The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.

CLI reference

This section describes the available CLI commands that you can use when working with Akeyless.
If you need help in context, check out the help from the terminal:

$ akeyless -h
akeyless <command> -h, --help
  -h, --help                       display help information
      --debug[=false]              Turn on debug logging

Use the CLI as follows:
Static secrets
Encryption keys
SSH certificates
PKI certificates
Commands for all items and objects
Authentication
Dynamic secrets
Roles

Static secrets

create-secret

Create new static secrets and configure their values.

Synopsis

akeyless create-secret --name mySecret1 --value

Options

Output

update-secret

Update existing static secrets and configure their values.

Synopsis

akeyless update-secret-val --name mySecret1 --value "new value"

Options

Output

get-secret-value

Get the value of an existing static secret.

Synopsis

akeyless get-secret-value --name mySecret1
      --access-id                  Access ID
      --access-type[=access_key]   Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt)
      --access-key                 Access key (relevant only for access-type=access_key)
      --cloud-id                   The cloud identity (relevant only for access-type=azure_ad,aws_iam)
      --uid_token                  The universal_identity token (relevant only for access-type=universal_identity)
      --jwt                        The JSON Web Token (relevant only for access-type=jwt/oidc)
      --admin-password             Password (relevant only for access-type=password)
      --admin-email                Email (relevant only for access-type=password)
      --ldap_proxy_url             Address URL for LDAP proxy (relevant only for access-type=ldap)
      --username                   LDAP username (relevant only for access-type=ldap)
      --password                   LDAP password (relevant only for access-type=ldap)

Options

Output

get-secret-value Get static secret value
update-secret-val Update static secret value
rollback-secret

Encryption keys

create-key

Create a new encryption key.

Synopsis

Options

-n, --name Key name
-a, --alg Key type. Options: [AES128GCM, AES256GCM, AES128SIV, AES256SIV, RSA1024, RSA2048]
-m, --metadata Metadata about the key
-t, --tag List of the tags attached to this key. To specify multiple tags, use the argument multiple times: -t Tag1 -t Tag2
-s, --split-level[=2] The number of fragments that the item will be split into (not including the customer fragment)
-f, --customer-frg-id The customer fragment ID that will be used to create the key (if empty, the key will be created independently of a customer fragment)
--profile Use a specific profile from your ~/.akeyless/profiles folder
--username Required only when the authentication process requires a username and password
--password Required only when the authentication process requires a username and password
--uid-token The universal identity token. Required only for universal_identity authentication
-h, --help Display help information
--debug[=false] Turn on debug logging

Output

rotate-key

Rotates an existing key, creating a new version of it.

Synopsis

Options

Output

get-rsa-public Obtain the public key from a specific RSA private key
upload-pkcs12 Upload a PKCS#12 key and certificates
upload-rsa Upload RSA key
encrypt Encrypts plaintext into ciphertext by using an AES key
encrypt-file Encrypts a file by using an AES key
encrypt-pkcs1 Encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5

decrypt Decrypts ciphertext into plaintext by using an AES key
decrypt-file Decrypts a file by using an AES key
decrypt-pkcs1 Decrypts ciphertext into plaintext using RSA and the padding scheme from PKCS#1 v1.5

sign-pkcs1 Calculates the signature of a hashed message using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5
verify-pkcs1 Verifies an RSA PKCS#1 v1.5 signature

gen-customer-fragment Generate customer fragment

SSH certificates

get-ssh-certificate

Generates SSH certificate.

Synopsis

Options

Output

create-ssh-cert-issuer

Creates a new SSH certificate issuer.

Synopsis

Options

Output

PKI certificates

get-pki-certificate

Generates PKI certificate.

Synopsis

Options

Output

create-pki-cert-issuer

Creates a new PKI certificate issuer.

Synopsis

Options

Output

get-kube-exec-creds

Get credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer.

Synopsis

Options

Output

Commands for all items and objects

describe-item Returns the item details
update-item Update item name and metadata
set-item-state Set an item's state (Enabled, Disabled)
delete-item Delete an item or an item version
delete-items Delete multiple items from a given path
list-items Returns a list of all accessible items
move-objects Move/Rename objects

-s, --source Source path to move the objects from
-t, --target Target path to move the objects to
-o, --objects-type[=item] The objects type to move (item/auth_method/role)

Authentication

auth Authenticates to the service and returns a token that can be used as a profile to run the CLI without re-authenticating
create-auth-method Create a new Auth Method in the account
create-auth-method-azure-ad Create a new Auth Method that will be able to authenticate using Azure Active Directory credentials
create-auth-method-aws-iam Create a new Auth Method that will be able to authenticate using AWS IAM credentials
create-auth-method-oauth2 Create a new Auth Method that will be able to authenticate using OpenId/OAuth2
create-auth-method-ldap Create a new Auth Method that will be able to authenticate using LDAP
create-auth-method-saml Create a new Auth Method that will be able to authenticate using SAML
create-auth-method-universal-identity Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity
get-auth-method Returns information about the Auth Method
list-auth-methods Returns a list of all the Auth Methods in the account
delete-auth-method Delete the Auth Method
delete-auth-methods Delete multiple auth methods from a given path
reverse-rbac See which authentication methods have access to a particular object
configure Configure client profile.
unconfigure Remove Configuration of client profile.

Dynamic secrets

create-dynamic-secret Creates a new dynamic secret item
get-dynamic-secret-value Get dynamic secret value
rollback-secret

Roles

create-role Creates a new role
get-role Get role details
update-role Update role details
list-roles Returns a list of all roles in the account
delete-role Delete a role
delete-roles Delete multiple roles from a given path
set-role-rule Set a rule to a role
delete-role-rule Delete a rule from a role
assoc-role-am Create an association between role and auth method
delete-assoc Delete an association between role and auth method

Akeyless universal token

uid-list-children List the token children ids of Akeyless Universal Identity
uid-revoke-token Revoke token using Akeyless Universal Identity
uid-generate-token Generate a new token using Akeyless Universal Identity
uid-rotate-token Rotate token using Akeyless Universal Identity (aliases: rotate-token, uid-send-manual-rotate-ack)
uid-create-child-token Create a new child token using Akeyless Universal Identity
get-cloud-identity Get Cloud Identity Token (relevant only for access-type=azure_ad,aws_iam)

Writing commands - generating secrets

By default, write commands (generating secrets) are performed against the main region of Akeyless Vault, while read commands (fetching secrets) are performed against the region nearest to you, in order to minimize latency.
To change this and work only with the main region, add optimise_dns_disable=true to the settings file.
