CLI Reference - Authentication

Authentication

auth

This command authenticates to Akeyless and saves the temporary token, so it can be reused until it expires without re-authenticating every time.

Parameters
Parameter | Description
--access-id | Access ID
--access-type[=access_key] | Access type (access_key/password/saml/ldap/k8s/azure_ad/oidc/aws_iam/universal_identity/jwt/gcp/cert)
--access-key | Access key (relevant only for access-type=access_key)
--cloud-id | The cloud identity (relevant only for access-type=azure_ad, aws_iam, gcp)
--uid_token | The universal_identity token (relevant only for access-type=universal_identity)
--jwt | The JSON Web Token (relevant only for access-type=jwt/oidc)
--admin-password | Password (relevant only for access-type=password)
--admin-email | Email (relevant only for access-type=password)
--oidc-sp | OIDC Service Provider (relevant only for access-type=oidc; inferred if empty). Supported SPs: google, github
--ldap_proxy_url | Address URL of the LDAP proxy (relevant only for access-type=ldap)
--username | LDAP username (relevant only for access-type=ldap)
--password | LDAP password (relevant only for access-type=ldap)
--gcp-audience[=akeyless.io] | GCP audience to use in the signed JWT (relevant only for access-type=gcp)
--gateway-url | Gateway URL for K8S authentication (relevant only for access-type=k8s)
--k8s-auth-config-name | The K8S Auth config name (relevant only for access-type=k8s)
--k8s-service-account-token | The K8S service account token
--cert-file-name | Name of the certificate file to use (relevant only for access-type=cert)
--cert-data | Certificate data encoded in base64; used if no file was provided (relevant only for access-type=cert)
--key-file-name | Name of the private key file to use (relevant only for access-type=cert)
--key-data | Private key data encoded in base64; used if no file was provided (relevant only for access-type=cert)
--debug | Set to true for a printout of the authorization JWTs

create-auth-method

Create a new API Key Auth Method in the account

Please note: mandatory values for this command: -n, --name

Usage
akeyless create-auth-method --name <Auth method name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication
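The bounds in the table above (--bound-ips, --access-expires, --jwt-ttl) are the same on every create-auth-method-* command that follows, and they are what keeps a leaked credential from being usable from anywhere, forever. The script below is an added example, not Akeyless's own code: it validates the CIDR list locally before the call (a malformed list is rejected rather than silently widening access), derives --access-expires from a number of days, creates the API Key auth method, then reads it back with get-auth-method so the stored bounds can be reviewed. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not Akeyless's own code): create an API Key auth method with
# the client-IP, expiry and credential-TTL bounds shared by all
# create-auth-method-* commands, after checking the CIDR list locally.
set -eu

# valid_cidr 10.0.0.0/8 -> 0. No /prefix, an octet above 255 or a prefix
# above 32 -> 1. A bare address must be written with an explicit /32.
valid_cidr() {
    case "$1" in
        */*) ip=${1%/*}; bits=${1#*/} ;;
        *)   return 1 ;;
    esac
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr_list "10.0.0.0/8,192.168.1.0/24" -> 0. The list is split on
# commas only, so "a/8, b/24" (space after the comma) is rejected.
valid_cidr_list() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for cidr in "$@"; do
        valid_cidr "$cidr" || return 1
    done
    return 0
}

# expires_in_days N -> Unix timestamp N days from now (what --access-expires takes).
expires_in_days() {
    echo $(( $(date +%s) + $1 * 86400 ))
}

# create_bounded_api_key_auth NAME CIDR_LIST DAYS_UNTIL_EXPIRY JWT_TTL_MINUTES
create_bounded_api_key_auth() {
    valid_cidr_list "$2" || { echo "rejected --bound-ips '$2'" >&2; return 1; }
    akeyless create-auth-method --name "$1" \
        --bound-ips "$2" \
        --access-expires "$(expires_in_days "$3")" \
        --jwt-ttl "$4"
    # Read the object back so the review shows the bounds actually stored.
    akeyless get-auth-method --name "$1"
}

# Run directly: ./create-bounded.sh ci-runner 10.0.0.0/8,192.168.1.0/24 30 15
if [ $# -eq 4 ]; then
    create_bounded_api_key_auth "$1" "$2" "$3" "$4"
fi
```

The CIDR check is deliberately strict: it accepts exactly the comma-separated form the parameter documents and nothing looser, so an entry such as a bare IP without /32 fails before anything reaches the account.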

create-auth-method-azure-ad

Create a new Auth Method that will be able to authenticate using Azure Active Directory credentials

Please note: mandatory values for this command: -n, --name, -b, --bound-tenant-id.

Usage
akeyless create-auth-method-azure-ad \
--name <Auth method name> \
--bound-tenant-id <AZ tenant id>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-b, --bound-tenant-id | (Mandatory) The Azure tenant ID that the access is restricted to
--issuer | Issuer URL (=https://sts.windows.net/<bound-tenant-id>)
--jwks-uri | (Mandatory) The URL of the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server (=https://login.microsoftonline.com/common/discovery/keys)
--audience[=https://management.azure.com/] | The audience in the JWT
--bound-spid | A list of service principal IDs that the access is restricted to
--bound-group-id | A list of group IDs that the access is restricted to
--bound-sub-id | A list of subscription IDs that the access is restricted to
--bound-rg-id | A list of resource groups that the access is restricted to
--bound-providers | A list of resource providers that the access is restricted to (e.g. Microsoft.Compute, Microsoft.ManagedIdentity)
--bound-resource-types | A list of resource types that the access is restricted to (e.g. virtualMachines, userAssignedIdentities)
--bound-resource-names | A list of resource names that the access is restricted to (e.g. a virtual machine name or scale set name)
--bound-resource-id | A list of full resource IDs that the access is restricted to
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-aws-iam

Create a new Auth Method that will be able to authenticate using AWS IAM credentials

Please note: mandatory values for this command: -n, --name, -b, --bound-aws-account-id

Usage
akeyless create-auth-method-aws-iam \
--name <Auth method name> \
--bound-aws-account-id <AWS account Id> \
--bound-arn <A list of full arns that the access is restricted to> \
--bound-role-name <A list of full role-name that the access is restricted to> \
--bound-role-id <A list of full role ids that the access is restricted to>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-b, --bound-aws-account-id | (Mandatory) A list of AWS account IDs that the access is restricted to
--sts-url[=https://sts.amazonaws.com] | STS URL
--bound-arn | A list of full ARNs that the access is restricted to
--bound-role-name | A list of full role names that the access is restricted to
--bound-role-id | A list of full role IDs that the access is restricted to
--bound-resource-id | A list of full resource IDs that the access is restricted to
--bound-user-name | A list of full user names that the access is restricted to
--bound-user-id | A list of full user IDs that the access is restricted to
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-gcp

Create a new Auth Method that will be able to authenticate using GCP IAM Service Account credentials or GCE instance credentials

Please note: mandatory values for this command: -n, --name, -t, --type, -a, --audience

Usage
akeyless create-auth-method-gcp \
--name <Auth method name> \
--type <iam|gce> \
--service-account-creds-file </path/to/service account creds.json> \
--audience <audience to verify in the JWT received by the client>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-t, --type | (Mandatory) The type of the GCP Auth Method (iam/gce)
-a, --audience[=akeyless.io] | (Mandatory) The audience to verify in the JWT received by the client
--service-account-creds-file | Service Account credentials key file path
--service-account-creds-data | Service Account credentials data, base64 encoded
--bound-projects | A list of GCP project IDs. Clients must belong to one of the provided projects in order to authenticate. For multiple values repeat this flag
--bound-service-accounts | A list of Service Accounts. Clients must belong to one of the provided service accounts in order to authenticate. For multiple values repeat this flag
--bound-zones | GCE only. A list of zones. GCE instances must belong to one of the provided zones in order to authenticate. For multiple values repeat this flag
--bound-regions | GCE only. A list of regions. GCE instances must belong to one of the provided regions in order to authenticate. For multiple values repeat this flag
--bound-labels | GCE only. A list of GCP labels formatted as "key:value" pairs that must be set on instances in order to authenticate. For multiple values repeat this flag. If this is set, --service-account-creds-file or --service-account-creds-data becomes mandatory
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

get-cloud-identity

Get Cloud Identity Token (relevant only for access-type=azure_ad, aws_iam, gcp)

Parameters
Parameter | Description
--cloud-provider | Cloud provider (azure_ad/aws_iam/gcp)
--azure_ad_object_id | Azure Active Directory ObjectId (relevant only for access-type=azure_ad)
--gcp-audience[=akeyless.io] | GCP audience to use in the signed JWT (relevant only for access-type=gcp)
--url_safe | Escape the token so it can be safely placed inside a URL query
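The auth table at the top of this page and get-cloud-identity together describe a non-interactive login: the access type decides which single extra parameter is required, and for azure_ad, aws_iam and gcp that parameter is the cloud identity token rather than a stored secret. The script below is an added example, not Akeyless's own code. It assumes a naming convention of its own for where credentials come from (environment variables AKEYLESS_ACCESS_KEY, AKEYLESS_UID_TOKEN, AKEYLESS_JWT, GCP_AUDIENCE, AKEYLESS_GATEWAY_URL, AKEYLESS_K8S_AUTH_CONFIG) and that get-cloud-identity prints the token on stdout; it fails before calling auth when the type-specific parameter is missing.

```shell
#!/bin/sh
# Added example (not Akeyless's own code): pick the `akeyless auth` parameters
# from the access type, failing early when the type-specific parameter from the
# auth table is missing. Environment variable names are this example's own.
set -eu

# need VALUE MESSAGE: fail with MESSAGE when VALUE is empty.
need() {
    [ -n "$1" ] || { echo "akeyless_login: $2" >&2; return 1; }
}

# akeyless_login ACCESS_ID ACCESS_TYPE
# The type-specific arguments are collected in the positional parameters so
# that values containing spaces survive, then `akeyless auth` is run once.
akeyless_login() {
    access_id=$1
    access_type=$2
    case "$access_type" in
        access_key)
            need "${AKEYLESS_ACCESS_KEY:-}" "access_key needs AKEYLESS_ACCESS_KEY (--access-key)" || return 1
            set -- --access-key "$AKEYLESS_ACCESS_KEY"
            ;;
        azure_ad|aws_iam)
            # The credential is the signed cloud identity token; nothing static is stored.
            cloud_id=$(akeyless get-cloud-identity --cloud-provider "$access_type")
            need "$cloud_id" "get-cloud-identity returned no token for $access_type" || return 1
            set -- --cloud-id "$cloud_id"
            ;;
        gcp)
            # --gcp-audience must equal the --audience configured on the GCP auth method.
            cloud_id=$(akeyless get-cloud-identity --cloud-provider gcp \
                        --gcp-audience "${GCP_AUDIENCE:-akeyless.io}")
            need "$cloud_id" "get-cloud-identity returned no token for gcp" || return 1
            set -- --cloud-id "$cloud_id"
            ;;
        universal_identity)
            need "${AKEYLESS_UID_TOKEN:-}" "universal_identity needs AKEYLESS_UID_TOKEN (--uid_token)" || return 1
            set -- --uid_token "$AKEYLESS_UID_TOKEN"
            ;;
        jwt)
            need "${AKEYLESS_JWT:-}" "jwt needs AKEYLESS_JWT (--jwt)" || return 1
            set -- --jwt "$AKEYLESS_JWT"
            ;;
        k8s)
            # Inside a pod the projected service account token lives at this path.
            sa_token_file=/var/run/secrets/kubernetes.io/serviceaccount/token
            need "${AKEYLESS_GATEWAY_URL:-}" "k8s needs AKEYLESS_GATEWAY_URL (--gateway-url)" || return 1
            need "${AKEYLESS_K8S_AUTH_CONFIG:-}" "k8s needs AKEYLESS_K8S_AUTH_CONFIG (--k8s-auth-config-name)" || return 1
            [ -r "$sa_token_file" ] || { echo "akeyless_login: no service account token at $sa_token_file" >&2; return 1; }
            set -- --gateway-url "$AKEYLESS_GATEWAY_URL" \
                   --k8s-auth-config-name "$AKEYLESS_K8S_AUTH_CONFIG" \
                   --k8s-service-account-token "$(cat "$sa_token_file")"
            ;;
        *)
            # password, saml, oidc, ldap and cert are interactive or file based; not handled here.
            echo "akeyless_login: unsupported access type '$access_type'" >&2
            return 1
            ;;
    esac
    akeyless auth --access-id "$access_id" --access-type "$access_type" "$@"
}

# Run directly: ./login.sh <access-id> <access-type>
if [ $# -eq 2 ]; then
    akeyless_login "$1" "$2"
fi
```

Values passed as command-line arguments are visible to other local processes for the lifetime of the command, which is one more reason to prefer the cloud identity types, where the only thing on the command line is a short-lived signed token.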

create-auth-method-oauth2

Create a new Auth Method that will be able to authenticate using OAuth2

Please note: mandatory values for this command: -n, --name, -j, --jwks-uri, -u, --unique-identifier

Usage
akeyless create-auth-method-oauth2 \
--name <Auth method name> \
--jwks-uri <URL to JWKS> \
--unique-identifier <unique ID> \
--issuer <issuer URL> \
--audience <The audience in the JWT>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-j, --jwks-uri | (Mandatory) The URL of the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the authorization server
-u, --unique-identifier | (Mandatory) A unique identifier (ID) value must be configured for the OAuth2, LDAP and SAML authentication method types; it is usually a value such as the email, username or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users within the same organization
--bound-clients-ids | The client IDs that the access is restricted to
--issuer | Issuer URL
--audience | The audience in the JWT
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-saml

Create a new Auth Method that will be able to authenticate using SAML

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless create-auth-method-saml \
--name <Auth method name> \
--unique-identifier <Unique ID> \
--allowed-redirect-uri <Allowed redirect URIs after the authentication> \
--idp-metadata-url <IDP metadata url>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-u, --unique-identifier | (Mandatory) A unique identifier (ID) value must be configured for the OAuth2, LDAP and SAML authentication method types; it is usually a value such as the email, username or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users within the same organization
--idp-metadata-url | IDP metadata URL
--allowed-redirect-uri | Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-saml to enable SAML via the Akeyless Console and http://127.0.0.1:* to enable SAML via the akeyless CLI)
--idp-metadata-xml-file-path | IDP metadata XML file path
--idp-metadata-xml-data | IDP metadata as XML encoded in base64
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-oidc

Creates a new Authentication Method object that will allow the user to authenticate using OIDC

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless create-auth-method-oidc \
--name <Auth method name> \
--unique-identifier <Unique ID> \
--issuer <Issuer URL> \
--client-id <Client ID> \
--client-secret <Client Secret>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
--issuer | Issuer URL
--client-id | Client ID
--client-secret | Client Secret
-u, --unique-identifier | (Mandatory) A unique identifier (ID) value must be configured for the OIDC, OAuth2, LDAP and SAML authentication method types; it is usually a value such as the email, username or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users within the same organization
--allowed-redirect-uri | Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-oidc to enable OIDC via the Akeyless Console and http://127.0.0.1:* to enable OIDC via the akeyless CLI)
--require-scopes | Required scopes that the OIDC method will request from the OIDC provider and the user must approve
--required-scopes-prefix | A prefix to add to all required scopes when requesting them from the OIDC server (for example, Azure's Application ID URI)
--audience | Audience claim to be used as part of the authentication flow. If set, it must match the one configured on the Identity Provider's application
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-k8s

Creates a new Authentication Method object that will allow the user to authenticate using Kubernetes

Please note: mandatory values for this command: -n, --name

Usage
akeyless create-auth-method-k8s \
--name <Auth method name> \
--public-key-file-path <Path\To\Public\Key> \
--bound-pod-names <list of pods name> \
--bound-namespaces <list of namespaces that the access is restricted to> \
--public-key <Base64-encoded or PEM formatted public key data> \
--audience <The audience in the Kubernetes JWT that the access is restricted to>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-p, --public-key-file-path | If gen-key is set to false, the path to a public key for the K8S authentication method is required [RSA2048]
--public-key | Base64-encoded or PEM-formatted public key data
--audience | The audience in the Kubernetes JWT that the access is restricted to
--bound-sa-names | A list of service account names that the access is restricted to
--bound-pod-names | A list of pod names that the access is restricted to
--bound-namespaces | A list of namespaces that the access is restricted to
--gen-key[=true] | Automatically generate a key pair for the K8S configuration. If set to false, a public key needs to be provided
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

gateway-create-k8s-auth-config

Creates K8S Auth config

Please note: mandatory values for this command: -n, --name, --access-id

Usage
akeyless gateway-create-k8s-auth-config --name k8s-conf \
--gateway-url <API Gateway URL:8000> \
--access-id <Access_ID> \
--signing-key <Private_Key> \
--k8s-host <https://Your-K8s-Cluster-IP:8443> \
--token-reviewer-jwt <SA_JWT_TOKEN> \
--k8s-ca-cert <CA_CERT> \
--k8s-issuer <K8S_ISSUER>
akeyless gateway-create-k8s-auth-config --name k8s-conf-rancher \
--gateway-url <https://Your-GW-URL>:8000 \
--access-id $ACCESS_ID \
--signing-key $PRV_KEY \
--cluster-api-type rancher \
--k8s-host=<https://Rancher Host>:443 \
--k8s-ca-cert $CA_CERT \
--k8s-issuer $K8S_ISSUER \
--rancher-api-key <API_KEY> \
--rancher-cluster-id <CLUSTER_ID>
Parameters
Parameter | Description
-n, --name | (Mandatory) K8S Auth config name
--access-id | (Mandatory) The Access ID of the Kubernetes auth method
--signing-key | The private key (base64 encoded) associated with the public key defined in the Kubernetes auth method
--token-exp[=300] | Expiration time in seconds of the Akeyless Kube Auth Method token
--cluster-api-type[=native_k8s] | Cluster access type. Options: native_k8s, rancher
--k8s-host | The URL of the Kubernetes API server
--k8s-ca-cert | The CA certificate (base64 encoded) used to call into the Kubernetes API server
--token-reviewer-jwt | A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs (relevant for "native_k8s" only)
--rancher-api-key | The API key used to access the TokenReview API to validate other JWTs (relevant for "rancher" only)
--rancher-cluster-id | The cluster ID as defined in Rancher (relevant for "rancher" only)
--k8s-issuer[=kubernetes/serviceaccount] | The Kubernetes JWT issuer name. If not set, kubernetes/serviceaccount is used by default
--disable-issuer-validation | Disable issuer validation (true/false)
--config-encryption-key-name | Encrypt the K8S Auth config with the given key
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication
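Most of the values gateway-create-k8s-auth-config needs (--k8s-host, --k8s-ca-cert, --token-reviewer-jwt, --k8s-issuer) come from the cluster itself, and getting the issuer right is what lets issuer validation stay enabled instead of being switched off with --disable-issuer-validation. The script below is an added example, not Akeyless's own code. It assumes kubectl is pointed at the target cluster; that the token reviewer service account has a long-lived token stored in a Secret of type kubernetes.io/service-account-token and is bound to the system:auth-delegator cluster role (the Kubernetes requirement for calling the TokenReview API); and that the signing key from create-auth-method-k8s was saved as a PEM file, which is base64-encoded here because the table says --signing-key takes base64. Function names and the SIGNING_KEY_FILE argument are this example's own.

```shell
#!/bin/sh
# Added example (not Akeyless's own code): collect the cluster-side values for
# gateway-create-k8s-auth-config from the current kubectl context and create
# the config. Assumes kubectl, a reviewer SA Secret and a saved signing key.
set -eu

# API server URL of the current context (--k8s-host).
k8s_host() {
    kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}'
}

# Cluster CA as stored in kubeconfig, already base64 (the form --k8s-ca-cert takes).
k8s_ca_cert_b64() {
    kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
}

# token_reviewer_jwt NAMESPACE SECRET: the reviewer SA token decoded from its
# Secret. Tokens from `kubectl create token` are short-lived, so a Secret-backed
# token is used for a configuration that has to keep working.
token_reviewer_jwt() {
    kubectl -n "$1" get secret "$2" -o jsonpath='{.data.token}' | base64 -d
}

# Issuer from the API server's OIDC discovery document; empty when the cluster
# does not expose it, in which case the default kubernetes/serviceaccount is used.
k8s_issuer() {
    kubectl get --raw /.well-known/openid-configuration 2>/dev/null \
        | sed -n 's/.*"issuer": *"\([^"]*\)".*/\1/p'
}

# create_k8s_auth_config NAME ACCESS_ID SIGNING_KEY_FILE NAMESPACE SECRET [GATEWAY_URL]
create_k8s_auth_config() {
    host=$(k8s_host)
    ca=$(k8s_ca_cert_b64)
    jwt=$(token_reviewer_jwt "$4" "$5")
    issuer=$(k8s_issuer)
    signing_key=$(base64 < "$3" | tr -d '\n')
    [ -n "$host" ] && [ -n "$ca" ] && [ -n "$jwt" ] && [ -n "$signing_key" ] \
        || { echo "create_k8s_auth_config: could not read host, CA, reviewer token or signing key" >&2; return 1; }
    akeyless gateway-create-k8s-auth-config --name "$1" \
        --gateway-url "${6:-http://localhost:8000}" \
        --access-id "$2" \
        --signing-key "$signing_key" \
        --k8s-host "$host" \
        --k8s-ca-cert "$ca" \
        --token-reviewer-jwt "$jwt" \
        --k8s-issuer "${issuer:-kubernetes/serviceaccount}"
}

# Run directly: ./k8s-auth-config.sh k8s-conf <access-id> signing-key.pem default reviewer-token
if [ $# -ge 5 ]; then
    create_k8s_auth_config "$@"
fi
```

The reviewer token and signing key are long-lived secrets in their own right; --config-encryption-key-name from the table is the parameter for protecting them at rest on the Gateway.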

gateway-get-k8s-auth-config

Gets K8S Auth config

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-get-k8s-auth-config \
--name <K8S Auth config name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) K8S Auth config name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-ldap

Creates a new Authentication Method object that will allow the user to authenticate using LDAP

Please note: mandatory values for this command: -n, --name

Usage
akeyless create-auth-method-ldap \
--name <Auth method name> \
--public-key-file-path <Path\To\Public\Key>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
-p, --public-key-file-path | A path to a public key generated for the LDAP authentication method on Akeyless [RSA2048]
--public-key-data | A public key generated for the LDAP authentication method on Akeyless [RSA2048], in base64 or PEM format
--unique-identifier[=users] | A unique identifier (ID) value must be configured for the LDAP, OAuth2 and SAML authentication method types; it is usually a value such as the email, username or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users within the same organization
--gen-key[=true] | Automatically generate a key pair for the LDAP configuration. If set to false, a public key needs to be provided
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-universal-identity

Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity

Please note: mandatory values for this command: -n, --name

Usage
akeyless create-auth-method-universal-identity \
--name <Auth method name> \
--ttl <Token TTL> \
--deny-rotate <Deny from the token to rotate> \
--deny-inheritance <Deny from root to create children>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
--deny-rotate | Deny the token from rotating
--deny-inheritance | Deny the root token from creating child tokens
--ttl[=60] | Token TTL (takes the value configured in the Akeyless Console under Authentication settings)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

create-auth-method-cert

Create a new Auth Method that will be able to authenticate using a client certificate

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless create-auth-method-cert \
--name <Auth method name> \
--unique-identifier <Unique ID> \
--certificate-file-name </Path/To/File/signing_certificate.pem> \
--certificate-data <The certificate data in base64, if no file was provided> \
--bound-common-names <A list of names. At least one must exist in the Common Name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
--certificate-data | The certificate data in base64, if no file was provided
--certificate-file-name | The path to the file containing the CA certificate
--bound-common-names | A list of names. At least one must exist in the Common Name. Supports globbing
--bound-dns-sans | A list of DNS names. At least one must exist in the SANs. Supports globbing
--bound-email-sans | A list of email addresses. At least one must exist in the SANs. Supports globbing
--bound-uri-sans | A list of URIs. At least one must exist in the SANs. Supports globbing
--bound-organizational-units | A list of Organizational Unit names. At least one must exist in the OU field
--bound-extensions | A list of extensions formatted as oid:value. Expects the extension value to be some type of ASN.1-encoded string. All values must match. Supports globbing on the value
--revoked-cert-ids | A list of revoked certificate IDs
-u, --unique-identifier | (Mandatory) A unique identifier (ID) value must be configured for the OIDC, OAuth2, LDAP and SAML authentication method types; it is usually a value such as the email, username or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users within the same organization
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

validate-token

Checks the provided token’s validity and its TTL

Please note: mandatory values for this command: -t, --token

Usage
akeyless validate-token --token <Token to validate>

revoke-creds

This command will permanently revoke the credentials associated with the provided token or profile

Parameters
Parameter | Description
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication
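validate-token and revoke-creds bracket the life of a temporary token: check it before relying on it, and revoke the credentials behind it as soon as the work is done so that a token left behind in a log or environment is worthless. The wrapper below is an added example, not Akeyless's own code. It runs one command with --token appended (the --profile, --token parameter every command on this page accepts), refuses an invalid or expired token up front, and revokes on the way out whether the job succeeded or not; the function name is this example's own.

```shell
#!/bin/sh
# Added example (not Akeyless's own code): run one job with a temporary token,
# validating it first and revoking the credentials afterwards.
set -eu

# run_with_temp_token TOKEN COMMAND [ARGS...]
# COMMAND receives "--token TOKEN" as its final arguments.
run_with_temp_token() {
    tok=$1
    shift
    akeyless validate-token --token "$tok" >/dev/null \
        || { echo "run_with_temp_token: token invalid or expired" >&2; return 1; }
    status=0
    "$@" --token "$tok" || status=$?
    # Revoke even when the job failed; report a failed revoke but do not let it
    # mask the job's own exit status.
    akeyless revoke-creds --token "$tok" \
        || echo "run_with_temp_token: revoke-creds failed, token stays valid until its TTL ends" >&2
    return "$status"
}

# Run directly: ./with-token.sh "$TOKEN" akeyless list-auth-methods
if [ $# -ge 2 ]; then
    run_with_temp_token "$@"
fi
```

Because revoke-creds is permanent, the token must not be one a long-running process still depends on; the pattern fits a CI job or a one-off administrative task that obtained its own token with auth.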

get-auth-method

Get Auth Method details

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-auth-method -n <Auth method name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

list-auth-methods

List details of all the Auth Methods in the account

Usage
akeyless list-auth-methods \
--type <Auth method type> \
--filter <Filter by auth method name or part of it>
Parameters
Parameter | Description
-t, --type | The auth method types to list. If empty, all auth method types are returned. Options: api_key, azure_ad, oauth2/jwt, saml2, ldap, aws_iam, oidc, universal_identity, gcp, k8s, cert
--filter | Filter by auth method name or part of it
--pagination-token | Next page reference
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

delete-auth-method

Delete the Auth Method

Please note: mandatory values for this command: -n, --name

Usage
akeyless delete-auth-method -n <Auth method name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Auth Method name
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

delete-auth-methods

Delete multiple auth methods from a given path

Please note: mandatory values for this command: -p, --path

Usage
akeyless delete-auth-methods -p <Path to auth methods>
Parameters
Parameter | Description
-p, --path | (Mandatory) Path to delete the auth methods from
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

gateway-delete-k8s-auth-config

Deletes K8S Auth config

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-delete-k8s-auth-config \
--name <Auth config name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) K8S Auth config name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

update-auth-method

Update an existing API Key Auth Method in the account

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-auth-method --name <Auth method>
Parameters
Parameter | Description
--new-name | Auth Method new name
-n, --name | (Mandatory) Auth Method name
--access-expires[=0] | Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips | A comma-separated CIDR block list to allow client access
--gw-bound-ips | A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims | Enforce that role association must include sub claims
--jwt-ttl[=0] | Credentials expiration time in minutes. If not set, the default from the account settings is used (see get-account-settings)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token | The universal identity token; required only for universal_identity authentication

gateway-update-k8s-auth-config

Updates the K8s Auth config

Please note: mandatory values for this command: -n, --name, --access-id, --new-name

Usage
akeyless gateway-update-k8s-auth-config \
--name <Auth name> \
--new-name <config new-name> \
--access-id <access-id> \
--k8s-host <kubernetes API server URL> \
--k8s-ca-cert <CA Certificate (base64 encoded) to use to call into the kubernetes API server>

Parameters

Parameter    Description
-n, --name    (Mandatory) K8S Auth config name
--access-id    (Mandatory) The access ID of the Kubernetes auth method
--signing-key    The private key (base64 encoded) associated with the public key defined in the Kubernetes auth method
--token-exp[=300]    Expiration time, in seconds, of the Akeyless Kube Auth Method token
--cluster-api-type[=native_k8s]    Cluster access type. Options: [native_k8s, rancher]
--k8s-host    The URL of the Kubernetes API server
--k8s-ca-cert    The CA certificate (base64 encoded) to use to call into the Kubernetes API server
--token-reviewer-jwt    A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs (relevant for "native_k8s" only)
--rancher-api-key    The API key used to access the TokenReview API to validate other JWTs (relevant for "rancher" only)
--rancher-cluster-id    The cluster ID as defined in Rancher (relevant for "rancher" only)
--k8s-issuer[=kubernetes/serviceaccount]    The Kubernetes JWT issuer name. If not set, kubernetes/serviceaccount is used by default
--disable-issuer-validation    Disable issuer validation (true/false)
--config-encryption-key-name    Encrypt the K8S Auth config with the given key
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--new-name    (Mandatory) K8S Auth config new name
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication
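Two inputs in the usage above are easy to get wrong: --k8s-ca-cert must be the PEM CA certificate base64-encoded on a single line, and --k8s-host is the endpoint the gateway will present the --token-reviewer-jwt to. The shell functions below are an added example, not part of the Akeyless documentation or CLI: they encode the certificate portably, refuse a non-PEM file and a non-HTTPS API server URL, and print the assembled gateway-update-k8s-auth-config command for review instead of executing it. Rejecting http:// URLs is a policy of this example, not a check the CLI documents; the config names and access ID in the usage note are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Akeyless code): prepare the --k8s-ca-cert value and assemble
# the gateway-update-k8s-auth-config invocation, printing it instead of running it.

# Encode a PEM CA certificate file for --k8s-ca-cert. The flag takes one base64
# string, but `base64` wraps its output every 76 characters on most systems and
# GNU's `-w0` is not portable, so the line breaks are stripped with tr.
encode_ca_cert() {
  cert_file=$1
  [ -r "$cert_file" ] || { echo "encode_ca_cert: cannot read $cert_file" >&2; return 1; }
  # Refuse input that is not a PEM certificate (a DER file, a kubeconfig, ...).
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert_file" \
    || { echo "encode_ca_cert: $cert_file is not a PEM certificate" >&2; return 1; }
  base64 < "$cert_file" | tr -d '\n'
}

# Build the update command. The API server URL must be https: the gateway sends
# the service-account JWT from --token-reviewer-jwt to this endpoint, and a
# plaintext URL would expose that JWT (a policy of this example, not a CLI check).
k8s_auth_update_cmd() {
  cfg_name=$1 new_name=$2 access_id=$3 k8s_host=$4 ca_file=$5
  case "$k8s_host" in
    https://*) ;;
    *) echo "k8s_auth_update_cmd: --k8s-host must be an https:// URL" >&2; return 1 ;;
  esac
  ca_b64=$(encode_ca_cert "$ca_file") || return 1
  printf 'akeyless gateway-update-k8s-auth-config --name %s --new-name %s --access-id %s --k8s-host %s --k8s-ca-cert %s\n' \
    "$cfg_name" "$new_name" "$access_id" "$k8s_host" "$ca_b64"
}
```

Call it as `k8s_auth_update_cmd my-k8s my-k8s-v2 p-placeholder https://10.0.0.1:6443 ca.pem` (placeholder values), check the printed line, then pipe it to sh; the remaining flags from the table, such as --token-reviewer-jwt, can be appended the same way.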

gateway-update-ldap-auth-config

Updates the LDAP Auth config

Usage
akeyless gateway-update-ldap-auth-config \
--ldap-enable <Enabling ldap authentication> \
--access-id <access ID of the Ldap auth method> \
--signing-key-file-name <path/to/PRV/key> \
--ldap-url <LDAP Server URL> \
--ldap-ca-cert <LDAP CA Certificate (base64 encoded)> \
--ldap-ca-cert-file-name <the path to the file containing the CA certificate>

Parameters

Parameter    Description
--ldap-enable    Enable LDAP authentication
--access-id    The access ID of the LDAP auth method
--signing-key-data    The private key (base64 encoded) associated with the public key defined in the LDAP auth method
--signing-key-file-name    The path to the file containing the private key
--ldap-url    LDAP Server URL, e.g. ldap://planetexpress.com:389
-t, --ldap-ca-cert    LDAP CA certificate (base64 encoded)
--ldap-ca-cert-file-name    The path to the file containing the CA certificate
--anonymous-search    Enable LDAP anonymous search
--bind-dn    LDAP Bind DN
--bind-dn-password    Password for the LDAP Bind DN
--user-dn    User Base DN
--user-attribute    LDAP user attribute
--group-dn    Base DN to perform the group membership search
--group-filter    Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username]
--group-attr    LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate user group membership
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-aws-iam

Update an existing Auth Method that authenticates using AWS IAM credentials

Please note: mandatory values for this command: -n, --name, -b, --bound-aws-account-id

Usage
akeyless update-auth-method-aws-iam \
--name <Auth method name> \
--new-name <Auth method new name> \
--bound-aws-account-id <AWS account IDs that the access is restricted to>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-b, --bound-aws-account-id    (Mandatory) A list of AWS account IDs that the access is restricted to
--sts-url[=https://sts.amazonaws.com]    STS URL
--bound-arn    A list of full ARNs that the access is restricted to
--bound-role-name    A list of full role names that the access is restricted to
--bound-role-id    A list of full role IDs that the access is restricted to
--bound-resource-id    A list of full resource IDs that the access is restricted to
--bound-user-name    A list of full user names that the access is restricted to
--bound-user-id    A list of full user IDs that the access is restricted to
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-azure-ad

Update an existing Auth Method that authenticates using Azure Active Directory credentials

Please note: mandatory values for this command: -n, --name, -b, --bound-tenant-id

Usage
akeyless update-auth-method-azure-ad \
--name <Auth method name> \
--new-name <Auth method new name> \
--bound-tenant-id <Azure tenant id that the access is restricted to>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-b, --bound-tenant-id    (Mandatory) The Azure tenant ID that the access is restricted to
--issuer[=https://sts.windows.net/---bound_tenant_id---]    Issuer URL
--jwks-uri[=https://login.microsoftonline.com/common/discovery/keys]    The URL to the JSON Web Key Set (JWKS) containing the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server
--audience[=https://management.azure.com/]    The audience in the JWT
--bound-spid    A list of service principal IDs that the access is restricted to
--bound-group-id    A list of group IDs that the access is restricted to
--bound-sub-id    A list of subscription IDs that the access is restricted to
--bound-rg-id    A list of resource groups that the access is restricted to
--bound-providers    A list of resource providers that the access is restricted to (e.g. Microsoft.Compute, Microsoft.ManagedIdentity)
--bound-resource-types    A list of resource types that the access is restricted to (e.g. virtualMachines, userAssignedIdentities)
--bound-resource-names    A list of resource names that the access is restricted to (e.g. a virtual machine name or a scale set name)
--bound-resource-id    A list of full resource IDs that the access is restricted to
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-cert

Update an existing Auth Method that authenticates using a client certificate.

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless update-auth-method-cert \
--name <Auth method name> \
--new-name <Auth method new name> \
--unique-identifier <Unique ID>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
--certificate-data    The certificate data in base64, if no file was provided
--certificate-file-name    The path to the file containing the CA certificate
--bound-common-names    A list of names. At least one must exist in the Common Name. Supports globbing.
--bound-dns-sans    A list of DNS names. At least one must exist in the SANs. Supports globbing.
--bound-email-sans    A list of email addresses. At least one must exist in the SANs. Supports globbing.
--bound-uri-sans    A list of URIs. At least one must exist in the SANs. Supports globbing.
--bound-organizational-units    A list of Organizational Unit names. At least one must exist in the OU field.
--bound-extensions    A list of extensions formatted as oid:value. Expects the extension value to be some type of ASN.1 encoded string. All values must match. Supports globbing on value.
--revoked-cert-ids    A list of revoked cert IDs
-u, --unique-identifier    (Mandatory) A unique identifier (ID) value should be configured for OIDC, OAuth2, LDAP and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-gcp

Update an existing Auth Method that authenticates using GCP IAM Service Account credentials or GCE instance credentials

Please note: mandatory values for this command: -n, --name, -t, --type, -a, --audience[=akeyless.io]

Usage
akeyless update-auth-method-gcp \
--name <Auth method name> \
--new-name <Auth method new name> \
--type <GCP type method> \
--audience <The audience to verify in the JWT received by the client>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-t, --type    (Mandatory) The type of the GCP Auth Method (iam/gce)
-a, --audience[=akeyless.io]    (Mandatory) The audience to verify in the JWT received by the client
--service-account-creds-file    Service Account credentials key file path
--service-account-creds-data    Service Account credentials data, base64 encoded
--bound-projects    A list of GCP project IDs. Clients must belong to any of the provided projects in order to authenticate. For multiple values repeat this flag.
--bound-service-accounts    A list of Service Accounts. Clients must belong to any of the provided service accounts in order to authenticate. For multiple values repeat this flag.
--bound-zones    GCE only. A list of zones. GCE instances must belong to any of the provided zones in order to authenticate. For multiple values repeat this flag.
--bound-regions    GCE only. A list of regions. GCE instances must belong to any of the provided regions in order to authenticate. For multiple values repeat this flag.
--bound-labels    GCE only. A list of GCP labels formatted as "key:value" pairs that must be set on instances in order to authenticate. For multiple values repeat this flag. If this is set, the --service-account-creds-file or --service-account-creds-data parameter becomes mandatory.
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-k8s

Update an existing Auth Method that authenticates using Kubernetes

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-auth-method-k8s \
--name <Auth method name> \
--new-name <Auth method new name> \
--public-key <Base64-encoded or PEM formatted public key data> \
--audience <The audience in the Kubernetes JWT that the access is restricted to>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-p, --public-key-file-path    If --gen-key is set to false, the path to a public key for the K8S authentication method is required [RSA2048]
--public-key    Base64-encoded or PEM formatted public key data
--audience    The audience in the Kubernetes JWT that the access is restricted to
--bound-sa-names    A list of service account names that the access is restricted to
--bound-pod-names    A list of pod names that the access is restricted to
--bound-namespaces    A list of namespaces that the access is restricted to
--gen-key    Automatically generate a key pair for the K8S configuration. If set to false, a public key needs to be provided
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-ldap

Update an existing Auth Method that authenticates using LDAP

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-auth-method-ldap \
--name <Auth method name> \
--new-name <Auth method new name> \
--public-key-file-path <Public/Key/Path> \
--public-key-data <A public key generated for LDAP authentication method>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-p, --public-key-file-path    A path to a public key generated for the LDAP authentication method on Akeyless [RSA2048]
--public-key-data    A public key generated for the LDAP authentication method on Akeyless [RSA2048], in Base64 or PEM format
--unique-identifier[=users]    A unique identifier (ID) value should be configured for LDAP, OAuth2 and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
--gen-key    Automatically generate a key pair for the LDAP configuration. If set to false, a public key needs to be provided
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-oauth2

Update an existing Auth Method that authenticates using OAuth2

Please note: mandatory values for this command: -n, --name, -j, --jwks-uri, -u, --unique-identifier

Usage
akeyless update-auth-method-oauth2 \
--name <Auth method name> \
--jwks-uri <URL to the JSON Web Key Set> \
--unique-identifier <Unique ID>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-j, --jwks-uri    (Mandatory) The URL to the JSON Web Key Set (JWKS) containing the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server
-u, --unique-identifier    (Mandatory) A unique identifier (ID) value should be configured for OAuth2, LDAP and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
--bound-clients-ids    The client IDs that the access is restricted to
--issuer    Issuer URL
--audience    The audience in the JWT
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-oidc

Update an existing Auth Method that authenticates using OIDC

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless update-auth-method-oidc \
--name <Auth method name> \
--new-name <Auth method new name> \
--unique-identifier <Unique ID> \
--client-id <Client ID> \
--client-secret <Client Secret> \
--issuer <Issuer URL>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
--issuer    Issuer URL
--client-id    Client ID
--client-secret    Client Secret
-u, --unique-identifier    (Mandatory) A unique identifier (ID) value should be configured for OAuth2, LDAP and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
--allowed-redirect-uri    Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-oidc to enable OIDC via the Akeyless Console and http://127.0.0.1:* to enable OIDC via the akeyless CLI)
--required-scopes    Required scopes that the OIDC method will request from the OIDC provider and the user must approve
--required-scopes-prefix    A prefix to add to all required scopes when requesting them from the OIDC server (for example, Azure's Application ID URI)
--audience    Audience claim to be used as part of the authentication flow. If set, it must match the one configured on the Identity Provider's application
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-saml

Update an existing Auth Method that authenticates using SAML

Please note: mandatory values for this command: -n, --name, -u, --unique-identifier

Usage
akeyless update-auth-method-saml \
--name <Auth method name> \
--new-name <Auth method new name> \
--unique-identifier <Unique ID> \
--allowed-redirect-uri <Allowed redirect URIs after the authentication>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
-u, --unique-identifier    (Mandatory) A unique identifier (ID) value should be configured for OAuth2, LDAP and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured, and is used to distinguish between different users from within the same organization.
--idp-metadata-url    IdP metadata URL
--allowed-redirect-uri    Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-saml to enable SAML via the Akeyless Console and http://127.0.0.1:* to enable SAML via the akeyless CLI)
--idp-metadata-xml-file-path    IdP metadata XML file path
--idp-metadata-xml-data    IdP metadata as XML encoded in base64
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

update-auth-method-universal-identity

Update an existing Auth Method that authenticates using Akeyless Universal Identity

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-auth-method-universal-identity \
--name <Auth method name> \
--new-name <Auth method new name> \
--deny-rotate <Deny the token from rotating> \
--deny-inheritance <Deny the root token from creating children>

Parameters

Parameter    Description
--new-name    Auth Method new name
-n, --name    (Mandatory) Auth Method name
--access-expires[=0]    Access expiration date as a Unix timestamp (0 for access without an expiry date)
--bound-ips    A comma-separated CIDR block list to allow client access
--gw-bound-ips    A comma-separated CIDR block list as a trusted Gateway entity
--force-sub-claims    Enforce that role associations must include sub claims
--jwt-ttl[=0]    Credentials expiration time in minutes. If not set, the account default is used (see get-account-settings)
--deny-rotate    Deny the token from rotating
--deny-inheritance    Deny the root token from creating children
--ttl[=60]    Token TTL (in minutes)
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication
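Every update-auth-method-* command above accepts the same restriction flags, --bound-ips, --gw-bound-ips and --access-expires, and a malformed value (a /33 prefix, an octet above 255, a timestamp that is already in the past) is easy to miss in a long command line. The POSIX sh functions below are an added example, not Akeyless code: they validate those values, plus the 12-digit AWS account ID that update-auth-method-aws-iam binds to, and print the assembled command for review before anything is sent. IPv4-only CIDR checking and the rejection of past timestamps are choices of this example; the CLI itself does not document either rule, and the names in the usage call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Akeyless code): validate the restriction flags shared by the
# update-auth-method-* commands before calling the CLI, so a typo does not leave
# an auth method less restricted than intended.

# Validate one IPv4 CIDR block such as 10.20.0.0/16. IPv4 only: an assumption of
# this example; the CLI does not document which address families it accepts.
valid_cidr() {
  block=$1
  printf '%s' "$block" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  prefix=${block#*/}
  [ "$prefix" -le 32 ] || return 1
  cidr_ifs=$IFS; IFS=.
  for octet in ${block%/*}; do
    [ "$octet" -le 255 ] || { IFS=$cidr_ifs; return 1; }
  done
  IFS=$cidr_ifs
  return 0
}

# Validate a comma-separated CIDR list as passed to --bound-ips or --gw-bound-ips.
# An empty list, an empty element or any malformed block fails the whole list.
valid_cidr_list() {
  list=$1
  case "$list" in ''|,*|*,|*,,*) return 1 ;; esac
  list_ifs=$IFS; IFS=,
  for block in $list; do
    valid_cidr "$block" || { IFS=$list_ifs; return 1; }
  done
  IFS=$list_ifs
  return 0
}

# Validate --access-expires: 0 (no expiry) or a Unix timestamp in the future.
# Ten digits at most keeps the comparison inside 32-bit range on older shells.
valid_access_expires() {
  ts=$1
  printf '%s' "$ts" | grep -Eq '^[0-9]{1,10}$' || return 1
  [ "$ts" -eq 0 ] && return 0
  [ "$ts" -gt "$(date +%s)" ]
}

# AWS account IDs are exactly 12 digits; this catches a pasted ARN or a truncated ID.
valid_aws_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Assemble the update command and print it (dry run) so it can be reviewed;
# pipe the printed line to sh to apply it.
aws_iam_update_cmd() {
  name=$1 account_id=$2 bound_ips=$3 expires=$4
  valid_aws_account_id "$account_id" || { echo "bad --bound-aws-account-id: $account_id" >&2; return 1; }
  valid_cidr_list "$bound_ips" || { echo "bad --bound-ips: $bound_ips" >&2; return 1; }
  valid_access_expires "$expires" || { echo "bad --access-expires: $expires" >&2; return 1; }
  printf 'akeyless update-auth-method-aws-iam --name %s --bound-aws-account-id %s --bound-ips %s --access-expires %s\n' \
    "$name" "$account_id" "$bound_ips" "$expires"
}

# Usage with constructed placeholder values: prints the command, sends nothing.
aws_iam_update_cmd my-aws-auth 123456789012 '10.0.0.0/8,192.168.1.0/24' 0
```

The same validators apply unchanged to the other update-auth-method-* commands; only the command-specific flags in the final printf differ.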

gateway-get-ldap-auth-config

Gets the LDAP Auth config

Parameters

Parameter    Description
-u, --gateway-url[=http://localhost:8000]    API Gateway URL (Configuration Management port)
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

Akeyless Universal Identity

uid-list-children

List the child token IDs of an Akeyless Universal Identity token

Usage
akeyless uid-list-children --auth-method-name <UID Auth Method Name>

Parameters

Parameter    Description
-n, --auth-method-name    The universal identity auth method name; required only when uid-token is not provided
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

uid-revoke-token

Revoke token using Akeyless Universal Identity

Please note: mandatory values for this command: --revoke-type, --revoke-token

Usage
akeyless uid-revoke-token \
--revoke-type <revokeSelf/revokeAll> \
--revoke-token <UID Token ID> \
--auth-method-name <The universal identity auth method name>

Parameters

Parameter    Description
--revoke-type    (Mandatory) revokeSelf/revokeAll (delete only this token, or this token and its children)
--revoke-token    (Mandatory) The universal identity token or token ID to revoke
-n, --auth-method-name    The universal identity auth method name
--profile, --token    Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token    The universal identity token; required only for universal_identity authentication

uid-generate-token

Generate a new token using Akeyless Universal Identity

Please note: mandatory values for this command: --auth-method-name

Usage
akeyless uid-generate-token --auth-method-name <UID Auth Name>

Parameters

Parameter    Description
--auth-method-name    (Mandatory) The universal identity authentication method name
--profile, --token    Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token    The universal identity token; required only for universal_identity authentication

uid-rotate-token

Rotate Akeyless Universal Identity token

Parameters
Parameter    Description
-t, --token, --uid-token    The Universal Identity token to rotate
--fork    Create a new child token with default parameters
--send-manual-ack-token    The new rotated token to send a manual ack for (with --uid-token set to the original token)
--with-manual-ack    Disable automatic ack
-o, --output-file    Path to the output file
-i, --input-file    Path to the input file

uid-create-child-token

Create a new child token using Akeyless Universal Identity

Parameters
Parameter    Description
--child-deny-rotate    Deny the new child token from rotating
--child-deny-inheritance    Deny the new child token from creating its own children
--child-ttl    New child token TTL
--description    New token description
-n, --auth-method-name    The universal identity auth method name; required only when uid-token is not provided
--tid, --uid-token-id    The ID of the uid-token; required only when uid-token is not provided
--profile, --token    Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token    The universal identity token; required only for universal_identity authentication