CLI Reference - Dynamic Secrets
Dynamic Secrets
get-dynamic-secret-value
get-dynamic-secret-value
Gets dynamic secret value
Please note: mandatory values for this command: -n, --name
Usage
akeyless get-dynamic-secret-value \
--name <Dynamic Secret Name> \
--target <Target Name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Dynamic secret name |
--host | Host |
--target | Target Name |
--args | Optional arguments as key=value pairs or JSON strings, e.g - "--args=csr=base64_encoded_csr --args=common_name=bar" or --args='{"csr":"base64_encoded_csr"}. It is possible to combine both formats.' [role_arn,username,csr,common_name] |
--timeout[=15] | timeout in seconds |
--jq-expression | JQuery expression to filter result output |
Create Producer
gateway-create-producer-artifactory
gateway-create-producer-artifactory
Creates Artifactory producer
Please note: mandatory values for this command: -n, --name, -s, --artifactory-token-scope, -a, --artifactory-token-audience
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <Artifactory REST URL:8000 must end with artifactory postfix) \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances>
akeyless gateway-create-producer-artifactory \
--name <Dynamic Secret Name> \
--gateway-url <Artifactory REST URL:8000 must end with artifactory postfix) \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Artifactory Admin username> \
--artifactory-admin-pwd <Artifactory Admin API Key or password>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-s, --artifactory-token-scope | (Mandatory) Token scope provided as a space-separated list, for example: member-of-groups:readers -a, --artifactory-token-audience A space-separated list of other Artifactory instances or services that should accept this token, for example: [email protected] |
-a, --artifactory-token-audience | (Mandatory) A space-separated list of other Artifactory instances or services that should accept this token, for example: [email protected]* |
--target-name | Name of existing target to use in producer creation |
-b, --base-url | Artifactory REST URL, must end with artifactory postfix |
-r, --artifactory-admin-name | Admin name |
-p, --artifactory-admin-pwd | Admin API Key/Password |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) Default = http://localhost:8000 |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL Default = 60m |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-ping
gateway-create-producer-ping
Creates a Ping dynamic secret producer
There are 2 possible ways to run this command - using a target or aninline connection
Usage
akeyless gateway-create-producer-ping \
--name <Producer Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL>' \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODES \
--ping-redirect-uris <https://your-server.com/api/callback>
akeyless gateway-create-producer-ping \
--name <Producer Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--ping-url <https://my-pf-server.com> \
--ping-privileged-user <Username> \
--ping-password <Password>\
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODES \
--ping-redirect-uris <https://your-server.com/api/callback>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--ping-url | Ping URL |
-s, --ping-privileged-user | Ping Federate privileged user |
-p, --ping-password | Ping Federate privileged user password |
-i, --ping-administrative-port[=9999] | Ping Federate administrative port |
-j, --ping-authorization-port[=9031] | Ping Federate authorization port |
-t, --ping-client-authentication-type[=CLIENT_SECRET] | OAuth Client Authentication Type [CLIENT_SECRET, PRIVATE_KEY_JWT, CLIENT_TLS_CERTIFICATE] |
--ping-issuer-dn | Issuer DN of trusted CA certificate that imported into Ping Federate server. You may select "Trust Any" to trust all the existing issuers in Ping Federate server. Used in conjunction with --ping-cert-subject-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method) |
--ping-cert-subject-dn | The subject DN of the client certificate. If no explicit value is given, the producer will create CA certificate and matched client certificate and return it as value. Used in conjunction with --ping-issuer-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method) |
-f, --ping-enforce-replay-prevention[=false] | Determines whether PingFederate requires a unique signed JWT from the client for each action (relevant for PRIVATE_KEY_JWT authentication method) |
--ping-jwks | Base64-encoded JSON Web Key Set (JWKS). If no explicit value is given, the producer will create JWKs and matched signed JWT (Sign Algo: RS256) and return it as value (relevant for PRIVATE_KEY_JWT authentication method) |
--ping-jwks-url | The URL of the JSON Web Key Set (JWKS). If no explicit value is given, the producer will create JWKs and matched signed JWT and return it as value (relevant for PRIVATE_KEY_JWT authentication method) |
--ping-signing-algo | The signing algorithm that the client must use to sign its request objects [RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512] If no explicit value is given, the client can use any of the supported signing algorithms (relevant for PRIVATE_KEY_JWT authentication method) |
-g, --ping-grant-types | OAuth client grant types [IMPLICIT, AUTHORIZATION_CODE, CLIENT_CREDENTIALS, TOKEN_EXCHANGE, REFRESH_TOKEN, ASSERTION_GRANTS, PASSWORD, RESOURCE_OWNER_CREDENTIALS]. If no explicit value is given, AUTHORIZATION_CODE will be selected as default. For multiple values repeat this flag. |
-r, --ping-redirect-uris | URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. At least one redirection URI is required for the AUTHORIZATION_CODE and IMPLICIT grant types. For multiple values repeat this flag. |
-d, --ping-atm-id | Set a specific Access Token Management (ATM) instance for the created OAuth Client by providing the ATM Id. If no explicit value is given, the default pingfederate server ATM will be set. |
-o, --ping-restricted-scopes | Limit the OAuth client to specific scopes. For multiple values repeat this flag. |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
-e, --producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | The time from dynamic secret creation to expiration. |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-certificate-automation
gateway-create-producer-certificate-automation
Creates a Certificate Automation dynamic secret producer to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-create-certificate-automation \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--venafi-use-tpp <Required in TTP> \
--venafi-username <TPP Username> \
--venafi-password <TPP Password> \
--venafi-baseurl <TPP Enviornment BASE URL> \
--venafi-zone <Venafi Zone>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-z, --venafi-zone | Venafi Zone |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) Default = http://localhost:8000 |
--venafi-api-key | Venafi API key (Relevant when using Venafi Cloud) |
--venafi-use-tpp | When connecting to TPP this flag is required |
--venafi-username | Venafi Username (Relevant when using TPP) |
--venafi-password | Venafi Password (Relevant when using TPP) |
--venafi-baseurl | Base URL of the TPP environment. Or Cloud environment which isn't https://venafi.cloud/ |
--sign-using-akeyless-pki | creating certificates using Akeyless PKI |
--root-first-in-chain | root first in chain |
--store-private-key | store private key in Akeyless |
--auto-generated-folder | auto generated folder |
--signer-key-name | signer key name |
--allowed-domains | allowed domains |
--allow-subdomains | allow subdomains |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=2160h] | User TTL in time.Duration format (2160h / 129600m / etc...). When using sign-using-akeyless-pki certificates created will have this validity period, otherwise the user-ttl is taken from the Validity Period field of the Zone's' Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (1440h). For more information - https://cert-manager.io/docs/usage/certificate/ Default = 2160h |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation Default = false |
--admin-creds-rotation-interval[=0] | Admin credentials rotation interval (days) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-aws
gateway-create-producer-aws
Creates AWS producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-aws \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
akeyless gateway-create-producer-aws \
--name <secret name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs> \
--aws-access-key-id <Access ID> \
--aws-access-secret-key <Access Key> \
--aws-region <Region>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-i, --aws-access-key-id | Access Key ID |
-s, --aws-access-secret-key | Access Secret Key |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) Default = http://localhost:8000 |
--aws-access-mode | The types of credentials to retrieve from AWS. Options:[iam_user,assume_role] |
--aws-region[=us-east-2] | Region Default = us-east-2 |
--aws-user-policies | Policy ARN(s). Multiple values should be separated by comma |
---aws-user-groups | UserGroup name(s). Multiple values should be separated by comma |
--aws-role-arns | AWS Role ARNs to be use in the Assume Role operation. Multiple values should be separated by comma |
--aws-user-console-access=[false] | Enable AWS User console access Default = false |
--aws-user-programmatic-access[=true] | Enable AWS User programmatic access Default = true |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL Default = 60m |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation Default = flase |
--admin-creds-rotation-interval='0' | Admin credentials rotation interval (days) |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-aws-account-id | The aws account id |
--secure-access-aws-native-cli | The aws native cli |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion Default = false |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion Default = false |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=true] | Enable Web Secure Remote Access Default = true |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-azure
gateway-create-producer-azure
Creates Azure AD producer
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>
akeyless gateway-create-producer-azure \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--azure-tenant-id | Azure Tenant ID |
--azure-client-id | Azure Client ID (Application ID) |
--azure-client-secret | Azure AD Client Secret |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) Default = http://localhost:8000 |
--azure-user-portal-access[=false] | Enable Azure AD user portal access Default = false |
--azure-user-programmatic-access[=true] | Enable Azure AD user programmatic access Default = True. |
--azure-app-obj-id | Azure App Object ID (required if selected programmatic access) |
--azure-user-principal-name | Azure AD User Principal Name (required if selected Portal access) |
--azure-user-group-obj-id | Azure AD User Group Object ID (required if selected Portal access) |
--azure-user-role-template-id | Azure AD User Role Template ID (required if selected Portal access) |
--producer-encryption-key-name | Encrypt producer with following key |
--fixed-user-only[=false] | Allow access using externally (IdP) provided username Default = false. |
--fixed-user-claim-keyname | For externally provided users, denotes the key-name of IdP claim to extract username from |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-web[=true] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token</code | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-eks
gateway-create-producer-eks
Creates Amazon Elastic Kubernetes Service (Amazon EKS) producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN>
akeyless gateway-create-producer-eks \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--eks-cluster-name | EKS cluster name. Must match the EKS cluster name you want to connect to |
--eks-cluster-endpoint | EKS Cluster endpoint. https:// , <DNS / IP> of the cluster |
--eks-cluster-ca-cert | EKS Cluster certificate. Base 64 encoded certificate |
--eks-access-key-id | EKS Access Key ID |
--eks-secret-access-key | EKS Secret Access Key |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--eks-region[=us-east-2] | EKS Region |
--eks-assume-role | Role ARN. Role to assume when connecting to the EKS cluster |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint URL |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access. |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-gke
gateway-create-producer-gke
Creates Google Kubernetes Engine (GKE) producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gke-account-email <GKE service account email> \
--gke-account-key <GKE service account Key>
--gke-cluster-endpoint <GKE cluster endpoint URL> \
--gke-cluster-ca-cert <Base64-encoded GKE cluster CA certificate> \
--gke-cluster-name <GKE cluster name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--gke-account-email | GKE service account email |
--gke-cluster-endpoint | GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>. |
--gke-cluster-ca-cert | GKE Base-64 encoded cluster certificate |
--gke-account-key-file-path | File path to GKE service account key |
--gke-account-key | GKE service account key |
--gke-cluster-name | GKE cluster name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint URL |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access. |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
--uid-token | The universal identity token. It is required only for the universal_identity authentication. |
gateway-create-producer-gcp
gateway-create-producer-gcp
Creates Google Cloud Provider (GCP) producer
Please note: mandatory values for this command: -n, --name, -s, --service-account-type[=fixed]
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email>
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>
akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email>
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-key-file-path <GCP Service Account Private Key>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--gcp-cred-type[=token] | Credentials type, options are [token, key] |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--gcp-key-file-path | Path to file with the Base64-encoded service account private key |
--gcp-key | Base64-encoded service account private key text |
--gcp-token-scopes | Access token scopes list, e.g. scope1,scope2 |
--gcp-key-algo | Service account key algorithm, e.g. KEY_ALG_RSA_1024 |
--user-ttl='60m' | User TTL (<=60m for access token) |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--producer-encryption-key-name | Dynamic producer encryption key |
-s, --service-account-type[=fixed] | (Mandatory) The type of the gcp dynamic secret. Options[fixed, dynamic] |
-e, --gcp-sa-email | The email of the fixed service acocunt to generate keys or tokens for. (revelant for service-account-type=fixed) |
--role-binding | Role binding definitions in json format |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-cassandra
gateway-create-producer-cassandra
Create Cassandra producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-cassandra \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
akeyless gateway-create-producer-cassandra \
--name <path to your secret> \
--gateway-url <API Gateway URL:8000> \
--cassandra-hosts <Cassandra host> \
--cassandra-port <Cassandra port> \
--cassandra-username <Cassandra username> \
--cassandra-password <password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Target name |
--cassandra-hosts | Cassandra hosts names or IP addresses, comma separated |
--cassandra-username | Cassandra superuser user name |
--cassandra-password | Cassandra superuser password |
--cassandra-port[=9042] | Cassandra port |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';] | Cassandra Creation Statements |
--user-ttl[=60m] | User TTL (<=60m for access token) |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--producer-encryption-key-name | Dynamic producer encryption key |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-hanadb
gateway-create-producer-hanadb
Creates HanaDB producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
akeyless gateway-create-producer-hanadb \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--hana-dbname <HanaDB name> \
