CLI Reference - Dynamic Secrets

Dynamic Secrets

get-dynamic-secret-value

Gets dynamic secret value

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-dynamic-secret-value \
--name <Dynamic Secret Name> \
--target <Target Name>
Parameters
Parameter    Description
-n, --name    (Mandatory) Dynamic secret name
--host    Host
--target    Target Name
--args    Optional arguments as key=value pairs or JSON strings, e.g. "--args=csr=base64_encoded_csr --args=common_name=bar" or --args='{"csr":"base64_encoded_csr"}'. It is possible to combine both formats. [role_arn,username,csr,common_name]
--timeout[=15]    Timeout in seconds
--jq-expression    jq expression to filter result output

Create Producer

gateway-create-producer-artifactory

Creates Artifactory producer

Please note: mandatory values for this command: -n, --name, -s, --artifactory-token-scope, -a, --artifactory-token-audience

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances>

akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Artifactory Admin username> \
--artifactory-admin-pwd <Artifactory Admin API Key or password>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
-s, --artifactory-token-scope    (Mandatory) Token scope provided as a space-separated list, for example: member-of-groups:readers
-a, --artifactory-token-audience    (Mandatory) A space-separated list of other Artifactory instances or services that should accept this token, for example: [email protected]*
--target-name    Name of existing target to use in producer creation
-b, --base-url    Artifactory REST URL, must end with artifactory postfix
-r, --artifactory-admin-name    Admin name
-p, --artifactory-admin-pwd    Admin API Key/Password
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port). Default = http://localhost:8000
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL. Default = 60m
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-ping

Creates a Ping dynamic secret producer

There are 2 possible ways to run this command - using a target or an inline connection

Usage
akeyless gateway-create-producer-ping \
--name <Producer Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL>' \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODE \
--ping-redirect-uris <https://your-server.com/api/callback>

akeyless gateway-create-producer-ping \
--name <Producer Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ping-url <https://my-pf-server.com> \
--ping-privileged-user <Username> \
--ping-password <Password> \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODE \
--ping-redirect-uris <https://your-server.com/api/callback>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--ping-url    Ping URL
-s, --ping-privileged-user    Ping Federate privileged user
-p, --ping-password    Ping Federate privileged user password
-i, --ping-administrative-port[=9999]    Ping Federate administrative port
-j, --ping-authorization-port[=9031]    Ping Federate authorization port
-t, --ping-client-authentication-type[=CLIENT_SECRET]    OAuth Client Authentication Type [CLIENT_SECRET, PRIVATE_KEY_JWT, CLIENT_TLS_CERTIFICATE]
--ping-issuer-dn    Issuer DN of a trusted CA certificate that was imported into the Ping Federate server. You may select "Trust Any" to trust all the existing issuers in the Ping Federate server. Used in conjunction with --ping-cert-subject-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)
--ping-cert-subject-dn    The subject DN of the client certificate. If no explicit value is given, the producer will create a CA certificate and a matching client certificate and return it as value. Used in conjunction with --ping-issuer-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)
-f, --ping-enforce-replay-prevention[=false]    Determines whether PingFederate requires a unique signed JWT from the client for each action (relevant for PRIVATE_KEY_JWT authentication method)
--ping-jwks    Base64-encoded JSON Web Key Set (JWKS). If no explicit value is given, the producer will create JWKs and a matching signed JWT (Sign Algo: RS256) and return it as value (relevant for PRIVATE_KEY_JWT authentication method)
--ping-jwks-url    The URL of the JSON Web Key Set (JWKS). If no explicit value is given, the producer will create JWKs and a matching signed JWT and return it as value (relevant for PRIVATE_KEY_JWT authentication method)
--ping-signing-algo    The signing algorithm that the client must use to sign its request objects [RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512]. If no explicit value is given, the client can use any of the supported signing algorithms (relevant for PRIVATE_KEY_JWT authentication method)
-g, --ping-grant-types    OAuth client grant types [IMPLICIT, AUTHORIZATION_CODE, CLIENT_CREDENTIALS, TOKEN_EXCHANGE, REFRESH_TOKEN, ASSERTION_GRANTS, PASSWORD, RESOURCE_OWNER_CREDENTIALS]. If no explicit value is given, AUTHORIZATION_CODE will be selected as default. For multiple values repeat this flag.
-r, --ping-redirect-uris    URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. At least one redirection URI is required for the AUTHORIZATION_CODE and IMPLICIT grant types. For multiple values repeat this flag.
-d, --ping-atm-id    Set a specific Access Token Management (ATM) instance for the created OAuth Client by providing the ATM Id. If no explicit value is given, the default PingFederate server ATM will be set.
-o, --ping-restricted-scopes    Limit the OAuth client to specific scopes. For multiple values repeat this flag.
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
-e, --producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    The time from dynamic secret creation to expiration.
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-certificate-automation

Creates a Certificate Automation dynamic secret producer to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-create-producer-certificate-automation \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--venafi-use-tpp <Required in TPP> \
--venafi-access-token <Venafi Access Token> \
--venafi-refresh-token <Venafi Refresh Token> \
--venafi-baseurl <TPP Environment BASE URL> \
--venafi-zone <Venafi Zone>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
-z, --venafi-zone    Venafi Zone
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port). Default = http://localhost:8000
--venafi-api-key    Venafi API key (Relevant when using Venafi Cloud)
--venafi-use-tpp    When connecting to TPP this flag is required
--venafi-access-token    Venafi Access Token to use to access the TPP environment (Relevant when using TPP)
--venafi-refresh-token    Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)
--venafi-baseurl    Base URL of the TPP environment, or of a Cloud environment which isn't https://venafi.cloud/
--sign-using-akeyless-pki    Creating certificates using Akeyless PKI
--root-first-in-chain    Root first in chain
--store-private-key    Store private key in Akeyless
--auto-generated-folder    Auto generated folder
--signer-key-name    Signer key name
--allowed-domains    Allowed domains
--allow-subdomains    Allow subdomains
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=2160h]    User TTL in time.Duration format (2160h / 129600m / etc...). When using sign-using-akeyless-pki, certificates created will have this validity period; otherwise the user-ttl is taken from the Validity Period field of the Zone's Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (1440h). Default = 2160h. For more information - https://cert-manager.io/docs/usage/certificate/
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--admin-creds-rotation[=false]    Enable automatic admin credentials rotation. Default = false
--admin-creds-rotation-interval[=0]    Admin credentials rotation interval (days)
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication
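
An added example (not part of the Akeyless CLI or its reference): a POSIX shell pre-flight check for --user-ttl values. It parses the h/m/s units of the time.Duration strings shown above and applies the two bounds this page states, above 1440h for cert-manager certificates and at most 60m for GCP access tokens. All function names are made up for the example.

```shell
#!/bin/sh
# Added example: lint --user-ttl values before a producer is created.
# ttl_to_seconds, ttl_within, check_gcp_token_ttl and check_certmanager_ttl
# are hypothetical helper names, not Akeyless commands.

# Convert a duration such as "2160h", "129600m" or "1h30m" to seconds.
# Prints the seconds on stdout; returns 1 for anything it cannot parse
# (empty string, missing unit, unknown unit).
ttl_to_seconds() {
    rest=$1
    total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        # Leading run of digits.
        num=${rest%%[!0-9]*}
        [ -n "$num" ] || return 1
        rest=${rest#"$num"}
        # Drop leading zeros so the shell does not read the number as octal.
        while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
        # Exactly one unit letter must follow the digits.
        unit=${rest%"${rest#?}"}
        rest=${rest#?}
        case $unit in
            h) total=$((total + num * 3600)) ;;
            m) total=$((total + num * 60)) ;;
            s) total=$((total + num)) ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$total"
}

# Succeeds when TTL $1 lies between $2 and $3 (durations, inclusive).
# Returns 2 when any of the three values is not a valid duration.
ttl_within() {
    ttl=$(ttl_to_seconds "$1") || return 2
    min=$(ttl_to_seconds "$2") || return 2
    max=$(ttl_to_seconds "$3") || return 2
    [ "$ttl" -ge "$min" ] && [ "$ttl" -le "$max" ]
}

# Bound stated for gateway-create-producer-gcp: <=60m for an access token.
check_gcp_token_ttl() {
    ttl_within "$1" 1s 60m
}

# Advice stated for certificate automation with cert-manager:
# a TTL of above 60 days (1440h), so the comparison is strict.
check_certmanager_ttl() {
    s=$(ttl_to_seconds "$1") || return 2
    [ "$s" -gt $((1440 * 3600)) ]
}

# Constructed sample values, printed as a small report.
for sample in 2160h 129600m 1440h 45m 1h30m 90; do
    if secs=$(ttl_to_seconds "$sample"); then
        if check_certmanager_ttl "$sample"; then cm=ok; else cm=too-short; fi
        if check_gcp_token_ttl "$sample"; then gcp=ok; else gcp=too-long; fi
        printf '%-8s %8ss  cert-manager=%s  gcp-token=%s\n' "$sample" "$secs" "$cm" "$gcp"
    else
        printf '%-8s invalid duration\n' "$sample"
    fi
done
```
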

gateway-create-producer-aws

Creates AWS producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-aws \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>

akeyless gateway-create-producer-aws \
--name <secret name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs> \
--aws-access-key-id <Access ID> \
--aws-access-secret-key <Access Key> \
--aws-region <Region>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
-i, --aws-access-key-id    Access Key ID
-s, --aws-access-secret-key    Access Secret Key
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port). Default = http://localhost:8000
--aws-access-mode    The types of credentials to retrieve from AWS. Options: [iam_user, assume_role]
--aws-region[=us-east-2]    Region. Default = us-east-2
--aws-user-policies    Policy ARN(s). Multiple values should be separated by comma
--aws-user-groups    UserGroup name(s). Multiple values should be separated by comma
--aws-role-arns    AWS Role ARNs to be used in the Assume Role operation. Multiple values should be separated by comma
--aws-user-console-access[=false]    Enable AWS User console access. Default = false
--aws-user-programmatic-access[=true]    Enable AWS User programmatic access. Default = true
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL. Default = 60m
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--admin-creds-rotation[=false]    Enable automatic admin credentials rotation. Default = false
--admin-creds-rotation-interval[=0]    Admin credentials rotation interval (days)
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-aws-account-id    The AWS account ID
--secure-access-aws-native-cli    The AWS native CLI
--secure-access-web-browsing[=false]    Secure browser via Akeyless Web Access Bastion. Default = false
--secure-access-web-proxy[=false]    Web-Proxy via Akeyless Web Access Bastion. Default = false
--secure-access-bastion-issuer    Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=true]    Enable Web Secure Remote Access. Default = true
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-azure

Creates Azure AD producer

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>

akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--azure-tenant-id    Azure Tenant ID
--azure-client-id    Azure Client ID (Application ID)
--azure-client-secret    Azure AD Client Secret
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port). Default = http://localhost:8000
--azure-user-portal-access[=false]    Enable Azure AD user portal access. Default = false
--azure-user-programmatic-access[=true]    Enable Azure AD user programmatic access. Default = true
--azure-app-obj-id    Azure App Object ID (required if selected programmatic access)
--azure-user-principal-name    Azure AD User Principal Name (required if selected Portal access)
--azure-user-group-obj-id    Azure AD User Group Object ID (required if selected Portal access)
--azure-user-role-template-id    Azure AD User Role Template ID (required if selected Portal access)
--producer-encryption-key-name    Encrypt producer with following key
--fixed-user-only[=false]    Allow access using externally (IdP) provided username. Default = false
--fixed-user-claim-keyname    For externally provided users, denotes the key-name of IdP claim to extract username from
--user-ttl[=60m]    User TTL
--tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false]    Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]    Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=true]    Enable Web Secure Remote Access
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-eks

Creates Amazon Elastic Kubernetes Service (Amazon EKS) producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN>

akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--eks-cluster-name    EKS cluster name. Must match the EKS cluster name you want to connect to
--eks-cluster-endpoint    EKS Cluster endpoint. https:// , <DNS / IP> of the cluster
--eks-cluster-ca-cert    EKS Cluster certificate. Base 64 encoded certificate
--eks-access-key-id    EKS Access Key ID
--eks-secret-access-key    EKS Secret Access Key
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--eks-region[=us-east-2]    EKS Region
--eks-assume-role    Role ARN. Role to assume when connecting to the EKS cluster
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint    The K8s cluster endpoint URL
--secure-access-allow-port-forwading    Enable Port forwarding while using CLI access.
--secure-access-bastion-issuer    Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]    Enable Web Secure Remote Access
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-gke

Creates Google Kubernetes Engine (GKE) producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000>

akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gke-account-email <GKE service account email> \
--gke-account-key <GKE service account Key> \
--gke-cluster-endpoint <GKE cluster endpoint URL> \
--gke-cluster-ca-cert <Base64-encoded GKE cluster CA certificate> \
--gke-cluster-name <GKE cluster name>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--gke-account-email    GKE service account email
--gke-cluster-endpoint    GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>.
--gke-cluster-ca-cert    GKE Base-64 encoded cluster certificate
--gke-account-key-file-path    File path to GKE service account key
--gke-account-key    GKE service account key
--gke-cluster-name    GKE cluster name
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--user-ttl[=60m]    User TTL
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint    The K8s cluster endpoint URL
--secure-access-allow-port-forwading    Enable Port forwarding while using CLI access.
--secure-access-bastion-issuer    Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]    Enable Web Secure Remote Access
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.
--uid-token    The universal identity token. It is required only for the universal_identity authentication.

gateway-create-producer-gcp

Creates Google Cloud Provider (GCP) producer

Please note: mandatory values for this command: -n, --name, -s, --service-account-type[=fixed]

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>

akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-key-file-path <GCP Service Account Private Key>
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--gcp-cred-type[=token]    Credentials type, options are [token, key]
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--gcp-key-file-path    Path to file with the Base64-encoded service account private key
--gcp-key    Base64-encoded service account private key text
--gcp-token-scopes    Access token scopes list, e.g. scope1,scope2
--gcp-key-algo    Service account key algorithm, e.g. KEY_ALG_RSA_1024
--user-ttl[=60m]    User TTL (<=60m for access token)
--tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--producer-encryption-key-name    Dynamic producer encryption key
-s, --service-account-type[=fixed]    (Mandatory) The type of the GCP dynamic secret. Options: [fixed, dynamic]
-e, --gcp-sa-email    The email of the fixed service account to generate keys or tokens for (relevant for service-account-type=fixed)
--role-binding    Role binding definitions in JSON format
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-cassandra

Creates Cassandra producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-cassandra  \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"

akeyless gateway-create-producer-cassandra \
--name <path to your secret> \
--gateway-url <API Gateway URL:8000> \
--cassandra-hosts <Cassandra host> \
--cassandra-port <Cassandra port> \
--cassandra-username <Cassandra username> \
--cassandra-password <password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Target name
--cassandra-hosts    Cassandra hosts names or IP addresses, comma separated
--cassandra-username    Cassandra superuser user name
--cassandra-password    Cassandra superuser password
--cassandra-port[=9042]    Cassandra port
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';]    Cassandra Creation Statements
--user-ttl[=60m]    User TTL (<=60m for access token)
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--producer-encryption-key-name    Dynamic producer encryption key
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-hanadb

Creates HanaDB producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"

akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--hana-dbname <HanaDB name> \
--hanadb-username <HanaDB admin username> \
--hanadb-password <HanaDB admin password> \
--hanadb-host <HanaDB host> \
--hanadb-port <HanaDB port> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
-d, --hana-dbname    Hana DB Name
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--hanadb-username    HanaDB user
--hanadb-password    HanaDB password
--hanadb-host[=127.0.0.1]    HanaDB host name
--hanadb-port[=443]    HanaDB port
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD "{{password}}"; GRANT "MONITOR ADMIN" TO {{name}};]    HanaDB Creation Statements
--hanadb-revocation-statements[=DROP USER {{name}};]    HanaDB Revocation Statements
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer    Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host    Target DB servers for connections. For multiple values repeat this flag.
--secure-access-db-schema    The DB schema
--secure-access-web[=false]    Enable Web Secure Remote Access
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-oracle

Creates Oracle DB producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'

akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-service-name <Your Oracle DB Service name> \
--oracle-username <Oracle DB admin username> \
--oracle-password <Oracle DB admin password> \
--oracle-host <Your Oracle DB host> \
--oracle-port <Oracle DB port> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
-d, --oracle-service-name    Oracle service name
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--oracle-username    Oracle user
--oracle-password    Oracle password
--oracle-host[=127.0.0.1]    Oracle host name
--oracle-port[=1521]    Oracle port
--oracle-statements    Oracle Creation Statements
--producer-encryption-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--db-server-certificates    The set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name    Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
--secure-access-enable[=false]    Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer    Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host    Target DB servers for connections. For multiple values repeat this flag.
--secure-access-web[=false]    Enable Web Secure Remote Access
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-redshift

Creates Redshift producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';" \
--ssl "<false|true>"

akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-db-name <Redshift DB name> \
--redshift-username <Redshift DB admin username> \
--redshift-password <Redshift DB admin password> \
--redshift-host <Redshift DB host> \
--redshift-port <Redshift DB port> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
Parameters
Parameter    Description
-n, --name    (Mandatory) Producer name
--target-name    Name of existing target to use in producer creation
--redshift-db-name    Redshift DB name
-u, --gateway-url[=http://localhost:8000]    Gateway URL
--redshift-username    Redshift user
--redshift-password    Redshift password
--redshift-host[=127.0.0.1]    Redshift host name
--redshift-port[=5439]    Redshift port
--redshift-statements[=CREATE USER "{{username}}" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{username}}";]    Redshift Creation Statements
--ssl[=false]    Enable/Disable SSL [true/false]
--enc-key-name    Encrypt producer with following key
--user-ttl[=60m]    User TTL
--secure-access-enable    Enable/Disable secure remote access, [true/false]
--secure-access-host    Target DB servers for connections. For multiple values repeat this flag.
-t, --tag    List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection    Protection from accidental deletion of this item, [true/false]
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token, Required only for universal_identity authentication

gateway-create-producer-mongo

Creates a MongoDB/MongoDB Atlas producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role>
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-username <MongoDB server admin username> \
--mongodb-password <MongoDB server admin password> \
--mongodb-host-port <host:port>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mongodb-roles[=[]] | MongoDB roles (e.g. MongoDB:[{"role":"readWrite", "db": "sales"}], MongoDB Atlas:[{"roleName" : "readWrite", "databaseName": "sales"}])
--mongodb-custom-data | MongoDB custom data (e.g. {"team":"blue"})
--mongodb-server-uri | MongoDB server URI (e.g. mongodb://user:password@my.mongo.db:27017/admin?replicaSet=mySet)
--mongodb-username | MongoDB server username
--mongodb-password | MongoDB server password
--mongodb-host-port | host:port (e.g. my.mongo.db:27017)
--mongodb-default-auth-db | MongoDB server default authentication database
--mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)
--mongodb-atlas-project-id | MongoDB Atlas project ID
--mongodb-atlas-api-public-key | MongoDB Atlas public key
--mongodb-atlas-api-private-key | MongoDB Atlas private key
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL (e.g. 60s, 60m, 60h)
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag.
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-mssql

Creates Microsoft SQL Server producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN [{{name}}];"
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN [{{name}}];" \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MSSQL Server admin user> \
--mssql-password <MSSQL Server admin password> \
--mssql-host <MSSQL Server host name> \
--mssql-port <MSSQL Server port>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--mssql-dbname | MSSQL Server DB Name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mssql-username | MS SQL Server user
--mssql-password | MS SQL Server password
--mssql-host[=127.0.0.1] | MS SQL Server host name
--mssql-port[=1433] | MS SQL Server port
--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';] | MSSQL Server Creation Statements
--mssql-revocation-statements[=DROP LOGIN [{{name}}];] | MSSQL Server Revocation Statements
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion.
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag.
--secure-access-db-schema | The db schema
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-mysql

Creates MySQL producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';"
akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';" \
--mysql-dbname <MySQL DB Name> \
--mysql-host <MySQL host> \
--mysql-port <MySQL port> \
--mysql-username <MySQL admin username> \
--mysql-password <MySQL admin password>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--mysql-dbname | MySQL DB name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mysql-username | MySQL user
--mysql-password | MySQL password
--mysql-host[=127.0.0.1] | MySQL host name
--mysql-port[=3306] | MySQL port
--mysql-statements | MySQL Creation Statements
--ssl[=false] | Enable/Disable SSL [true/false]
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--db-server-certificates | The set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-postgresql

Creates PostgreSQL producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-statements "CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT CONNECT ON DATABASE postgres TO \"{{name}}\"; GRANT USAGE ON SCHEMA public TO \"{{name}}\";" \
--postgresql-revoke-statement "REASSIGN OWNED BY \"{{name}}\" TO {{userHost}}; DROP OWNED BY \"{{name}}\"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER \"{{name}}\";"
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-db-name <PostgreSQL DB name> \
--postgresql-username <PostgreSQL DB admin username> \
--postgresql-password <PostgreSQL DB admin password> \
--postgresql-host <PostgreSQL DB host> \
--postgresql-port <PostgreSQL DB port> \
--postgresql-statements "CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT CONNECT ON DATABASE postgres TO \"{{name}}\"; GRANT USAGE ON SCHEMA public TO \"{{name}}\";" \
--postgresql-revoke-statement "REASSIGN OWNED BY \"{{name}}\" TO {{userHost}}; DROP OWNED BY \"{{name}}\"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER \"{{name}}\";"
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--postgresql-db-name | PostgreSQL DB name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--postgresql-username | PostgreSQL user
--postgresql-password | PostgreSQL password
--postgresql-host[=127.0.0.1] | PostgreSQL host name
--postgresql-port[=5432] | PostgreSQL port
--postgresql-statements[=CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";] | PostgreSQL Creation Statements
--postgresql-revoke-statement[=REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER "{{name}}";] | PostgreSQL Revocation Statement
--enc-key-name | Encrypt producer with following key
--ssl[=false] | Enable/Disable SSL [true/false]
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion.
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag.
--secure-access-db-schema | The db schema
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication
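
The creation statements mix double-quoted identifiers and single-quoted string literals, which is easy to get wrong once the SQL is nested inside a shell argument. The following is an added example, not part of the Akeyless documentation: a POSIX shell pre-flight check for a template before it is passed to --postgresql-statements. It assumes {{name}} and {{password}} are filled by plain text substitution; count_fixed, render_statements and lint_creation_statements are hypothetical helper names, and all sample values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PostgreSQL creation-statement template.
# Assumption: {{name}} and {{password}} are filled by plain text substitution;
# render_statements only mimics that for a local preview.

# Keeping the SQL in a quoted heredoc avoids nested shell quoting entirely.
# This is the documented default for --postgresql-statements.
GOOD_TEMPLATE=$(cat <<'EOF'
CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";
EOF
)

# Constructed bad template: bare identifier, password written as an
# identifier (double quotes), and a grant far wider than read-only.
BAD_TEMPLATE=$(cat <<'EOF'
CREATE USER {{name}} WITH PASSWORD "{{password}}"; GRANT ALL PRIVILEGES ON DATABASE postgres TO "{{name}}";
EOF
)

# count_fixed NEEDLE HAYSTACK -> number of literal (non-regex) occurrences
count_fixed() {
  AK_NEEDLE=$1 AK_HAY=$2 awk 'BEGIN {
    n = ENVIRON["AK_NEEDLE"]; h = ENVIRON["AK_HAY"]; c = 0
    while ((i = index(h, n)) > 0) { c++; h = substr(h, i + length(n)) }
    print c
  }'
}

# render_statements TEMPLATE NAME PASSWORD -> SQL with placeholders filled in
render_statements() {
  AK_TPL=$1 AK_NAME=$2 AK_PW=$3 awk '
    function fill(s, key, val,    out, i) {
      out = ""
      while ((i = index(s, key)) > 0) {
        out = out substr(s, 1, i - 1) val
        s = substr(s, i + length(key))
      }
      return out s
    }
    BEGIN {
      s = fill(ENVIRON["AK_TPL"], "{{name}}", ENVIRON["AK_NAME"])
      print fill(s, "{{password}}", ENVIRON["AK_PW"])
    }'
}

# lint_creation_statements TEMPLATE
# Prints one finding per line; exit status 0 means no findings.
# The body runs in a subshell so its variables do not leak to the caller.
lint_creation_statements() (
  tpl=$1
  rc=0
  fail() { printf '%s\n' "$1"; rc=1; }

  names=$(count_fixed '{{name}}' "$tpl")
  quoted_names=$(count_fixed '"{{name}}"' "$tpl")
  pws=$(count_fixed '{{password}}' "$tpl")
  quoted_pws=$(count_fixed "'{{password}}'" "$tpl")

  [ "$names" -gt 0 ] || fail 'missing {{name}} placeholder'
  [ "$pws" -gt 0 ] || fail 'missing {{password}} placeholder'
  # Role names are identifiers: every occurrence must be double-quoted.
  [ "$names" -eq "$quoted_names" ] || fail '{{name}} is not double-quoted everywhere'
  # Passwords are string literals: every occurrence must be single-quoted.
  [ "$pws" -eq "$quoted_pws" ] || fail '{{password}} is not single-quoted everywhere'
  # Temporary users should not receive more than the task needs.
  case "$(printf '%s' "$tpl" | tr '[:lower:]' '[:upper:]')" in
    *'ALL PRIVILEGES'*|*SUPERUSER*|*CREATEROLE*)
      fail 'template grants broad privileges' ;;
  esac
  exit "$rc"
)

# Demo on constructed input; nothing is sent to a gateway.
render_statements "$GOOD_TEMPLATE" 'tmp_reader_01' 'Constructed-Pw-123'
lint_creation_statements "$BAD_TEMPLATE" || true

# Once the template passes, hand it over as a single quoted argument, e.g.:
#   akeyless gateway-create-producer-postgresql --name <New Secret Name> \
#     --target-name <Target Name> --postgresql-statements "$GOOD_TEMPLATE"
```
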

gateway-create-producer-rabbitmq

Creates RabbitMQ producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission>
akeyless gateway-create-producer-rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-server-uri <RabbitMQ server URI> \
--rabbitmq-admin-user <RabbitMQ server admin> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--rabbitmq-server-uri | RabbitMQ server URI
--rabbitmq-user-conf-permission | User configuration permission, for example: [.*,queue-name]
--rabbitmq-user-write-permission | User write permission, for example: [.*,queue-name]
--rabbitmq-user-read-permission | User read permission, for example: [.*,queue-name]
--rabbitmq-admin-user | RabbitMQ server user
--rabbitmq-admin-pwd | RabbitMQ server password
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rabbitmq-user-vhost | User Virtual Host
--rabbitmq-user-tags | Comma separated list of tags to apply to user
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion.
--secure-access-url | Destination URL to inject secrets.
--secure-access-web[=true] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-rdp

Creates RDP producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name>
akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-host-port <RDP port> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--rdp-user-groups | RDP UserGroup name(s). Multiple values should be separated by comma
--rdp-host-name | RDP Host name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rdp-admin-name | RDP Admin name
--rdp-admin-pwd | RDP Admin password
--rdp-host-port[=22] | RDP Host port
--fixed-user-only[=false] | Allow access using externally (IdP) provided username
--producer-encryption-key-name | Encrypt producer with following key
--warn-user-before-expiration | Display message to user before TTL expires (min)
--allow-user-extend-session | Allow user to extend session periodically (min)
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user | Override the RDP Domain username
--secure-access-host | Target servers for connections. For multiple values repeat this flag.
--secure-access-allow-external-user[=false] | Allow providing external user for domain users
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-snowflake

Creates Snowflake producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-snowflake \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name>
akeyless gateway-create-producer-snowflake \
--name <Secret Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name> \
--account <Snowflake account name> \
--account-username <Snowflake username> \
--account-password <Snowflake password> \
--db-name <Database to which the generated credentials are restricted>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--account | Snowflake account name
--account-username | Snowflake account user name
--account-password | Snowflake account password
--db-name | The DB the generated credentials are restricted to
--role | Role to be assigned to the generated credentials
--warehouse | The warehouse the generated credentials are restricted to
--snowflake-api-private-key | RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored
--snowflake-api-private-key-file-name | The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored
--snowflake-api-private-key-passphrase | The Private key passphrase
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--user-ttl[=24h] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-ldap

Creates LDAP producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-ldap \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--user-dn <User Base DN>
akeyless gateway-create-producer-ldap \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--user-dn <User Base DN>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--ldap-url | LDAP Server URL
--user-dn | User Base DN
--user-attribute | LDAP User Attribute
-t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate
--bind-dn | LDAP Bind DN
--bind-dn-password | Password for LDAP Bind DN
--external-username[=false] | Externally provided username
--token-expiration | LDAP token expiration in seconds
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-github

Creates a GitHub producer that supports token creation with a fixed TTL of 60 minutes

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection.

Usage
akeyless gateway-create-producer-github \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID>
akeyless gateway-create-producer-github \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <Base64-encoded application private key> \
--github-base-url <Github base URL>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--installation-id | GitHub application installation id
--installation-repository | Optional, instead of installation id, set a GitHub repository '/'
--target-name | Name of existing target to use in producer creation
--github-app-id | GitHub application id
--github-app-private-key | GitHub application private key (base64 encoded key)
--github-base-url[=https://api.github.com/] | GitHub base url
-p, --token-permissions | Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"content":"read"}'
-r, --token-repositories | Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-dockerhub

Creates a Dockerhub producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection.

Usage
akeyless gateway-create-producer-dockerhub \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read'
akeyless gateway-create-producer-dockerhub \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read' \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--dockerhub-username | Username for docker repository
--dockerhub-password | Password for docker repository
--dockerhub-token-scopes | Comma-separated access token scopes list to give the created dynamic secret. Valid options are 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--user-ttl[=60m] | User TTL (<=60m for access token)
--tag | A list of tags attached to this secret. To specify multiple tags use the argument multiple times: --tag Tag1 --tag Tag2.
--producer-encryption-key-name | Dynamic producer encryption key
--delete-protection | Protection from accidental deletion of this item, [true/false].
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.
--uid-token | The universal identity token. It is required only for the universal

gateway-create-producer-k8s

Creates Native Kubernetes Service producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-create-producer-k8s \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account>
akeyless gateway-create-producer-k8s \
--name <secret name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account> \
--k8s-cluster-endpoint <Cluster Endpoint URL> \
--k8s-cluster-ca-cert <Base64-encoded cluster CA certificate> \
--k8s-cluster-token ${TOKEN}
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-e, --k8s-cluster-endpoint | K8S Cluster endpoint. https:// , <DNS / IP> of the cluster
-c, --k8s-cluster-ca-cert | K8S Cluster certificate. Base 64 encoded certificate
-t, --k8s-cluster-token | K8S Cluster authentication token
-s, --k8s-service-account | K8S ServiceAccount to extract token from
--k8s-service-account-type[=fixed] | K8S ServiceAccount type [fixed, dynamic].
--k8s-namespace[=default] | K8S Namespace where the ServiceAccount exists. (relevant only for service-account-type=fixed)
--k8s-allowed-namespaces[=*] | Comma-separated list of allowed K8S namespaces for the generated ServiceAccount (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-name | The pre-existing Role or ClusterRole name to bind the generated ServiceAccount to (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-type | Specifies the type of the pre-existing K8S role [Role, ClusterRole] (relevant only for k8s-service-account-type=dynamic)
--k8s-rolebinding-yaml-def | Path to yaml file that contains definitions of K8S role and role binding (relevant only for k8s-service-account-type=dynamic)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint | The K8s cluster endpoint
--secure-access-dashboard-url | The K8s dashboard url
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-chef

Creates Chef producer

Please note: mandatory values for this command: -n, --name

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations>
akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations> \
--chef-server-username <Chef server username> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--skip-ssl <true|false>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-c, --chef-server-username | Chef server username
-y, --chef-server-key | Chef server key
-s, --chef-server-url | Chef server URL
-g, --chef-orgs | Chef organizations
--skip-ssl[=true] | Skip SSL
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-custom

Creates a custom webhook-based dynamic secret

Please note: mandatory values for this command: -n, --name, --create-sync-url, --revoke-sync-url

There are 2 possible ways to run this command - Using target or inline connection

Usage
akeyless gateway-create-producer-custom \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--create-sync-url 'https://example.com/sync/create:Port' \
--revoke-sync-url 'https://example.com/sync/revoke:Port' \
--rotate-sync-url 'https://example.com/sync/rotate:Port'
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--create-sync-url | (Mandatory) URL of an endpoint that implements /sync/create method
--revoke-sync-url | (Mandatory) URL of an endpoint that implements /sync/revoke method
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rotate-sync-url | URL of an endpoint that implements /sync/rotate method
--payload | Secret payload to be sent with each create/revoke webhook request
--timeout-sec[=60] | Maximum allowed time in seconds for the webhook to return the results
--enable_admin_rotation[=false] | Enable automatic admin credentials rotation
--admin_rotation_interval_days | Rotation period in days
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-create-producer-redis

Creates a redis producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-create-producer-redis \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--username <Redis Username> \
--password <Redis Password>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-u, --gateway-url | API Gateway URL
--username | Redis username
--password | Redis password
--host[=127.0.0.1] | Redis host
--port[=6379] | Redis port
--acl-rules | A JSON array list of redis ACL rules to attach to the created user. For available rules see the ACL CAT command https://redis.io/commands/acl-cat. If omitted the user will have access to read all keys (["~*", "+@read"])
--ssl[=false] | Enable/Disable SSL [true/false]
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | Add tags attached to this object. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]

Update Producer

gateway-update-producer-artifactory

Updates Artifactory producer

Please note: mandatory values for this command: -n, --name, -s, --artifactory-token-scope, -a, --artifactory-token-audience

Usage
akeyless gateway-update-producer-artifactory \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--gateway-url <API Gateway URL:8000> \
--target-name <Target Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
-s, --artifactory-token-scope | (Mandatory) Token scope provided as a space-separated list, for example: member-of-groups:readers
-a, --artifactory-token-audience | (Mandatory) A space-separated list of other Artifactory instances or services that should accept this token, for example: [email protected]*
--target-name | Name of existing target to use in producer creation
-b, --base-url | Artifactory REST URL, must end with artifactory postfix
-r, --artifactory-admin-name | Admin name
-p, --artifactory-admin-pwd | Admin API Key/Password
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-aws

Updates AWS producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-aws \
--name <secret name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-i, --aws-access-key-id | Access Key ID
-s, --aws-access-secret-key | Access Secret Key
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--aws-access-mode | The types of credentials to retrieve from AWS. Options: [iam_user, assume_role]
--aws-region[=us-east-2] | Region
--aws-user-policies | Policy ARN(s). Multiple values should be separated by comma
--aws-user-groups | UserGroup name(s). Multiple values should be separated by comma
--aws-role-arns | AWS Role ARNs to be used in the Assume Role operation. Multiple values should be separated by comma
--aws-user-console-access[=false] | Enable AWS User console access
--aws-user-programmatic-access[=true] | Enable AWS User programmatic access
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation
--admin-creds-rotation-interval[=0] | Admin credentials rotation interval (days)
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-aws-account-id | The aws account id
--secure-access-aws-native-cli | The aws native cli
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=true] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-azure

Updates Azure AD producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-azure \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-t, --azure-tenant-id | Azure Tenant ID
-i, --azure-client-id | Azure Client ID (Application ID)
-s, --azure-client-secret | Azure AD Client Secret
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--azure-user-portal-access[=false] | Enable Azure AD user portal access
--azure-user-programmatic-access[=false] | Enable Azure AD user programmatic access
--azure-app-obj-id | Azure App Object ID (required if selected programmatic access)
--azure-user-principal-name | Azure AD User Principal Name (required if selected Portal access)
--azure-user-group-obj-id | Azure AD User Group Object ID (required if selected Portal access)
--azure-user-role-template-id | Azure AD User Role Template ID (required if selected Portal access)
--producer-encryption-key-name | Encrypt producer with following key
--fixed-user-only[=false] | Allow access using externally (IdP) provided username
--fixed-user-claim-keyname | For externally provided users, denotes the key-name of IdP claim to extract username from
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=true] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-cassandra

Updates Cassandra producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-cassandra  \
--name <Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-hosts <Cassandra hosts names or IP addresses, comma separated> \
--cassandra-username <Cassandra superuser user name> \
--cassandra-password <Cassandra superuser password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Target name
--cassandra-hosts | Cassandra hosts names or IP addresses, comma separated
--cassandra-username | Cassandra superuser user name
--cassandra-password | Cassandra superuser password
--cassandra-port[=9042] | Cassandra port
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';] | Cassandra Creation Statements
--user-ttl[=60m] | User TTL (<=60m for access token)
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--producer-encryption-key-name | Dynamic producer encryption key
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-certificate-automation

Updates a Certificate Automation dynamic secret producer to update certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-certificate-automation \
--name <Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--venafi-zone <Venafi Zone> \
--venafi-api-key <Venafi API key (Relevant when using Venafi Cloud)> \
--venafi-use-tpp <When connecting to TPP this flag is required> \
--venafi-access-token <Venafi Access Token> \
--venafi-refresh-token <Venafi Refresh Token>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-z, --venafi-zone | Venafi Zone
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--venafi-api-key | Venafi API key (Relevant when using Venafi Cloud)
--venafi-use-tpp | When connecting to TPP this flag is required
--venafi-access-token | Venafi Access Token to use to access the TPP environment (Relevant when using TPP)
--venafi-refresh-token | Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)
--venafi-baseurl | Base URL of the TPP environment, or of a Cloud environment which isn't https://venafi.cloud/
--sign-using-akeyless-pki | Creating certificates using Akeyless PKI
--root-first-in-chain | Root first in chain
--store-private-key | Store private key in Akeyless
--auto-generated-folder | Auto generated folder
--signer-key-name | Signer key name
--allowed-domains | Allowed domains
--allow-subdomains | Allow subdomains
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=2160h] | User TTL in time.Duration format (2160h / 129600m / etc...). When using sign-using-akeyless-pki, certificates created will have this validity period; otherwise the user-ttl is taken from the Validity Period field of the Zone's Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (1440h). For more information - https://cert-manager.io/docs/usage/certificate/
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation
--admin-creds-rotation-interval[=0] | Admin credentials rotation interval (days)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-chef

Updates Chef producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-chef \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-c, --chef-server-username | Chef server username
-y, --chef-server-key | Chef server key
-s, --chef-server-url | Chef server URL
-g, --chef-orgs | Chef organizations
--skip-ssl[=true] | Skip SSL
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-custom

Updates a custom webhook based dynamic secret producer

Please note: mandatory values for this command: -n, --name, -c, --create-sync-url, -r, --revoke-sync-url

Usage
akeyless gateway-update-producer-custom \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--gateway-url <API Gateway URL:8000> \
--create-sync-url <https://example.com/sync/create:Port> \
--revoke-sync-url <https://example.com/sync/revoke:Port> \
--producer-encryption-key-name <Encrypt producer with following key> \
--rotate-sync-url <URL of an endpoint that implements /sync/rotate method>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
-c, --create-sync-url | (Mandatory) URL of an endpoint that implements /sync/create method
-r, --revoke-sync-url | (Mandatory) URL of an endpoint that implements /sync/revoke method
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rotate-sync-url | URL of an endpoint that implements /sync/rotate method
--payload | Secret payload to be sent with each create/revoke webhook request
--timeout-sec[=60] | Maximum allowed time in seconds for the webhook to return the results
--enable_admin_rotation[=false] | Enable automatic admin credentials rotation
--admin_rotation_interval_days | Rotation period in days
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-dockerhub

Updates a Dockerhub producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-dockerhub \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--dockerhub-username | Username for docker repository
--dockerhub-password | Password for docker repository
--dockerhub-token-scopes | Comma-separated list of access token scopes to give the created dynamic secret. Valid options are 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--user-ttl[=60m] | User TTL (<=60m for access token)
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--producer-encryption-key-name | Dynamic producer encryption key
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-eks

Updates Amazon Elastic Kubernetes Service (Amazon EKS) producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-eks \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN> \
--eks-cluster-name <EKS cluster name. Must match the EKS cluster name you want to connect to> \
--eks-cluster-endpoint <EKS Cluster endpoint> \
--eks-cluster-ca-cert <EKS Cluster certificate. Base 64 encoded certificate> \
--eks-access-key-id <EKS Access Key ID> \
--eks-secret-access-key <EKS Secret Access Key>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-c, --eks-cluster-name | EKS cluster name. Must match the EKS cluster name you want to connect to
-e, --eks-cluster-endpoint | EKS Cluster endpoint. https:// , <DNS / IP> of the cluster
-r, --eks-cluster-ca-cert | EKS Cluster certificate. Base 64 encoded certificate
--eks-access-key-id | EKS Access Key ID
--eks-secret-access-key | EKS Secret Access Key
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--eks-region[=us-east-2] | EKS Region
--eks-assume-role | Role ARN. Role to assume when connecting to the EKS cluster
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint | The K8s cluster endpoint URL
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-gcp

Updates Google Cloud Provider (GCP) producer

Please note: mandatory values for this command: -n, --name, -s, --service-account-type[=fixed]

Usage
akeyless gateway-update-producer-gcp \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email> \
--gcp-cred-type <token|key> \
--gcp-key-file-path <Path to file with the Base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--gcp-token-scopes <Access token scopes list> \
--gcp-key-algo <Service account key algorithm>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-t, --gcp-cred-type[=token] | Credentials type, options are [token, key]
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--gcp-key-file-path | Path to file with the Base64-encoded service account private key
--gcp-key | Base64-encoded service account private key text
--gcp-token-scopes | Access token scopes list, e.g. scope1,scope2
--gcp-key-algo | Service account key algorithm, e.g. KEY_ALG_RSA_1024
--user-ttl[=60m] | User TTL (<=60m for access token)
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--producer-encryption-key-name | Dynamic producer encryption key
-s, --service-account-type[=fixed] | (Mandatory) The type of the gcp dynamic secret. Options [fixed, dynamic]
-e, --gcp-sa-email | The email of the fixed service account to generate keys or tokens for (relevant for service-account-type=fixed)
--role-binding | Role binding definitions in json format
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-github

Updates Github producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-github \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--installation-repository <instead of installation id, set a GitHub repository> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key (base64 encoded key)> \
--github-base-url <Github base url (Default = https://api.github.com/)>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--installation-id | Github application installation id
--installation-repository | Optional, instead of installation id, set a GitHub repository '/'
--target-name | Name of existing target to use in producer creation
--github-app-id | Github application id
--github-app-private-key | Github application private key (base64 encoded key)
--github-base-url[=https://api.github.com/] | Github base url
-p, --token-permissions | Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"content":"read"}'
-r, --token-repositories | Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-gke

Updates Google Kubernetes Engine (GKE) producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-gke \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-a, --gke-account-email | GKE service account email
-e, --gke-cluster-endpoint | GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>
-c, --gke-cluster-ca-cert | GKE Base-64 encoded cluster certificate
--gke-account-key-file-path | File path to GKE service account key
--gke-account-key | GKE service account key
--gke-cluster-name | GKE cluster name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint | The K8s cluster endpoint URL
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-hanadb

Updates HanaDB producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-hanadb \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-username <HanaDB user> \
--hanadb-password <HanaDB password> \
--hanadb-host <HanaDB host name (Default = 127.0.0.1)> \
--hanadb-port <HanaDB port (Default = 443)> \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--hanadb-username | HanaDB user
--hanadb-password | HanaDB password
--hanadb-host[=127.0.0.1] | HanaDB host name
--hanadb-port[=443] | HanaDB port
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD "{{password}}"; GRANT "MONITOR ADMIN" TO {{name}};] | HanaDB Creation Statements
--hanadb-revocation-statements[=DROP USER {{name}};] | HanaDB Revocation Statements
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-db-schema | The db schema
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-k8s

Updates Native Kubernetes Service producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-k8s \
--new-name <Producer New name> \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--k8s-cluster-endpoint <K8S Cluster endpoint> \
--k8s-cluster-ca-cert <K8S Cluster certificate. Base 64 encoded certificate> \
--k8s-cluster-token <K8S Cluster authentication token> \
--k8s-service-account <K8S ServiceAccount to extract token from> \
--k8s-namespace <K8S Namespace where the ServiceAccount exists (Default = default)>
Parameters
Parameters | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-e, --k8s-cluster-endpoint | K8S Cluster endpoint. https:// , <DNS / IP> of the cluster
-c, --k8s-cluster-ca-cert | K8S Cluster certificate. Base 64 encoded certificate
-t, --k8s-cluster-token | K8S Cluster authentication token
-s, --k8s-service-account | K8S ServiceAccount to extract token from
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--k8s-namespace[=default] | K8S Namespace where the ServiceAccount exists
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint | The K8s cluster endpoint
--secure-access-dashboard-url | The K8s dashboard url
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-ldap

Updates LDAP producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-ldap \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--ldap-url <User Base DN> \
--user-attribute <LDAP User Attribute> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password for LDAP Bind DN>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--ldap-url | User Base DN
--user-attribute | LDAP User Attribute
-t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate
--bind-dn | LDAP Bind DN
--bind-dn-password | Password for LDAP Bind DN
--external-username[=false] | Externally provided username
--token-expiration | LDAP token expiration in seconds
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-mongo

Updates a MongoDB/MongoDB Atlas producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-mongo \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-name <MongoDB name> \
--mongodb-custom-data <MongoDB custom data> \
--mongodb-username <MongoDB server username> \
--mongodb-password <MongoDB server password> \
--mongodb-host-port <host port>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--mongodb-name | MongoDB name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mongodb-roles[=[]] | MongoDB roles (e.g. MongoDB:[{"role":"readWrite", "db": "sales"}], MongoDB Atlas:[{"roleName" : "readWrite", "databaseName": "sales"}])
--mongodb-custom-data | MongoDB custom data (e.g. {"team":"blue"})
--mongodb-server-uri | MongoDB server URI (e.g. mongodb://user:[email protected]:27017/admin?replicaSet=mySet)
--mongodb-username | MongoDB server username
--mongodb-password | MongoDB server password
--mongodb-host-port | host:port (e.g. my.mongo.db:27017)
--mongodb-default-auth-db | MongoDB server default authentication database
--mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)
--mongodb-atlas-project-id | MongoDB Atlas project ID
--mongodb-atlas-api-public-key | MongoDB Atlas public key
--mongodb-atlas-api-private-key | MongoDB Atlas private key
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL (e.g. 60s, 60m, 60h)
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-mssql

Updates Microsoft SQL Server producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-mssql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MS SQL Server user> \
--mssql-password <MS SQL Server password> \
--mssql-host <MS SQL Server host name (Default = 127.0.0.1)> \
--mssql-port <MS SQL Server port (Default = 1433)>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-d, --mssql-dbname | MSSQL Server DB Name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mssql-username | MS SQL Server user
--mssql-password | MS SQL Server password
--mssql-host[=127.0.0.1] | MS SQL Server host name
--mssql-port[=1433] | MS SQL Server port
--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';] | MSSQL Server Creation Statements
--mssql-revocation-statements[=DROP LOGIN [{{name}}];] | MSSQL Server Revocation Statements
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-db-schema | The db schema
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, Required only for universal_identity authentication

gateway-update-producer-mysql

Updates MySQL producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-mysql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-username <MySQL user> \
--mysql-password <MySQL password> \
--mysql-host <MySQL host name (Default = 127.0.0.1)> \
--mysql-port <MySQL port (Default = 3306)>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-d, --mysql-dbname | MySQL DB name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--mysql-username | MySQL user
--mysql-password | MySQL password
--mysql-host[=127.0.0.1] | MySQL host name
--mysql-port[=3306] | MySQL port
--mysql-statements | MySQL Creation Statements
--ssl[=false] | Enable/Disable SSL [true/false]
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--db-server-certificates | The set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-oracle

Updates Oracle DB producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-oracle \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-username <Oracle user> \
--oracle-password <Oracle password> \
--oracle-host <Oracle host name (Default = 127.0.0.1)> \
--oracle-port <Oracle port (Default = 1521)>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-d, --oracle-service-name | Oracle service name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--oracle-username | Oracle user
--oracle-password | Oracle password
--oracle-host[=127.0.0.1] | Oracle host name
--oracle-port[=1521] | Oracle port
--oracle-statements | Oracle Creation Statements
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--db-server-certificates | The set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
--secure-access-enable[=false] | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-postgresql

Updates PostgreSQL producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-postgresql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-username <PostgreSQL user> \
--postgresql-password <PostgreSQL password> \
--postgresql-host <PostgreSQL host name (Default = 127.0.0.1)> \
--postgresql-port <PostgreSQL port (Default = 5432)> \
--postgresql-statements "CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT CONNECT ON DATABASE postgres TO \"{{name}}\"; GRANT USAGE ON SCHEMA public TO \"{{name}}\";" \
--postgresql-revoke-statement "REASSIGN OWNED BY \"{{name}}\" TO {{userHost}}; DROP OWNED BY \"{{name}}\"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER \"{{name}}\";"
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-d, --postgresql-db-name | PostgreSQL DB name
-u, --gateway-url[=http://localhost:8000] | Gateway URL
--postgresql-username | PostgreSQL user
--postgresql-password | PostgreSQL password
--postgresql-host[=127.0.0.1] | PostgreSQL host name
--postgresql-port[=5432] | PostgreSQL port
--postgresql-statements[=CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";] | PostgreSQL Creation Statements
--postgresql-revoke-statement[=REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER "{{name}}";] | PostgreSQL Revocation Statement
--enc-key-name | Encrypt producer with following key
--ssl[=false] | Enable/Disable SSL [true/false]
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
--secure-access-db-schema | The db schema
--secure-access-web[=false] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-rabbitmq

Updates RabbitMQ producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-rabbitmq \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-admin-user <RabbitMQ server user> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-s, --rabbitmq-server-uri | RabbitMQ server URI
-c, --rabbitmq-user-conf-permission | User configuration permission, for example: [.*,queue-name]
-w, --rabbitmq-user-write-permission | User write permission, for example: [.*,queue-name]
-r, --rabbitmq-user-read-permission | User read permission, for example: [.*,queue-name]
-a, --rabbitmq-admin-user | RabbitMQ server user
-p, --rabbitmq-admin-pwd | RabbitMQ server password
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rabbitmq-user-vhost | User Virtual Host
--rabbitmq-user-tags | Comma separated list of tags to apply to user
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-url | Destination URL to inject secrets
--secure-access-web[=true] | Enable Web Secure Remote Access
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-rdp

Updates RDP producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-rdp \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password> \
--rdp-host-port <RDP host port (Default = 22)>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-g, --rdp-user-groups | RDP UserGroup name(s). Multiple values should be separated by comma
-r, --rdp-host-name | RDP Host name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--rdp-admin-name | RDP Admin name
--rdp-admin-pwd | RDP Admin Password
--rdp-host-port[=22] | RDP Host port
--fixed-user-only[=false] | Allow access using externally (IdP) provided username
--producer-encryption-key-name | Encrypt producer with following key
--warn-user-before-expiration | Display message to user before TTL expires (min)
--allow-user-extend-session | Allow user to extend session periodically (min)
--user-ttl[=60m] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user | Override the RDP Domain username
--secure-access-host | Target servers for connections. For multiple values repeat this flag
--secure-access-allow-external-user[=false] | Allow providing an external user for domain users
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-redshift

Updates Redshift producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-redshift \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-username <Redshift user> \
--redshift-password <Redshift password> \
--redshift-host <Redshift host name (Default = 127.0.0.1)> \
--redshift-port <Redshift port (Default = 5439)> \
--redshift-statements "CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{username}}\";" \
--ssl "<false|true>"
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
--redshift-db-name | Redshift DB name
-u, --gateway-url[=http://localhost:8000] | Gateway URL
--redshift-username | Redshift user
--redshift-password | Redshift password
--redshift-host[=127.0.0.1] | Redshift host name
--redshift-port[=5439] | Redshift port
--redshift-statements[=CREATE USER "{{username}}" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{username}}";] | Redshift Creation Statements
--ssl[=false] | Enable/Disable SSL [true/false]
--enc-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
--secure-access-enable | Enable/Disable secure remote access, [true/false]
--secure-access-host | Target DB servers for connections. For multiple values repeat this flag
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-snowflake

Updates Snowflake producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-snowflake \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name> \
--account-username <Snowflake account user name> \
--account-password <Snowflake account password> \
--db-name <The DB the generated credentials are restricted to>
Parameters
Parameter | Description
--new-name | Producer New name
-n, --name | (Mandatory) Producer name
--target-name | Name of existing target to use in producer creation
-a, --account | Snowflake account name
--account-username | Snowflake account user name
--account-password | Snowflake account password
-d, --db-name | The DB the generated credentials are restricted to
--role | Role to be assigned to the generated credentials
--warehouse | The warehouse the generated credentials are restricted to
--snowflake-api-private-key | RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored
--snowflake-api-private-key-file-name | The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored
--snowflake-api-private-key-passphrase | The Private key passphrase
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--user-ttl[=24h] | User TTL
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-tmp-creds

Updates TTL of producer temporary credentials

Please note: mandatory values for this command: -n, --name, --tmp-creds-id, --new-ttl-min

Usage
akeyless gateway-update-producer-tmp-creds \
--name <Producer name> \
--tmp-creds-id <Temp Creds ID> \
--new-ttl-min <New TTL in Minutes> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-i, --tmp-creds-id | (Mandatory) Temp Creds ID
-t, --new-ttl-min | (Mandatory) New TTL in Minutes
-u, --gateway-url | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-update-producer-redis

Update Redis producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-update-producer-redis \
--name <Producer name> \
--new-name <Producer new name> \
--target-name <Target name> \
--gateway-url <API Gateway URL:8000> \
--username <Redis username> \
--password <Redis password>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--new-name | Producer New name
--target | Name of existing target to use in producer creation
--gateway-url | API Gateway URL
--username | Redis username
--password | Redis password
--host[=127.0.0.1] | Redis host
--port[=6379] | Redis port
--acl-rules | A JSON array list of Redis ACL rules to attach to the created user. For available rules see the ACL CAT command https://redis.io/commands/acl-cat. If omitted the user will have access to read all keys (["~*", "+@read"])
--ssl[=false] | Enable/Disable SSL [true/false]
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name | Encrypt producer with following key
--user-ttl[=60m] | User TTL
-t, --tag | Add tags attached to this object. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]

gateway-delete-producer

Deletes producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-delete-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-get-producer

Get producer details

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-get-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-get-producer-tmp-creds

Get producer temporary credentials list

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-get-producer-tmp-creds \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-list-producers

List available producers

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-revoke-producer-tmp-creds

Revoke producer temporary credentials

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-revoke-producer-tmp-creds \
--name <Producer name> \
--tmp-creds-id <Temp Creds ID> \
--revoke-all <Revoke All Temp Creds> \
--gateway-url <API Gateway URL:8000> \
--soft-delete <Use soft-delete> \
--host <Host>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
--tmp-creds-id | Temp Creds ID
--revoke-all | Revoke All Temp Creds
-u, --gateway-url | API Gateway URL (Configuration Management port)
--soft-delete | Use soft delete
--host | Host
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-start-producer

Starts producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-start-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-u, --gateway-url | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

gateway-stop-producer

Stops producer

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-stop-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Producer name
-u, --gateway-url | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication