CLI Reference - Authentication

Authentication

auth

Authenticates to the service and returns a token to be used as a profile to execute the CLI without the need for re-authentication.

Usage
akeyless auth --<Auth Method>
Parameters

Parameter

Description

--access-id

Akeyless Access ID.

--access-type[=access_key]

Access Type (access_key/password/saml/ldap/azure_ad/aws_iam/universal_identity/jwt/gcp).

--access-key

Access key (relevant only for access-type=access_key).

--cloud-id

The cloud identity (relevant only for access-type=azure_ad,aws_iam,gcp).

--uid_token

The universal_identity token (relevant only for access-type=universal_identity).

--jwt

The JSON Web Token (relevant only for access-type=jwt/oidc).

--admin-password

Password (relevant only for access-type=password).

--admin-email

Email (relevant only for access-type=password).

--oidc-sp

OIDC Service Provider (relevant only for access-type=oidc). Supported SPs: Google, GitHub.

--ldap_proxy_url

Address URL for LDAP proxy (relevant only for access-type=ldap).

--username

LDAP username (relevant only for access-type=ldap).

--password

LDAP password (relevant only for access-type=ldap).

--gcp-audience[=akeyless.io]

GCP audience to use in signed JWT (relevant only for access-type=gcp).

--gateway-url

Gateway URL for the K8s authentication (relevant only for access-type=k8s).

--k8s-auth-config-name

The K8s Auth config name (relevant only for access-type=k8s).

--k8s-service-account-token

The K8S service account token.

--cert-file-name

Name of the cert file to use (relevant only for access-type=cert).

--cert-data

Certificate data encoded in base64. Used if the certificate file was not provided (relevant only for access-type=cert).

--key-file-name

Name of the private key file to use (relevant only for access-type=cert).

--key-data

Private key data encoded in base64. Used if the key file was not provided (relevant only for access-type=cert).

--debug

Set to true for a printout of the authorization JWTs.

create-auth-method

Creates a new Authentication Method object in the Account.

Usage
akeyless create-auth-method -n <Auth Method>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

The name of the created Authentication Method object

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.
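The --bound-ips and --gw-bound-ips parameters above carry two separate decisions: which source address a request is attributed to (the peer's own address, or a client address forwarded by a Gateway that is itself listed in --gw-bound-ips), and whether that attributed address falls inside --bound-ips. The following Python model is an added example written for this page, not Akeyless code; it implements those two rules as the parameter descriptions state them, and the policy and request records at the bottom are constructed sample data using documentation address ranges.

```python
"""Illustrative model (added example, not Akeyless code) of how --bound-ips and
--gw-bound-ips restrict an authentication method. The decision rules follow the
parameter descriptions above; the requests at the bottom are constructed data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_cidrs(flag_value: str) -> list:
    """Parse the comma-separated CIDR list the CLI flag takes, e.g.
    "1.1.1.1/24,2.2.2.2/32". strict=False accepts host bits set in the
    prefix, which the page's own example ("1.1.1.1/24") relies on."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in flag_value.split(",") if c.strip()]


def ip_in_any(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class IpPolicy:
    bound_ips: list      # --bound-ips: where the client may call from (empty = any)
    gw_bound_ips: list   # --gw-bound-ips: gateways trusted to forward client IPs


@dataclass
class Request:
    peer_ip: str                  # source address the service actually sees
    forwarded_ip: Optional[str]   # original client IP claimed by a gateway


def effective_client_ip(policy: IpPolicy, req: Request) -> str:
    """Believe the forwarded client IP only when the peer is a gateway listed
    in --gw-bound-ips; otherwise the gateway's own IP is what gets logged."""
    if req.forwarded_ip and ip_in_any(req.peer_ip, policy.gw_bound_ips):
        return req.forwarded_ip
    return req.peer_ip


def evaluate(policy: IpPolicy, req: Request) -> dict:
    """Apply --bound-ips to the IP that will be logged for this request."""
    client_ip = effective_client_ip(policy, req)
    allowed = not policy.bound_ips or ip_in_any(client_ip, policy.bound_ips)
    return {"logged_ip": client_ip, "allowed": allowed}


# Constructed policy: clients must come from 10.0.0.0/8; one trusted gateway.
POLICY = IpPolicy(parse_cidrs("10.0.0.0/8"), parse_cidrs("192.0.2.10/32"))

# Constructed requests (documentation addresses, not real hosts).
SAMPLE_REQUESTS = {
    "direct_internal":   Request("10.9.9.9", None),
    "via_trusted_gw":    Request("192.0.2.10", "10.1.2.3"),
    "via_untrusted_gw":  Request("203.0.113.9", "10.1.2.3"),
    "trusted_gw_extern": Request("192.0.2.10", "198.51.100.7"),
}


def run_samples() -> dict:
    return {name: evaluate(POLICY, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:20} -> {result}")
```

The "via_untrusted_gw" case is the one worth noticing: a forwarded client address coming from a peer that is not in --gw-bound-ips is ignored, so the request is judged and logged on the untrusted peer's own address rather than on whatever it claims.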

create-auth-method-azure-ad

Creates a new Authentication Method object that will allow the user to authenticate using Azure Active Directory credentials.

Usage
akeyless create-auth-method-azure-ad -n <Auth Name> --bound-tenant-id <AZ tenant id>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication Method name.

-b, --bound-tenant-id

**Y**

The Azure tenant id that the access is restricted to.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--issuer[=https://sts.windows.net/---bound_tenant_id---]

Issuer URL.

--jwks-uri[=https://login.microsoftonline.com/common/discovery/keys]

The URL to the JSON Web Key Set (JWKS) that contains the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.

--audience[=https://management.azure.com/]

The audience in the JWT.

--bound-spid

A list of service principal IDs that the access is restricted to.

--bound-group-id

A list of group ids that the access is restricted to.

--bound-sub-id

A list of subscription ids that the access is restricted to.

--bound-rg-id

A list of resource groups that the access is restricted to.

--bound-providers

A list of resource providers that the access is restricted to (e.g., Microsoft.Compute, Microsoft.ManagedIdentity, etc.).

--bound-resource-types

A list of resource types that the access is restricted to (e.g., virtualMachines, userAssignedIdentities, etc.).

--bound-resource-names

A list of resource names that the access is restricted to (e.g., a virtual machine name, a scale set name, etc.).

--bound-resource-id

A list of full resource ids that the access is restricted to.

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-aws-iam

Creates a new Authentication Method object that will allow the user to authenticate using AWS IAM credentials.

Usage
akeyless create-auth-method-aws-iam -n <Auth Name> --bound-aws-account-id <account Id>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

--bound-aws-account-id

**Y**

A list of AWS Account IDs that the access is restricted to.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--sts-url[=https://sts.amazonaws.com]

STS URL.

--bound-arn

A list of full ARNs that the access is restricted to.

--bound-role-name

A list of full role names that the access is restricted to.

--bound-role-id

A list of full role ids that the access is restricted to.

--bound-resource-id

A list of full resource ids that the access is restricted to.

--bound-user-name

A list of full user names that the access is restricted to.

--bound-user-id

A list of full user ids that the access is restricted to.

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-oauth2

Creates a new Auth Method that will allow the user to authenticate using OpenId/OAuth2.

Usage
akeyless create-auth-method-oauth2 -n <Auth Name> --jwks-uri <URL to JWKS> -u <unique ID>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication Method name.

--jwks-uri

**Y**

The URL to the JSON Web Key Set (JWKS) that contains the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.

-u, --unique-identifier

**Y**

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--bound-clients-ids

The clients' ids that the access is restricted to.

--issuer

Issuer URL.

--audience

The audience in the JWT.

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.
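The JWT-based methods (create-auth-method-azure-ad and create-auth-method-oauth2 above, and the OIDC and GCP methods below) all bind the same things: a signature that checks out against the keys named by --jwks-uri, an issuer and audience that equal --issuer and --audience, and claim values that fall inside the --bound-* lists, with the --unique-identifier claim supplying the sub-claim that role association keys on. The following Python is an added example, not Akeyless code, that carries those checks through on a constructed token. HS256 with a constructed shared secret stands in for the RSA keys a real JWKS endpoint publishes, so it runs offline; the tenant id is a placeholder, the issuer follows the --issuer default pattern shown for the Azure AD method, and every claim value is constructed.

```python
"""Added example, not Akeyless code: the checks an OAuth2/JWT, OIDC or Azure
AD auth method has to make before trusting a token, modelled on the --issuer,
--audience, --jwks-uri, --bound-* and --unique-identifier parameters above.
HS256 with a constructed shared secret stands in for the RSA keys a real
JWKS endpoint publishes, so the example runs offline; the tenant id is a
placeholder and the claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """The identity provider's side: produce a signed token for the sample."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


@dataclass
class JwtAuthPolicy:
    issuer: str                  # --issuer
    audience: str                # --audience
    unique_identifier: str       # -u / --unique-identifier: claim naming the user
    bound_claims: Dict[str, List[str]] = field(default_factory=dict)  # --bound-*


def verify_bound_jwt(token: str, secret: bytes, policy: JwtAuthPolicy,
                     now: float = None) -> Tuple[bool, str, dict]:
    """Return (accepted, reason, sub_claims); each rejection names its check."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        return False, "malformed token", {}
    # Pin the algorithm to the one the key material is for; the header is
    # untrusted input and must not select the verification method.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", {}
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature", {}
    if claims.get("iss") != policy.issuer:
        return False, "issuer mismatch", {}
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch", {}
    if claims.get("exp", 0) <= now:
        return False, "expired", {}
    for claim, allowed in policy.bound_claims.items():
        if claims.get(claim) not in allowed:
            return False, f"bound claim {claim} not allowed", {}
    uid = claims.get(policy.unique_identifier)
    if not uid:
        return False, "unique identifier claim missing", {}
    # These are the sub-claims that role association (--force-sub-claims) keys on.
    return True, "ok", {policy.unique_identifier: uid}


SECRET = b"constructed-demo-secret"                 # stand-in for the IdP key
TENANT = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id
POLICY = JwtAuthPolicy(
    issuer=f"https://sts.windows.net/{TENANT}",     # --issuer default pattern
    audience="https://management.azure.com/",       # --audience default
    unique_identifier="email",
    bound_claims={"tid": [TENANT]},                 # --bound-tenant-id
)


def sample_results(now: float = 1_700_000_000) -> dict:
    good = {"iss": POLICY.issuer, "aud": POLICY.audience, "exp": now + 300,
            "tid": TENANT, "email": "alice@example.com"}
    cases = {
        "good": (good, SECRET, "HS256"),
        "wrong_tenant": (dict(good, tid="11111111-1111-1111-1111-111111111111"), SECRET, "HS256"),
        "no_uid": ({k: v for k, v in good.items() if k != "email"}, SECRET, "HS256"),
        "forged": (good, b"not-the-idp-key", "HS256"),
        "alg_none": (good, SECRET, "none"),
    }
    return {name: verify_bound_jwt(mint_token(c, k, alg), SECRET, POLICY, now)
            for name, (c, k, alg) in cases.items()}
```

Two details carry over directly to the real configuration: the algorithm is fixed by the verifier, never read from the token, and the "no_uid" case shows why the -u/--unique-identifier claim has to be one the provider actually emits for every user, since a token without it yields no sub-claim to associate a role with.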

create-auth-method-k8s

Creates a new Authentication Method object that will allow the user to authenticate using Kubernetes.

Usage
akeyless create-auth-method-k8s -n <Auth Name> --public-key-file-path <Path\To\Public\Key>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

--public-key-file-path

**Y**

A path to the public key for the Kubernetes authentication method (RSA2048).

--public-key

**Y**

Base64-encoded public key content.

--gen-key[=true]

**Y**

If this flag is set to true, there is no need to manually provide a public key for the Kubernetes authentication method. Instead, a public/private key pair will be generated as part of the command, and the private part of the key will be returned (the private key is required for the K8S Authentication Config in the Akeyless Gateway).

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

Sub-claims must be used for role association.

--audience

The audience in the Kubernetes JWT that the access is restricted to.

--bound-sa-names

A list of service account names that the access is restricted to.

--bound-pod-names

A list of pod names that the access is restricted to.

--bound-namespaces

A list of namespaces that the access is restricted to.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

gateway-create-k8s-auth-config

Creates a K8s authentication config.

Usage
akeyless gateway-create-k8s-auth-config --name k8s-conf \
--gateway-url <https://Your-GW-URL>:8000 \
--access-id $ACCESS_ID \
--signing-key $PRV_KEY \
--k8s-host=<https://Your-K8s-Cluster-IP:8443> \
--token-reviewer-jwt $SA_JWT_TOKEN \
--k8s-ca-cert $CA_CERT \
--k8s-issuer $K8S_ISSUER

akeyless gateway-create-k8s-auth-config --name k8s-conf-rancher \
--gateway-url <https://Your-GW-URL>:8000 \
--access-id $ACCESS_ID \
--signing-key $PRV_KEY \
--cluster-api-type rancher \
--k8s-host=<https://Rancher Host>:443 \
--k8s-ca-cert $CA_CERT \
--k8s-issuer $K8S_ISSUER \
--rancher-api-key <API_KEY> \
--rancher-cluster-id <CLUSTER_ID>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

K8S Auth config name.

--access-id

**Y**

The Access ID of the Kubernetes authentication method.

--signing-key

The private key (in base64-encoded PEM format) associated with the public key defined in the Kubernetes auth.

--token-exp[=300]

Expiration time (in seconds) of the Akeyless Kube Auth Method token.

--cluster-api-type[=native_k8s]

Cluster access type. Available options: native_k8s, rancher.

--k8s-host

The URL of the Kubernetes API server.

--k8s-ca-cert

Base-64 encoded certificate used to call into the Kubernetes API.

--token-reviewer-jwt

A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs (relevant for "native_k8s" only).

--rancher-api-key

The API Key used to access the TokenReview API to validate other JWTs (relevant for "rancher" only).

--rancher-cluster-id

The cluster ID as defined in Rancher (relevant for "rancher" only).

--k8s-issuer[=kubernetes/serviceaccount]

The Kubernetes JWT issuer name. If not set, kubernetes/serviceaccount will be used as an issuer.

--config-encryption-key-name

A key to encrypt K8S Auth config.

-u, --gateway-url[=http://localhost:8000]

Akeyless Gateway URL (with the Configuration Management port).

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

create-auth-method-ldap

Creates a new Authentication Method object that will allow the user to authenticate using LDAP.

Usage
akeyless create-auth-method-ldap -n <Auth Name> --public-key-file-path <Path\To\Public\Key>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

-u, --unique-identifier

**Y**

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as the email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

--public-key-file-path

**Y**

A path to the public key for the LDAP authentication method (RSA2048).

--public-key-data

Base64-encoded public key content.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

Sub-claims must be used for role association.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-saml

Creates a new Authentication Method object that will allow the user to authenticate using SAML.

Usage
akeyless create-auth-method-saml -n <Auth Name> -u <Unique ID>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

-u, --unique-identifier

**Y**

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as an email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

Sub-claims must be used for role association.

--allowed-redirect-uri

Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-oidc to enable SAML via Akeyless Console and http://127.0.0.1:* to enable SAML via Akeyless CLI).

--idp-metadata-url

IDP metadata URL.

--idp-metadata-xml-file-path

A path to the IDP metadata XML file.

--idp-metadata-xml-data

A base64-encoded content of the IDP metadata XML file.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-oidc

Creates a new Authentication Method object that will allow the user to authenticate using OIDC.

Usage
akeyless create-auth-method-oidc -n <Auth Name> -u <Unique ID> --issuer <Issuer URL> --client-id <Client ID> --client-secret <Client Secret>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

-u, --unique-identifier

**Y**

A unique identifier (ID) value should be configured for OAuth2, LDAP, and SAML authentication method types and is usually a value such as an email, username, or UPN. Whenever a user logs in with a token, these authentication types issue a "sub claim" that contains details uniquely identifying that user. This sub claim includes a key containing the ID value that you configured and is used to distinguish between different users from within the same organization.

--issuer

**Y**

Issuer URL

--client-id

**Y**

Client ID

--client-secret

**Y**

Client secret

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

Role association must include sub-claims.

--require-scopes

Required scopes that the OIDC authentication method will request from the OIDC provider and the user must approve.

--required-scopes-prefix

A prefix to add to all required scopes when requesting them from the OIDC server (for example, Azure's Application ID URI).

--allowed-redirect-uri

Allowed redirect URIs after the authentication (default is https://console.akeyless.io/login-oidc to enable OIDC via Akeyless Console and http://127.0.0.1:* to enable OIDC via Akeyless CLI).

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-universal-identity

Creates a new Authentication Method object that will allow the user to authenticate using Akeyless Universal Identity.

Usage
akeyless create-auth-method-universal-identity -n <Auth Name>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

--ttl

**Y**

Token TTL.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--deny-rotate

Deny the token from rotating.

--deny-inheritance

Deny the root token from creating child tokens.

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-gcp

Creates a new Authentication Method object that will allow the user to authenticate using GCP IAM Service Account credentials or GCE instance credentials.

Usage
akeyless create-auth-method-gcp -n <Auth Name> -t <type of GCP iam/gce> --audience <audience to verify in the JWT>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

-t, --type

**Y**

The type of the GCP Auth Method (iam/gce).

-a, --audience[=akeyless.io]

**Y**

The audience to verify in the JWT received by the client.

--access-expires[=0]

Access expiration date in Unix timestamp (select 0 for access without expiry date).

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--service-account-creds-file

Service Account creds key file path.

--service-account-creds-data

Service Account creds data, base64 encoded.

--bound-projects

A list of GCP project IDs. Clients must belong to one of the provided projects in order to authenticate. For multiple values, repeat this flag.

--bound-service-accounts

IAM only. A list of Service Accounts. Clients must belong to one of the provided service accounts in order to authenticate. For multiple values, repeat this flag.

--bound-zones

GCE only. A list of zones. GCE instances must belong to one of the provided zones in order to authenticate. For multiple values, repeat this flag.

--bound-regions

GCE only. A list of regions. GCE instances must belong to one of the provided regions in order to authenticate. For multiple values, repeat this flag.

--bound-labels

GCE only. A list of GCP labels, formatted as "key:value" pairs, that must be set on instances in order to authenticate. For multiple values, repeat this flag.

--force-sub-claims

Role association must include sub-claims.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

create-auth-method-cert

Creates a new Authentication Method object that will allow the user to authenticate using PKI certificates.

Usage
akeyless create-auth-method-cert -n AuthMethodName -u UniqueIdentifierValue --certificate-file-name /Path/To/File/signing_certificate.pem
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Authentication method name.

-u, --unique-identifier

**Y**

A "unique identifier" parameter plays the same role as a "sub-claim" in OIDC, OAuth2, LDAP, and SAML authentication method types. It contains details that allow the system to uniquely identify the user (e.g. to distinguish between different users from within the same organization).

--access-expires[=0]

Access expiration date (in the Unix timestamp format). Specify 0 for access without expiration date.

--bound-ips

A comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc.
Example: --bound-ips "1.1.1.1/24,2.2.2.2/32"

--gw-bound-ips

A comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the IP of the Gateway will be used in the logs.
Example: --gw-bound-ips "1.1.1.1/24,2.2.2.2/32"

--force-sub-claims

When associating an Access Role with this authentication method, sub-claims must be considered.

--jwt-ttl[=0]

Credentials expiration time in minutes. If the value is not set, default account settings are used. (To check for the default account settings, run the get-account-settings command in the CLI.)

--certificate-data

The CA certificate data in Base64 format (if no file was provided).

--certificate-file-name

The path to the file containing the CA certificate.

--bound-common-names

A list of server names from the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-dns-sans

A list of DNS names from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-email-sans

A list of Email Addresses from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-uri-sans

A list of URIs from the SAN section of the certificate. This list needs to be considered during authentication. Supports globbing (i.e. limited wildcard capability).

--bound-organizational-units

A list of Organizational Units names from the certificate. This list needs to be considered during authentication.

--bound-extensions

A list of extensions formatted as "oid:value". Expects the extension value to be some type of an ASN1-encoded string. All values must match. Supports globbing (i.e. limited wildcard capability) on "value".

--revoked-cert-ids

A list of revoked certificates' IDs.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The Universal Identity token. You need to be authenticated and authorized to create a new authentication method, so, when working with SDKs, authentication is usually performed using Universal Identity tokens.

--json[=false]

Sets output format to JSON. It is used when working with SDKs.
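The certificate method's --bound-* parameters above differ in two ways that are easy to get wrong: most of them are satisfied when any one certificate value matches any one entry (with globbing where the description says so), whereas --bound-extensions requires every listed "oid:value" entry to match, and the glob applies only to the value part. The following Python is an added example, not Akeyless code, that applies those rules to constructed, already-parsed certificate records; in practice the fields come out of the X.509 parser after chain validation against the CA supplied with --certificate-file-name. Globbing uses Python's fnmatch, the OID 1.2.3.4 is a placeholder, and all serials, names and values are constructed.

```python
"""Added example, not Akeyless code: how the --bound-* restrictions of a
certificate auth method map onto checks against a presented client
certificate. The certificate records here are constructed, already-parsed
fields (subject CN, SANs, OUs, extensions, serial); in practice they come from
the X.509 parser after chain validation against the CA supplied with
--certificate-file-name. Globbing uses fnmatch. The OID 1.2.3.4 is a placeholder."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass
class ParsedCert:
    common_name: str
    serial: str
    dns_sans: List[str] = field(default_factory=list)
    email_sans: List[str] = field(default_factory=list)
    uri_sans: List[str] = field(default_factory=list)
    organizational_units: List[str] = field(default_factory=list)
    extensions: Dict[str, str] = field(default_factory=dict)  # oid -> decoded string


@dataclass
class CertAuthPolicy:
    bound_common_names: List[str] = field(default_factory=list)
    bound_dns_sans: List[str] = field(default_factory=list)
    bound_email_sans: List[str] = field(default_factory=list)
    bound_uri_sans: List[str] = field(default_factory=list)
    bound_organizational_units: List[str] = field(default_factory=list)
    bound_extensions: List[str] = field(default_factory=list)   # "oid:value"
    revoked_cert_ids: List[str] = field(default_factory=list)


def _matches_any(values, patterns, glob: bool) -> bool:
    """An empty bound list imposes no restriction; otherwise some certificate
    value must match some entry (glob where the parameter supports it)."""
    if not patterns:
        return True
    if glob:
        return any(fnmatchcase(v, p) for v in values for p in patterns)
    return any(v in patterns for v in values)


def check_cert(cert: ParsedCert, policy: CertAuthPolicy) -> Tuple[bool, str]:
    if cert.serial in policy.revoked_cert_ids:
        return False, "certificate revoked"
    checks = [
        ("common name", [cert.common_name], policy.bound_common_names, True),
        ("dns san", cert.dns_sans, policy.bound_dns_sans, True),
        ("email san", cert.email_sans, policy.bound_email_sans, True),
        ("uri san", cert.uri_sans, policy.bound_uri_sans, True),
        ("ou", cert.organizational_units, policy.bound_organizational_units, False),
    ]
    for name, values, patterns, glob in checks:
        if not _matches_any(values, patterns, glob):
            return False, f"{name} not bound"
    # --bound-extensions: every "oid:value" entry must match, glob on the value.
    # Split on the first colon only, since the value itself may contain colons.
    for entry in policy.bound_extensions:
        oid, _, pattern = entry.partition(":")
        if not fnmatchcase(cert.extensions.get(oid, ""), pattern):
            return False, f"extension {oid} mismatch"
    return True, "ok"


# Constructed policy: CI runners in the ci.example.com zone, OU "CI",
# and a custom extension whose value starts with "team:".
POLICY = CertAuthPolicy(
    bound_common_names=["*.ci.example.com"],
    bound_organizational_units=["CI"],
    bound_extensions=["1.2.3.4:team:*"],
    revoked_cert_ids=["0A1B"],
)

SAMPLE_CERTS = {
    "runner": ParsedCert("runner-01.ci.example.com", "0C0D", dns_sans=["runner-01.ci.example.com"],
                         organizational_units=["CI"], extensions={"1.2.3.4": "team:platform"}),
    "wrong_ou": ParsedCert("runner-02.ci.example.com", "0C0E",
                           organizational_units=["Dev"], extensions={"1.2.3.4": "team:platform"}),
    "wrong_ext": ParsedCert("runner-03.ci.example.com", "0C0F",
                            organizational_units=["CI"], extensions={"1.2.3.4": "env:prod"}),
    "revoked": ParsedCert("runner-04.ci.example.com", "0A1B",
                          organizational_units=["CI"], extensions={"1.2.3.4": "team:platform"}),
}


def run_samples() -> dict:
    return {name: check_cert(c, POLICY) for name, c in SAMPLE_CERTS.items()}
```

The revocation check runs before any binding check, because a revoked certificate that still matches every bound pattern is exactly the case --revoked-cert-ids exists for; and the "*.ci.example.com" glob matches the whole host label, so a pattern this broad relies on the issuing CA only signing names in that zone.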

get-cloud-identity

Gets a Cloud Identity token (relevant only for access-type=azure_ad,aws_iam,gcp).

Parameters

Parameter

Mandatory

Description

--azure_ad_object_id

Azure Active Directory ObjectId (relevant only for access-type=azure_ad).

--gcp-audience[=akeyless.io]

GCP audience to use in signed JWT (relevant only for access-type=gcp).

--url_safe

Escapes the token so it can be safely placed inside a URL query.

delete-item

Use delete-item to delete any secret, key, certificate or role.

Usage
akeyless delete-item -n <Path\to\item>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

Item name.

--version[=-1]

The specific version you want to delete - 0=last version, -1=entire item with all versions (default).

--delete-in-days[=7]

The number of days to wait before deleting the item (relevant for keys only).

--delete-immediately[=false]

Must be set when delete-in-days=-1.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

get-auth-method

Returns information about the Authentication Method object.

Usage
akeyless get-auth-method -n <Auth method name>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

The name of the Authentication Method object about which you want to get the information.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

gateway-get-k8s-auth-config

Returns information about the K8s Auth config.

Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

K8S Auth config name

-u, --gateway-url[=http://localhost:8000]

API Gateway URL (Configuration Management port)

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

list-auth-methods

Returns a list of all the Authentication Method objects in the Account.

Usage
akeyless list-auth-methods
Parameters

Parameter

Mandatory

Description

--pagination-token

Next page reference.

-t, --type

Return only authentication methods of the specified type. If empty, all authentication methods are returned. Possible values: [api_key, azure_ad, oauth2/jwt, saml2, ldap, aws_iam, oidc, universal_identity, gcp, k8s, cert]

--filter

Filter by the authentication method name or a part of it.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

delete-auth-method

Delete the Authentication Method object.

Usage
akeyless delete-auth-method -n <Auth Method Name>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

The name of the Authentication Method object you want to delete.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

delete-auth-methods

Delete multiple auth methods from a given path.

Usage
akeyless delete-auth-methods -p <Path to auth methods>
Parameters

Parameter

Mandatory

Description

-p, --path

**Y**

Path to delete the auth methods from.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

gateway-delete-k8s-auth-config

Deletes the K8s Auth config.

Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

K8S Auth config name

-u, --gateway-url[=http://localhost:8000]

API Gateway URL (Configuration Management port)

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

gateway-update-k8s-auth-config

Updates the K8s Auth config.

Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

K8S Auth config name

--access-id

**Y**

The Access ID of the Kubernetes authentication method.

--signing-key

The private key (in base64-encoded PEM format) associated with the public key defined in the Kubernetes auth.

--token-exp[=300]

Expiration time (in seconds) of the Akeyless Kube Auth Method token.

--cluster-api-type[=native_k8s]

Cluster access type. Available options: native_k8s, rancher.

--k8s-host

The URL of the Kubernetes API server.

--k8s-ca-cert

Base-64 encoded certificate used to call into the Kubernetes API.

--token-reviewer-jwt

A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs (relevant for "native_k8s" only).

--rancher-api-key

The API Key used to access the TokenReview API to validate other JWTs (relevant for "rancher" only).

--rancher-cluster-id

The cluster ID as defined in Rancher (relevant for "rancher" only).

--k8s-issuer[=kubernetes/serviceaccount]

The Kubernetes JWT issuer name. If not set, kubernetes/serviceaccount will be used as an issuer.

--config-encryption-key-name

A key to encrypt K8S Auth config.

-u, --gateway-url[=http://localhost:8000]

Akeyless Gateway URL (with the Configuration Management port).

--new-name

**Y**

K8S Auth config new name.

--profile, --token

Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

reverse-rbac

Shows which authentication method has access to a particular object.

Usage
akeyless reverse-rbac -p <path to an object>  -t <object type>
Parameters

Parameter

Mandatory

Description

-p, --path

**Y**

Path to an object.

-t, --type

**Y**

Type of object (item, am=auth method, role, target).

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

Akeyless Universal Identity

uid-list-children

Lists the child token IDs of an Akeyless Universal Identity token.

Usage
akeyless uid-list-children -n <UID Auth Method Name>
Parameters

Parameter

Mandatory

Description

-n, --name

**Y**

The universal identity authentication method name, required only when the uid-token is not provided.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

uid-revoke-token

Revokes a token using Akeyless Universal Identity.

Usage
akeyless uid-revoke-token --revoke-type revokeAll --revoke-token <UID Token ID>
Parameters

Parameter

Mandatory

Description

--revoke-type

**Y**

revokeSelf (revoke only this token) or revokeAll (revoke this token and its children).

--revoke-token

**Y**

The universal identity token/token-id to revoke.

-n, --auth-method-name

The universal identity auth method name.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

uid-generate-token

Generates a new token using Akeyless Universal Identity.

Usage
akeyless uid-generate-token -n <UID Auth Name>
Parameters

Parameter

Mandatory

Description

--auth-method-name

**Y**

The universal identity authentication method name.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.

uid-rotate-token

Rotates a token using Akeyless Universal Identity (aliases: rotate-token, uid-send-manual-rotate-ack).

Parameters

Parameter

Mandatory

Description

-t, --token, --uid-token

The universal identity token to rotate.

--fork

Create a new child token with default parameters.

--send-manual-ack-token

The new rotated token to send manual acknowledgment for (with uid-token=the-orig-token).

--with-manual-ack

Disable automatic acknowledgment.

-o, --output-file / -i, --input-file

Path to the output/input file.

uid-create-child-token

Creates a new child token using Akeyless Universal Identity.

Parameters

Parameter

Mandatory

Description

--child-deny-rotate

Deny the new child token from rotating.

--child-deny-inheritance

Deny the new child token from creating its own children.

--child-ttl

New child token TTL.

--comment

New Token comment.

--uid-token

The universal identity token. It is required only for universal_identity authentication.

-n, --auth-method-name

The universal identity auth method name, required only when uid-token is not provided.

--tid, --uid-token-id

The ID of the uid-token, required only when uid-token is not provided.

--profile or --token

Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token.
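The Universal Identity commands in this section (uid-generate-token, uid-create-child-token, uid-rotate-token, uid-list-children, uid-revoke-token) together with the --deny-rotate, --deny-inheritance, --child-deny-rotate and --child-deny-inheritance flags describe a tree of tokens with per-node rotation and delegation rights. The following Python is an added example, not Akeyless code: a small in-memory model of exactly those rules as the page states them, with a scenario that hands a CI runner a child token, gives that runner a locked-down leaf, and then revokes the runner's whole subtree with revokeAll. Token ids and TTLs are constructed values; the real tokens are opaque secrets.

```python
"""Added example, not Akeyless code: a small model of the Universal Identity
token rules described on this page (TTL, deny-rotate, deny-inheritance, child
tokens, revokeSelf vs. revokeAll). Token ids are constructed values."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UidToken:
    token_id: str
    ttl: int                         # --ttl / --child-ttl (seconds)
    deny_rotate: bool = False        # --deny-rotate / --child-deny-rotate
    deny_inheritance: bool = False   # --deny-inheritance / --child-deny-inheritance
    parent: Optional[str] = None
    comment: str = ""
    revoked: bool = False
    generation: int = 0              # incremented by each rotation


class UidTokenStore:
    def __init__(self) -> None:
        self.tokens: Dict[str, UidToken] = {}
        self._ids = itertools.count(1)

    def _live(self, token_id: str) -> UidToken:
        tok = self.tokens[token_id]
        if tok.revoked:
            raise PermissionError("token revoked")
        return tok

    def generate(self, ttl: int, deny_rotate=False, deny_inheritance=False) -> UidToken:
        """uid-generate-token: a root token carrying the auth method's settings."""
        tok = UidToken(f"t-{next(self._ids):03d}", ttl, deny_rotate, deny_inheritance)
        self.tokens[tok.token_id] = tok
        return tok

    def create_child(self, parent_id: str, child_ttl: int, child_deny_rotate=False,
                     child_deny_inheritance=False, comment="") -> UidToken:
        """uid-create-child-token: refused when the parent was created with
        deny-inheritance (or has been revoked)."""
        parent = self._live(parent_id)
        if parent.deny_inheritance:
            raise PermissionError("parent may not create children")
        child = UidToken(f"t-{next(self._ids):03d}", child_ttl, child_deny_rotate,
                         child_deny_inheritance, parent=parent_id, comment=comment)
        self.tokens[child.token_id] = child
        return child

    def rotate(self, token_id: str) -> UidToken:
        """uid-rotate-token: a new generation (a new secret in practice);
        refused under deny-rotate."""
        tok = self._live(token_id)
        if tok.deny_rotate:
            raise PermissionError("token may not rotate")
        tok.generation += 1
        return tok

    def children_of(self, token_id: str) -> List[str]:
        """uid-list-children: ids of the live children of a token."""
        return [t.token_id for t in self.tokens.values()
                if t.parent == token_id and not t.revoked]

    def revoke(self, token_id: str, revoke_type: str) -> List[str]:
        """uid-revoke-token: revokeSelf marks one token; revokeAll also walks
        the whole subtree. Returns the ids that were revoked."""
        if revoke_type not in ("revokeSelf", "revokeAll"):
            raise ValueError("revoke-type must be revokeSelf or revokeAll")
        revoked, stack = [], [token_id]
        while stack:
            tid = stack.pop()
            if not self.tokens[tid].revoked:
                self.tokens[tid].revoked = True
                revoked.append(tid)
            if revoke_type == "revokeAll":
                stack.extend(t.token_id for t in self.tokens.values() if t.parent == tid)
        return revoked


def sample_scenario() -> dict:
    """Root -> CI runner child -> locked-down leaf, then revoke the CI subtree."""
    store = UidTokenStore()
    root = store.generate(ttl=3600)
    ci = store.create_child(root.token_id, child_ttl=600, comment="ci-runner")
    leaf = store.create_child(ci.token_id, child_ttl=300,
                              child_deny_rotate=True, child_deny_inheritance=True)
    out = {"root_children": store.children_of(root.token_id)}
    for key, action in (("leaf_rotate", lambda: store.rotate(leaf.token_id)),
                        ("leaf_child", lambda: store.create_child(leaf.token_id, 60))):
        try:
            action()
            out[key] = "allowed"
        except PermissionError as err:
            out[key] = str(err)
    out["ci_generation"] = store.rotate(ci.token_id).generation
    out["revoked"] = sorted(store.revoke(ci.token_id, "revokeAll"))
    out["root_children_after"] = store.children_of(root.token_id)
    return out
```

The scenario shows the practical reason for the two deny flags: a leaf created with --child-deny-rotate and --child-deny-inheritance is a credential that can neither renew itself nor mint further credentials, so its TTL is a hard bound on its usefulness, while revokeAll on the runner's token is the single operation that cleans up everything the runner delegated.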