--hanadb-username <HanaDB admin username> \
--hanadb-password <HanaDB admin password> \
--hanadbt-host <HanaDB host> \
--hanadb-port <HanaDB port> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-d, --hana-dbname | Hana DB Name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--hanadb-username | HanaDB user |
--hanadb-password | HanaDB password |
--hanadb-host[=127.0.0.1] | HanaDB host name |
--hanadb-port[=443] | HanaDB port |
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD "{{password}}"; GRANT "MONITOR ADMIN" TO {{name}};] | HanaDB Creation Statements |
--hanadb-revocation-statements[=DROP USER {{name}};] | HanaDB Revocation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-oracle
gateway-create-producer-oracle
Creates Oracle DB producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
akeyless gateway-create-producer-oracle \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-service-name <Your Oracle DB Service name > \
--oracle-username <Oracle DB admin username> \
--oracle-password <Oracle DB admin password> \
--oracle-host <Your Oracle DB host> \
--oracle-port <Oracle DB port> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY "{{password}}"; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-d, --oracle-service-name | Oracle service name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--oracle-username | Oracle user |
--oracle-password | Oracle password |
--oracle-host[=127.0.0.1] | Oracle host name |
--oracle-port[=1521] | Oracle port |
--oracle-statements | Oracle Creation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--db-server-certificates | the set of root certificate authorities in base64 encoding that clients use when verifying server certificates |
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
--secure-access-enable[=false] | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-redshift
gateway-create-producer-redshift
Creates Redshift producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
--ssl "<fales|true>"
akeyless gateway-create-producer-redshift \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-db-name <Redshift DB name> \
--redshift-username <Redshift DB admin username> \
--redshift-password <Redshift DB admin password> \
--redshift-host <Redshift DB host> \
--redshift-port <Redshift DB port> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--redshift-db-name | Redshift DB name |
-u, --gateway-url[=http://localhost:8000] | Gateway url |
--redshift-username | redshiftL user |
--redshift-password | Redshift password |
--redshift-host[=127.0.0.1] | Redshift host name |
--redshift-port[=5439] | Redshift port |
--redshift-statements[=CREATE USER "{{username}}" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{username}}";] | Redshift Creation Statements |
--ssl[=false] | Enable/Disable SSL [true/false] |
--enc-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-mongo
gateway-create-producer-mongo
Creates a MongoDB/MongoDB Atlas producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role>
akeyless gateway-create-producer-mongo \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-username <MongoDB server admin username> \
--mongodb-password <MongoDB server admin password> \
--mongodb-host-port <host:port>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mongodb-roles[=[]] | MongoDB roles (e.g. MongoDB:[{"role":"readWrite", "db": "sales"}], MongoDB Atlas:[{"roleName" : "readWrite", "databaseName": "sales"}]) |
--mongodb-custom-data | MongoDB custom data (e.g. {"team":"blue"}) |
--mongodb-server-uri | MongoDB server URI (e.g. mongodb://user:[email protected]:27017/admin?replicaSet=mySet) |
--mongodb-username | MongoDB server username |
--mongodb-password | MongoDB server password |
--mongodb-host-port | host:port (e.g. my.mongo.db:27017) |
--mongodb-default-auth-db | MongoDB server default authentication database |
--mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB) |
--mongodb-atlas-project-id | MongoDB Atlas project ID |
--mongodb-atlas-api-public-key | MongoDB Atlas public key |
--mongodb-atlas-api-private-key | MongoDB Atlas private key |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL (e.g. 60s, 60m, 60h) |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-mssql
gateway-create-producer-mssql
Creates Microsoft SQL Server
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}';"
--mssql-revocation-statements "DROP LOGIN '{{name}}';"
akeyless gateway-create-producer-mssql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN '{{name}}';" \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MSSQL Server admin user> \
--mssql-password <MSSQL Server admin password> \
--mssql-host <MSSQL Server host name> \
--mssql-port <MSSQL Server port>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--mssql-dbname | MSSQL Server DB Name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mssql-username | MS SQL Server user |
--mssql-password | MS SQL Server password |
--mssql-host[=127.0.0.1] | MS SQL Server host name |
--mssql-port[=1433] | MS SQL Server port |
--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';] | MSSQL Server Creation Statements |
--mssql-revocation-statements[=DROP LOGIN [{{name}}];] | MSSQL Server Revocation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion. |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-mysql
gateway-create-producer-mysql
Creates MySQL producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';"
akeyless gateway-create-producer-mysql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';" \
--mysql-dbname <MySQL DB Name > \
--mysql-host <MySQL host> \
--mysql-port <MySQL port> \
--mysql-username <MySQL admin username> \
--mysql-password <MySQL admin password>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--mysql-dbname | MySQL DB name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mysql-username | MySQL user |
--mysql-password | MySQL password |
--mysql-host[=127.0.0.1] | MySQL host name |
--mysql-port[=3306] | MySQL port |
--mysql-statements | MySQL Creation Statements |
--ssl[=false] | Enable/Disable SSL [true/false] |
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--db-server-certificates | the set of root certificate authorities in base64 encoding that clients use when verifying server certificates |
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-postgresql
gateway-create-producer-postgresql
Creates PostgreSQL producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT CONNECT ON DATABASE postgres TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = "{{name}}"; DROP USER "{{name}}";'
akeyless gateway-create-producer-postgresql \
--name <New Secret Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-db-name <PostgreSQL DB name> \
--postgresql-username <PostgreSQL DB admin username> \
--postgresql-password <PostgreSQL DBadmin password> \
--postgresql-host <PostgreSQL DB host> \
--postgresql-port <PostgreSQL DB port> \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT CONNECT ON DATABASE postgres TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = "{{name}}"; DROP USER "{{name}}";'
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--postgresql-db-name | PostgreSQL DB name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--postgresql-username | PostgreSQL user |
--postgresql-password | PostgreSQL password |
--postgresql-host[=127.0.0.1] | PostgreSQL host name |
--postgresql-port[=5432] | PostgreSQL port |
--postgresql-statements[=CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";] | PostgreSQL Creation Statements |
--postgresql-revoke-statement[=REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER "{{name}}";] | PostgreSQL Revocation Statement |
--enc-key-name | Encrypt producer with following key |
--ssl[=false] | Enable/Disable SSL [true/false] |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion. |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag. |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-rabbitmq
gateway-create-producer-rabbitmq
Creates RabbitMQ producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission>
akeyless gateway-create-producer-rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-server-uri <RabbitMQ server URI> \
