CLI Reference - Access Roles
Access Roles
create-role
create-role
Creates a new role
Please note: mandatory values for this command: -n, --name
Usage
akeyless create-role --name <Role Name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name |
--description | Role description. |
--audit-access | Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods. |
--analytics-access | Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--gw-analytics-access | Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--sra-reports-access | Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
get-role
get-role
Get role details
Please note: mandatory values for this command: -n, --name
Usage
akeyless get-role -n <Role Name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The Universal Identity token. You need to be authenticated and authorized to manage access roles, so, when working with SDKs, authentication is usually performed using Universal Identity tokens. |
update-role
update-role
Update role details
Please note: mandatory values for this command: -n, --name
Usage
akeyless update-role -n <Role name> \
--new-name <New role name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name. |
--new-name | New role name. |
--description[=default_description] | A new role description, if not given, the existing description will remain. |
--audit-access | Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods. |
--analytics-access | Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--gw-analytics-access | Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods. |
--sra-reports-access | Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
list-roles
list-roles
List of all roles in the account
Parameters
| Parameter | Description |
|---|---|
--filter | Filter by role name or part of it |
--pagination-token | Next page reference |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
reverse-rbac
reverse-rbac
See which authentication methods have access to a particular object
Please note: mandatory values for this command: -n, --name, -t, --type
Usage
akeyless reverse-rbac \
--path <path to an object> \
--type <object type>
delete-role
delete-role
Delete a role
Please note: mandatory values for this command: -n, --name
Usage
akeyless delete-role --name <Role Name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Role name. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
delete-roles
delete-roles
Delete multiple roles from a given path
Please note: mandatory values for this command: -p, --path
Usage
akeyless delete-roles --path <Path\to\roles>
Parameters
| Parameter | Description |
|---|---|
-p, --path | (Mandatory) Path to delete the auth methods from |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
describe-permissions
describe-permissions
See which authentication methods have access to a particular object
Please note: mandatory values for this command: -p, --path, -t, --type
Usage
akeyless describe-permissions \
--path <Path/to/object> \
--type <Type of object (item, am, role, target)>
Parameters
| Parameter | Description |
|---|---|
-p, --path | (Mandatory) Path to an object |
-t, --type | (Mandatory) Type of object (item, am, role, target) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authenticat |
describe-sub-claims
describe-sub-claims
Get the sub-claims associated with the provided token or authentication profile
Parameters
| Parameters | Description |
|---|---|
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
set-role-rule
set-role-rule
Set a rule to a role
Please note: mandatory values for this command: -r, --role-name, -p, --path, -c, --capability
Usage
akeyless set-role-rule \
--role-name <Role Name> \
--path <Role Path> \
--rule-type <item-rule, target-rule, role-rule, auth-method-rule>
--capability <Permission>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role name to be updated |
-p, --path | (Mandatory if -f, --file is not given) The path the rule refers to |
-c, --capability | (Mandatory if -f, --file is not given) List of the approved/denied capabilities in the path options: [read, create, update, delete, list, deny] |
--rule-type[=item-rule] | item-rule, target-rule, role-rule, auth-method-rule. A type of the item for which permissions are defined. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are set only for Secrets & Keys. |
-f, --file | Path to a JSON file containing the multiple rules as described here. This parameter replaces the capability, path and rule-type parameters. |
--ttl | The time (in minutes) until the rule expires. If not used the rule will apply until manually removed. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
delete-role-rule
delete-role-rule
Delete a rule from a role
Please note: mandatory values for this command: -r, --role-name, -p, --path
Usage
akeyelss delete-role-rule \
--role-name <Role Name> \
--path <Role Path>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role name to be updated |
-p, --path | (Mandatory) The path the rule refers to |
--rule-type[=item-rule] | item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule or sra-reports-rule. A type of the item for which permissions are deleted. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Role, auth-method-rule - for Authentication Methods. By default, permissions are deleted only for Secrets & Keys. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
assoc-role-am
assoc-role-am
Create an association between role and auth method
Please note: mandatory values for this command: -r, --role-name, -a, --am-name
Usage
akeyless assoc-role-am \
--role-name <Role Name> \
--am-name <Auth Name>
Parameters
| Parameter | Description |
|---|---|
-r, --role-name | (Mandatory) The role to associate |
-a, --am-name | (Mandatory) The auth method to associate |
-s, --sub-claims | key/val of sub claims, e.g group='admins','developers' |
-c, --case-sensitive[=true] | Treat sub claims as case-sensitive |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
delete-assoc
delete-assoc
Delete an association between role and auth method
Please note: mandatory values for this command: -a, --assoc-id
Usage
akeyless delete-assoc --assoc-id <association ID to be deleted>
Parameters
| Parameter | Description |
|---|---|
-a, --assoc-id | (Mandatory) The association id to be deleted |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
update-assoc
update-assoc
Update the sub-claims of an association between the role and the auth method.
Please note: mandatory values for this command: -a, --assoc-id
Usage
akeyless update-assoc --assoc-id <association ID to be updated>
Parameters
| Parameter | Description |
|---|---|
-a, --assoc-id | (Mandatory) The association id to be updated |
-s, --sub-claims | key/val of sub claims, e.g group=admins,developers |
-c, --case-sensitive[=true] | Treat sub claims as case-sensitive |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
Updated 6 days ago