CLI Reference - Authentication

📘

NOTE

Looking for a specific command? Use the Table of Contents on the right. ===>

Authentication

auth

Authenticates to the service and returns a token to be used as a profile to execute the CLI without the need for re-authentication.

Usage
akeyless auth --<Auth Method>
Parameters

Parameter

Description

--access-id

Akeyless Access ID.

--access-type[=access_key]

Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt/gcp).

--access-key

Access key (relevant only for access-type=access_key).

--cloud-id

The cloud identity (relevant only for access-type=azure_ad,aws_iam,gcp).

--uid_token

The universal_identity token (relevant only for access-type=universal_identity).

--jwt

The JSON Web Token (relevant only for access-type=jwt/oidc).

--admin-password

Password (relevant only for access-type=password).

--admin-email

Email (relevant only for access-type=password).

--ldap_proxy_url

Address URL for LDAP proxy (relevant only for access-type=ldap).

--username

LDAP username (relevant only for access-type=ldap).

--password

LDAP password (relevant only for access-type=ldap).

--gcp-audience[=akeyless.io]

GCP audience to use in signed JWT (relevant only for access-type=gcp).

create-auth-method

Creates a new Authentication Method object in the Account.

Usage
akeyless create-auth-method -n <Auth Method>
Parameters

Parameter

Description

-n, --name

The name of the created Authentication Method object.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR whitelist with the IPs that the access is restricted to.

create-auth-method-azure-ad

Creates a new Authentication Method object that will allow the user to authenticate using Azure Active Directory credentials.

Usage
akeyless create-auth-method-azure-ad -n <Auth Name> --bound-tenant-id <AZ tenant id >
Mandatory Parameters

Parameter

Description

-n, --name

Authentication Method name.

---bound-tenant-id

The Azure tenant id that the access is restricted to.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR allowlist of the IPs that the access is restricted to.

--issuer[=https://sts.windows.net/---bound_tenant_id---]

Issuer URL.

--jwks-uri[=https://login.microsoftonline.com/common/discovery/keys]

The URL to the JSON Web Key Set (JWKS) that contains the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.

--audience[=https://management.azure.com/]

The audience in the JWT.

--bound-spid

A list of service principal IDs that the access is restricted to.

--bound-group-id

A list of group ids that the access is restricted to.

--bound-sub-id

A list of subscription ids that the access is restricted to.

--bound-rg-id

A list of resource groups that the access is restricted to.

--bound-providers

A list of resource providers that the access is restricted to (e.g, Microsoft.Compute, Microsoft.ManagedIdentity, etc).

--bound-resource-types

A list of resource types that the access is restricted to (e.g, virtualMachines, userAssignedIdentities, etc).

--bound-resource-names

A list of resource names that the access is restricted to (e.g, a virtual machine name, scale set name, etc).

--bound-resource-id

A list of full resource ids that the access is restricted to.

create-auth-method-aws-iam

Creates a new Authentication Method object that will allow the user to authenticate using AWS IAM credentials.

Usage
akeyless create-auth-method-aws-iam -n <Auth Name> --bound-aws-account-id <account Id>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

--bound-aws-account-id

A list of AWS Account IDs that the access is restricted to.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR allowlist of the IPs that the access is restricted to

--sts-url[=https://sts.amazonaws.com]

sts URL.

--bound-arn

A list of full ARNs that the access is restricted to.

--bound-role-name

A list of full role-name that the access is restricted to.

--bound-role-id

A list of full role ids that the access is restricted to.

--bound-resource-id

A list of full resource ids that the access is restricted to.

--bound-user-name

A list of full user-name that the access is restricted to.

--bound-user-id

A list of full user ids that the access is restricted to.

create-auth-method-oauth2

Creates a new Auth Method that will allow the user to authenticate using OpenId/OAuth2.

Usage
akeyless create-auth-method-oauth2 -n <Auth Name> --jwks-uri <URL to JWKS> -u <unique ID>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication Method name.

--jwks-uri

The URL to the JSON Web Key Set (JWKS) that contains the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.

-u, --unique-identifier

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as the email, username, or UPN for example. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR whitelist of the IPs that the access is restricted to.

--bound-clients-ids

The clients' ids that the access is restricted to.

--issuer

Issuer URL.

--audience

The audience in the JWT.

create-auth-method-ldap

Creates a new Authentication Method object that will allow the user to authenticate using LDAP.

Usage
akeyless create-auth-method-ldap -n <Auth Name> --public-key-file-path <Path\To\Public\Key>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

--public-key-file-path

A public key generated for the LDAP authentication method on Akeyless [RSA2048]

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR allowlist of the IPs that the access is restricted to.

create-auth-method-saml

Creates a new Authentication Method object that will allow the user to authenticate using SAML.

Usage
akeyless create-auth-method-saml -n <Auth Name> -u <Unique ID>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

-u, --unique-identifier

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as an email, username, or UPN for example. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR allowlist of the IPs that the access is restricted to.

--idp-metadata-url

IDP metadata URL.

--idp-metadata-xml-file-path

IDP metadata xml file path.

create-auth-method-universal-identity

Creates a new Authentication Method object that will allow the user to authenticate using Akeyless Universal Identity.

Usage
akeyless create-auth-method-universal-identity -n <Auth Name>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR allowlist of the IPs that the access is restricted to.

--deny-rotate

Deny from the token to rotate.

--deny-inheritance

Deny from root to create children.

--ttl

Token TTL.

create-auth-method-gcp

Creates a new Authentication Method object that will allow the user to authenticate using GCP IAM Service Account credentials or GCE instance credentials.

Usage
akeyless create-auth-method-gcp -n <Auth Name> -t <type of GCP iam/gce> --audience <audience to verify in the JWT>
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

-t, --type

The type of the GCP Auth Method (iam/gce).

--audience[=akeyless.io]

The audience to verify in the JWT received by the client.

Optional Parameters

Parameter

Description

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A CIDR whitelist of the IPs that the access is restricted to.

--service-account-creds-file

Service Account creds key file path.

--service-account-creds-data

Service Account creds data, base64 encoded.

--bound-projects

A list of GCP project IDs. Clients must belong to any of the provided projects in order to authenticate. For multiple values repeat this flag.

--bound-service-accounts

IAM only. A list of Service Accounts. Clients must belong to any of the provided service accounts in order to authenticate. For multiple values repeat this flag.

--bound-zones

GCE only. A list of zones. GCE instances must belong to any of the provided zones in order to authenticate. For multiple values repeat this flag.

--bound-regions

GCE only. A list of regions. GCE instances must belong to any of the provided regions in order to authenticate. For multiple values repeat this flag.

--bound-labels

GCE only. A list of GCP labels is formatted as "key:value" pairs that must be set on instances in order to authenticate. For multiple values repeat this flag.

create-auth-method-cert

Creates a new Authentication Method object that will allow the user to authenticate using PKI certificates.

Usage
akeyless create-auth-method-cert -n AuthMethodName -u UniqueIdentifierValue --certificate-file-name /Path/To/File/signing_certificate.pem
Mandatory Parameters

Parameter

Description

-n, --name

Authentication method name.

-u, --unique-identifier

A "unique identifier" parameter plays the same role as a "sub-claim" in OIDC, OAuth2, LDAP, and SAML authentication method types. It contains details that allow the system to uniquely identify the user (e.g. to distinguish between different users from within the same organization).

Optional Parameters

Parameter

Description

-h, --help

Displays help information.

--access-expires[=0]

Access expiration date (in the Unix timestamp format). Specify 0 for access without expiration date.

--bound-ips

A CIDR allowlist with the IPs that the access is restricted to.

--force-sub-claims

When associating an Access Role with this authentication method, sub-claims must be considered.

--jwt-ttl[=0]

Credentials expiration time in minutes. If the value is not set, default account settings are used. (To check for the default account settings, run the get-account-settings command in the CLI.)

--certificate-data

The CA certificate data in Base64 format (if no file was provided).

--certificate-file-name

The path to the file containing the CA certificate.

--bound-common-names

A list of server names from the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-dns-sans

A list of DNS names from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-email-sans

A list of Email Addresses from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-uri-sans

A list of URIs from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-organizational-units

A list of Organizational Units names from the certificate. This list needs to be considered during authentication.

