CLI Reference - Access Roles

Access Roles

create-role

Creates a new role

Please note: mandatory values for this command: -n, --name

Usage
akeyless create-role --name <Role Name>

Parameters

-n, --name
    (Mandatory) Role name
--description
    Role description.
--audit-access
    Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods.
--analytics-access
    Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods.
--gw-analytics-access
    Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods.
--sra-reports-access
    Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

get-role

Get role details

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-role -n <Role Name>

Parameters

-n, --name
    (Mandatory) Role name.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The Universal Identity token. You need to be authenticated and authorized to manage access roles, so, when working with SDKs, authentication is usually performed using Universal Identity tokens.

update-role

Update role details

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-role -n <Role name> \
--new-name <New role name>

Parameters

-n, --name
    (Mandatory) Role name.
--new-name
    New role name.
--description[=default_description]
    A new role description. If not given, the existing description will remain.
--audit-access
    Allow this role to view audit logs. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view audit logs produced by the same auth methods.
--analytics-access
    Allow this role to view analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods.
--gw-analytics-access
    Allow this role to view gw analytics. Currently only 'none', 'own' and 'all' values are supported, allowing associated auth methods to view reports produced by the same auth methods.
--sra-reports-access
    Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

list-roles

List of all roles in the account

Parameters

--filter
    Filter by role name or part of it
--pagination-token
    Next page reference
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

reverse-rbac

See which authentication methods have access to a particular object

Please note: mandatory values for this command: -p, --path, -t, --type

Usage
akeyless reverse-rbac \
--path <path to an object> \
--type <object type>

Parameters

-p, --path
    (Mandatory) Path to an object
-t, --type
    (Mandatory) Type of object (item, am, role, target)

delete-role

Delete a role

Please note: mandatory values for this command: -n, --name

Usage
akeyless delete-role --name <Role Name>

Parameters

-n, --name
    (Mandatory) Role name.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

delete-roles

Delete multiple roles from a given path

Please note: mandatory values for this command: -p, --path

Usage
akeyless delete-roles --path <Path/to/roles>

Parameters

-p, --path
    (Mandatory) Path to delete the roles from
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

describe-permissions

See which authentication methods have access to a particular object

Please note: mandatory values for this command: -p, --path, -t, --type

Usage
akeyless describe-permissions \
--path <Path/to/object> \
--type <Type of object (item, am, role, target)>

Parameters

-p, --path
    (Mandatory) Path to an object
-t, --type
    (Mandatory) Type of object (item, am, role, target)
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

describe-sub-claims

Get the sub-claims associated with the provided token or authentication profile

Parameters

--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

set-role-rule

Set a rule to a role

Please note: mandatory values for this command: -r, --role-name, -p, --path, -c, --capability

Usage
akeyless set-role-rule \
--role-name <Role Name> \
--path <Role Path> \
--rule-type <item-rule, target-rule, role-rule, auth-method-rule> \
--capability <Permission>

Parameters

-r, --role-name
    (Mandatory) The role name to be updated
-p, --path
    (Mandatory if -f, --file is not given) The path the rule refers to
-c, --capability
    (Mandatory if -f, --file is not given) List of the approved/denied capabilities in the path. Options: [read, create, update, delete, list, deny]
--rule-type[=item-rule]
    item-rule, target-rule, role-rule, auth-method-rule. The type of item for which permissions are defined. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are set only for Secrets & Keys.
-f, --file
    Path to a JSON file containing multiple rules. This parameter replaces the capability, path and rule-type parameters.
--ttl
    The time (in minutes) until the rule expires. If not used, the rule will apply until manually removed.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

delete-role-rule

Delete a rule from a role

Please note: mandatory values for this command: -r, --role-name, -p, --path

Usage
akeyless delete-role-rule \
--role-name <Role Name> \
--path <Role Path>

Parameters

-r, --role-name
    (Mandatory) The role name to be updated
-p, --path
    (Mandatory) The path the rule refers to
--rule-type[=item-rule]
    item-rule, role-rule, auth-method-rule, search-rule, reports-rule, gw-reports-rule or sra-reports-rule. The type of item for which permissions are deleted. Possible values: item-rule - for Secrets & Keys, target-rule - for Targets, role-rule - for Access Roles, auth-method-rule - for Authentication Methods. By default, permissions are deleted only for Secrets & Keys.
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

assoc-role-am

Create an association between role and auth method

Please note: mandatory values for this command: -r, --role-name, -a, --am-name

Usage
akeyless assoc-role-am \
--role-name <Role Name> \
--am-name <Auth Name>

Parameters

-r, --role-name
    (Mandatory) The role to associate
-a, --am-name
    (Mandatory) The auth method to associate
-s, --sub-claims
    key/val of sub claims, e.g. group='admins','developers'
-c, --case-sensitive[=true]
    Treat sub claims as case-sensitive
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication
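The create-role, set-role-rule, assoc-role-am and describe-permissions commands above are normally run as one provisioning sequence. The following POSIX shell script is an added example, not part of the Akeyless reference, that creates a read-only role limited to one path, binds it to an auth method by a group sub-claim, and ends with describe-permissions as a verification step. It assumes the akeyless CLI is installed with a default profile, that one --capability flag is passed per capability, and an AKEYLESS_DRY_RUN=1 switch that is defined in this script (not an akeyless flag) and only prints the commands.

```shell
#!/bin/sh
# Added example (not from the Akeyless reference): provision a least-privilege
# read-only role, bind it to an auth method by sub-claim, then verify.
# Assumptions: akeyless is installed and a default profile is configured;
# one --capability flag is passed per capability; AKEYLESS_DRY_RUN=1 is a
# switch defined here (not an akeyless flag) that prints commands instead of running them.
set -eu

# Value sets copied from the parameter tables above.
CAPS="read create update delete list deny"
RULE_TYPES="item-rule target-rule role-rule auth-method-rule"

in_set() {  # in_set "<space-separated list>" <value>
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

validate_caps() {  # validate_caps read,list -> fails on any value outside CAPS
  old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
  for c in "$@"; do
    in_set "$CAPS" "$c" || { echo "unknown capability: $c" >&2; return 1; }
  done
}

run_akeyless() {  # run the CLI, or print the argv line when dry-running
  if [ "${AKEYLESS_DRY_RUN:-0}" = 1 ]; then printf '%s ' akeyless "$@"; echo
  else akeyless "$@"; fi
}

set_rule() {  # set_rule <role> <path> <rule-type> <cap,cap,...>
  in_set "$RULE_TYPES" "$3" || { echo "unknown rule type: $3" >&2; return 1; }
  validate_caps "$4"
  role=$1; path=$2; rtype=$3
  old_ifs=$IFS; IFS=','; set -- $4; IFS=$old_ifs
  cap_flags=""
  for c in "$@"; do cap_flags="$cap_flags --capability $c"; done
  # $cap_flags is deliberately unquoted so it expands to repeated flags
  run_akeyless set-role-rule --role-name "$role" --path "$path" --rule-type "$rtype" $cap_flags
}

provision_readonly_role() {  # <role> <path> <auth-method> <group sub-claim>
  run_akeyless create-role --name "$1" --description "read-only access to $2" --audit-access own
  set_rule "$1" "$2" item-rule read,list
  run_akeyless assoc-role-am --role-name "$1" --am-name "$3" --sub-claims "group=$4"
  # Closing check: confirm which auth methods can now reach the path.
  run_akeyless describe-permissions --path "$2" --type item
}

if [ "$#" -eq 4 ]; then provision_readonly_role "$@"; fi
```

Run it as `AKEYLESS_DRY_RUN=1 sh provision.sh ro-prod /prod/ k8s-auth developers` to see the four commands first, then without the switch to apply them.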

delete-assoc

Delete an association between role and auth method

Please note: mandatory values for this command: -a, --assoc-id

Usage
akeyless delete-assoc --assoc-id <association ID to be deleted>

Parameters

-a, --assoc-id
    (Mandatory) The association id to be deleted
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication

update-assoc

Update the sub-claims of an association between the role and the auth method.

Please note: mandatory values for this command: -a, --assoc-id

Usage
akeyless update-assoc --assoc-id <association ID to be updated>

Parameters

-a, --assoc-id
    (Mandatory) The association id to be updated
-s, --sub-claims
    key/val of sub claims, e.g. group=admins,developers
-c, --case-sensitive[=true]
    Treat sub claims as case-sensitive
--profile, --token
    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token
    The universal identity token. Required only for universal_identity authentication