--rabbitmq-admin-user <RabbitMQ server admin> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--rabbitmq-server-uri | RabbitMQ server URI |
--rabbitmq-user-conf-permission | User configuration permission, for example:[.*,queue-name] |
--rabbitmq-user-write-permission | User write permission, for example:[.*,queue-name] |
--rabbitmq-user-read-permission | User read permission, for example:[.*,queue-name] |
--rabbitmq-admin-user | RabbitMQ server user |
--rabbitmq-admin-pwd | RabbitMQ server password |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rabbitmq-user-vhost | User Virtual Host |
--rabbitmq-user-tags | Comma separated list of tags to apply to user |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion. |
--secure-access-url | Destination URL to inject secrets. |
--secure-access-web[=true] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-rdp
gateway-create-producer-rdp
Creates RDP producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name>
akeyless gateway-create-producer-rdp \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-host-port <RDP port> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--rdp-user-groups | RDP UserGroup name(s). Multiple values should be separated by comma |
--rdp-host-name | RDP Host name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rdp-admin-name | RDP Admin name |
--rdp-admin-pwd | RDP Admin password |
--rdp-host-port[=22] | RDP Host port |
--fixed-user-only[=false] | Allow access using externally (IdP) provided username |
--producer-encryption-key-name | Encrypt producer with following key |
--warn-user-before-expiration | Display message to user before TTL expires (min) |
--allow-user-extend-session | Allow user to extend session periodically (min) |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user |
--secure-access-rdp-user | Override the RDP Domain username |
--secure-access-host | Target servers for connections., For multiple values repeat this flag. |
--secure-access-allow-external-user[=false] | Allow providing external user for a domain users |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-snowflake
gateway-create-producer-snowflake
Creates Snowflake producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-snowflake \
--name <New Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Wahehouse Name>
akeyless gateway-create-producer-snowflake \
--name <Secret Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Wahehouse Name> \
--account <Snowflake account name> \
--username <Snowflake username> \
--password <Snowflake password> \
--db-name <Database to which the generated credentials are restricted>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--account | Snowflake account name |
--account-username | Snowflake account user name |
--account-password | Snowflake account password |
--db-name | The DB the generated credentials are restricted to |
--role | Role to be assigned to the generated credentials |
--warehouse | The warehouse the generated credentials are restricted to |
--snowflake-api-private-key | RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored |
--snowflake-api-private-key-file-name | The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored |
--snowflake-api-private-key-passphrase | The Private key passphrase |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--user-ttl[=24h] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-ldap
gateway-create-producer-ldap
Creates LDAP producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-ldap \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--user-dn <User Base DN>
akeyless gateway-create-producer-ldap \
--name <Dynamic Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password>\
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--user-dn <User Base DN>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--ldap-url | LDAP Server URL |
--user-dn | User Base DN |
--user-attribute | LDAP User Attribute |
-t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate |
--bind-dn | LDAP Bind DN |
--bind-dn-password | Password for LDAP Bind DN |
--external-username[=false] | Externally provided username |
--token-expiration | LDAP token expiration in seconds |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-github
gateway-create-producer-github
Creates Github producer that support tokens creation with fixed ttl of 60 minutes
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection.
Usage
akeyless gateway-create-producer-github \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID>
akeyless gateway-create-producer-github \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <Base64-encoded application private key> \
--github-base-url <Github base URL>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--installation-id | Github application installation id |
--installation-repository | Optional, instead of installation id, set a GitHub repository '/' |
--target-name | Name of existing target to use in producer creation |
--github-app-id | Github application id |
--github-app-private-key | Github application private key (base64 encoded key) |
--github-base-url[=https://api.github.com/] | Github base url |
-p, --token-permissions | Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"content":"read"}' |
-r, --token-repositories | Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2 |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-dockerhub
gateway-create-producer-dockerhub
Creates a Dockerhub producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection.
Usage
akeyless gateway-create-producer-dockerhub \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read'
akeyless gateway-create-producer-dockerhub \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read' \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--dockerhub-username | Username for docker repository |
--dockerhub-password | password for docker repository |
--dockerhub-token-scopes | Comma-separated access token scopes list to give the created dynamic secret. Valid options are in 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read' |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--user-ttl[=60m] | User TTL (<=60m for access token) |
--tag | A list of tags attached to this secret. To specify multiple tags use the argument multiple times: --tag Tag1 --tag Tag2 . |
--producer-encryption-key-name | Dynamic producer encryption key |
--delete-protection | Protection from accidental deletion of this item, [true/false]. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
--uid-token | The universal identity token. It is required only for the universal_identity authentication. |
gateway-create-producer-k8s
gateway-create-producer-k8s
Creates Native Kubernetes Service producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-create-producer-k8s \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account>
akeyless gateway-create-producer-k8s \
--name <secret name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account> \
--k8s-cluster-endpoint <Cluster Endpoint URL> \
--k8s-cluster-ca-cert <Base64-encoded cluster CA certificate> \
--k8s-cluster-token ${TOKEN}
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-e, --k8s-cluster-endpoint | K8S Cluster endpoint. https:// , <DNS / IP> of the cluster |
-c, --k8s-cluster-ca-cert | K8S Cluster certificate. Base 64 encoded certificate |
-t, --k8s-cluster-token | K8S Cluster authentication token |
-s, --k8s-service-account | K8S ServiceAccount to extract token from |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--k8s-namespace[=default] | K8S Namespace where the ServiceAccount exists |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint |
--secure-access-dashboard-url | The K8s dashboard url |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-chef
gateway-create-producer-chef
Creates Chef producer
Please note: mandatory values for this command: -n, --name
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations>
akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations> \
--chef-server-username <Chef server username> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--skip-ssl <true|false>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-c, --chef-server-username | Chef server username |
