CLI Reference - Access Roles
Access Roles
create-role
create-role
Creates a new role
Usage
akeyless create-role --name <Role Name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name |
--description | Role description. |
--audit-access | Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods. |
--analytics-access | Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--gw-analytics-access | Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--sra-reports-access | Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. |
--usage-reports-access | Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. |
get-role
get-role
Get role details
Usage
akeyless get-role -n <Role Name>
update-role
update-role
Update role details
Usage
akeyless update-role -n <Role name> \
--new-name <New role name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name. |
--new-name | New role name. |
--description[=default_description] | A new role description, if not given, the existing description will remain. |
--audit-access | Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods. |
--analytics-access | Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--gw-analytics-access | Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--sra-reports-access | Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. |
--usage-reports-access | Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. |
list-roles
list-roles
List of all roles in the account
Parameters
| Parameter | Description |
|---|---|
--filter | Filter by role name or part of it |
--pagination-token | Next page reference |
reverse-rbac
reverse-rbac
See which authentication methods have access to a particular object
Usage
akeyless reverse-rbac \
--path <path to an object> \
--type <object type>
delete-role
delete-role
Delete a role
Usage
akeyless delete-role --name <Role Name>
delete-roles
delete-roles
Delete multiple roles from a given path
Usage
akeyless delete-roles --path <Path/to/roles>
describe-permissions
describe-permissions
See which authentication methods have access to a particular object
Usage
akeyless describe-permissions \
--path <Path/to/object> \
--type <Type of object (item, am, role, target)>
describe-sub-claims
describe-sub-claims
Get the sub-claims associated with the provided token or authentication profile
Parameters
| Parameters | Description |
|---|---|
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
set-role-rule
set-role-rule
Set a rule to a role
Usage
akeyless set-role-rule \
--role-name <Role Name> \
--path <Role Path> \
--rule-type <item-rule, target-rule, role-rule, auth-method-rule> \
--capability <Permission>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role name to be updated |
-p, --path | (Mandatory if -f, --file is not given) The path the rule refers to |
-c, --capability | (Mandatory if -f, --file is not given) List of the approved/denied capabilities in the path options: [read, create, update, delete, list, deny] |
--rule-type[=item-rule] | item-rule, target-rule, role-rule, auth-method-rule. A type of the item for which permissions are defined. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are set only for Secrets & Keys. |
-f, --file | Path to a JSON file containing the multiple rules as described here. This parameter replaces the capability, path and rule-type parameters. |
--ttl | The time (in minutes) until the rule expires. If not used the rule will apply until manually removed. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
delete-role-rule
delete-role-rule
Delete a rule from a role
Usage
akeyelss delete-role-rule \
--role-name <Role Name> \
--path <Role Path>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role name to be updated |
-p, --path | (Mandatory) The path the rule refers to |
--rule-type[=item-rule] | item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule or sra-reports-rule. A type of the item for which permissions are deleted. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Role, auth-method-rule - for Authentication Methods. By default, permissions are deleted only for Secrets & Keys. |
assoc-role-am
assoc-role-am
Create an association between role and auth method
Usage
akeyless assoc-role-am \
--role-name <Role Name> \
--am-name <Auth Method Name>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role to associate |
-a, --am-name | (Mandatory) The auth method to associate |
-s, --sub-claims | key/val of sub claims, e.g group='admins','developers' |
-c, --case-sensitive[=true] | Treat sub claims as case-sensitive |
delete-assoc
delete-assoc
Delete an association between role and auth method
Usage
akeyless delete-assoc --assoc-id <association ID to be deleted>
update-assoc
update-assoc
Update the sub-claims of an association between the role and the auth method.
Usage
akeyless update-assoc --assoc-id <association ID to be updated>
Parameters
| Parameter | Description |
|---|---|
-a, --assoc-id | (Mandatory) The association id to be updated |
-s, --sub-claims | key/val of sub claims, e.g group=admins,developers |
-c, --case-sensitive[=true] | Treat sub claims as case-sensitive |
request-access
request-access
Request a temporary access for an item, supporting Static Secret, and Targets
Usage
akeyless request-access \
--name <Item Name> \
--type <item type> \
--capability <read, update, delete>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Name of the item to which access is requested for |
--type | (Mandatory) The type of item to which access is requested. The supported types are: [StaticSecret, Target] |
-c, --capability | (Mandatory) List of the required capabilities, options: [read, update, delete] |
--comment | Optional, comment about the request. |
Updated 26 days ago