Set of root certificate authorities in base64 encoding used by clients to verify server certificates.

--db-server-name Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address.

For MongoDB:
--mongodb-default-auth-db MongoDB server default authentication database.

--mongodb-server-uri MongoDB server URI (e.g. mongodb://akeyless:[email protected]:27017/admin?replicaSet=mySet).

--mongodb-uri-options MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB).
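
The mandatory fields for create-db-target depend on the database type, and a missing one is only reported once the CLI is called. The script below is an added example, not from the Akeyless documentation: it encodes the per-type rules listed above, refuses to call the CLI until every mandatory flag is present, and redacts credential values when printing the command. Target names, hosts and the key /keys/targets are hypothetical; mongodb-atlas is a pseudo type of this script that expands to --db-type mongodb plus --mongodb-atlas, and boolean flags are written as bare switches (check akeyless create-db-target -h for the form your version expects). Commands are only printed unless AKEYLESS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Akeyless documentation: wrap create-db-target in
# a check that the per-database mandatory flags are present before the CLI is
# called. Names and values are hypothetical; "mongodb-atlas" is a pseudo type
# of this script (db-type mongodb plus --mongodb-atlas), not a CLI value.
# Dry-run by default; AKEYLESS_APPLY=1 executes.

AKEYLESS="${AKEYLESS:-akeyless}"
ENC_KEY="${ENC_KEY:-/keys/targets}"   # hypothetical customer-managed protection key

# required_db_flags TYPE: the mandatory flags for TYPE, as documented for
# create-db-target; fails for an unknown type.
required_db_flags() {
  case "$1" in
    mysql|mssql|postgres) printf '%s\n' "--user-name --host --pwd --port --db-name" ;;
    oracle)               printf '%s\n' "--user-name --host --pwd --port --oracle-service-name" ;;
    mongodb)              printf '%s\n' "--mongodb-username --mongodb-password --mongodb-host-port" ;;
    mongodb-atlas)        printf '%s\n' "--mongodb-atlas --mongodb-atlas-project-id --db-name --mongodb-atlas-api-public-key --mongodb-atlas-api-private-key" ;;
    snowflake)            printf '%s\n' "--snowflake-account --user-name --pwd" ;;
    *) return 1 ;;
  esac
}

# missing_db_flags TYPE ARGS...: print every mandatory flag for TYPE that is
# absent from ARGS, one per line; succeeds only when nothing is missing.
missing_db_flags() {
  dbtype=$1
  shift
  if ! required=$(required_db_flags "$dbtype"); then
    echo "unknown db-type: $dbtype" >&2
    return 2
  fi
  missing=0
  for flag in $required; do
    found=0
    for arg in "$@"; do
      if [ "$arg" = "$flag" ]; then found=1; fi
    done
    if [ "$found" = 0 ]; then
      printf '%s\n' "$flag"
      missing=1
    fi
  done
  return $missing
}

# run CMD...: print the command line with the value after any credential flag
# redacted, then execute it only in apply mode.
run() {
  line=""
  hide=0
  for arg in "$@"; do
    if [ "$hide" = 1 ]; then arg="<redacted>"; hide=0; fi
    case "$arg" in --pwd|--*-password|--*-private-key) hide=1 ;; esac
    line="$line$arg "
  done
  printf '%s\n' "${line% }"
  if [ "${AKEYLESS_APPLY:-0}" = "1" ]; then "$@"; fi
}

# create_db_target TYPE NAME FLAGS...: validate, then create the target with
# its credentials encrypted under ENC_KEY rather than the account default key.
create_db_target() {
  dbtype=$1
  name=$2
  shift 2
  if ! missing=$(missing_db_flags "$dbtype" "$@"); then
    printf 'create_db_target %s: missing %s\n' "$dbtype" "$(echo $missing)" >&2
    return 1
  fi
  cli_type=$dbtype
  if [ "$dbtype" = "mongodb-atlas" ]; then cli_type=mongodb; fi
  run "$AKEYLESS" create-db-target --name "$name" --db-type "$cli_type" --key "$ENC_KEY" "$@"
}

# Usage: AKEYLESS_APPLY=1 sh db-target.sh postgres /prod/app/pg --user-name akeyless_admin --host db.example.internal --pwd "$PGPASSWORD" --port 5432 --db-name app
if [ -n "${1:-}" ]; then
  create_db_target "$@"
fi
```

The validator mirrors the documented rules, so extend required_db_flags when a new database type is added rather than bypassing it.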

create-eks-target

Creates a new EKS target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--eks-cluster-name EKS cluster name.

--eks-cluster-endpoint EKS cluster endpoint (i.e., https://<IP> of the cluster).

--eks-cluster-ca-cert EKS cluster base-64 encoded certificate.

--eks-access-key-id EKS access key ID.

--eks-secret-access-key EKS secret access key.

--eks-region[=us-east-2] EKS region.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-gcp-target

Creates a new GCP target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

-e, --gcp-sa-email GCP service account email.

--gcp-key-file-path Path to file with the base64-encoded service account private key or --gcp-key Base64-encoded service account private key text.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-gke-target

Creates a new GKE target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--gke-account-email GKE service account email.

--gke-account-key-file-path File path to GKE service account key, or --gke-account-key GKE service account key.

--gke-cluster-endpoint GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>.

--gke-cluster-ca-cert GKE Base-64 encoded cluster certificate.

--gke-cluster-name GKE cluster name.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-k8s-target

Creates a new K8S target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

-e, --k8s-cluster-endpoint K8S Cluster endpoint. https://<DNS / IP> of the cluster.

-c, --k8s-cluster-ca-cert K8S Cluster certificate. Base 64 encoded certificate.

-t, --k8s-cluster-token K8S Cluster authentication token.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-rabbitmq-target

Creates a new RabbitMQ target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--user RabbitMQ server user.

--pwd RabbitMQ server password.

--uri RabbitMQ server URI.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-ssh-target

Creates a new SSH target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

--host SSH host name.

--port[=22] SSH port.

--ssh-username SSH username.

--ssh-password SSH password, or --private-key-path SSH private key file path, or --private-key SSH private key (with --private-key-password SSH private key password if the key is encrypted).

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

create-web-target

Creates a new web target

Mandatory Options

-n, --name A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

-u, --url Web target URL.

Optional

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

delete-assoc-target-item

Delete an association between target and item

Mandatory Options

-n, --name Target name.

Optional

--id, --assoc-id The association id to be deleted. Not required if target name specified.

-t, --target-name The target name with which association will be deleted.

delete-target

Delete a target

Mandatory Options

-n, --name Target name.

Optional

-v, --target-version Target version.

--enforce-deletion[=false] Delete target even if it has associated items.

delete-targets

Delete multiple targets from a given path

Mandatory Options

-p, --path Path to delete the targets from.

Optional

--enforce-deletion[=false] Delete target even if it has associated items.

get-target

Get target

Mandatory Options

-n, --name Target name.

Optional

--show-versions[=false] Include all target versions in reply.

get-target-details

Get target details

Mandatory Options

-n, --name Target name.

Optional

-v, --target-version Target version.

--show-versions[=false] Include all target versions in reply.

list-targets

Returns a list of all targets in the account

update-aws-target

Updates an existing AWS target

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

update-azure-target

Updates an existing Azure target

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

update-db-target

Update an existing DB target

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-eks-target

Update an existing EKS target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

--eks-cluster-name EKS cluster name.

--eks-cluster-endpoint EKS cluster endpoint (i.e., https://<IP> of the cluster).

--eks-cluster-ca-cert Base64-encoded EKS cluster CA certificate.

--eks-access-key-id EKS access key ID.

--eks-secret-access-key EKS secret access key.

--eks-region[=us-east-2] EKS region.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-gcp-target

Update an existing GCP target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

--gcp-key-file-path Path to file with the base64-encoded service account private key.

--gcp-key Base64-encoded service account private key text.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-gke-target

Update an existing GKE target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

--gke-account-email GKE service account email.

--gke-account-key-file-path File path to GKE service account key.

--gke-account-key GKE service account key.

--gke-cluster-endpoint GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>.

--gke-cluster-ca-cert Base64-encoded GKE cluster CA certificate.

--gke-cluster-name GKE cluster name.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-k8s-target

Update an existing Kubernetes (K8s) target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

-e, --k8s-cluster-endpoint K8s cluster endpoint, i.e., https://<DNS/IP> of the cluster.

-c, --k8s-cluster-ca-cert Base64-encoded K8s cluster CA certificate.

-t, --k8s-cluster-token K8s cluster authentication token.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-rabbitmq-target

Update an existing RabbitMQ target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--comment Comment about the target.

--user RabbitMQ server user.

--pwd RabbitMQ server password.

--uri RabbitMQ server URI.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-ssh-target

Update an existing SSH target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--host SSH host name.

--port[=22] SSH port.

--ssh-username SSH username.

--ssh-password SSH password to rotate.

--private-key-path SSH private key file path.

--private-key SSH private key.

--private-key-password SSH private key password.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-target

Update a target of any type.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

--new-comment New comment about the target.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

update-web-target

Update an existing web target.

Mandatory Options

-n, --name Target name.

Optional

--new-name New target name.

--update-version[=false] Boolean, set to true to update the target version.

-u, --url Web target URL.

-k, --key Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used.

Akeyless Rotated Secrets

create-rotated-secret

Create a new rotated secret item.

Mandatory Options

-u, --gateway-url[=http://localhost:8000] Akeyless Gateway URL (Configuration Management port).

-n, --name Secret name.

--target-name The target name to associate.

Optional

-m, --metadata Metadata about the secret.

-t, --tag List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2.

-k, --key The name of the key used to encrypt the secret value (if empty, the account default protection key is used).

--auto-rotate Whether to rotate automatically every --rotation-interval days, or to disable existing automatic rotation.

--rotation-interval The number of days to wait between automatic rotations (1-365).

--rotation-hour The hour of the rotation, in UTC.

--rotator-type[=password] The rotator type: password, target, or api-key.

--rotator-creds-type[=use-self-creds] The credentials to connect with: use-self-creds or use-target-creds.

get-rotated-secret-value

Get the value of a rotated secret.

Usage

akeyless get-rotated-secret-value -n <path/to/rotated/secret>

Akeyless KMIP Server

kmip-set-server-state

Set the KMIP server state to enabled or disabled.

Mandatory Options

-s, --state Enable or disable KMIP server [use 'enabled' or 'disabled'].

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

kmip-server-setup

Create a new KMIP environment.

Mandatory Options

-n, --hostname Hostname of the KMIP server.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

Optional

-t, --certificate-ttl[=90] Server certificate TTL in days.

-r, --root[=/kmip/default] Root path of KMIP Objects.

-p, --output-file-folder Folder path to save CA certificate file (for example, '.'). A new file will be created in that folder: ca.cert.

kmip-renew-server-certificate

Renew the KMIP server certificate.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

kmip-renew-client-certificate

Renew a KMIP client certificate.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-i, --client-id KMIP client ID (either name or id are required).

-p, --output-file-folder Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert.

kmip-list-clients

Show existing KMIP clients.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

kmip-describe-server

Show KMIP environment details.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

kmip-describe-client

Show KMIP client details.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-i, --client-id KMIP client ID (either name or id are required).

kmip-delete-client

Delete a KMIP client.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-i, --client-id KMIP client ID (either name or id are required).

kmip-create-client

Create a new KMIP client.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-t, --certificate-ttl[=90] Server certificate TTL in days.

-p, --output-file-folder Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert.

kmip-client-set-rule

Add a new RBAC rule to a client.

-p, --path Access path, e.g. /* or /some-key.

-c, --capability Access capability granted by the rule.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-i, --client-id KMIP client ID (either name or id are required).

kmip-client-delete-rule

Delete an RBAC rule from a client.

-p, --path Access path, e.g. /* or /some-key.

-u, --gateway-url[=http://localhost:8000] Gateway URL (Configuration Management port).

-n, --name KMIP client name (either name or id are required).

-i, --client-id KMIP client ID (either name or id are required).

Writing commands - generating secrets

By default, Akeyless Vault sends write commands (generating secrets) to the main region of Akeyless Vault, while read commands (fetching secrets) go to the region nearest to you, in order to minimize latency.
If you want to change this and work only with the master region, add
optimize_dns_disable=true to the settings file.