-y, --chef-server-key | Chef server key |
-s, --chef-server-url | Chef server URL |
-g, --chef-orgs | Chef organizations |
--skip-ssl[=true] | Skip SSL |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-create-producer-custom
gateway-create-producer-custom
Creates a custom webhook-based dynamic secret
Please note: mandatory values for this command: -n, --name, --create-sync-url, --revoke-sync-url
There are 2 possible ways to run this command - Using target or inline connection
Usage
akeyless gateway-create-producer-custom \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--create-sync-url 'https://example.com/sync/create:Port' \
--revoke-sync-url 'https://example.com/sync/revoke:Port' \
--revoke-sync-url 'https://example.com/sync/rotate:Port'
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--create-sync-url | (Mandatory) URL of an endpoint that implements /sync/create method |
--revoke-sync-url | (Mandatory) URL of an endpoint that implements /sync/revoke method |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rotate-sync-url | URL of an endpoint that implements /sync/rotate method |
--payload | Secret payload to be sent with each create/revoke webhook request |
--timeout-sec[=60] | Maximum allowed time in seconds for the webhook to return the results |
--enable_admin_rotation[=false] | Enable automatic admin credentials rotation |
--admin_rotation_interval_days | Rotation period in days |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
Update Producer
gateway-update-producer-artifactory
gateway-update-producer-artifactory
Updates Artifactory producer
Please note: mandatory values for this command: -n, --name, -s, --artifactory-token-scope, -a, --artifactory-token-audience
Usage
akeyless gateway-update-producer-artifactory \
--name <Dynamic Secret Name> \
--new-name <Producer New name>
--gateway-url <API Gateway URL:8000> \
--Target-name <Target Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
-s, --artifactory-token-scope | (Mandatory) Token scope provided as a space-separated list, for example: member-of-groups:readers |
-a, --artifactory-token-audience | (Mandatory) A space-separated list of other Artifactory instances or services that should accept this token, for example: [email protected]* |
--target-name | Name of existing target to use in producer creation |
-b, --base-url | Artifactory REST URL, must end with artifactory postfix |
-r, --artifactory-admin-name | Admin name |
-p, --artifactory-admin-pwd | Admin API Key/Password |
u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-aws
gateway-update-producer-aws
Updates AWS producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-aws \
--name <secret name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-i, --aws-access-key-id | Access Key ID |
-s, --aws-access-secret-key | Access Secret Key |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--aws-access-mode | The types of credentials to retrieve from AWS. Options:[iam_user,assume_role] |
--aws-region[=us-east-2] | Region |
--aws-user-policies | Policy ARN(s). Multiple values should be separated by comma |
--aws-user-groups | UserGroup name(s). Multiple values should be separated by comma |
--aws-role-arns | AWS Role ARNs to be use in the Assume Role operation. Multiple values should be separated by comma |
--aws-user-console-access[=false] | Enable AWS User console access |
--aws-user-programmatic-access[=true] | Enable AWS User programmatic access |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation |
--admin-creds-rotation-interval[=0] | Admin credentials rotation interval (days) |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-aws-account-id | The aws account id |
--secure-access-aws-native-cli | The aws native cli |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=true] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-azure
gateway-update-producer-azure
Updates Azure AD producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-azure \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-t, --azure-tenant-id | Azure Tenant ID |
-i, --azure-client-id | Azure Client ID (Application ID) |
-s, --azure-client-secret | Azure AD Client Secret |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--azure-user-portal-access[=false] | Enable Azure AD user portal access |
--azure-user-programmatic-access[=false] | Enable Azure AD user programmatic access |
--azure-app-obj-id | Azure App Object ID (required if selected programmatic access) |
--azure-user-principal-name | Azure AD User Principal Name (required if selected Portal access) |
--azure-user-group-obj-id | Azure AD User Group Object ID (required if selected Portal access) |
--azure-user-role-template-id | Azure AD User Role Template ID (required if selected Portal access) |
--producer-encryption-key-name | Encrypt producer with following key |
--fixed-user-only[=false] | Allow access using externally (IdP) provided username |
--fixed-user-claim-keyname | For externally provided users, denotes the key-name of IdP claim to extract username from |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-web[=true] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-cassandra
gateway-update-producer-cassandra
Update Cassandra producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-cassandra \
--name <Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-hosts <Cassandra hosts names or IP addresses, comma separated> \
--cassandra-username <Cassandra superuser user name> \
--cassandra-password <Cassandra superuser password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Target name |
--cassandra-hosts | Cassandra hosts names or IP addresses, comma separated |
--cassandra-username | Cassandra superuser user name |
--cassandra-password | Cassandra superuser password |
--cassandra-port[=9042] | Cassandra port |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';] | Cassandra Creation Statements |
--user-ttl[=60m] | User TTL (<=60m for access token) |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--producer-encryption-key-name | Dynamic producer encryption key |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-certificate-automation
gateway-update-producer-certificate-automation
Updates a Certificate Automation dynamic secret producer to update certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-certificate-automation \
--name <Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--venafi-zone <Venafi Zone> \
--venafi-api-key <Venafi API key (Relevant when using Venafi Cloud)>\
--venafi-use-tpp <When connecting to TPP this flag is required> \
--venafi-username <Venafi Username (Relevant when using TPP)>
--venafi-password <Venafi password (Relevant when using TPP)>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-z, --venafi-zone | Venafi Zone |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--venafi-api-key | Venafi API key (Relevant when using Venafi Cloud) |
--venafi-use-tpp | When connecting to TPP this flag is required |
--venafi-username | Venafi Username (Relevant when using TPP) |
--venafi-password | Venafi Password (Relevant when using TPP) |
--venafi-baseurl | Base URL of the TPP environment. Or Cloud environment which isn't https://venafi.cloud/ |
--sign-using-akeyless-pki | creating certificates using Akeyless PKI |
--root-first-in-chain | root first in chain |
--store-private-key | store private key in Akeyless |
--auto-generated-folder | auto generated folder |
--signer-key-name | signer key name |
--allowed-domains | allowed domains |
--allow-subdomains | allow subdomains |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=2160h] | User TTL in time.Duration format (2160h / 129600m / etc...). When using sign-using-akeyless-pki certificates created will have this validity period, otherwise the user-ttl is taken from the Validity Period field of the Zone's' Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (1440h). For more information - https://cert-manager.io/docs/usage/certificate/ |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--admin-creds-rotation[=false] | Enable automatic admin credentials rotation |
