CLI Reference - Targets

Managing Targets

assoc-target-item

Create an association between target and item

Usage
akeyless assoc-target-item \
--target-name <The target to associate> \
--name <The item to associate> \
--vault-name <Name of the vault used> \
--key-operations <List of allowed operations for the key>
Parameters
| Parameter | Description |
| --- | --- |
| -t, --target-name | (Mandatory) The target to associate |
| -n, --name | (Mandatory) The item to associate |
| --vault-name | Name of the vault used. (Relevant only for Classic Key and target association. Required for Azure targets) |
| --key-operations | A list of allowed operations for the key. (Relevant only for Classic Key and target association. Required for Azure targets) |
| --project-id | Project ID of the GCP KMS. (Relevant only for Classic Key and target association. Required for GCP targets) |
| --location-id | Location ID of the GCP KMS. (Relevant only for Classic Key and target association. Required for GCP targets) |
| --keyring-name | Keyring name of the GCP KMS. (Relevant only for Classic Key and target association. Required for GCP targets) |
| --purpose | Purpose of the key in GCP KMS. (Relevant only for Classic Key and target association. Required for GCP targets) |
| --kms-algorithm | Algorithm of the key in GCP KMS. (Relevant only for Classic Key and target association. Required for GCP targets) |
| --tenant-secret-type | The tenant secret type [Data/SearchIndex/Analytics]. (Relevant only for Classic Key and target association. Required for Salesforce targets) |
| --multi-region[=false] | Set to 'true' to create a multi-region managed key. (Relevant only for Classic Key AWS targets) |
| --regions | The list of regions in which to create a copy of the key. (Relevant only for Classic Key AWS targets). To specify multiple regions, use the argument multiple times: --regions us-east-1 --regions us-west-1 |

delete-assoc-target-item

Delete an association between target and item

Usage
akeyless delete-assoc-target-item \
--name <Item name> \
--assoc-id <Association id to be deleted. Not required if target name specified> \
--target-name <The target name with which association will be deleted>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Item name |
| --id, --assoc-id | The association id to be deleted. Not required if target name specified |
| -t, --target-name | The target name with which association will be deleted |

delete-target

Delete a target

Usage
akeyless delete-target \
--name <Target name> \
--target-version <Target Version>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -v, --target-version | Target version |
| --force-deletion[=false] | Delete target even if it has associated items |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The universal identity token. Required only for universal_identity authentication |

delete-targets

Delete multiple targets from a given path

Usage
akeyless delete-targets \
--path <Path to delete the targets from>
Parameters
| Parameter | Description |
| --- | --- |
| -p, --path | (Mandatory) Path to delete the targets from |
| --force-deletion[=false] | Delete target even if it has associated items |

get-target

Get target

Usage
akeyless get-target --name <Target name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --show-versions[=false] | Include all target versions in reply |

get-target-details

Get target details

Usage
akeyless get-target-details --name <Target Name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -v, --target-version | Target version |
| --show-versions[=false] | Include all target versions in reply |

list-targets

List of all targets in the account

Parameters
| Parameter | Description |
| --- | --- |
| --filter | Filter by target name or part of it |
| -t, --type | The target types list of the requested targets. In case it is empty, all types of targets will be returned. Options: [hanadb cassandra aws ssh gke eks mysql mongodb snowflake mssql redshift artifactory azure rabbitmq k8s venafi gcp oracle dockerhub ldap github chef web salesforce postgres] |
| --pagination-token | Next page reference |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The universal identity token. Required only for universal_identity authentication |

Creating Targets

create-aws-target

Creates a new AWS target

Usage
akeyless create-aws-target \
--name <Target name> \
--access-key-id <AWS access key ID> \
--access-key <AWS secret access key> \
--region <AWS region>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --access-key-id | (Mandatory) AWS access key ID |
| --access-key | (Mandatory) AWS secret access key |
| --session-token | Required only for temporary security credentials retrieved using STS |
| --region[=us-east-2] | AWS region |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-azure-target

Creates a new Azure target

Usage
akeyless create-azure-target \
--name <Target name> \
--client-id <Azure client/application id> \
--client-secret <Azure client secret> \
--tenant-id <Azure tenant id>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --client-id | (Mandatory) Azure client/application id |
| --tenant-id | Azure tenant id |
| --client-secret | (Mandatory) Azure client secret |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --subscription-id | Azure Subscription Id |
| --resource-group-name | The Resource Group name in your Azure Subscription |
| --resource-name | The name of the relevant Resource |
| -k, --key | Key name. The key is used to encrypt the target secret value. If the key name is not specified, the account default protection key is used |
| --description | Target description |

create-db-target

Creates a new DB target

Usage
akeyless create-db-target \
--name <Target name> \
--db-type <mysql/mssql/hanadb/postgres/mongodb/snowflake/oracle/cassandra/redshift/redis> \
--user-name <Database user name> \
--host <Database host> \
--pwd <Database password> \
--port <Database port> \
--db-name <Database name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --db-type | (Mandatory) Database type: mysql/mssql/hanadb/postgres/mongodb/snowflake/oracle/cassandra/redshift/redis |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If the key name is not specified, the account default protection key is used |
| --user-name | Database user name |
| --host | Database host |
| --pwd | Database password |
| --port | Database port |
| --db-name | Database name |
| --snowflake-api-private-key | RSA Private key (base64 encoded) |
| --snowflake-api-private-key-file-name | The path to the file containing the private key |
| --snowflake-api-private-key-passphrases | The Private key passphrase |
| --db-server-certificates | Set of root certificate authorities in base64 encoding used by clients to verify server certificates |
| --db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
| --azure-client-id | Azure client id (relevant for "cloud-service-provider" only) |
| --azure-tenant-id | Azure tenant id (relevant for "cloud-service-provider" only) |
| --azure-client-secret | Azure client secret (relevant for "cloud-service-provider" only) |
| --cloud-service-provider | Cloud service provider (currently only supports Azure) |
| --connection-type[=credentials] | Type of connection to mssql database [credentials/cloud-identity] |
| --ssl[=false] | Enable/Disable SSL [true/false] |
| --ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
| --snowflake-account | Snowflake account name |
| --oracle-service-name | Oracle DB service name |
| --mongodb-atlas | Flag, set database type to "mongodb" and the flag to "true" to create Mongo Atlas target |
| --mongodb-default-auth-db | MongoDB server default authentication database |
| --mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB) |
| --mongodb-atlas-project-id | MongoDB Atlas project ID |
| --mongodb-atlas-api-public-key | MongoDB Atlas public key |
| --mongodb-atlas-api-private-key | MongoDB Atlas private key |
| --description | Target description |

create-eks-target

Creates a new EKS target

Usage
akeyless create-eks-target \
--name <Target name> \
--eks-cluster-name <EKS cluster name> \
--eks-cluster-endpoint <EKS cluster endpoint> \
--eks-cluster-ca-cert <EKS cluster base-64 encoded certificate> \
--eks-access-key-id <EKS access key ID> \
--eks-secret-access-key <EKS secret access key> \
--eks-region <EKS region> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -e, --eks-cluster-name | (Mandatory) EKS cluster name |
| -c, --eks-cluster-endpoint | (Mandatory) EKS cluster endpoint (i.e., https:// of the cluster) |
| -t, --eks-cluster-ca-cert | (Mandatory) EKS cluster base-64 encoded certificate |
| -i, --eks-access-key-id | EKS access key ID |
| -s, --eks-secret-access-key | EKS secret access key |
| -g, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --eks-region[=us-east-2] | EKS region |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used. |
| --description | Target description |

create-gcp-target

Creates a new GCP target

Usage
akeyless create-gcp-target \
--name <Target name> \
--gcp-key-file-path <Path to file with the base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--use-gw-cloud-identity <Use the GWs Cloud IAM> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --gcp-key-file-path | Path to file with the base64-encoded service account private key |
| --gcp-key | Base64-encoded service account private key text |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-gke-target

Creates a new GKE target

Usage
akeyless create-gke-target \
--name <Target name> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-cluster-name <GKE cluster name> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -a, --gke-account-email | GKE service account email |
| -e, --gke-cluster-endpoint | GKE cluster endpoint, i.e., cluster URI https://<DNS/IP> |
| -c, --gke-cluster-ca-cert | GKE Base-64 encoded cluster certificate |
| --gke-account-key-file-path | File path to GKE service account key |
| --gke-cluster-name | GKE cluster name |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --description | Target description |

create-k8s-target

Creates a new K8S target

Usage
akeyless create-k8s-target \
--name <Target name> \
--k8s-cluster-endpoint <K8S Cluster endpoint> \
--k8s-cluster-ca-cert <K8S Cluster certificate> \
--k8s-cluster-token <K8S Cluster authentication token> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -e, --k8s-cluster-endpoint | (Mandatory) K8S Cluster endpoint. https:// , <DNS / IP> of the cluster |
| -c, --k8s-cluster-ca-cert | (Mandatory) K8S Cluster certificate. Base 64 encoded certificate |
| -t, --k8s-cluster-token | (Mandatory) K8S Cluster authentication token |
| -i, --use-gw-service-account | Use GW's service account. Boolean; when provided, only name is required |
| --k8s-auth-type[=token] | K8S auth type, [token/certificate] |
| --k8s-client-certificate | Content of the k8s client certificate (PEM format) in a Base64 format |
| --k8s-client-certificate-file | Path to a file that contains the k8s client private key in PEM format |
| --k8s-client-key | Content of the k8s client private key (PEM format) in a Base64 format |
| --k8s-client-key-file | Path to a file that contains the k8s client private key in PEM format |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used. |
| --description | Description of the object |

create-rabbitmq-target

Creates a new RabbitMQ target

Usage
akeyless create-rabbitmq-target \
--name <Target name> \
--user <RabbitMQ server user> \
--uri <RabbitMQ server URI> \
--pwd <RabbitMQ server password> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --user | (Mandatory) RabbitMQ server user |
| --pwd | RabbitMQ server password |
| --uri | (Mandatory) RabbitMQ server URI |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-ssh-target

Creates a new SSH target

Usage
akeyless create-ssh-target \
--name <Target name> \
--host <SSH host name> \
--port <SSH port (Default = 22)> \
--ssh-username <SSH username> \
--ssh-password <SSH password to rotate> \
--private-key-path <SSH private key file path> \
--private-key <SSH private key> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --description | Target description |
| --host | SSH host name |
| --port[=22] | SSH port |
| --ssh-username | SSH username |
| --ssh-password | SSH password to rotate |
| --private-key-path | SSH private key file path |
| --private-key | SSH private key |
| --private-key-password | SSH private key password |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |

create-web-target

Creates a new web target

Usage
akeyless create-web-target \
--name <Target name> \
--url <Web target URL> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -u, --url | (Mandatory) Web target URL |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-artifactory-target

Creates a new Artifactory target

Usage
akeyless create-artifactory-target \
--name <Target name> \
--base-url <Artifactory REST URL, must end with artifactory postfix> \
--artifactory-admin-name <Admin name> \
--artifactory-admin-pwd <Admin API Key/Password> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -b, --base-url | (Mandatory) Artifactory REST URL, must end with artifactory postfix |
| -a, --artifactory-admin-name | (Mandatory) Admin name |
| -p, --artifactory-admin-pwd | (Mandatory) Admin API Key/Password |
| -k, --key | The name of a key used to encrypt the target secret value (if empty, the account default protection key will be used) |
| --description | Target description |

create-ping-target

Creates a new Ping target

Usage
akeyless create-ping-target \
--name <Target name> \
--ping-url <Ping url> \
--privileged-user <Username> \
--password <Password>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -u, --ping-url | (Mandatory) Ping URL |
| -s, --privileged-user | (Mandatory) Privileged user name |
| -p, --password | (Mandatory) Privileged user password |
| -i, --administrative-port[=9999] | Ping Federate administrative port |
| -j, --authorization-port[=9031] | Ping Federate authorization port |
| -k, --key | The name of a key used to encrypt the target secret value (if empty, the account default protection key will be used) |
| --description | Target description |

create-ldap-target

Creates a new LDAP target

Usage
akeyless create-ldap-target \
--name <Target name> \
--ldap-url <LDAP Server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password for LDAP Bind DN> \
--server-type <Set LDAP server type (Default = OpenLDAP)> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--token-expiration <token-expiration> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -l, --ldap-url | (Mandatory) LDAP Server URL |
| -b, --bind-dn | (Mandatory) LDAP Bind DN |
| -p, --bind-dn-password | (Mandatory) Password for LDAP Bind DN |
| -s, --server-type[=OpenLDAP] | Set LDAP server type. Options: [OpenLDAP, ActiveDirectory]. Default is OpenLDAP |
| -t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate |
| --token-expiration | --token-expiration |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-github-target

Creates a new GitHub target

Usage
akeyless create-github-target \
--name <Target name> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key (base64 encoded key)> \
--github-base-url <GitHub base URL (Default = https://api.github.com/)> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --github-app-id | GitHub application id |
| --github-app-private-key | GitHub application private key (base64 encoded key) |
| --github-base-url[=https://api.github.com/] | GitHub base URL |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used. |

create-dockerhub-target

Creates a new Docker Hub target

Usage
akeyless create-dockerhub-target \
--name <Target name> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --dockerhub-username | (Mandatory) Username for docker repository |
| --dockerhub-password | (Mandatory) Password for docker repository |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-salesforce-target

Creates a new Salesforce target

Usage
akeyless create-salesforce-target \
--name <Target name> \
--tenant-url <Url of the Salesforce tenant> \
--client-id <Client ID of the oauth2 app to use for connecting to Salesforce> \
--email <The email of the user attached to the oauth2 app used for connecting to Salesforce> \
--auth-flow <Type of the auth flow ('jwt' / 'user-password')> \
--client-secret <Client secret of the oauth2 app to use for connecting to Salesforce>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -u, --tenant-url | (Mandatory) URL of the Salesforce tenant |
| -i, --client-id | (Mandatory) Client ID of the oauth2 app to use for connecting to Salesforce |
| -e, --email | (Mandatory) The email of the user attached to the oauth2 app used for connecting to Salesforce |
| -a, --auth-flow | (Mandatory) Type of the auth flow ('jwt' / 'user-password') |
| -s, --client-secret | Client secret of the oauth2 app to use for connecting to Salesforce (required for password flow) |
| -f, --app-private-key-file-name | Name of the file containing a PEM private key of the connected app (relevant for JWT auth only) |
| --app-private-key-data | Base64 encoded PEM of the connected app private key (relevant for JWT auth only) |
| -p, --password | The password of the user attached to the oauth2 app used for connecting to Salesforce (required for user-password flow) |
| -o, --security-token | The security token of the user attached to the oauth2 app used for connecting to Salesforce (required for user-password flow) |
| --ca-cert-file-name | Name of a file containing a PEM certificate to use when uploading a new key to Salesforce |
| --ca-cert-data | Base64 encoded PEM cert to use when uploading a new key to Salesforce. Used if file name was not provided. |
| --ca-cert-name | Name of the certificate in the Salesforce tenant to use when uploading a new key |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --description | Target description |

create-linked-target

Creates a new Linked Target which can inherit credentials from existing Targets

Usage
akeyless create-linked-target \
-n <linked target name> \
-p <parent target> \
-s <hosts>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the linked target |
| -s, --hosts | (Mandatory) A comma-separated list of server hosts and server descriptions joined by a semicolon ';' (i.e. 'server-dev.com;My Dev server,server-prod.com;My Prod server description') |
| -p, --parent-target-name | (Mandatory) The parent Target name from which to inherit credentials |
| --description | Description of the object |
| --profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| --uid-token | The universal identity token. Required only for universal_identity authentication |
| -h, --help | Display help information |
| --json[=false] | Set output format to JSON |
| --jq-expression | JQ expression to filter result output |
| --no-creds-cleanup[=false] | Do not clean local temporary expired creds |
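
The --hosts value packs two delimiters into one string, so a stray ',' or ';' in a description silently changes which hosts are linked to the parent target's credentials. The following shell helpers are an added example, not part of the Akeyless documentation or CLI: build_hosts_arg assembles the value from host/description pairs and validate_hosts_arg checks an existing value. The function names are hypothetical, and the checks assume a strict reading of the documented format (no escaping of ',' or ';', every host has a description); the CLI itself may be more lenient.

```shell
# Added example: helpers for the --hosts value of create-linked-target.
# Assumption: ',' and ';' cannot be escaped, so neither may appear inside
# a host or a description.

# build_hosts_arg HOST DESCRIPTION [HOST DESCRIPTION ...]
# Prints "host;desc,host;desc,..." or fails without printing anything.
build_hosts_arg() {
  if [ "$#" -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
    echo "build_hosts_arg: expected HOST DESCRIPTION pairs" >&2
    return 2
  fi
  out=""
  while [ "$#" -gt 0 ]; do
    host=$1; desc=$2; shift 2
    case $host in
      ""|*","*|*";"*|*" "*)
        echo "invalid host '$host'" >&2; return 1 ;;
    esac
    case $desc in
      *","*|*";"*)
        echo "description for '$host' contains ',' or ';'" >&2; return 1 ;;
    esac
    out="${out:+$out,}$host;$desc"
  done
  printf '%s\n' "$out"
}

# validate_hosts_arg VALUE
# Prints the number of host entries if VALUE is well-formed, else fails.
validate_hosts_arg() {
  rest="$1,"   # sentinel comma so every entry, including the last, ends with one
  count=0
  while [ -n "$rest" ]; do
    entry=${rest%%,*}
    rest=${rest#*,}
    case $entry in
      *";"*) host=${entry%%";"*}; desc=${entry#*";"} ;;
      *) echo "entry '$entry' is not host;description" >&2; return 1 ;;
    esac
    case $host in
      ""|*" "*) echo "invalid host in entry '$entry'" >&2; return 1 ;;
    esac
    case $desc in
      *";"*) echo "extra ';' in entry '$entry'" >&2; return 1 ;;
    esac
    count=$((count + 1))
  done
  echo "$count"
}

# Typical use (flags as documented above; names are placeholders):
#   hosts=$(build_hosts_arg server-dev.com "My Dev server") || exit 1
#   akeyless create-linked-target -n <linked target name> -p <parent target> -s "$hosts"
```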

create-windows-target

Creates a new Windows Target

Usage
akeyless create-windows-target \
-n <Windows target name> \
-s <hostname> \
-u <username> \
-p <password>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the Windows target |
| -s, --hostname | (Mandatory) Server hostname or IP Address |
| -u, --username | (Mandatory) Privileged username |
| -p, --password | (Mandatory) Privileged user password |
| -d, --domain | User domain name |
| -r, --port[=5986] | Windows Server WinRM port, by default set to 5986 for HTTPS |
| --use-tls[=true] | Enable/Disable TLS for WinRM over HTTPS [true/false] |
| --certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
| -k, --key | Key name. The key is used to encrypt the target secret value. If the key name is not specified, the account default protection key is used |
| --description | Description of the object |

create-zerossl-target

Creates a new ZeroSSL Target

Usage
akeyless create-zerossl-target \
--name <Target Name> \
--api-key <API Key of the ZeroSSLTarget account> \
--imap-username <Username to access the IMAP service> \
--imap-password <Password to access the IMAP service> \
--imap-fqdn <FQDN of the IMAP service> \
--imap-validation-email <Email address to send the validation email>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the ZeroSSL target |
| --api-key | (Mandatory) ZeroSSL API Key, can be found under your ZeroSSL account in the Developer section |
| --imap-username | (Mandatory) An email address of the user registered to the IMAP service |
| --imap-password | (Mandatory) IMAP APP-Password |
| --imap-fqdn | (Mandatory) IMAP FQDN, for example: imap.gmail.com |
| --imap-validation-email | The domain owner email address that certificate validation mail will be sent to, needs to be one of the following: [email protected], [email protected], [email protected], [email protected], [email protected] |
| --timeout[=5m] | Timeout for certificate validation. |
| --imap-port[=993] | Port of the IMAP service |
| -k, --key | Key name. The key will be used to encrypt the target item. |
| --description | Description of the object |

create-globalsign-target

Creates a new GlobalSign Target

Usage
akeyless create-globalsign-target \
--name <Target Name> \
--username <Username> \
--password <Password> \
--profile-id <Profile ID> \
--contact-first-name <Domain owner first name> \
--contact-last-name <Domain owner last name> \
--contact-phone <Domain owner Telephone> \
--contact-email <Domain owner Email>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the GlobalSign target |
| -u, --username | (Mandatory) Username of the GlobalSign GCC account |
| -p, --password | (Mandatory) Password of the GlobalSign GCC account |
| -i, --profile-id | (Mandatory) Profile ID of the GlobalSign GCC account |
| -f, --contact-first-name | (Mandatory) First name of the GlobalSign GCC account contact |
| -l, --contact-last-name | (Mandatory) Last name of the GlobalSign GCC account contact |
| --contact-phone | (Mandatory) Telephone of the GlobalSign GCC account contact |
| -e, --contact-email | (Mandatory) Email of the GlobalSign GCC account contact |
| --timeout[=5] | Timeout for certificate validation. |
| -k, --key | Key name. The key will be used to encrypt the target item. |
| --description | Description of the object |

create-globalsign-atlas-target

Creates a new GlobalSign Atlas target

Usage
akeyless create-globalsign-atlas-target \
--name <Target Name> \
--api-key <GlobalSign Atlas API Key> \
--api-secret <GlobalSign Atlas API Secret>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target Name |
| -a, --api-key | (Mandatory) API Key of the GlobalSign Atlas account |
| -s, --api-secret | (Mandatory) API Secret of the GlobalSign Atlas account |
| --mtls-cert-file-path | Path to the Mutual TLS Certificate of the GlobalSign Atlas account, either mtls-cert-file-path or mtls-cert-data-base64 must be supplied |
| --mtls-cert-data-base64 | Mutual TLS Certificate contents of the GlobalSign Atlas account encoded in base64, either mtls-cert-file-path or mtls-cert-data-base64 must be supplied |
| --mtls-key-file-path | Path to the Mutual TLS Key of the GlobalSign Atlas account, either mtls-key-file-path or mtls-key-data-base64 must be supplied |
| --mtls-key-data-base64 | Mutual TLS Key contents of the GlobalSign Atlas account encoded in base64, either mtls-key-file-path or mtls-key-data-base64 must be supplied |
| --timeout[=5m] | Timeout waiting for certificate validation |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |

Updating Targets

update-target-details

Update target details

Parameters

| Parameter | Description |
| --- | --- |
| -h, --help | Display help information |

update-artifactory-target

Updates an existing Artifactory target

Usage
akeyless update-artifactory-target \
--name <Target name> \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Admin name> \
--artifactory-admin-pwd <Admin API Key/Password> \
--new-name <New target name> \
--key <Key name>

Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| -b, --base-url | (Mandatory) Artifactory REST URL, must end with artifactory postfix |
| -a, --artifactory-admin-name | (Mandatory) Admin name |
| -p, --artifactory-admin-pwd | (Mandatory) Admin API Key/Password |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options: [true, false]. If not set, use default according to account settings |

update-aws-target

Updates an existing AWS target

Usage
akeyless update-aws-target \
--name <Target name> \
--new-name <New target name> \
--access-key-id <AWS access key ID> \
--access-key <AWS secret access key> \
--region <AWS region (Default = us-east-2)> \
--use-gw-cloud-identity <Use the GWs Cloud IAM> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| --access-key-id | AWS access key ID |
| --access-key | AWS secret access key |
| --session-token | Required only for temporary security credentials retrieved using STS |
| --region[=us-east-2] | AWS region |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options: [true, false]. If not set, use default according to account settings |

update-azure-target

Updates an existing Azure target

Usage
akeyless update-azure-target \
--name <Target name> \
--new-name <New target name> \
--client-id <Azure client/application id> \
--tenant-id <Azure tenant id> \
--client-secret <Azure client secret> \
--use-gw-cloud-identity <Use the GWs Cloud IAM> \
--subscription-id <Azure Subscription Id> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| --client-id | Azure client/application id |
| --tenant-id | Azure tenant id |
| --client-secret | Azure client secret |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --subscription-id | Azure Subscription Id |
| --resource-group-name | The Resource Group name in your Azure Subscription |
| --resource-name | The name of the relevant Resource |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options: [true, false]. If not set, use default according to account settings |

update-db-target

Updates an existing DB target

Usage
akeyless update-db-target \
--name <Target name> \
--db-type <mysql/mssql/postgres/mongodb/snowflake/cassandra/oracle/redshift/redis> \
--new-name <New target name> \
--user-name <Database user name> \
--host <Database host> \
--pwd <Database password> \
--port <Database port> \
--db-name <Database name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -t, --db-type | (Mandatory) Database type: mysql/mssql/postgres/mongodb/snowflake/cassandra/oracle/redshift/redis |
| --new-name | New target name |
| --description | Target description |
| --user-name | Database user name |
| --host | Database host |
| --pwd | Database password |
| --port | Database port |
| --db-name | Database name |
| --db-server-certificates | Set of root certificate authorities in base64 encoding used by clients to verify server certificates |
| --db-server-name | Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address |
| --snowflake-account | Snowflake account name |
| --mongodb-atlas | Flag, set database type to "mongodb" and the flag to "true" to create Mongo Atlas target |
| --mongodb-default-auth-db | MongoDB server default authentication database |
| --mongodb-uri-options | MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB) |
| --mongodb-atlas-project-id | MongoDB Atlas project ID |
| --mongodb-atlas-api-public-key | MongoDB Atlas public key |
| --mongodb-atlas-api-private-key | MongoDB Atlas private key |
| --ssl[=false] | Enable/Disable SSL [true/false] |
| --ssl-certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options: [true, false]. If not set, use default according to account settings |

update-eks-target

Updates an existing EKS target

Usage

akeyless update-eks-target \
--name <Target Name> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster Endpoint> \
--eks-cluster-ca-cert <EKS Cluster Certificate> \
--eks-access-key-id <EKS Access ID> \
--eks-secret-access-key <EKS Secret Access Key> \
--new-name <New target name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -c, --eks-cluster-name | (Mandatory) EKS cluster name |
| -e, --eks-cluster-endpoint | (Mandatory) EKS cluster endpoint (i.e., https:// of the cluster) |
| -r, --eks-cluster-ca-cert | (Mandatory) EKS cluster base-64 encoded certificate |
| -i, --eks-access-key-id | (Mandatory) EKS access key ID |
| -s, --eks-secret-access-key | (Mandatory) EKS secret access key |
| -g, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --new-name | New target name |
| --description | Target description |
| --eks-region[=us-east-2] | EKS region |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options: [true, false]. If not set, use default according to account settings |

update-gcp-target

Update an existing gcp target

Please note: mandatory values for this command: -n, --name

Usage

akeyless update-gcp-target \
--name <Target Name> \
--new-name <New target name> \
--gcp-key-file-path <Path to file with the base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--use-gw-cloud-identity <Use the GWs Cloud IAM> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| --gcp-key-file-path | Path to file with the base64-encoded service account private key |
| --gcp-key | Base64-encoded service account private key text |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-gke-target

Updates an existing gke target

Usage

akeyless update-gke-target \
--name <Target Name> \
--new-name <New target name> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -a, --gke-account-email | GKE service account email |
| -e, --gke-cluster-endpoint | GKE cluster endpoint, i.e., cluster URI https://<DNS/IP> |
| -c, --gke-cluster-ca-cert | GKE Base-64 encoded cluster certificate |
| --gke-account-key-file-path | File path to GKE service account key |
| --gke-account-key | GKE service account key |
| --gke-cluster-name | GKE cluster name |
| --new-name | New target name |
| -i, --use-gw-cloud-identity | Use the GW's Cloud IAM |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-k8s-target

Updates an existing k8s target

Usage
akeyless update-k8s-target \
--name <Target Name> \
--k8s-cluster-endpoint <K8S Cluster endpoint> \
--k8s-cluster-ca-cert <K8S Cluster certificate> \
--k8s-cluster-token <K8S Cluster authentication token> \
--new-name <New target name> 
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -e, --k8s-cluster-endpoint | (Mandatory) K8S cluster endpoint: https://<DNS/IP> of the cluster |
| -c, --k8s-cluster-ca-cert | (Mandatory) K8S cluster certificate. Base64-encoded certificate |
| -t, --k8s-cluster-token | (Mandatory) K8S cluster authentication token |
| -i, --use-gw-service-account | Use the GW's service account |
| --k8s-auth-type[=token] | K8S auth type, [token/certificate] |
| --k8s-client-certificate | Content of the k8s client certificate (PEM format) in a Base64 format |
| --k8s-client-certificate-file | Path to a file that contains the k8s client certificate in PEM format |
| --k8s-client-key | Content of the k8s client private key (PEM format) in a Base64 format |
| --k8s-client-key-file | Path to a file that contains the k8s client private key in PEM format |
| --new-name | New target name |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-rabbitmq-target

Update an existing rabbitmq target

Usage
akeyless update-rabbitmq-target \
--name <Target Name> \
--new-name <New target name> \
--user <RabbitMQ server user> \
--pwd <RabbitMQ server password> \
--uri <RabbitMQ server URI> \
--key <Key name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| --user | RabbitMQ server user |
| --pwd | RabbitMQ server password |
| --uri | RabbitMQ server URI |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-ssh-target

Update an existing ssh target

Usage
akeyless update-ssh-target \
--name <Target Name> \
--new-name <New target name> \
--host <SSH host name> \
--port <SSH port (Default = 22)> \
--ssh-username <SSH username> \
--ssh-password <SSH password to rotate> \
--private-key-path <SSH private key file path> \
--private-key <SSH private key>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| --host | SSH host name |
| --port[=22] | SSH port |
| --ssh-username | SSH username |
| --ssh-password | SSH password to rotate |
| --private-key-path | SSH private key file path |
| --private-key | SSH private key |
| --private-key-password | SSH private key password |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-target

Update target

Usage
akeyless update-target \
--name <Target Name> \
--new-name <New target name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description[=default_description] | New target description. If none is given, the existing description will remain |

update-web-target

Update an existing web target

Usage
akeyless update-web-target \
--name <Target Name> \
--new-name <New target name> \
--url <Web target URL>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --description | Target description |
| -u, --url | Web target URL |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-salesforce-target

Updates the Salesforce target

Usage
akeyless update-salesforce-target \
--name <Target name> \
--tenant-url <URL of the Salesforce tenant> \
--client-id <Client ID of the oauth2 app to use for connecting to Salesforce> \
--email <The email of the user attached to the oauth2 app used for connecting to Salesforce> \
--auth-flow <type of the auth flow ('jwt' / 'user-password')> \
--new-name <New target name> \
--client-secret <Client secret of the oauth2 app to use for connecting to Salesforce>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| -u, --tenant-url | (Mandatory) URL of the Salesforce tenant |
| -i, --client-id | (Mandatory) Client ID of the oauth2 app to use for connecting to Salesforce |
| -e, --email | (Mandatory) The email of the user attached to the oauth2 app used for connecting to Salesforce |
| -a, --auth-flow | (Mandatory) Type of the auth flow ('jwt' / 'user-password') |
| -s, --client-secret | Client secret of the oauth2 app to use for connecting to Salesforce (required for password flow) |
| -f, --app-private-key-file-name | Name of the file containing a PEM private key of the connected app (relevant for JWT auth only) |
| --app-private-key-data | Base64 encoded PEM of the connected app private key (relevant for JWT auth only) |
| -p, --password | The password of the user attached to the oauth2 app used for connecting to Salesforce (required for user-password flow) |
| -o, --security-token | The security token of the user attached to the oauth2 app used for connecting to Salesforce (required for user-password flow) |
| --ca-cert-file-name | Name of a file containing a PEM certificate to use when uploading a new key to Salesforce |
| --ca-cert-data | Base64 encoded PEM cert to use when uploading a new key to Salesforce. Used if file name was not provided. |
| --ca-cert-name | Name of the certificate in the Salesforce tenant to use when uploading a new key |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-dockerhub-target

Updates an existing dockerhub target

Usage
akeyless update-dockerhub-target \
--name <Target Name> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository> \
--new-name <New target name>

Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --dockerhub-username | (Mandatory) Username for docker repository |
| --dockerhub-password | (Mandatory) Password for docker repository |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-github-target

Updates an existing github target

Usage
akeyless update-github-target \
--name <Target Name> \
--new-name <New target name> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key> \
--github-base-url <Github base url (Default = https://api.github.com)>

Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| --new-name | New target name |
| --github-app-id | Github application id |
| --github-app-private-key | Github application private key (base64 encoded key) |
| --github-base-url[=https://api.github.com/] | Github base url |
| --description | Target description |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-ldap-target

Updates an existing ldap target

Usage
akeyless update-ldap-target \
--name <Target Name> \
--ldap-url <LDAP Server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password for LDAP Bind DN> \
--new-name <New target name> \
--server-type <Set Ldap server type, Options:[OpenLDAP, ActiveDirectory]>

Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -l, --ldap-url | (Mandatory) LDAP Server URL |
| -b, --bind-dn | (Mandatory) LDAP Bind DN |
| -p, --bind-dn-password | (Mandatory) Password for LDAP Bind DN |
| -s, --server-type | Set Ldap server type, Options:[OpenLDAP, ActiveDirectory] |
| --new-name | New target name |
| --description | Target description |
| -t, --ldap-ca-cert | LDAP base-64 encoded CA Certificate |
| --token-expiration | LDAP token expiration in seconds |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --update-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |

update-linked-target

Update an existing Linked Target

Usage
akeyless update-linked-target \
--name <linked target name> \
--new-name <new name> \
--parent-target-name <parent target> \
--hosts <hosts>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) The name of the existing Linked Target |
| --new-name | New name for the Linked Target |
| -s, --hosts | A comma-separated list of server hosts and server descriptions joined by a semicolon ';' (e.g. 'server-dev.com;My Dev server,server-prod.com;My Prod server description') |
| -p, --parent-target-name | The parent Target name from which to inherit credentials |
| --description | Description of the object |

update-windows-target

Update an existing Windows Target

Usage
akeyless update-windows-target \
--name <Windows target name> \
--hostname <hostname> \
--username <username> \
--password <password> \
--new-name <new name> 
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the Windows target |
| --new-name | New name for the Windows Target |
| -s, --hostname | (Mandatory) Server hostname or IP Address |
| -u, --username | (Mandatory) Privileged username |
| -p, --password | (Mandatory) Privileged user password |
| -d, --domain | User domain name |
| -r, --port[=5986] | Server WinRM port |
| --use-tls[=true] | Enable/Disable TLS for WinRM over HTTPS [true/false] |
| --certificate | SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA) |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |
| --description | Description of the object |

update-zerossl-target

Update an existing ZeroSSL Target

Usage
akeyless update-zerossl-target \
--name <Target Name> \
--api-key <API Key of the ZeroSSLTarget account> \
--imap-username <Username to access the IMAP service> \
--imap-password <Password to access the IMAP service> \
--imap-fqdn <FQDN of the IMAP service> \
--imap-validation-email <Email address to send the validation email> \
--new-name <New Name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Name for the ZeroSSL target |
| --api-key | (Mandatory) ZeroSSL API Key, can be found under your ZeroSSL account in the Developer section |
| --imap-username | (Mandatory) An email address of the user registered to the IMAP service |
| --imap-password | (Mandatory) IMAP app password. For example, on Gmail, under Settings -> Security, click 2-Step Verification and generate an app password (2-Step Verification must be enabled) |
| --imap-fqdn | (Mandatory) IMAP FQDN, for example imap.gmail.com |
| --imap-validation-email | The domain owner email address that the certificate validation mail will be sent to. Needs to be one of the following: [email protected], [email protected], [email protected], [email protected], [email protected] |
| --imap-port[=993] | Port of the IMAP service |
| --new-name | New target name |
| -k, --key | Key name. The key will be used to encrypt the target secret value |
| --keep-prev-version | Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings |
| --description | Description of the object |

update-globalsign-target

Update an existing GlobalSign Target

Usage
akeyless update-globalsign-target \
--name <Target Name> \
--username <Username> \
--password <Password> \
--profile-id <Profile ID> \
--contact-first-name <Account owner first name> \
--contact-last-name <Account owner last name> \
--contact-phone <Account owner Telephone> \
--contact-email <Account owner email> \
--new-name <New Name>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target name |
| -u, --username | (Mandatory) Username of the GlobalSign GCC account |
| -p, --password | (Mandatory) Password of the GlobalSign GCC account |
| -i, --profile-id | (Mandatory) Profile ID of the GlobalSign GCC account |
| -f, --contact-first-name | (Mandatory) First name of the GlobalSign GCC account contact |
| -l, --contact-last-name | (Mandatory) Last name of the GlobalSign GCC account contact |
| --contact-phone | (Mandatory) Telephone of the GlobalSign GCC account contact |
| -e, --contact-email | (Mandatory) Email of the GlobalSign GCC account contact |
| --timeout[=5] | Timeout waiting for certificate validation |
| --new-name | New target name |
| -k, --key | Key name. The key will be used to encrypt the target secret value |
| --keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |
| --description | Description of the object |

update-globalsign-atlas-target

Updates an existing GlobalSignAtlas target

Usage
akeyless update-globalsign-atlas-target \
--name <Target Name> \
--api-key <GlobalSign Atlas API Key> \
--api-secret <GlobalSign Atlas API Secret>
Parameters
| Parameter | Description |
| --- | --- |
| -n, --name | (Mandatory) Target Name |
| -a, --api-key | (Mandatory) API Key of the GlobalSign Atlas account |
| -s, --api-secret | (Mandatory) API Secret of the GlobalSign Atlas account |
| --mtls-cert-file-path | Path to the Mutual TLS Certificate of the GlobalSign Atlas account. Either mtls-cert-file-path or mtls-cert-data-base64 must be supplied |
| --mtls-cert-data-base64 | Mutual TLS Certificate contents of the GlobalSign Atlas account encoded in base64. Either mtls-cert-file-path or mtls-cert-data-base64 must be supplied |
| --mtls-key-file-path | Path to the Mutual TLS Key of the GlobalSign Atlas account. Either mtls-key-file-path or mtls-key-data-base64 must be supplied |
| --mtls-key-data-base64 | Mutual TLS Key contents of the GlobalSign Atlas account encoded in base64. Either mtls-key-file-path or mtls-key-data-base64 must be supplied |
| --timeout[=5] | Timeout waiting for certificate validation |
| --new-name | New Target Name |
| -k, --key | Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used |