CLI Reference - Dynamic Secrets

Dynamic Secrets

This section outlines the CLI commands relevant to Dynamic Secrets.

Dynamic secrets are secrets that are generated every time they are accessed, using permissions you've defined in advance. In this way, users can access a resource for a temporary period with a defined set of permissions.

You can create a dynamic secret using an existing target or manually enter the connection settings.

General Flags:

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token

--uid-token: The universal identity token. Required only for universal_identity authentication

-h, --help: Display help information

--json[=false]: Set output format to JSON

--jq-expression: JQ expression to filter result output

--no-creds-cleanup[=false]: Do not clean local temporary expired creds

Create a dynamic secret

akeyless dynamic-secret create

Command to create a Dynamic Secret

Flags

artifactory: Creates Artifactory dynamic secret

aws: Creates AWS dynamic secret

azure: Creates Azure AD dynamic secret

cassandra: Creates Cassandra dynamic secret

chef: Creates Chef dynamic secret

custom: Creates a Custom webhook dynamic secret

dockerhub: Creates a Dockerhub dynamic secret

eks: Creates Amazon Elastic Kubernetes Service (Amazon EKS) dynamic secret

gcp: Creates Google Cloud Provider (GCP) dynamic secret

github: Creates Github dynamic secret that supports token creation with a fixed TTL of 60 minutes

gke: Creates Google Kubernetes Engine (GKE) dynamic secret

hanadb: Creates HanaDB dynamic secret

k8s: Creates Native Kubernetes Service dynamic secret

ldap: Creates LDAP dynamic secret

mongodb: Creates a MongoDB/MongoDB Atlas dynamic secret

mssql: Creates Microsoft SQL Server dynamic secret

mysql: Creates MySQL dynamic secret

oracledb: Creates Oracle DB dynamic secret

ping: Creates Ping Federate dynamic secret

postgresql: Creates PostgreSQL dynamic secret

rabbitmq: Creates RabbitMQ dynamic secret

rdp: Creates RDP dynamic secret

redis: Creates Redis dynamic secret

redshift: Creates Redshift dynamic secret

snowflake: Creates Snowflake dynamic secret

venafi: Creates a Venafi dynamic secret to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

artifactory

Creates Artifactory Dynamic Secret

Usage
akeyless dynamic-secret create artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000>

akeyless dynamic-secret create artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--gateway-url <API Gateway URL:8000> \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Artifactory Admin username> \
--artifactory-admin-pwd <Artifactory Admin API Key or password>
Flags

-n, --name: Required, Dynamic Secret name

-s, --artifactory-token-scope: Required, Token scope provided as a space-separated list, for example: member-of-groups:readers

-a, --artifactory-token-audience: Required, A space-separated list of other Artifactory instances or services that should accept this token, for example: jfrt@*

--target-name: Name of existing target to use in Dynamic Secret creation

-b, --base-url: Artifactory REST URL, must end with artifactory postfix

-r, --artifactory-admin-name: Admin name

-p, --artifactory-admin-pwd: Admin API Key/Password

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL. Default = 60m

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--delete-protection: Protection from accidental deletion of this item, [true/false]

aws

Creates AWS Dynamic Secret

Usage
akeyless dynamic-secret create aws \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>

akeyless dynamic-secret create aws \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs> \
--aws-access-key-id <Access ID> \
--aws-access-secret-key <Access Key> \
--aws-region <Region>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-i, --aws-access-key-id: Access Key ID

-s, --aws-access-secret-key: Access Secret Key

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port). Default = http://localhost:8000

--aws-access-mode: The types of credentials to retrieve from AWS. Options: [iam_user, assume_role]

--aws-region[=us-east-]: Region. Default = us-east-

--aws-user-policies: Policy ARN(s). Multiple values should be separated by comma

--aws-user-groups: UserGroup name(s). Multiple values should be separated by comma

--aws-role-arns: AWS Role ARNs to be used in the Assume Role operation. Multiple values should be separated by comma

--aws-user-console-access[=false]: Enable AWS User console access. Default = false

--aws-user-programmatic-access[=true]: Enable AWS User programmatic access. Default = true

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL. Default = 60m

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--admin-creds-rotation[=false]: Enable automatic admin credentials rotation. Default = false

--admin-creds-rotation-interval='0': Admin credentials rotation interval (days)

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-aws-account-id: The aws account id

--secure-access-aws-native-cli: The aws native cli

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion. Default = false

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion. Default = false

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=true]: Enable Web Secure Remote Access. Default = true

--delete-protection: Protection from accidental deletion of this item, [true/false]

azure

Creates Azure AD Dynamic Secret

Usage
akeyless dynamic-secret create azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>

akeyless dynamic-secret create azure \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--azure-tenant-id: Azure Tenant ID

--azure-client-id: Azure Client ID (Application ID)

--azure-client-secret: Azure AD Client Secret

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--azure-user-portal-access[=false]: Enable Azure AD user portal access. Default = false

--azure-user-programmatic-access[=true]: Enable Azure AD user programmatic access. Default = true

--azure-app-obj-id: Azure App Object ID (required if selected programmatic access)

--azure-user-principal-name: Azure AD User Principal Name (required if selected Portal access)

--azure-user-group-obj-id: Azure AD User Group Object ID (required if selected Portal access)

--azure-user-role-template-id: Azure AD User Role Template ID (required if selected Portal access)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--fixed-user-only[=false]: Allow access using externally (IdP) provided username. Default = false

--fixed-user-claim-keyname: For externally provided users, denotes the key-name of IdP claim to extract username from

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-web[=true]: Enable Web Secure Remote Access

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

cassandra

Create Cassandra Dynamic Secret

Usage
akeyless dynamic-secret create cassandra \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"

akeyless dynamic-secret create cassandra \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--cassandra-hosts <Cassandra host> \
--cassandra-port <Cassandra port> \
--cassandra-username <Cassandra username> \
--cassandra-password <password> \
--cassandra-statements "CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';"
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Target name

--cassandra-hosts: Cassandra hosts names or IP addresses, comma separated

--cassandra-username: Cassandra superuser user name

--cassandra-password: Cassandra superuser password

--cassandra-port[=904]: Cassandra port

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';]: Cassandra Creation Statements

--user-ttl[=60m]: User TTL (<=60m for access token)

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--producer-encryption-key-name: Dynamic Secret encryption key

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

chef

Creates Chef Dynamic Secret

Usage
akeyless dynamic-secret create chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations>

akeyless dynamic-secret create chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--chef-orgs <Chef organizations> \
--chef-server-username <Chef server username> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--skip-ssl <true|false>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-c, --chef-server-username: Chef server username

-y, --chef-server-key: Chef server key

-s, --chef-server-url: Chef server URL

-g, --chef-orgs: Chef organizations

--skip-ssl[=true]: Skip SSL

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

custom

Creates a custom webhook-based dynamic secret

Usage
akeyless dynamic-secret create custom \
--name <Dynamic Secret Name> \
--create-sync-url <'https://example.com/sync/create:Port'> \
--revoke-sync-url <'https://example.com/sync/revoke:Port'> \
--gateway-url <API Gateway URL:8000> 
Flags

-n, --name: Required, Dynamic Secret name

--create-sync-url: Required, URL of an endpoint that implements /sync/create method

--revoke-sync-url: Required, URL of an endpoint that implements /sync/revoke method

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rotate-sync-url: URL of an endpoint that implements /sync/rotate method

--payload: Secret payload to be sent with each create/revoke webhook request

--timeout-sec[=60]: Maximum allowed time in seconds for the webhook to return the results

--enable_admin_rotation[=false]: Enable automatic admin credentials rotation

--admin_rotation_interval_days: Rotation period in days

--delete-protection: Protection from accidental deletion of this item, [true/false]

dockerhub

Creates a Dockerhub Dynamic Secret

Usage
akeyless dynamic-secret create dockerhub \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read'

akeyless dynamic-secret create dockerhub \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-token-scopes <'repo:admin,repo:write,repo:read,repo:public_read'> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--dockerhub-username: Username for docker repository

--dockerhub-password: password for docker repository

--dockerhub-token-scopes: Comma-separated list of access token scopes to give the created dynamic secret. Valid options are 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--user-ttl[=60m]: User TTL (<=60m for access token)

--tag: A list of tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--producer-encryption-key-name: Dynamic Secret encryption key

--delete-protection: Protection from accidental deletion of this item, [true/false].
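
A pre-flight check for the dockerhub command above, added here as an example (not Akeyless code): it rejects scopes outside the four values listed for --dockerhub-token-scopes and TTLs over the 60m limit noted for --user-ttl, then builds the command with --target-name so the registry password is not passed on the command line. The function names, the DRY_RUN variable and the sample values are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not Akeyless code): pre-flight checks for
# `akeyless dynamic-secret create dockerhub`.

# validate_scopes LIST -> 0 only if every comma-separated item is one of the
# four scopes the page lists for --dockerhub-token-scopes.
validate_scopes() {
  local rest="$1" item
  case "$rest" in
    ''|,*|*,|*,,*) echo "empty scope in list: '$rest'" >&2; return 1 ;;
  esac
  while [ -n "$rest" ]; do
    item=${rest%%,*}
    case "$rest" in
      *,*) rest=${rest#*,} ;;
      *)   rest= ;;
    esac
    case "$item" in
      repo:admin|repo:write|repo:read|repo:public_read) ;;
      *) echo "invalid scope: '$item'" >&2; return 1 ;;
    esac
  done
  return 0
}

# ttl_seconds TTL -> prints the TTL in seconds; accepts the s/m/h suffixes
# that appear in the page's TTL examples (60s, 60m, 60h).
ttl_seconds() {
  local ttl="$1" num unit
  num=${ttl%[smh]}
  unit=${ttl#"$num"}
  case "$num" in
    ''|*[!0-9]*|0?*) echo "bad TTL: '$ttl'" >&2; return 1 ;;
  esac
  case "$unit" in
    s) echo "$num" ;;
    m) echo $(( $num * 60 )) ;;
    h) echo $(( $num * 3600 )) ;;
    *) echo "bad TTL unit in '$ttl'" >&2; return 1 ;;
  esac
}

# ttl_within_token_limit TTL -> 0 if 0 < TTL <= 60m.
ttl_within_token_limit() {
  local secs
  secs=$(ttl_seconds "$1") || return 1
  [ "$secs" -gt 0 ] && [ "$secs" -le 3600 ]
}

# create_dockerhub_secret NAME TARGET GATEWAY_URL SCOPES TTL
# Validates the inputs, then prints the command (DRY_RUN=1, the default here)
# or runs it (DRY_RUN=0). Only flags documented on this page are used.
create_dockerhub_secret() {
  local name="$1" target="$2" gw="$3" scopes="$4" ttl="$5"
  validate_scopes "$scopes" || return 1
  ttl_within_token_limit "$ttl" || {
    echo "TTL must be greater than 0 and at most 60m" >&2
    return 1
  }
  set -- akeyless dynamic-secret create dockerhub \
    --name "$name" --target-name "$target" --gateway-url "$gw" \
    --dockerhub-token-scopes "$scopes" --user-ttl "$ttl"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Constructed sample values; prints the command because DRY_RUN defaults to 1.
create_dockerhub_secret /ci/dockerhub-pull dockerhub-target \
  https://gateway.example.internal:8000 'repo:read,repo:public_read' 30m
```
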

eks

Creates Amazon Elastic Kubernetes Service (Amazon EKS) Dynamic Secret

Usage
akeyless dynamic-secret create eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN>

akeyless dynamic-secret create eks \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--eks-cluster-name: EKS cluster name. Must match the EKS cluster name you want to connect to

--eks-cluster-endpoint: EKS Cluster endpoint, i.e. https://<DNS / IP> of the cluster

--eks-cluster-ca-cert: EKS Cluster certificate. Base 64 encoded certificate

--eks-access-key-id: EKS Access Key ID

--eks-secret-access-key: EKS Secret Access Key

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--eks-region[=us-east-]: EKS Region

--eks-assume-role: Role ARN. Role to assume when connecting to the EKS cluster

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint URL

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access.

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

gcp

Creates Google Cloud Provider (GCP) Dynamic Secret

Usage
akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--service-account-type <fixed|dynamic> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>

akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--service-account-type <fixed|dynamic> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-key-file-path <GCP Service Account Private Key>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--gcp-cred-type[=token]: Credentials type, options are [token, key]

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--gcp-key-file-path: Path to file with the Base64-encoded service account private key

--gcp-key: Base64-encoded service account private key text

--gcp-token-scopes: Access token scopes list, e.g. scope,scope

--gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_04

--user-ttl='60m': User TTL (<=60m for access token)

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--producer-encryption-key-name: Dynamic Secret encryption key

-s, --service-account-type[=fixed]: Required, The type of the gcp dynamic secret. Options: [fixed, dynamic]

-e, --gcp-sa-email: The email of the fixed service account to generate keys or tokens for (relevant for service-account-type=fixed)

--role-binding: Role binding definitions in json format

--delete-protection: Protection from accidental deletion of this item, [true/false]

github

Creates Github Dynamic Secret that supports token creation with a fixed TTL of 60 minutes

Usage
akeyless dynamic-secret create github \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID>

akeyless dynamic-secret create github \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <Base64-encoded application private key> \
--github-base-url <Github base URL>
Flags

-n, --name: Required, Dynamic Secret name

--installation-id: Github application installation id

--installation-organization: Optional, instead of installation id, set a GitHub organization name

--installation-repository: Optional, instead of installation id, set a GitHub repository <owner>/<repo-name>

--target-name: Name of existing target to use in Dynamic Secret creation

--github-app-id: Github application id

--github-app-private-key: Github application private key (base64 encoded key)

--github-base-url[=https://api.github.com/]: Github base URL

-p, --token-permissions: Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g. -p contents=read -p issues=write or -p '{content:read}'

-r, --token-repositories: Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use the argument multiple times: -r RepoName -r RepoName

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--delete-protection: Protection from accidental deletion of this item, [true/false]

gke

Creates Google Kubernetes Engine (GKE) Dynamic Secret

Usage
akeyless dynamic-secret create gke \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000>

akeyless dynamic-secret create gke \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--gke-account-email <GKE service account email> \
--gke-account-key <GKE service account Key> \
--gke-cluster-endpoint <GKE cluster endpoint URL> \
--gke-cluster-ca-cert <Base64-encoded GKE cluster CA certificate> \
--gke-cluster-name <GKE cluster name>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--gke-account-email: GKE service account email

--gke-cluster-endpoint: GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>

--gke-cluster-ca-cert: GKE Base-64 encoded cluster certificate

--gke-account-key-file-path: File path to GKE service account key

--gke-account-key: GKE service account key

--gke-cluster-name: GKE cluster name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint URL

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token

--uid-token: The universal identity token. It is required only for the universal_identity authentication

hanadb

Creates HanaDB Dynamic Secret

Usage
akeyless dynamic-secret create hanadb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"

akeyless dynamic-secret create hanadb \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--hana-dbname <HanaDB name> \
--hanadb-username <HanaDB admin username> \
--hanadb-password <HanaDB admin password> \
--hanadb-host <HanaDB host> \
--hanadb-port <HanaDB port> \
--hanadb-creation-statements "CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}};" \
--hanadb-revocation-statements "DROP USER {{name}};"
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --hana-dbname: Hana DB Name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--hanadb-username: HanaDB user

--hanadb-password: HanaDB password

--hanadb-host[=7.0.0.]: HanaDB host name

--hanadb-port[=443]: HanaDB port

--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD {{password}}; GRANT MONITOR ADMIN TO {{name}};]: HanaDB Creation Statements

--hanadb-revocation-statements[=DROP USER {{name}};]: HanaDB Revocation Statements

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values repeat this flag.

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

k8s

Creates Native Kubernetes Service Dynamic Secret

Usage
akeyless dynamic-secret create k8s \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account>

akeyless dynamic-secret create k8s \
--name <Dynamic Secret name> \
--gateway-url <API Gateway URL:8000> \
--k8s-service-account <service account> \
--k8s-cluster-endpoint <Cluster Endpoint URL> \
--k8s-cluster-ca-cert <Base64-encoded cluster CA certificate> \
--k8s-cluster-token "${TOKEN}"

# Or using GW Service Account
akeyless dynamic-secret create k8s \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--use-gw-service-account
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-e, --k8s-cluster-endpoint: K8S Cluster endpoint. <DNS / IP> of the cluster

-c, --k8s-cluster-ca-cert: K8S Cluster certificate. Base 64 encoded certificate

-t, --k8s-cluster-token: K8S Cluster authentication token

-s, --k8s-service-account: K8S ServiceAccount to extract token from

-i, --use-gw-service-account: Use the Gateway's Service Account. Boolean flag, provided as part of the inline connection.

--k8s-service-account-type[=fixed]: K8S ServiceAccount type [fixed, dynamic].

--k8s-namespace[=default]: K8S Namespace where the ServiceAccount exists (relevant only for k8s-service-account-type=fixed)

--k8s-allowed-namespaces[=*]: Comma-separated list of allowed K8S namespaces for the generated ServiceAccount (relevant only for k8s-service-account-type=dynamic)

--k8s-predefined-role-name: The pre-existing Role or ClusterRole name to bind the generated ServiceAccount to (relevant only for k8s-service-account-type=dynamic)

--k8s-predefined-role-type: Specifies the type of the pre-existing K8S role [Role, ClusterRole] (relevant only for k8s-service-account-type=dynamic)

--k8s-rolebinding-yaml-def: Path to yaml file that contains definitions of K8S role and role binding (relevant only for k8s-service-account-type=dynamic)

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint

--secure-access-dashboard-url: The K8s dashboard url

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

ldap

Creates LDAP Dynamic Secret

Usage
akeyless dynamic-secret create ldap \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--user-dn <User Base DN>

akeyless dynamic-secret create ldap \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--user-dn <User Base DN>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--ldap-url: LDAP Server URL

--user-dn: User Base DN

--user-attribute: LDAP User Attribute

-t, --ldap-ca-cert: LDAP base-64 encoded CA Certificate

--bind-dn: LDAP Bind DN

--bind-dn-password: Password for LDAP Bind DN

--external-username[=false]: Externally provided username

--token-expiration: LDAP token expiration in seconds

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

mongodb

Creates a MongoDB/MongoDB Atlas Dynamic Secret

Usage
akeyless dynamic-secret create mongodb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role>

akeyless dynamic-secret create mongodb \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-username <MongoDB server admin username> \
--mongodb-password <MongoDB server admin password> \
--mongodb-host-port <host:port>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mongodb-roles[=[]]: MongoDB roles (e.g. MongoDB:[{role:readWrite, db: sales}], MongoDB Atlas:[{roleName : readWrite, databaseName: sales}])

--mongodb-custom-data: MongoDB custom data (e.g. {team:blue})

--mongodb-server-uri: MongoDB server URI (e.g. mongodb://user:<password>@<host>:707/admin?replicaSet=mySet)

--mongodb-username: MongoDB server username

--mongodb-password: MongoDB server password

--mongodb-host-port: host:port (e.g. my.mongo.db:707)

--mongodb-default-auth-db: MongoDB server default authentication database

--mongodb-uri-options: MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)

--mongodb-atlas-project-id: MongoDB Atlas project ID

--mongodb-atlas-api-public-key: MongoDB Atlas public key

--mongodb-atlas-api-private-key: MongoDB Atlas private key

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL (e.g. 60s, 60m, 60h)

-t, --tag: Add tags attached to this object. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values repeat this flag.

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

mssql

Creates Microsoft SQL Server

Usage
akeyless dynamic-secret create mssql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN [{{name}}];"
akeyless dynamic-secret create mssql \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-creation-statements "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';" \
--mssql-revocation-statements "DROP LOGIN [{{name}}];" \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MSSQL Server admin user> \
--mssql-password <MSSQL Server admin password> \
--mssql-host <MSSQL Server host name> \
--mssql-port <MSSQL Server port>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--mssql-dbname: MSSQL Server DB Name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mssql-username: MS SQL Server user

--mssql-password: MS SQL Server password

--mssql-host[=127.0.0.1]: MS SQL Server host name

--mssql-port[=1433]: MS SQL Server port

--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';]: MSSQL Server Creation Statements

--mssql-revocation-statements[=DROP LOGIN [{{name}}];]: MSSQL Server Revocation Statements

--producer-encryption-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag.

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

mysql

Creates MySQL Dynamic Secret

Usage
akeyless dynamic-secret create mysql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';"
akeyless dynamic-secret create mysql \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';" \
--mysql-dbname <MySQL DB Name> \
--mysql-host <MySQL host> \
--mysql-port <MySQL port> \
--mysql-username <MySQL admin username> \
--mysql-password <MySQL admin password>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--mysql-dbname: MySQL DB name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mysql-username: MySQL user

--mysql-password: MySQL password

--mysql-host[=127.0.0.1]: MySQL host name

--mysql-port[=3306]: MySQL port

--mysql-statements: MySQL Creation Statements

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates

--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]
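
An added example (not from the Akeyless documentation): a small Python check for provisioning scripts that call `akeyless dynamic-secret create`, using only flags listed in this reference. It reports admin credentials passed inline rather than through `--target-name`, creation statements with wide grants such as `ON *.*`, and `--user-ttl` values above a limit. The sample script, item names, hosts, rule names and the 60m limit are constructed assumptions.

```python
import re
import shlex

# Flag-name endings in this reference that carry a long-lived credential.
SECRET_SUFFIXES = ("password", "pwd", "passphrase", "private-key", "api-key",
                   "secret-key", "client-secret", "access-token", "refresh-token")
# Grants wider than a short-lived account usually needs (assumed rule set).
BROAD_GRANT = re.compile(r"\bON\s+\*\.\*|\bALL\s+PRIVILEGES\b|\bSUPERUSER\b", re.I)
SECONDS = {"s": 1, "m": 60, "h": 3600}

# Constructed sample input: names, hosts and the password are placeholders.
SAMPLE_SCRIPT = r"""
akeyless dynamic-secret create mysql \
  --name /db/reporting-ro \
  --gateway-url https://gw.example.internal:8000 \
  --mysql-host db1.example.internal \
  --mysql-username admin \
  --mysql-password 'example-only-not-a-secret' \
  --mysql-statements "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
  --user-ttl 72h
akeyless dynamic-secret create postgresql \
  --name /db/orders-ro \
  --target-name /targets/orders-pg \
  --gateway-url https://gw.example.internal:8000 \
  --postgresql-statements "CREATE USER {{name}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};" \
  --user-ttl 30m
"""


def ttl_seconds(text):
    """Convert a TTL such as 60s, 60m, 60h or 1h30m to seconds."""
    if not re.fullmatch(r"(?:\d+[smh])+", text):
        raise ValueError(f"unrecognised TTL: {text!r}")
    return sum(int(n) * SECONDS[u] for n, u in re.findall(r"(\d+)([smh])", text))


def parse_flags(tokens):
    """Map each flag to the list of value tokens that follow it."""
    flags, current = {}, None
    for tok in tokens:
        if tok.startswith("-"):
            current, _, inline = tok.partition("=")  # supports --flag=value
            flags.setdefault(current, [])
            if inline:
                flags[current].append(inline)
        elif current is not None:
            flags[current].append(tok)
    return flags


def iter_create_commands(script):
    """Yield (secret type, flags) for every 'dynamic-secret create' call."""
    joined = script.replace("\\\n", " ")  # fold shell line continuations
    for line in joined.splitlines():
        argv = shlex.split(line, comments=True)
        if argv[:3] == ["akeyless", "dynamic-secret", "create"] and len(argv) > 3:
            yield argv[3], parse_flags(argv[4:])


def audit(script, max_ttl="60m"):
    """Return (secret name, rule, detail) tuples for risky invocations."""
    limit = ttl_seconds(max_ttl)
    findings = []
    for _kind, flags in iter_create_commands(script):
        name = (flags.get("--name") or flags.get("-n") or ["<unnamed>"])[0]
        for flag, values in flags.items():
            value = " ".join(values)
            if flag.endswith(SECRET_SUFFIXES):
                # Admin credential on the command line: visible in shell
                # history and process listings; a target avoids this.
                findings.append((name, "inline-credential", flag))
            elif "statement" in flag and BROAD_GRANT.search(value):
                findings.append((name, "broad-grant", BROAD_GRANT.search(value).group(0)))
            elif flag == "--user-ttl" and ttl_seconds(value) > limit:
                findings.append((name, "long-ttl", value))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT):
        print(*finding, sep="\t")
```

Only the first sample command is reported; the second uses a target, a schema-scoped grant and a 30m TTL, so it passes.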

oracledb

Creates Oracle DB Dynamic Secret

Usage
akeyless dynamic-secret create oracledb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
akeyless dynamic-secret create oracledb \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-service-name <Your Oracle DB Service name> \
--oracle-username <Oracle DB admin username> \
--oracle-password <Oracle DB admin password> \
--oracle-host <Your Oracle DB host> \
--oracle-port <Oracle DB port> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --oracle-service-name: Oracle service name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--oracle-username: Oracle user

--oracle-password: Oracle password

--oracle-host[=127.0.0.1]: Oracle host name

--oracle-port[=1521]: Oracle port

--oracle-statements: Oracle Creation Statements

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates

--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address

--secure-access-enable[=false]: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag.

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

ping

Creates a Ping Dynamic Secret

There are two ways to run this command: using a target or an inline connection

Usage
akeyless dynamic-secret create ping \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODE \
--ping-redirect-uris <https://your-server.com/api/callback>
akeyless dynamic-secret create ping \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--ping-url <https://my-pf-server.com> \
--ping-privileged-user <Username> \
--ping-password <Password> \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODE \
--ping-redirect-uris <https://your-server.com/api/callback>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--ping-url: Ping URL

-s, --ping-privileged-user: Ping Federate privileged user

-p, --ping-password: Ping Federate privileged user password

-i, --ping-administrative-port[=9999]: Ping Federate administrative port

-j, --ping-authorization-port[=9031]: Ping Federate authorization port

-t, --ping-client-authentication-type[=CLIENT_SECRET]: OAuth Client Authentication Type [CLIENT_SECRET, PRIVATE_KEY_JWT, CLIENT_TLS_CERTIFICATE]

--ping-issuer-dn: Issuer DN of the trusted CA certificate that was imported into the Ping Federate server. You may select Trust Any to trust all the existing issuers in the Ping Federate server. Used in conjunction with --ping-cert-subject-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)

--ping-cert-subject-dn: The subject DN of the client certificate. If no explicit value is given, the Dynamic Secret will create a CA certificate and a matching client certificate and return them as the value. Used in conjunction with --ping-issuer-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)

-f, --ping-enforce-replay-prevention[=false]: Determines whether PingFederate requires a unique signed JWT from the client for each action (relevant for PRIVATE_KEY_JWT authentication method)

--ping-jwks: Base64-encoded JSON Web Key Set (JWKS). If no explicit value is given, the Dynamic Secret will create JWKs and a matching signed JWT (Sign Algo: RS256) and return it as value (relevant for PRIVATE_KEY_JWT authentication method)

--ping-jwks-url: The URL of the JSON Web Key Set (JWKS). If no explicit value is given, the Dynamic Secret will create JWKs and a matching signed JWT and return it as value (relevant for PRIVATE_KEY_JWT authentication method)

--ping-signing-algo: The signing algorithm that the client must use to sign its request objects [RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512]. If no explicit value is given, the client can use any of the supported signing algorithms (relevant for PRIVATE_KEY_JWT authentication method)

-g, --ping-grant-types: OAuth client grant types [IMPLICIT, AUTHORIZATION_CODE, CLIENT_CREDENTIALS, TOKEN_EXCHANGE, REFRESH_TOKEN, ASSERTION_GRANTS, PASSWORD, RESOURCE_OWNER_CREDENTIALS]. If no explicit value is given, AUTHORIZATION_CODE will be selected as default. For multiple values repeat this flag.

-r, --ping-redirect-uris: URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. At least one redirection URI is required for the AUTHORIZATION_CODE and IMPLICIT grant types. For multiple values repeat this flag.

-d, --ping-atm-id: Set a specific Access Token Management (ATM) instance for the created OAuth Client by providing the ATM Id. If no explicit value is given, the default PingFederate server ATM will be set.

-o, --ping-restricted-scopes: Limit the OAuth client to specific scopes. For multiple values repeat this flag.

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

-e, --producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: The time from dynamic secret creation to expiration.

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--delete-protection: Protection from accidental deletion of this item, [true/false]

postgresql

Creates PostgreSQL Dynamic Secret

Usage
akeyless dynamic-secret create postgresql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-statements "CREATE USER {{name}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};" \
--postgresql-revoke-statement "REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER {{name}};"
akeyless dynamic-secret create postgresql \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-db-name <PostgreSQL DB name> \
--postgresql-username <PostgreSQL DB admin username> \
--postgresql-password <PostgreSQL DB admin password> \
--postgresql-host <PostgreSQL DB host> \
--postgresql-port <PostgreSQL DB port> \
--postgresql-statements "CREATE USER {{name}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};" \
--postgresql-revoke-statement "REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER {{name}};"
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--postgresql-db-name: PostgreSQL DB name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--postgresql-username: PostgreSQL user

--postgresql-password: PostgreSQL password

--postgresql-host[=127.0.0.1]: PostgreSQL hostname

--postgresql-port[=5432]: PostgreSQL port

--postgresql-statements[=CREATE USER {{name}} WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};GRANT CONNECT ON DATABASE postgres TO {{name}};GRANT USAGE ON SCHEMA public TO {{name}};]: PostgreSQL Creation Statements

--postgresql-revoke-statement[=REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER {{name}};]: PostgreSQL Revocation Statement

--enc-key-name: Encrypt Dynamic Secret with the following key

--ssl[=false]: Enable/Disable SSL [true/false]

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion.

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag.

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

rabbitmq

Creates RabbitMQ Dynamic Secret

Usage
akeyless dynamic-secret create rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission>
akeyless dynamic-secret create rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-server-uri <RabbitMQ server URI> \
--rabbitmq-admin-user <RabbitMQ server admin> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--rabbitmq-server-uri: RabbitMQ server URI

--rabbitmq-user-conf-permission: User configuration permission, for example:[.*,queue-name]

--rabbitmq-user-write-permission: User write permission, for example:[.*,queue-name]

--rabbitmq-user-read-permission: User read permission, for example:[.*,queue-name]

--rabbitmq-admin-user: RabbitMQ server user

--rabbitmq-admin-pwd: RabbitMQ server password

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rabbitmq-user-vhost: User Virtual Host

--rabbitmq-user-tags: Comma separated list of tags to apply to user

--producer-encryption-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion.

--secure-access-url: Destination URL to inject secrets.

--secure-access-web[=true]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

rdp

Creates RDP Dynamic Secret

Usage
akeyless dynamic-secret create rdp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name>
akeyless dynamic-secret create rdp \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-host-port <RDP port> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--rdp-user-groups: RDP UserGroup name(s). Multiple values should be separated by a comma

--rdp-host-name: RDP Hostname

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rdp-admin-name: RDP Admin name

--rdp-admin-pwd: RDP Admin password

--rdp-host-port[=]: RDP Host port

--fixed-user-only[=false]: Allow access using externally (IdP) provided username

--producer-encryption-key-name: Encrypt Dynamic Secret with the following key

--warn-user-before-expiration: Display message to user before TTL expires (min)

--allow-user-extend-session: Allow user to extend session periodically (min)

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user

--secure-access-rdp-user: Override the RDP Domain username

--secure-access-host: Target servers for connections. For multiple values, repeat this flag.

--secure-access-allow-external-user[=false]: Allow providing an external user for domain users

--delete-protection: Protection from accidental deletion of this item, [true/false]

redis

Creates a Redis Dynamic Secret

Usage
akeyless dynamic-secret create redis \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--username <Redis Username> \
--password <Redis Password>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-u, --gateway-url: API Gateway URL

--username: Redis username

--password: Redis password

--host[=7.0.0.]: Redis host

--port[=6379]: Redis port

--acl-rules: A JSON array list of Redis ACL rules to attach to the created user. For available rules, see the ACL CAT command: https://redis.io/commands/acl-cat. If omitted, the user will have access to read all keys ([~*, +@read])

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--producer-encryption-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=60m]: User TTL

-t, --tag: Add tags attached to this object. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

redshift

Creates Redshift Dynamic Secret

Usage
akeyless dynamic-secret create redshift \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-statements "CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};" \
--ssl <false|true>
akeyless dynamic-secret create redshift \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-db-name <Redshift DB name> \
--redshift-username <Redshift DB admin username> \
--redshift-password <Redshift DB admin password> \
--redshift-host <Redshift DB host> \
--redshift-port <Redshift DB port> \
--redshift-statements "CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};"
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--redshift-db-name: Redshift DB name

-u, --gateway-url[=http://localhost:8000]: Gateway URL

--redshift-username: Redshift user

--redshift-password: Redshift password

--redshift-host[=127.0.0.1]: Redshift hostname

--redshift-port[=5439]: Redshift port

--redshift-statements[=CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};]: Redshift Creation Statements

--ssl[=false]: Enable/Disable SSL [true/false]

--enc-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=60m]: User TTL

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag.

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

snowflake

Creates Snowflake Dynamic Secret

Usage
akeyless dynamic-secret create snowflake \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name>
akeyless dynamic-secret create snowflake \
--name <Dynamic Secret Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name> \
--account <Snowflake account name> \
--account-username <Snowflake username> \
--account-password <Snowflake password> \
--db-name <Database to which the generated credentials are restricted>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--account: Snowflake account name

--account-username: Snowflake account user name

--account-password: Snowflake account password

--db-name: The DB the generated credentials are restricted to

--role: Role to be assigned to the generated credentials

--warehouse: The warehouse the generated credentials are restricted to

--snowflake-api-private-key: RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored

--snowflake-api-private-key-file-name: The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored

--snowflake-api-private-key-passphrase: The Private key passphrase

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--user-ttl[=4h]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

venafi

Creates a Venafi dynamic secret to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

Usage
akeyless dynamic-secret create venafi \
  --name <Dynamic Secret Name> \
  --gateway-url <API Gateway URL:8000> \
  --venafi-use-tpp <Required in TPP> \
  --venafi-access-token <Venafi Access Token> \
  --venafi-refresh-token <Venafi Refresh Token> \
  --venafi-baseurl <TPP Environment BASE URL> \
  --venafi-zone <Venafi Zone>
Flags

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-z, --venafi-zone: Venafi Zone

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--venafi-api-key: Venafi API key (Relevant when using Venafi Cloud)

--venafi-use-tpp: When connecting to TPP this flag is required

--venafi-access-token: Venafi Access Token to use to access the TPP environment (Relevant when using TPP)

--venafi-refresh-token: Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)

--venafi-baseurl: Base URL of the TPP environment, or of a Cloud environment other than https://venafi.cloud/

--sign-using-akeyless-pki: creating certificates using Akeyless PKI

--root-first-in-chain: root first in chain

--store-private-key: store private key in Akeyless

--auto-generated-folder: auto-generated folder

--signer-key-name: signer key name

--allowed-domains: allowed domains

--allow-subdomains: allow subdomains

--producer-encryption-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=2160h]: User TTL in time.Duration format (2160h / 129600m / etc...). When using sign-using-akeyless-pki, certificates created will have this validity period; otherwise the user-ttl is taken from the Validity Period field of the Zone's Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (1440h). For more information - https://cert-manager.io/docs/usage/certificate/. Default = 2160h

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--admin-creds-rotation[=false]: Enable automatic admin credentials rotation. Default = false

--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update a dynamic secret

akeyless dynamic-secret update

Command to update a Dynamic Secret

Flags

artifactory: Updates Artifactory dynamic secret

aws: Updates AWS dynamic secret

azure: Updates Azure AD dynamic secret

cassandra: Updates Cassandra dynamic secret

chef: Updates Chef dynamic secret

custom: Updates a Custom webhook dynamic secret

dockerhub: Updates a Dockerhub dynamic secret

eks: Updates Amazon Elastic Kubernetes Service (Amazon EKS) dynamic secret

gcp: Updates Google Cloud Provider (GCP) dynamic secret

github: Updates GitHub dynamic secret that supports token creation with a fixed TTL of 60 minutes

gke: Updates Google Kubernetes Engine (GKE) dynamic secret

hanadb: Updates HanaDB dynamic secret

k8s: Updates Native Kubernetes Service dynamic secret

ldap: Updates LDAP dynamic secret

mongodb: Updates a MongoDB/MongoDB Atlas dynamic secret

mssql: Updates Microsoft SQL Server

mysql: Updates MySQL dynamic secret

oracledb: Updates Oracle DB dynamic secret

ping: Updates Ping Federate dynamic secret

postgresql: Updates PostgreSQL dynamic secret

rabbitmq: Updates RabbitMQ dynamic secret

rdp: Updates RDP dynamic secret

redis: Updates Redis dynamic secret

redshift: Updates Redshift dynamic secret

snowflake: Updates Snowflake dynamic secret

venafi: Updates a Venafi dynamic secret to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

Updates Artifactory dynamic secret

Usage
akeyless dynamic-secret update artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-audience <Space-separated list of instances> \
--new-name <Dynamic Secret New name> \
--gateway-url <API Gateway URL:8000> \
--target-name <Target Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--producer-encryption-key-name <Encrypt Dynamic Secret with following key>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

-s, --artifactory-token-scope: Required, Token scope provided as a space-separated list, for example: member-of-groups:readers

-a, --artifactory-token-audience: Required, A space-separated list of other Artifactory instances or services that should accept this token, for example: jfrt@*

--target-name: Name of existing target to use in Dynamic Secret creation

-b, --base-url: Artifactory REST URL, must end with artifactory postfix

-r, --artifactory-admin-name: Admin name

-p, --artifactory-admin-pwd: Admin API Key/Password

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates AWS Dynamic Secret

Usage
akeyless dynamic-secret update aws \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--aws-access-mode <iam_user|assume_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-i, --aws-access-key-id: Access Key ID

-s, --aws-access-secret-key: Access Secret Key

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--aws-access-mode: The types of credentials to retrieve from AWS. Options:[iam_user,assume_role]

--aws-region[=us-east-]: Region

--aws-user-policies: Policy ARN(s). Multiple values should be separated by comma

--aws-user-groups: UserGroup name(s). Multiple values should be separated by comma

--aws-role-arns: AWS Role ARNs to be used in the Assume Role operation. Multiple values should be separated by comma

--aws-user-console-access[=false]: Enable AWS User console access

--aws-user-programmatic-access[=true]: Enable AWS User programmatic access

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--admin-creds-rotation[=false]: Enable automatic admin credentials rotation

--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-aws-account-id: The aws account id

--secure-access-aws-native-cli: The aws native cli

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=true]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Azure AD Dynamic Secret

Usage
akeyless dynamic-secret update azure \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--azure-user-portal-access <true|false> \
--azure-user-programmatic-access <true|false> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <true|false> \
--fixed-user-claim-keyname <Key name of the IdP claim>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-t, --azure-tenant-id: Azure Tenant ID

-i, --azure-client-id: Azure Client ID (Application ID)

-s, --azure-client-secret: Azure AD Client Secret

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--azure-user-portal-access[=false]: Enable Azure AD user portal access

--azure-user-programmatic-access[=false]: Enable Azure AD user programmatic access

--azure-app-obj-id: Azure App Object ID (required if selected programmatic access)

--azure-user-principal-name: Azure AD User Principal Name (required if selected Portal access)

--azure-user-group-obj-id: Azure AD User Group Object ID (required if selected Portal access)

--azure-user-role-template-id: Azure AD User Role Template ID (required if selected Portal access)

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--fixed-user-only[=false]: Allow access using externally (IdP) provided username

--fixed-user-claim-keyname: For externally provided users, denotes the key-name of IdP claim to extract username from

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-web[=true]: Enable Web Secure Remote Access

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update Cassandra Dynamic Secret

akeyless dynamic-secret update cassandra \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New Name> \
--target-name <Target Name> \
--cassandra-hosts <Hosts>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Target name

--cassandra-hosts: Cassandra hosts names or IP addresses, comma-separated

--cassandra-username: Cassandra superuser user name

--cassandra-password: Cassandra superuser password

--cassandra-port[=904]: Cassandra port

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';]: Cassandra Creation Statements

--user-ttl[=60m]: User TTL (<=60m for access token)

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--Dynamic Secret-encryption-key-name: Dynamic Secret encryption key

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Chef Dynamic Secret

Usage
akeyless dynamic-secret update chef \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-c, --chef-server-username: Chef server username

-y, --chef-server-key: Chef server key

-s, --chef-server-url: Chef server URL

-g, --chef-orgs: Chef organizations

--skip-ssl[=true]: Skip SSL

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with the following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates a custom webhook-based Dynamic Secret

Usage
akeyless dynamic-secret update custom \
--name <Dynamic Secret Name> \
--create-sync-url <URL of an endpoint that implements /sync/create method> \
--revoke-sync-url <URL of an endpoint that implements /sync/revoke method>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

-c, --create-sync-url: Required, URL of an endpoint that implements /sync/create method

-r, --revoke-sync-url: Required, URL of an endpoint that implements /sync/revoke method

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rotate-sync-url: URL of an endpoint that implements /sync/rotate method

--payload: Secret payload to be sent with each create/revoke webhook request

--timeout-sec[=60]: Maximum allowed time in seconds for the webhook to return the results

--enable_admin_rotation[=false]: Enable automatic admin credentials rotation

--admin_rotation_interval_days: Rotation period in days

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates a Dockerhub Dynamic Secret

Usage
akeyless dynamic-secret update dockerhub \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--dockerhub-username: Username for docker repository

--dockerhub-password: Password for docker repository

--dockerhub-token-scopes: Comma-separated access token scopes list to give the created dynamic secret. Valid options are in 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--user-ttl[=60m]: User TTL (<=60m for access token)

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2

--Dynamic Secret-encryption-key-name: Dynamic Secret encryption key

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Amazon Elastic Kubernetes Service (Amazon EKS) Dynamic Secret

Usage
akeyless dynamic-secret update eks \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--eks-assume-role <Role ARN> \
--eks-cluster-name <EKS cluster name. Must match the EKS cluster name you want to connect to> \
--eks-cluster-endpoint <EKS Cluster endpoint> \
--eks-cluster-ca-cert <EKS Cluster certificate. Base 64 encoded certificate> \
--eks-access-key-id <EKS Access Key ID> \
--eks-secret-access-key <EKS Secret Access Key>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-c, --eks-cluster-name: EKS cluster name. Must match the EKS cluster name you want to connect to

-e, --eks-cluster-endpoint: EKS Cluster endpoint, https://<DNS / IP> of the cluster

-r, --eks-cluster-ca-cert: EKS Cluster certificate. Base 64 encoded certificate

--eks-access-key-id: EKS Access Key ID

--eks-secret-access-key: EKS Secret Access Key

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--eks-region[=us-east-]: EKS Region

--eks-assume-role: Role ARN. Role to assume when connecting to the EKS cluster

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint URL

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Google Cloud Provider (GCP) Dynamic Secret

Usage
akeyless dynamic-secret update gcp \
--name <Dynamic Secret Name> \
--service-account-type[=fixed] <fixed, dynamic> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gcp-sa-email <service account email> \
--gcp-cred-type <token/key> \
--gcp-key-file-path <Path to file with the Base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--gcp-token-scopes <Access token scopes list> \
--gcp-key-algo <Service account key algorithm>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-t, --gcp-cred-type[=token]: Credentials type, options are [token, key]

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--gcp-key-file-path: Path to file with the Base64-encoded service account private key

--gcp-key: Base64-encoded service account private key text

--gcp-token-scopes: Access token scopes list, e.g. scope,scope

--gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_04

--user-ttl[=60m]: User TTL (<=60m for access token)

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2

--Dynamic Secret-encryption-key-name: Dynamic Secret encryption key

-s, --service-account-type[=fixed]: Required, The type of the gcp dynamic secret. Options[fixed, dynamic]

-e, --gcp-sa-email: The email of the fixed service account to generate keys or tokens for (relevant for service-account-type=fixed)

--role-binding: Role binding definitions in json format

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Github Dynamic Secret

Usage
akeyless dynamic-secret update github \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--installation-id <Your GitHub Installation ID> \
--installation-repository <instead of installation id, set a GitHub repository> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key (base64 encoded key)> \
--github-base-url <Github base url (Default = https://api.github.com/)>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--installation-id: Github application installation id

--installation-repository: Optional, instead of installation id, set a GitHub repository '/'

--target-name: Name of existing target to use in Dynamic Secret creation

--github-app-id: Github application id

--github-app-private-key: Github application private key (base64 encoded key)

--github-base-url[=https://api.github.com/]: Github base url

-p, --token-permissions: Tokens' allowed permissions. By default, the installation's allowed permissions are used. Input format: key=value pairs or JSON strings, e.g. -p contents=read -p issues=write, or -p '{content:read}'

-r, --token-repositories: Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName -r RepoName

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Google Kubernetes Engine (GKE) Dynamic Secret

Usage
akeyless dynamic-secret update gke \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-a, --gke-account-email: GKE service account email

-e, --gke-cluster-endpoint: GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>

-c, --gke-cluster-ca-cert: GKE Base-64 encoded cluster certificate

--gke-account-key-file-path: File path to GKE service account key

--gke-account-key: GKE service account key

--gke-cluster-name: GKE cluster name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint URL

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates HanaDB Dynamic Secret

Usage
akeyless dynamic-secret update hanadb \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--hanadb-username <HanaDB user> \
--hanadb-password <HanaDB password> \
--hanadb-host <HanaDB host name (Default = 7.0.0.)> \
--hanadb-port <HanaDB port (Default = 443)> \
--Dynamic Secret-encryption-key-name <Encrypt Dynamic Secret with following key>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--hanadb-username: HanaDB user

--hanadb-password: HanaDB password

--hanadb-host[=7.0.0.]: HanaDB host name

--hanadb-port[=443]: HanaDB port

--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD {{password}}; GRANT MONITOR ADMIN TO {{name}};]: HanaDB Creation Statements

--hanadb-revocation-statements[=DROP USER {{name}};]: HanaDB Revocation Statements

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Native Kubernetes Service Dynamic Secret

Usage
akeyless dynamic-secret update k8s \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-e, --k8s-cluster-endpoint: K8S Cluster endpoint, https://<DNS / IP> of the cluster

-c, --k8s-cluster-ca-cert: K8S Cluster certificate. Base 64 encoded certificate

-t, --k8s-cluster-token: K8S Cluster authentication token

-s, --k8s-service-account: K8S ServiceAccount to extract token from

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--k8s-namespace[=default]: K8S Namespace where the ServiceAccount exists

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-cluster-endpoint: The K8s cluster endpoint

--secure-access-dashboard-url: The K8s dashboard url

--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates LDAP Dynamic Secret

Usage
akeyless dynamic-secret update ldap \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target name>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--ldap-url: User Base DN

--user-attribute: LDAP User Attribute

-t, --ldap-ca-cert: LDAP base-64 encoded CA Certificate

--bind-dn: LDAP Bind DN

--bind-dn-password: Password for LDAP Bind DN

--external-username[=false]: Externally provided username

--token-expiration: LDAP token expiration in seconds

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates a MongoDB/MongoDB Atlas Dynamic Secret

Usage
akeyless dynamic-secret update mongo \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mongodb-name <MongoDB name> \
--mongodb-custom-data <MongoDB custom data> \
--mongodb-username <MongoDB server username> \
--mongodb-password <MongoDB server password> \
--mongodb-host-port <host port>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required,

--target-name: Name of existing target to use in Dynamic Secret creation

--mongodb-name: MongoDB name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mongodb-roles[=[]]: MongoDB roles (e.g. MongoDB:[{role:readWrite, db: sales}], MongoDB Atlas:[{roleName : readWrite, databaseName: sales}])

--mongodb-custom-data: MongoDB custom data (e.g. {team:blue})

--mongodb-server-uri: MongoDB server URI (e.g. mongodb://user:[email protected]:707/admin?replicaSet=mySet)

--mongodb-username: MongoDB server username

--mongodb-password: MongoDB server password

--mongodb-host-port: host:port (e.g. my.mongo.db:707)

--mongodb-default-auth-db: MongoDB server default authentication database

--mongodb-uri-options: MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)

--mongodb-atlas-project-id: MongoDB Atlas project ID

--mongodb-atlas-api-public-key: MongoDB Atlas public key

--mongodb-atlas-api-private-key: MongoDB Atlas private key

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL (e.g. 60s, 60m, 60h)

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Updates Microsoft SQL Server

Usage
akeyless dynamic-secret update mssql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MS SQL Server user> \
--mssql-password <MS SQL Server password> \
--mssql-host <MS SQL Server host name (Default = 7.0.0.)> \
--mssql-port <MS SQL Server port (Default = 433)>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required,

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --mssql-dbname: MSSQL Server DB Name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mssql-username: MS SQL Server user

--mssql-password: MS SQL Server password

--mssql-host[=7.0.0.]: MS SQL Server host name

--mssql-port[=433]: MS SQL Server port

--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';]: MSSQL Server Creation Statements

--mssql-revocation-statements[=DROP LOGIN [{{name}}];]: MSSQL Server Revocation Statements

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update MySQL Dynamic Secret

Usage
akeyless dynamic-secret update mysql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--mysql-username <MySQL user> \
--mysql-password <MySQL password> \
--mysql-host <MySQL host name (Default = 7.0.0.)> \
--mysql-port <MySQL port (Default = 3306)>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --mysql-dbname: MySQL DB name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--mysql-username: MySQL user

--mysql-password: MySQL password

--mysql-host[=7.0.0.]: MySQL host name

--mysql-port[=3306]: MySQL port

--mysql-statements: MySQL Creation Statements

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates

--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update OracleDB Dynamic Secret

Usage
akeyless dynamic-secret update oracledb \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--oracle-username <Oracle user> \
--oracle-password <Oracle password> \
--oracle-host <Oracle host name (Default = 7.0.0.)> \
--oracle-port <Oracle port (Default = 5)>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --oracle-service-name: Oracle service name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--oracle-username: Oracle user

--oracle-password: Oracle password

--oracle-host[=7.0.0.]: Oracle host name

--oracle-port[=5]: Oracle port

--oracle-statements: Oracle Creation Statements

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates

--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address

--secure-access-enable[=false]: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update PostgreSQL Dynamic Secret

Usage
akeyless dynamic-secret update postgresql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--postgresql-username <PostgreSQL user> \
--postgresql-password <PostgreSQL password> \
--postgresql-host <PostgreSQL host name (Default = 7.0.0.)> \
--postgresql-port <PostgreSQL port (Default = 543)> \
--postgresql-statements "CREATE USER {{name}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};" \
--postgresql-revoke-statement "REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '{{name}}'; DROP USER {{name}};"
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-d, --postgresql-db-name: PostgreSQL DB name

-u, --gateway-url[=http://localhost:8000]: Gateway url

--postgresql-username: PostgreSQL user

--postgresql-password: PostgreSQL password

--postgresql-host[=7.0.0.]: PostgreSQL host name

--postgresql-port[=543]: PostgreSQL port

--postgresql-statements[=CREATE USER {{name}} WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};GRANT CONNECT ON DATABASE postgres TO {{name}};GRANT USAGE ON SCHEMA public TO {{name}};]: PostgreSQL Creation Statements

--postgresql-revoke-statement[=REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER {{name}};]: PostgreSQL Revocation Statement

--enc-key-name: Encrypt Dynamic Secret with following key

--ssl[=false]: Enable/Disable SSL [true/false]

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

--secure-access-db-schema: The db schema

--secure-access-web[=false]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]
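
A pre-flight check for --postgresql-statements and --postgresql-revoke-statement templates, as an added example (not Akeyless code): it verifies that {{password}} and compared {{name}} values sit inside quoted literals, that the revocation drops the created user, and that no broad privilege is granted. The rule names, the privilege deny-list and the BAD_* inputs are assumptions constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# Placeholders used by the PostgreSQL templates shown on this page.
KNOWN = {"name", "password", "userHost"}
# Constructed deny-list (an assumption of this example, not an Akeyless rule).
BROAD = re.compile(r"\b(SUPERUSER|CREATEROLE|CREATEDB|ALL\s+PRIVILEGES)\b", re.I)
DROP = re.compile(r"^DROP\s+(USER|ROLE)\s+(IF\s+EXISTS\s+)?\{\{\s*name\s*\}\}$", re.I)


def in_literal(sql, pos):
    """True if offset pos lies inside a single-quoted SQL literal.
    A doubled '' escape adds two quotes, so the parity check still holds."""
    return sql.count("'", 0, pos) % 2 == 1


def split_statements(sql):
    """Split on ';' characters that are outside single-quoted literals."""
    parts, start = [], 0
    for i, ch in enumerate(sql):
        if ch == ";" and not in_literal(sql, i):
            parts.append(sql[start:i].strip())
            start = i + 1
    parts.append(sql[start:].strip())
    return [p for p in parts if p]


def lint_templates(creation, revocation):
    """Return a list of (template, rule, detail) findings; empty means clean."""
    findings = []
    for where, sql in (("creation", creation), ("revocation", revocation)):
        for m in PLACEHOLDER.finditer(sql):
            key, quoted = m.group(1), in_literal(sql, m.start())
            if key not in KNOWN:
                findings.append((where, "unknown-placeholder", key))
            elif key == "password" and not quoted:
                # An unquoted password is not a valid string literal.
                findings.append((where, "unquoted-password", m.group(0)))
            elif not quoted and re.search(r"=\s*$", sql[:m.start()]):
                # Unquoted, the value is read as an identifier, not a string.
                findings.append((where, "unquoted-comparison", m.group(0)))
        for stmt in split_statements(sql):
            if BROAD.search(stmt):
                findings.append((where, "broad-privilege", stmt))
    used = set(PLACEHOLDER.findall(creation))
    for needed in ("name", "password"):
        if needed not in used:
            findings.append(("creation", "missing-placeholder", needed))
    if not any(DROP.match(s) for s in split_statements(revocation)):
        findings.append(("revocation", "no-drop-user",
                         "no DROP USER/ROLE {{name}} statement"))
    return findings


# Default values documented on this page for the two flags.
DEFAULT_CREATE = ("CREATE USER {{name}} WITH PASSWORD '{{password}}';"
                  "GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};"
                  "GRANT CONNECT ON DATABASE postgres TO {{name}};"
                  "GRANT USAGE ON SCHEMA public TO {{name}};")
DEFAULT_REVOKE = ("REASSIGN OWNED BY {{name}} TO {{userHost}}; "
                  "DROP OWNED BY {{name}}; "
                  "select pg_terminate_backend(pid) from pg_stat_activity "
                  "where usename = '{{name}}'; DROP USER {{name}};")
# Constructed bad input: quotes lost to shell quoting, a broad grant, no DROP.
BAD_CREATE = "CREATE USER {{name}} WITH PASSWORD {{password}} SUPERUSER;"
BAD_REVOKE = ("SELECT pg_terminate_backend(pid) FROM pg_stat_activity "
              "WHERE usename = {{name}};")

if __name__ == "__main__":
    for label, pair in (("default", (DEFAULT_CREATE, DEFAULT_REVOKE)),
                        ("bad", (BAD_CREATE, BAD_REVOKE))):
        results = lint_templates(*pair)
        print(label, "clean" if not results else results)
```

Running the check before `akeyless dynamic-secret update postgresql` catches templates whose inner single quotes were consumed by the shell.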

Update RabbitMQ Dynamic Secret

Usage
akeyless dynamic-secret update rabbitmq \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-admin-user <RabbitMQ server user> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-s, --rabbitmq-server-uri: RabbitMQ server URI

-c, --rabbitmq-user-conf-permission: User configuration permission, for example:[.*,queue-name]

-w, --rabbitmq-user-write-permission: User write permission, for example:[.*,queue-name]

-r, --rabbitmq-user-read-permission: User read permission, for example:[.*,queue-name]

-a, --rabbitmq-admin-user: RabbitMQ server user

-p, --rabbitmq-admin-pwd: RabbitMQ server password

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rabbitmq-user-vhost: User Virtual Host

--rabbitmq-user-tags: Comma separated list of tags to apply to user

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-url: Destination URL to inject secrets

--secure-access-web[=true]: Enable Web Secure Remote Access

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update RDP Dynamic Secret

Usage
akeyless dynamic-secret update rdp \
--new-name <Dynamic Secret New name> \
--name <Dynamic Secret name> \
--target-name <Target name>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-g, --rdp-user-groups: RDP UserGroup name(s). Multiple values should be separated by comma

-r, --rdp-host-name: RDP Host name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--rdp-admin-name: RDP Admin name

--rdp-admin-pwd: RDP Admin Password

--rdp-host-port[=]: RDP Host port

--fixed-user-only[=false]: Allow access using externally (IdP) provided username

--Dynamic Secret-encryption-key-name: Encrypt Dynamic Secret with following key

--warn-user-before-expiration: Display message to user before TTL expires (min)

--allow-user-extend-session: Allow user to extend session periodically (min)

--user-ttl[=60m]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user

--secure-access-rdp-user: Override the RDP Domain username

--secure-access-host: Target servers for connections. For multiple values, repeat this flag

--secure-access-allow-external-user[=false]: Allow providing an external user for domain users

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update Redis Dynamic Secret

Usage
akeyless dynamic-secret update redis \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret new name> \
--target-name <Target name> \
--gateway-url <API Gateway URL:8000> \
--username <Redis username> \
--password <Redis password>
Flags

-n, --name: Required, Dynamic Secret name

--new-name: Dynamic Secret New name

--target: Name of existing target to use in Dynamic Secret creation

--gateway-url: API Gateway URL

--username: Redis username

--password: Redis password

--host[=7.0.0.]: Redis host

--port[=6379]: Redis port

--acl-rules: A JSON array list of redis ACL rules to attach to the created user. For available rules see the ACL CAT command https://redis.io/commands/acl-cat. If omitted the user will have access to read all keys ([~*, +@read])

--ssl[=false]: Enable/Disable SSL [true/false]

--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

-t, --tag: Add tags attached to this object. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]
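
A pre-flight check for the `--acl-rules` value described above, as an added example (not Akeyless code): it lints the JSON array for over-broad Redis ACL grants before the `update redis` command line is assembled. The function names, the risk lists and the sample secret name are assumptions made for this illustration.

```python
import json

# Grants that hand a generated Redis user far more than a scoped workload needs.
BROAD_COMMANDS = {"+@all", "allcommands", "+@admin", "+@dangerous"}
ALL_KEYS = {"~*", "allkeys"}
WRITE_GRANTS = {"+@write", "+@all", "allcommands"}


def lint_acl_rules(raw):
    """Return a list of findings for a --acl-rules value (JSON array of strings)."""
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(rules, list) or not all(isinstance(r, str) for r in rules):
        return ["value must be a JSON array of strings"]

    findings = []
    seen = {r.strip().lower() for r in rules}  # lowercased only for token matching
    for rule in sorted(seen & BROAD_COMMANDS):
        findings.append(f"{rule}: grants every command or a high-risk category")
    if "nopass" in seen:
        findings.append("nopass: user would accept any password")
    if seen & ALL_KEYS and seen & WRITE_GRANTS:
        findings.append("write access combined with an all-keys pattern")
    if not any(r.startswith(("~", "%")) or r == "allkeys" for r in seen):
        findings.append("no key pattern: user cannot touch any key")
    return findings


def build_update_argv(name, raw_rules, user_ttl="60m"):
    """Build the CLI argv (flags from this page), refusing rules that fail the lint."""
    findings = lint_acl_rules(raw_rules)
    if findings:
        raise ValueError("; ".join(findings))
    return ["akeyless", "dynamic-secret", "update", "redis",
            "--name", name, "--acl-rules", raw_rules, "--user-ttl", user_ttl]


# Constructed sample inputs; the secret name below is hypothetical.
SCOPED = '["~orders:*", "+@read", "+hset"]'
BROAD = '["~*", "+@all", "nopass"]'

if __name__ == "__main__":
    print(lint_acl_rules(BROAD))
    print(build_update_argv("/demo/redis-orders", SCOPED))
```

The unquoted form `[~*, +@read]` used in the flag description is reported as invalid JSON by this check; each rule has to be a quoted string.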

Update Redshift Dynamic Secret

Usage
akeyless dynamic-secret update redshift \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--redshift-username <Redshift user> \
--redshift-password <Redshift password> \
--redshift-host <Redshift host name (Default = 7.0.0.)> \
--redshift-port <Redshift port (Default = 5439)> \
--redshift-statements "CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};" \
--ssl <true/false>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

--redshift-db-name: Redshift DB name

-u, --gateway-url[=http://localhost:8000]: Gateway url

--redshift-username: Redshift user

--redshift-password: Redshift password

--redshift-host[=7.0.0.]: Redshift host name

--redshift-port[=5439]: Redshift port

--redshift-statements[=CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};]: Redshift Creation Statements

--ssl[=false]: Enable/Disable SSL [true/false]

--enc-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60m]: User TTL

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-host: Target DB servers for connections. For multiple values, repeat this flag

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update Snowflake Dynamic Secret

Usage
akeyless dynamic-secret update snowflake \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--role <New User Role> \
--warehouse <Warehouse Name> \
--account-username <Snowflake account user name> \
--account-password <Snowflake account password> \
--db-name <The DB the generated credentials are restricted to>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-a, --account: Snowflake account name

--account-username: Snowflake account user name

--account-password: Snowflake account password

-d, --db-name: The DB the generated credentials are restricted to

--role: Role to be assigned to the generated credentials

--warehouse: The warehouse the generated credentials are restricted to

--snowflake-api-private-key: RSA Private key (base64 encoded), if this is provided, flag --snowflake-api-private-key-file-name is ignored

--snowflake-api-private-key-file-name: The path to the file containing the private key, if this is provided, flag --snowflake-api-private-key is ignored

--snowflake-api-private-key-passphrase: The Private key passphrase

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--user-ttl[=4h]: User TTL

-t, --tag: List of the tags attached to this secret. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2

--password-length: The length of the password to be generated

--delete-protection: Protection from accidental deletion of this item, [true/false]

Update a Venafi dynamic secret to update certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI

Usage
akeyless dynamic-secret update venafi \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url <API Gateway URL:8000> \
--venafi-zone <Venafi Zone> \
--venafi-api-key <Venafi API key (Relevant when using Venafi Cloud)> \
--venafi-use-tpp <When connecting to TPP this flag is required> \
--venafi-access-token <Venafi Access Token> \
--venafi-refresh-token <Venafi Refresh Token>
Flags

--new-name: Dynamic Secret New name

-n, --name: Required, Dynamic Secret name

--target-name: Name of existing target to use in Dynamic Secret creation

-z, --venafi-zone: Venafi Zone

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--venafi-api-key: Venafi API key (Relevant when using Venafi Cloud)

--venafi-use-tpp: When connecting to TPP this flag is required

--venafi-access-token: Venafi Access Token to use to access the TPP environment (Relevant when using TPP)

--venafi-refresh-token: Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)

--venafi-baseurl: Base URL of the TPP environment, or of a Cloud environment other than https://venafi.cloud/

--sign-using-akeyless-pki: creating certificates using Akeyless PKI

--root-first-in-chain: root first in chain

--store-private-key: store private key in Akeyless

--auto-generated-folder: auto generated folder

--signer-key-name: signer key name

--allowed-domains: allowed domains

--allow-subdomains: allow subdomains

--producer-encryption-key-name: Encrypt Dynamic Secret with following key

--user-ttl[=60h]: User TTL in time.Duration format (60h / 9600m / etc...). When using sign-using-akeyless-pki, certificates created will have this validity period; otherwise the user-ttl is taken from the Validity Period field of the Zone's Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (440h). For more information, see https://cert-manager.io/docs/usage/certificate/

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

--admin-creds-rotation[=false]: Enable automatic admin credentials rotation

--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)

--delete-protection: Protection from accidental deletion of this item, [true/false]

Get a dynamic secret

Get dynamic secret details

Usage
akeyless get-dynamic-secret get \
--name <Dynamic Secret name> \
--gateway-url <API Gateway URL:8000>

Get dynamic secret value

Usage
akeyless get-dynamic-secret get-value \
--name <Dynamic Secret name> \
--host <Host> \
--target <Target name>
Flags

--args: Optional arguments as key=value pairs or JSON strings, e.g. "--args=csr=base64_encoded_csr --args=common_name=bar" or --args='{"csr":"base64_encoded_csr"}'. It is possible to combine both formats. [role_arn,username,csr,common_name]

--timeout[=15]: timeout in seconds

List available dynamic secrets

List available dynamic secrets

Usage
akeyless get-dynamic-secret list \
--gateway-url <API Gateway URL:8000> 

Delete a dynamic secret

Deletes dynamic secret in the current account

Usage
akeyless gateway-delete-producer \
--name <Dynamic Secret name> \
--gateway-url <API Gateway URL:8000>
Flags

-n, --name: Required, Dynamic Secret name

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

Dynamic secrets tmp-creds

Commands to update, get, and delete a Dynamic Secret's temporary credentials

Revoke dynamic secret temporary credentials

akeyless dynamic-secret tmp-creds delete \
--name <Dynamic Secret name> \
--tmp-creds-id <Temp Creds ID> \
--revoke-all <Revoke All Temp Creds> \
--gateway-url <API Gateway URL:8000> \
--soft-delete <Use soft-delete> \
--host <Host>
Flags

-n, --name: Required, Dynamic Secret name

--tmp-creds-id: Temp Creds ID

--revoke-all: Revoke All Temp Creds

-u, --gateway-url: API Gateway URL (Configuration Management port)

--soft-delete: Use soft delete

--host: Host

Get dynamic secret temporary credentials list

Usage
akeyless dynamic-secret tmp-creds get \
--name <Dynamic Secret name> \
--gateway-url <API Gateway URL:8000>

Update ttl of dynamic secret temporary credentials

Usage
akeyless dynamic-secret tmp-creds update \
--name <Dynamic Secret name> \
--tmp-creds-id <Temp Creds ID> \
--new-ttl-min <New TTL in Minutes> \
--host <Requested host> \
--gateway-url <API Gateway URL:8000>

set-item-state

Set an item's state (Enabled, Disabled)

Usage
akeyless set-item-state \
--name <Dynamic Secret name> \
--gateway-url <API Gateway URL:8000> \
--desired-state <Enabled or Disabled>
Flags

-n, --name: Required, Dynamic Secret name

-s, --desired-state: Required, Desired item state [Enabled, Disabled]

-u, --gateway-url: API Gateway URL (Configuration Management port)

--version[=0]: The specific version you want to update: 0=item level state (default) (relevant only for keys)