CLI Reference - KMIP
This section outlines the CLI commands relevant to KMIP.
General Flags:
--profile, --token
: Use a specific profile (located at $HOME/.akeyless/profiles
) or a temp access token
--uid-token
: The universal identity token, Required only for universal_identity authentication
-h, --help
: Display help information
--json[=false]
: Set output format to JSON
--jq-expression
: JQ expression to filter result output
--no-creds-cleanup[=false]
: Do not clean local temporary expired creds
client-delete-rule
client-delete-rule
Delete an RBAC rule from a client
Usage
akeyless kmip-client-delete-rule \
--path <Access path> \
--name <KMIP client name> \
--client-id <KMIP client ID> \
--gateway-url <API Gateway URL:8000>
Flags
-p, --path
: Required, Access path, e.g /* or /some-key
-n, --name
: KMIP client name (either name or id are required)
-i, --client-id
: KMIP client ID (either name or id are required)
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
client-set-rule
client-set-rule
Add a new RBAC rule to a client
Supported capabilities are:
DENY
CREATE
REGISTER
REKEY
LOCATE
GET
GET_ATTRIBUTES
ACTIVATE
REVOKE
DESTROY
Usage
akeyless kmip-client-set-rule \
--path <Access path> \
--capability <Access capability> \
--name <KMIP client name> \
--client-id <KMIP client ID> \
--gateway-url <API Gateway URL:8000>
Flags
-p, --path
: Required, Access path, e.g /* or /some-key
-c, --capability
: Required, Access capability (see command description for supported values)
-n, --name
: KMIP client name (either name or id are required)
-i, --client-id
: KMIP client ID (either name or id are required)
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
create-client
create-client
Create a new KMIP client
Ussage
akeyless kmip-create-client \
--name <Client name> \
--certificate-ttl <Server certificate TTL in days (Deafult = 90)> \
--gateway-url <API Gateway URL:8000>
Flags
-n, --name
: Required, Client name
-t, --certificate-ttl[=90]
: Client certificate TTL in days
-p, --output-file-folder
: Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert
-a, --activate-keys-on-creation"h-0": "
: If set to 'true', newly created keys on the client will be set to an 'active' state
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
delete-client
delete-client
Delete a KMIP client
Flags
-n, --name
: KMIP client name (either name or id are required)
-i, --client-id
: KMIP client ID (either name or id are required)
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
describe-client
describe-client
Show KMIP client details
Flags
-n, --name
: KMIP client name (either name or id are required)
-i, --client-id
: KMIP client ID (either name or id are required)
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
describe-server
describe-server
Show KMIP environment details
Flags
-u, --gateway-url[=http://localhost:8000]
: Gateway URL (Configuration Management port).
list-clients
list-clients
Show existing KMIP clients
Flags
-u, --gateway-url[=http://localhost:8000]
: Gateway URL (Configuration Management port).
renew-client-certificate
renew-client-certificate
Renew KMIP client certificate
Flags
-n, --name
: KMIP client name (either name or id are required)
-i, --client-id
: KMIP client ID (either name or id are required)
-p, --output-file-folder
: Folder path to save client certificate files (for example, '.'). Two files are created: .key and .cert
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
renew-server-certificate
renew-server-certificate
Renew KMIP server certificate
Flags
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
server-delete
server-delete
Delete the kmip server (allowed only if it has no clients nor associated items)
Flags
-u, --gateway-url[=http://localhost:8000]\<c
: Gateway URL (Configuration Management port).
server-setup
server-setup
Create a new KMIP environment
Usage
akeyless kmip-server-setup \
--hostname <KMPI server hostname> \
--certificate-ttl <Server certificate TTL in days (Deafult = 90)> \
--root <Root path of KMIP Objects> \
--gateway-url <API Gateway URL:8000>
Flags
-n, --hostname
: Required, Hostname of this KMIP server
-t, --certificate-ttl[=90]
: Server certificate TTL in days
-r, --root
: Required, Root path of KMIP Objects
-p, --output-file-folder
: Folder path to save CA certificate file (for example, '.'). A new file will be created in that folder: ca.cert.
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
server-move
server-move
Move the root location of the kmip server and all associated items to a new root location
Usage
akeyless kmip-server-move \
--new-root <New root for the kmip server> \
--gateway-url <API Gateway URL:8000>
Flags
-u, --gateway-url[=http://localhost:8000]
: Gateway URL (Configuration Management port).
-n, --new-root
: Required, New root for the kmip server
set-server-state
set-server-state
Set the server state to enabled/disabled
Usage
akeyless kmip-set-server-state \
--state <Enabled / Disabled> \
--gateway-url <API Gateway URL:8000>
Flags
-s, --state
: Required, Make the server enabled or disabled [use 'enabled' or 'disabled']
-u, --gateway-url[=http://localhost:8000]
: API Gateway URL (Configuration Management port)
Info
Writing commands - generating secrets
The default Akeyless Vault behavior is that the write commands (generate secrets) are performed to the main region of Akeyless Vault, while the read commands (fetch secrets) are performed on the nearest region to you, in order to minimize latency.
If you wish to change that, in order to work only with the master region, please add
optimize_dns_disable=true in the settings file.
Updated 4 months ago