--bound-extensions

A list of extensions formatted as "oid:value". Expects the extension value to be some type of an ASN1-encoded string. All values must match. Supports globbing (i.e. limited wildcard capability) on "value".

--revoked-cert-ids

A list of revoked certificates' IDs.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The Universal Identity token. You need to be authenticated and authorized to create a new authentication method, so, when working with SDKs, authentication is usually performed using Universal Identity tokens.

--json[=false]

Sets output format to JSON. It is used when working with SDKs.

get-cloud-identity

Get Cloud Identity Token (relevant only for access-type=azure_ad,aws_iam,gcp)

Parameters

Parameter

Mandatory

Description

--azure_ad_object_id

Azure Active Directory ObjectId (relevant only for access-type=azure_ad).

--gcp-audience[=akeyless.io]

GCP audience to use in signed JWT (relevant only for access-type=gcp).

--url_safe

Escapes the token so it can be safely placed inside a URL query.

delete-item

Use delete-item to delete any secret, key, certificate or role.

Usage
akeylees delete-item -n <Path\to\item>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Item name.

--version[=-1]

The specific version you want to delete - 0=last version, -1=entire item with all versions (default).

--delete-in-days[=7]

The number of days to wait before deleting the item (relevant for keys only).

--delete-immediately[=false]

When delete-in-days=-1, must be set.

get-auth-method

Returns information about the Authentication Method object.

Usage
akeyless get-auth-method -n <Auth method name>
Mandatory Parameters

Parameter

Description

-n, --name

The name of the Authentication Method object about which you want to get the information.

list-auth-methods

Returns a list of all the Authentication Method objects in the Account.

Usage
akeyless list-auth-methods
Optional Parameters

Parameter

Description

--pagination-token

Next page reference.

delete-auth-method

Delete the Authentication Method object.

Usage
akeyless delete-auth-method -n <Auth Method Name>
Mandatory Parameters

Parameter

Description

-n, --name

The name of the Authentication Method object you want to delete.

delete-auth-methods

Delete multiple auth methods from a given path

Usage
akeyless delete-auth-methods -p <Path to auth methods>
Mandatory Parameters

Parameter

Description

-p, --path

Path to delete the auth methods from.

reverse-rbac

Shows which authentication method has access to a particular object.

Usage
akeyless reverse-rbac -p <path to an object>  -t <object type>
Mandatory Parameters

Parameter

Description

-p, --path

Path to an object.

-t, --type

Type of object (item, am=auth method, role).

Akeyless Universal Identity

uid-list-children

List the token children ids of Akeyless Universal Identity

Usage
akeyless uid-list-children -n <UID Auth Method Name>

uid-revoke-token

Revoke token using Akeyless Universal Identity

Usage
akeyless uid-revoke-token --revoke-type revokeAll --revoke-token <UID Token ID>
Parameters

Parameter

Mandatory

Description

--revoke-type

**Y**

revokeSelf/revokeAll (delete only this token/this token and his children).

--revoke-token

**Y**

The universal identity token/token-id to revoke.

-n, --auth-method-name

The universal identity auth method name.

uid-generate-token

Generate a new token using Akeyless Universal Identity

Usage
akeyless uid-generate-token -n <UID Auth Name>

uid-rotate-token

Rotate token using Akeyless Universal Identity(aliases rotate-token,uid-send-manual-rotate-ack)

Parameters

Parameter

Mandatory

Description

-t, --token, --uid-token

The Universal identity token.

--fork

Create a new child token with default parameters.

--send-manual-ack-token

The new rotated token to send manual ack for (with uid-token=the-orig-token).

--with-manual-ack

Disable automatic ack.

-o, --output-file \ -i, --input-file

Path to the output\input file.

uid-create-child-token

Create a new child token using Akeyless Universal Identity

Parameters

Parameter

Mandatory

Description

--child-deny-rotate

Deny from new child to rotate.

--child-deny-inheritance

Deny from new child to create their own children.

--child-ttl

New child token TTL.

--comment

New Token comment.

--uid-token

The universal identity token, Required only for universal_identity authentication.

-n, --auth-method-name

The universal identity auth method name, required only when uid-token is not provided.

--tid, --uid-token-id

The ID of the uid-token, required only when uid-token is not provided.


Did this page help you?