--admin-creds-rotation-interval[=0] | Admin credentials rotation interval (days) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-chef
gateway-update-producer-chef
Updates Chef producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-chef \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-c, --chef-server-username | Chef server username |
-y, --chef-server-key | Chef server key |
-s, --chef-server-url | Chef server URL |
-g, --chef-orgs | Chef organizations |
--skip-ssl[=true] | Skip SSL |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-custom
gateway-update-producer-custom
Updates a custom webhook based dynamic secret producer
Please note: mandatory values for this command: -n, --name, -c, --create-sync-url, -r, --revoke-sync-url
Usage
akeyless gateway-update-producer-custom \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--gateway-url <API Gateway URL:8000> \
--create-sync-url <https://example.com/sync/create:Port> \
--revoke-sync-url <https://example.com/sync/revoke:Port> \
--producer-encryption-key-name <Encrypt producer with following key> \
--rotate-sync-url <URL of an endpoint that implements /sync/rotate method>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
-c, --create-sync-url | (Mandatory) URL of an endpoint that implements /sync/create method |
-r, --revoke-sync-url | (Mandatory) URL of an endpoint that implements /sync/revoke method |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rotate-sync-url | URL of an endpoint that implements /sync/rotate method |
--payload | Secret payload to be sent with each create/revoke webhook request |
--timeout-sec[=60] | Maximum allowed time in seconds for the webhook to return the results |
--enable_admin_rotation[=false] | Enable automatic admin credentials rotation |
--admin_rotation_interval_days | Rotation period in days |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-dockerhub
gateway-update-producer-dockerhub
Updates a Dockerhub producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-dockerhub \
--name (Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--dockerhub-username | Username for docker repository |
--dockerhub-password | Password for docker repository |
--dockerhub-token-scopes | Comma-separated access token scopes list to give the created dynamic secret. Valid options are in 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read' |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--user-ttl[=60m] | User TTL (<=60m for access token) |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--producer-encryption-key-name | Dynamic producer encryption key |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-eks
gateway-update-producer-eks
Updates Amazon Elastic Kubernetes Service (Amazon EKS) producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-eks \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN>\
--eks-cluster-name <EKS cluster name. Must match the EKS cluster name you want to connect to> \
--eks-cluster-endpoint <EKS Cluster endpoint> \
--eks-cluster-ca-cert <EKS Cluster certificate. Base 64 encoded certificate> \
--eks-access-key-id <EKS Access Key ID> \
--eks-secret-access-key <EKS Secret Access Key>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-c, --eks-cluster-name | EKS cluster name. Must match the EKS cluster name you want to connect to |
-e, --eks-cluster-endpoint | EKS Cluster endpoint. https:// , <DNS / IP> of the cluster |
-r, --eks-cluster-ca-cert | EKS Cluster certificate. Base 64 encoded certificate |
--eks-access-key-id | EKS Access Key ID |
--eks-secret-access-key | EKS Secret Access Key |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--eks-region[=us-east-2] | EKS Region |
--eks-assume-role | Role ARN. Role to assume when connecting to the EKS cluster |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint URL |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-gcp
gateway-update-producer-gcp
Updates Google Cloud Provider (GCP) producer
Please note: mandatory values for this command: -n, --name, -s, --service-account-type[=fixed]
Usage
akeyless gateway-update-producer-gcp \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email>
--gcp-cred-type <token|key> \
--gcp-key-file-path <Path to file with the Base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--gcp-token-scopes <Access token scopes list> \
--gcp-key-algo <Service account key algorithm>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-t, --gcp-cred-type[=token] | Credentials type, options are [token, key] |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--gcp-key-file-path | Path to file with the Base64-encoded service account private key |
--gcp-key | Base64-encoded service account private key text |
--gcp-token-scopes | Access token scopes list, e.g. scope1,scope2 |
--gcp-key-algo | Service account key algorithm, e.g. KEY_ALG_RSA_1024 |
--user-ttl[=60m] | User TTL (<=60m for access token) |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--producer-encryption-key-name | Dynamic producer encryption key |
-s, --service-account-type[=fixed] | (Mandatory) The type of the gcp dynamic secret. Options[fixed, dynamic] |
-e, --gcp-sa-email | The email of the fixed service acocunt to generate keys or tokens for. (revelant for service-account-type=fixed) |
--role-binding | Role binding definitions in json format |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-github
gateway-update-producer-github
Updates Github producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-github \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--installation-repository <instead of installation id, set a GitHub repository> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key (base64 encoded key)> \
--github-base-url <Github base url (Deafult = https://api.github.com/)
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--installation-id | Github application installation id |
--installation-repository | Optional, instead of installation id, set a GitHub repository '/' |
--target-name | Name of existing target to use in producer creation |
--github-app-id | Github application id |
--github-app-private-key | Github application private key (base64 encoded key) |
--github-base-url[=https://api.github.com/] | Github base url |
-p, --token-permissions | Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"content":"read"}' |
-r, --token-repositories | Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2 |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-gke
gateway-update-producer-gke
Updates Google Kubernetes Engine (GKE) producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-gke \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-a, --gke-account-email | GKE service account email |
-e, --gke-cluster-endpoint | GKE cluster endpoint, i.e., cluster URI https://<DNS/IP> |
-c, --gke-cluster-ca-cert | GKE Base-64 encoded cluster certificate |
--gke-account-key-file-path | File path to GKE service account key |
--gke-account-key | GKE service account key |
--gke-cluster-name | GKE cluster name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint URL |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-hanadb
gateway-update-producer-hanadb
Updates HanaDB producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-hanadb \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-username <HanaDB user>
--hanadb-password <--hanadb-password> \
--hanadb-host <HanaDB host name (Deafult = 127.0.0.1) \
--hanadb-port <HanaDB port (Deafult = 443) \
--producer-encryption-key-name <Encrypt producer with following key>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--hanadb-username | HanaDB user |
--hanadb-password | HanaDB password |
--hanadb-host[=127.0.0.1] | HanaDB host name |
--hanadb-port[=443] | HanaDB port |
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD "{{password}}"; GRANT "MONITOR ADMIN" TO {{name}};] | HanaDB Creation Statements |
--hanadb-revocation-statements[=DROP USER {{name}};] | HanaDB Revocation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-k8s
gateway-update-producer-k8s
Updates Native Kubernetes Service producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-k8s \
--new-name <Producer New name> \
--name <secret name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account> \
