CLI Reference - Access Roles
This section outlines the CLI commands relevant to Access Roles.
General Flags
--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token: The universal identity token, required only for universal_identity authentication
-h, --help: Display help information
--json[=false]: Set the output format to JSON
--jq-expression: Provide a jq expression to filter the result output
--no-creds-cleanup[=false]: Do not clean local temporary expired credentials
assoc-role-am
Create an association between a role and an auth method
Usage
akeyless assoc-role-am \
--role-name <Role Name> \
--am-name <Auth Method Name>
Flags
-r, --role-name: Required, The role to associate
-a, --am-name: Required, The auth method to associate
-s, --sub-claims: key/val of sub claims, e.g. group='admins','developers'
-c, --case-sensitive[=true]: Treat sub claims as case-sensitive
create-role
Creates a new role
Usage
akeyless create-role --name <Role Name>
Flags
-n, --name: Required, Role name
--audit-access: Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the audit logs produced by those same auth methods.
--analytics-access: Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the reports produced by those same auth methods.
--gw-analytics-access: Allow this role to view gateway analytics. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the reports produced by those same auth methods.
--sra-reports-access: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported.
--usage-reports-access: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported.
--event-center-access: Allow this role to view the Event Center. Currently only 'none', 'own' and 'all' values are supported.
--event-forwarders-access: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported.
--reverse-rbac-access: Allow this role to view Reverse RBAC. Supported values: 'own', 'all'.
--description: Description of the object
--delete-protection: Protection from accidental deletion of this object, [true/false]
delete-assoc
Delete an association between a role and an auth method
Usage
akeyless delete-assoc --assoc-id <association ID to be deleted>
delete-role
Delete a role
Usage
akeyless delete-role --name <Role Name>
delete-role-rule
Delete a rule from a role
Usage
akeyless delete-role-rule \
--role-name <Role Name> \
--path <Role Path>
Flags
-r, --role-name: Required, The role name to be updated
-p, --path: Required, The path the rule refers to
--rule-type[=item-rule]: item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule or sra-reports-rule. The type of item for which permissions are deleted. Possible values: item-rule - for Items, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are deleted only for Items.
delete-roles
Delete multiple roles from a given path
Usage
akeyless delete-roles --path <Path/to/roles>
describe-permissions
See which authentication methods have access to a particular object
Usage
akeyless describe-permissions \
--path <Path/to/object> \
--type <Type of object (item, am, role, target)>
describe-sub-claims
Get the sub-claims associated with the provided token or authentication profile
describe-role-am-assoc
Describe role association details
Usage
akeyless describe-role-am-assoc \
--assoc-id <association-id>
get-role
Get role details
Usage
akeyless get-role -n <Role Name>
list-roles
List all roles in the account
Flags
--filter: Filter by role name or part of it
--pagination-token: Next page reference
request-access
Request temporary access to an item; Static Secrets and Targets are supported
Usage
akeyless request-access \
--name <Item Name> \
--type <item type> \
--capability <read, update, delete>
Flags
-n, --name: Required, Name of the item for which access is requested
--type: Required, The type of item for which access is requested. The supported types are: [StaticSecret, Target]
-c, --capability: Required, List of the required capabilities, options: [read, update, delete]
--comment: Optional, comment about the request.
reverse-rbac
See which authentication methods have access to a particular object
Usage
akeyless reverse-rbac \
--path <path to an object> \
--type <object type>
Flags
-p, --path: Required, Path to an object
-t, --type: Required, Type of object (item, am, role, target)
set-role-rule
Set a rule on a role
Usage
akeyless set-role-rule \
--role-name <Role Name> \
--path <Role Path> \
--rule-type <item-rule, target-rule, role-rule, auth-method-rule> \
--capability <Permission>
Flags
-r, --role-name: Required, The role name to be updated
-p, --path: (Mandatory if -f, --file is not given) The path the rule refers to
-c, --capability: (Mandatory if -f, --file is not given) List of the approved/denied capabilities for the path. Options: [read, create, update, delete, list, deny]
--rule-type[=item-rule]: item-rule, target-rule, role-rule, auth-method-rule. The type of item for which permissions are defined. Possible values: item-rule - for Items, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are set only for Items.
--ttl: The time (in minutes) until the rule expires. If not used, the rule applies until it is manually removed
-f, --file: Path to a JSON file containing the multiple rules as described here. This replaces --capability, --path and --rule-type
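Putting create-role, set-role-rule, assoc-role-am and describe-permissions together as one least-privilege provisioning script. This is an added example, not part of the Akeyless documentation; the role, path, auth-method and sub-claim values are constructed placeholders, and passing list-valued flags such as --capability by repeating the flag is an assumption.

```shell
#!/bin/sh
# Added example, not from the Akeyless docs: provision a read-only,
# delete-protected role, bind it to one auth method restricted by a
# sub-claim, then list the effective permissions on the path for review.
# All names below are constructed placeholders. Assumption: list-valued
# flags (--capability) are repeated once per value.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# provision_reader_role ROLE PATH AUTH_METHOD SUB_CLAIM [TTL_MINUTES]
#  - the role may only view audit logs produced by its own auth methods
#  - one item-rule grants read + list on PATH, expiring after TTL if given
#  - sub-claims are matched case-sensitively (the CLI default)
provision_reader_role() {
  role="$1"; path="$2"; am="$3"; claim="$4"; ttl="${5:-}"
  run akeyless create-role --name "$role" \
    --description "Read-only access to $path" \
    --delete-protection true --audit-access own
  if [ -n "$ttl" ]; then
    run akeyless set-role-rule --role-name "$role" --path "$path" \
      --rule-type item-rule --capability read --capability list --ttl "$ttl"
  else
    run akeyless set-role-rule --role-name "$role" --path "$path" \
      --rule-type item-rule --capability read --capability list
  fi
  run akeyless assoc-role-am --role-name "$role" --am-name "$am" \
    --sub-claims "$claim"
  # Verify: which auth methods can now reach objects under PATH?
  run akeyless describe-permissions --path "$path" --type item
}

# Usage: sh provision.sh ro-prod-app '/prod/app/*' oidc-corp group=sre 10080
if [ $# -ge 4 ]; then provision_reader_role "$@"; fi
```

With DRY_RUN=1 the script only prints the four akeyless invocations, which is a convenient way to review a grant before it is applied.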
update-assoc
Update the sub-claims of an association between a role and an auth method.
Usage
akeyless update-assoc --assoc-id <association ID to be updated>
Flags
-a, --assoc-id: Required, The association id to be updated
-s, --sub-claims: key/val of sub claims, e.g. group=admins,developers
-c, --case-sensitive[=true]: Treat sub claims as case-sensitive
update-role
Update role details
Usage
akeyless update-role -n <Role name> \
--new-name <New role name>
Flags
-n, --name: Required, Role name.
--new-name: New role name.
--audit-access: Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the audit logs produced by those same auth methods.
--analytics-access: Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the reports produced by those same auth methods.
--gw-analytics-access: Allow this role to view gateway analytics. Currently only 'none', 'own' and 'all' values are supported; 'own' lets the associated auth methods view only the reports produced by those same auth methods.
--sra-reports-access: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported.
--usage-reports-access: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported.
--event-center-access: Allow this role to view the Event Center. Currently only 'none', 'own' and 'all' values are supported.
--event-forwarders-access: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported.
--reverse-rbac-access: Allow this role to view Reverse RBAC. Supported values: 'own', 'all'.
--description: Description of the object
--delete-protection: Protection from accidental deletion of this object, [true/false]