--k8s-cluster-endpoint <K8S Cluster endpoint> \
--k8s-cluster-ca-cert <K8S Cluster certificate. Base 64 encoded certificate> \
--k8s-cluster-token <K8S Cluster authentication token> \
--k8s-service-account <K8S ServiceAccount to extract token from> \
--k8s-namespace <K8S Namespace where the ServiceAccount exists (Deafult = default)>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-e, --k8s-cluster-endpoint | K8S Cluster endpoint. https:// , <DNS / IP> of the cluster |
-c, --k8s-cluster-ca-cert | K8S Cluster certificate. Base 64 encoded certificate |
-t, --k8s-cluster-token | K8S Cluster authentication token |
-s, --k8s-service-account | K8S ServiceAccount to extract token from |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--k8s-namespace[=default] | K8S Namespace where the ServiceAccount exists |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-cluster-endpoint | The K8s cluster endpoint |
--secure-access-dashboard-url | The K8s dashboard url |
--secure-access-allow-port-forwading | Enable Port forwarding while using CLI access |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-ldap
gateway-update-producer-ldap
Updates LDAP producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-ldap \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--ldap-url <User Base DN> \
--user-attribute <LDAP User Attribute> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password for LDAP Bind DN>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--ldap-url | User Base DN |
--user-attribute | LDAP User Attribute |
-t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate |
--bind-dn | LDAP Bind DN |
--bind-dn-password | Password for LDAP Bind DN |
--external-username[=false] | Externally provided username |
--token-expiration | LDAP token expiration in seconds |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
-delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-mongo
gateway-update-producer-mongo
Updates a MongoDB/MongoDB Atlas producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-mongo \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-name <MongoDB name> \
--mongodb-custom-data <MongoDB custom data>\
--mongodb-username <MongoDB server username> \
--mongodb-password <MongoDB server password> \
--mongodb-host-port <host port>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) |
--target-name | Name of existing target to use in producer creation |
--mongodb-name | MongoDB name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mongodb-roles[=[]] | MongoDB roles (e.g. MongoDB:[{"role":"readWrite", "db": "sales"}], MongoDB Atlas:[{"roleName" : "readWrite", "databaseName": "sales"}]) |
--mongodb-custom-data | MongoDB custom data (e.g. {"team":"blue"}) |
--mongodb-server-uri | MongoDB server URI (e.g. mongodb://user:[email protected]:27017/admin?replicaSet=mySet) |
--mongodb-username | MongoDB server username |
--mongodb-password | MongoDB server password |
--mongodb-host-port | host:port (e.g. my.mongo.db:27017) |
--mongodb-default-auth-db | MongoDB server default authentication database |
--mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB) |
--mongodb-atlas-project-id | MongoDB Atlas project ID |
--mongodb-atlas-api-public-key | MongoDB Atlas public key |
--mongodb-atlas-api-private-key | MongoDB Atlas private key |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL (e.g. 60s, 60m, 60h) |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-mssql
gateway-update-producer-mssql
Updates Microsoft SQL Server
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-mssql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MS SQL Server user> \
--mssql-password <MS SQL Server password> \
--mssql-host <MS SQL Server host name (Deafult = 127.0.0.1) > \
--mssql-port <MS SQL Server port (Deafult = 1433) >
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) |
--target-name | Name of existing target to use in producer creation |
-d, --mssql-dbname | MSSQL Server DB Name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mssql-username | MS SQL Server user |
--mssql-password | MS SQL Server password |
--mssql-host[=127.0.0.1] | MS SQL Server host name |
--mssql-port[=1433] | MS SQL Server port |
--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';] | MSSQL Server Creation Statements |
--mssql-revocation-statements[=DROP LOGIN [{{name}}];] | MSSQL Server Revocation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-mysql
gateway-update-producer-mysql
Updates MySQL producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-mysql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-username <MySQL user> \
--mysql-password <MySQL password> \
--mysql-host <MySQL host name (Deafult = 127.0.0.1) > \
--mysql-port <MySQL port Deafult = 3306) >
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-d, --mysql-dbname | MySQL DB name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--mysql-username | MySQL user |
--mysql-password | MySQL password |
--mysql-host[=127.0.0.1] | MySQL host name |
--mysql-port[=3306] | MySQL port |
--mysql-statements | MySQL Creation Statements |
--ssl[=false] | Enable/Disable SSL [true/false] |
--ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--db-server-certificates | the set of root certificate authorities in base64 encoding that clients use when verifying server certificates |
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-oracle
gateway-update-producer-oracle
Updates Oracle DB producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-oracle \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-username <Oracle user> \
--oracle-password <Oracle password> \
--oracle-host <Oracle host name (Deafult = 127.0.0.1) > \
--oracle-port <Oracle port (Default = 1521)
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-d, --oracle-service-name | Oracle service name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--oracle-username | Oracle user |
--oracle-password | Oracle password |
--oracle-host[=127.0.0.1] | Oracle host name |
--oracle-port[=1521] | Oracle port |
--oracle-statements | Oracle Creation Statements |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--db-server-certificates | the set of root certificate authorities in base64 encoding that clients use when verifying server certificates |
--db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
--secure-access-enable[=false] | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-postgresql
gateway-update-producer-postgresql
Updates PostgreSQL producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-postgresql \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-username <PostgreSQL user> \
--postgresql-password <PostgreSQL password> \
--postgresql-host <PostgreSQL host name (Deafult = 127.0.0.1) > \
--postgresql-port <PostgreSQL port (Deafult = 5432) > \
--postgresql-statements 'CREATE USER "{{name}}" WITH PASSWORD "{{password}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"; GRANT CONNECT ON DATABASE postgres TO "{{name}}"; GRANT USAGE ON SCHEMA public TO "{{name}}";' \
--postgresql-revoke-statement 'REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = "{{name}}"; DROP USER "{{name}}";'
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-d, --postgresql-db-name | PostgreSQL DB name |
-u, --gateway-url[=http://localhost:8000] | Gateway url |
--postgresql-username | PostgreSQL user |
--postgresql-password | PostgreSQL password |
--postgresql-host[=127.0.0.1] | PostgreSQL host name |
--postgresql-port[=5432] | PostgreSQL port |
--postgresql-statements[=CREATE USER "{{name}}" WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";GRANT CONNECT ON DATABASE postgres TO "{{name}}";GRANT USAGE ON SCHEMA public TO "{{name}}";] | PostgreSQL Creation Statements |
--postgresql-revoke-statement[=REASSIGN OWNED BY "{{name}}" TO {{userHost}}; DROP OWNED BY "{{name}}"; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER "{{name}}";] | PostgreSQL Revocation Statement |
--enc-key-name | Encrypt producer with following key |
--ssl[=false] | Enable/Disable SSL [true/false] |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
--secure-access-db-schema | The db schema |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-rabbitmq
gateway-update-producer-rabbitmq
Updates RabbitMQ producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-rabbitmq \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-admin-user <RabbitMQ server user> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-s, --rabbitmq-server-uri | RabbitMQ server URI |
-c, --rabbitmq-user-conf-permission | User configuration permission, for example:[.*,queue-name] |
-w, --rabbitmq-user-write-permission | User write permission, for example:[.*,queue-name] |
-r, --rabbitmq-user-read-permission | User read permission, for example:[.*,queue-name] |
-a, --rabbitmq-admin-user | RabbitMQ server user |
-p, --rabbitmq-admin-pwd | RabbitMQ server password |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rabbitmq-user-vhost | User Virtual Host |
--rabbitmq-user-tags | Comma separated list of tags to apply to user |
--producer-encryption-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion |
--secure-access-url | Destination URL to inject secrets |
--secure-access-web[=true] | Enable Web Secure Remote Access |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-rdp
gateway-update-producer-rdp
Updates RDP producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-rdp \
--name <Dynamic Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password> \
--rdp-host-port <RDP host port (Default = 22)>
Parameters
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-g, --rdp-user-groups | RDP UserGroup name(s). Multiple values should be separated by comma |
-r, --rdp-host-name | RDP Host name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--rdp-admin-name | RDP Admin name |
--rdp-admin-pwd | RDP Admin Password |
--rdp-host-port[=22] | RDP Host port |
--fixed-user-only[=false] | Allow access using externally (IdP) provided username |
--producer-encryption-key-name | Encrypt producer with following key |
--warn-user-before-expiration | Display message to user before TTL expires (min) |
--allow-user-extend-session | Allow user to extend session periodically (min) |
--user-ttl[=60m] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-rdp-domain | Required when the Dynamic Secret is used for a domain user |
--secure-access-rdp-user | Override the RDP Domain username |
--secure-access-host | Target servers for connections., For multiple values repeat this flag |
--secure-access-allow-external-user[=false] | Allow providing external user for a domain users |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-redshift
gateway-update-producer-redshift
Updates Redshift producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-redshift \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-username <redshiftL user> \
--redshift-password <Redshift password> \
--redshift-host <Redshift host name (Default = 127.0.0.1)> \
--redshift-port <Redshift port (Default = 5439)> \
--redshift-statements "CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';"
--ssl "<fales|true>"
Parameters
| Parameters | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
--redshift-db-name | Redshift DB name |
-u, --gateway-url[=http://localhost:8000] | Gateway url |
--redshift-username | redshiftL user |
--redshift-password | Redshift password |
--redshift-host[=127.0.0.1] | Redshift host name |
--redshift-port[=5439] | Redshift port |
--redshift-statements[=CREATE USER "{{username}}" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{username}}";] | Redshift Creation Statements |
--ssl[=false] | Enable/Disable SSL [true/false] |
--enc-key-name | Encrypt producer with following key |
--user-ttl[=60m] | User TTL |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-host | Target DB servers for connections., For multiple values repeat this flag |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-snowflake
gateway-update-producer-snowflake
Updates Snowflake producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-update-producer-snowflake \
--name <New Secret Name> \
--new-name <Producer New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Wahehouse Name> \
--account-username <Snowflake account user name> \
--account-password <Snowflake account password> \
--db-name <The DB the generated credentials are restricted to>
Parameter
| Parameter | Description |
|---|---|
--new-name | Producer New name |
-n, --name | (Mandatory) Producer name |
--target-name | Name of existing target to use in producer creation |
-a, --account | Snowflake account name |
--account-username | Snowflake account user name |
--account-password | Snowflake account password |
-d, --db-name | The DB the generated credentials are restricted to |
--role | Role to be assigned to the generated credentials |
--warehouse | The warehouse the generated credentials are restricted to |
--snowflake-api-private-key | RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored |
--snowflake-api-private-key-file-name | The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored |
| --snowflake-api-private-key-passphrase` | The Private key passphrase |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--user-ttl[=24h] | User TTL |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-producer-tmp-creds
gateway-update-producer-tmp-creds
Update ttl of producer temporary credentials
Please note: mandatory values for this command: -n, --name, --tmp-creds-id, --new-ttl-min
Usage
akeyless gateway-update-producer-tmp-creds \
--name <Producer name> \
--tmp-creds-id <Temp Creds ID> \
--new-ttl-min <New TTL in Minutes> \
--gateway-url <API Gateway URL:8000> \
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-i, --tmp-creds-id | (Mandatory) Temp Creds ID |
-t, --new-ttl-min | (Mandatory) New TTL in Minutes |
-u, --gateway-url | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-delete-producer
gateway-delete-producer
Deletes producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-delete-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000> \
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-get-producer
gateway-get-producer
Get producer details
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-get-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-get-producer-tmp-creds
gateway-get-producer-tmp-creds
Get producer temporary credentials list
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-get-producer-tmp-creds \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token</code | The universal identity token, Required only for universal_identity authentication |
gateway-list-producers
gateway-list-producers
List available producers
Parameters
| Parameter | Description |
|---|---|
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-revoke-producer-tmp-creds
gateway-revoke-producer-tmp-creds
Revoke producer temporary credentials
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-revoke-producer-tmp-creds \
--name <Producer name> \
--tmp-creds-id <Temp Creds ID> \
--revoke-all <Revoke All Temp Creds> \
--gateway-url <API Gateway URL:8000> \
--soft-delete <Use soft-delete> \
--host <Host>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
--tmp-creds-id | Temp Creds ID |
--revoke-all | Revoke All Temp Creds |
-u, --gateway-url | API Gateway URL (Configuration Management port) |
--soft-delete | Use soft delete |
--host | Host |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token</code | The universal identity token, Required only for universal_identity authentication |
gateway-start-producer
gateway-start-producer
Starts producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-start-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-u, --gateway-url | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token</code | The universal identity token, Required only for universal_identity authentication |
gateway-stop-producer
gateway-stop-producer
Stops producer
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-stop-producer \
--name <Producer name> \
--gateway-url <API Gateway URL:8000>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Producer name |
-u, --gateway-url | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token</code | The universal identity token, Required only for universal_identity authentication |
Updated 8 days ago