CLI Reference - Dynamic Secrets
This section outlines the CLI commands relevant to Dynamic Secrets.
Dynamic secrets are secrets that are generated every time they are accessed, using permissions you've defined in advance. In this way, users can access a resource for a temporary period with a defined set of permissions.
You can create a dynamic secret using an existing target or manually enter the connection settings.
General Flags:
--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token: The universal identity token, Required only for universal_identity authentication
-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2
-h, --help: Display help information
--json[=false]: Set output format to JSON
--jq-expression: JQ expression to filter result output
--no-creds-cleanup[=false]: Do not clean local temporary expired creds
--description: Description of the object
--delete-protection: Protection from accidental deletion of this item, [true/false]
create
create
akeyless dynamic-secret create
Command to create a Dynamic Secret
Flags
artifactory: Creates Artifactory dynamic secret
aws: Creates AWS dynamic secret
azure: Creates Azure AD dynamic secret
cassandra: Creates Cassandra dynamic secret
chef: Creates Chef dynamic secret
custom: Creates a Custom webhook dynamic secret
dockerhub: Creates a Dockerhub dynamic secret
eks: Creates Amazon Elastic Kubernetes Service (Amazon EKS) dynamic secret
gcp: Creates Google Cloud Provider (GCP) dynamic secret
github: Creates Github dynamic secret that support tokens creation with fixed ttl of 60 minutes
gke: Creates Google Kubernetes Engine (GKE) dynamic secret
hanadb: Creates HanaDB dynamic secret
k8s: Creates Native Kubernetes Service dynamic secret
ldap: Creates LDAP dynamic secret
mongodb: Creates a MongoDB/MongoDB Atlas dynamic secret
mssql: Creates Microsoft SQL Server
mysql: Creates MySQL dynamic secret
oracledb: Creates Oracle DB dynamic secret
ping: Creates Ping Federate dynamic secret
postgresql: Creates PostgreSQL dynamic secret
rabbitmq: Creates RabbitMQ dynamic secret
rdp: Creates RDP dynamic secret
redis: Creates Redis dynamic secret
redshift: Creates Redshift dynamic secret
snowflake: Creates Snowflake dynamic secret
gitlab: Creates GitLab dynamic secret
venafi: Creates a Venafi dynamic secret to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless.
artifactory
artifactory
Creates Artifactory Dynamic Secret
Usage
akeyless dynamic-secret create artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--artifactory-token-audience <Space-separated list of instances> \
--target-name <Target Name> \
--gateway-url <Artifactory REST URL:8000 must end with artifactory postfix)
akeyless dynamic-secret create artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-scope *<Space-separated list of scopes> \
--artifactory-token-audience *<Space-separated list of instances> \
--gateway-url <Artifactory REST URL:8000 must end with artifactory postfix) \
--base-url <Artifactory REST URL> \
--artifactory-admin-name <Artifactory Admin username> \
--artifactory-admin-pwd <Artifactory Admin API Key or password>
Flags
-n, --name: Required, Dynamic Secret name
-s, --artifactory-token-scope: Required, Token scope provided as a space-separated list, for example: member-of-groups:readers
-a, --artifactory-token-audience: Required, A space-separated list of other Artifactory instances or services that should accept this token, for example: jfrt@*
--target-name: Name of existing target to use in Dynamic Secret creation
-b, --base-url: Artifactory REST URL, must end with artifactory postfix
-r, --artifactory-admin-name: Admin name
-p, --artifactory-admin-pwd: Admin API Key/Password
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL, Default = 60m
aws
aws
Creates AWS Dynamic Secret
Usage
akeyless dynamic-secret create aws \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--aws-access-mode <iam_userassumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
akeyless dynamic-secret create aws \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--aws-access-mode <iam_userassumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs> \
--aws-access-key-id <Access ID> \
--aws-access-secret-key <Access Key> \
--aws-region <Region>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-i, --aws-access-key-id: Access Key ID
-s, --aws-access-secret-key: Access Secret Key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port), Default = http://localhost:8000
--aws-access-mode: The types of credentials to retrieve from AWS. Options:[iam_user,assume_role]
--aws-region[=us-east-2]: Region, Default = us-east-2
--aws-user-policies: Policy ARN(s). Multiple values should be separated by comma
--aws-user-groups: UserGroup name(s). Multiple values should be separated by comma
--aws-role-arns: AWS Role ARNs to be use in the Assume Role operation. Multiple values should be separated by comma
--aws-user-console-access=[false] : Enable AWS User console access, Default = false
--aws-user-programmatic-access[=true]: Enable AWS User programmatic access, Default = true
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL, Default = 60m
--admin-creds-rotation[=false]: Enable automatic admin credentials rotation, Default = flase
--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)
--session-tags: String of Key value session tags comma separated, relevant only for Assumed Role
--transitive-tag-keys: String of transitive tag keys space separated, relevant only for Assumed Role
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-aws-account-id: The AWS account ID
--secure-access-aws-native-cli: The AWS native CLI
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion, Default = false
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion, Default = false
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=true]: Enable Web Secure Remote Access, Default = true
azure
azure
Creates Azure AD Dynamic Secret
Usage
akeyless dynamic-secret create azure \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <truefalse> \
--azure-user-programmatic-access <truefalse> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <truefalse> \
--fixed-user-claim-keyname <Key name of the IdP claim>
akeyless dynamic-secret create azure \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <truefalse> \
--azure-user-programmatic-access <truefalse> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <truefalse> \
--fixed-user-claim-keyname <Key name of the IdP claim> \
--azure-tenant-id <Azure Tenant ID> \
--azure-client-id <Azure Client ID> \
--azure-client-secret <Azure AD Client Secret>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--azure-tenant-id: Azure Tenant ID
--azure-client-id: Azure Client ID (Application ID)
--azure-client-secret: Azure AD Client Secret
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--azure-user-portal-access[=false]: Enable Azure AD user portal access, Default = false
--azure-user-programmatic-access[=true]: Enable Azure AD user programmatic access, Default = True.
--azure-app-obj-id: Azure App Object ID (required if selected programmatic access)
--azure-user-principal-name: Azure AD User Principal Name (required if selected Portal access)
--azure-user-group-obj-id : Azure AD User Group Object ID (required if selected Portal access)
--azure-administrative-unit: Azure AD administrative unit (relevant only when azure-user-portal-access=true)
--azure-user-role-template-id: Azure AD User Role Template ID (required if selected Portal access)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--fixed-user-only[=false]: Allow access using externally (IdP) provided username, Default = false
--fixed-user-claim-keyname: For externally provided users, denotes the key-name of IdP claim to extract username from
--user-ttl[=60m] : User TTL
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=true]: Enable Web Secure Remote Access
--password-length: The length of the password to be generated
cassandra
cassandra
Create Cassandra Dynamic Secret
Usage
akeyless dynamic-secret create cassandra \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--cassandra-statements CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';
akeyless dynamic-secret create cassandra \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--cassandra-hosts <Cassandra host> \
--cassandra-port <Cassandra port> \
--cassandra-username <Cassandra username> \
--cassandra-password <password> \
--cassandra-statements CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Target name
--cassandra-hosts: Cassandra hosts names or IP addresses, comma separated
--cassandra-username: Cassandra superuser user name
--cassandra-password: Cassandra superuser password
--cassandra-port[=904]: Cassandra port
-u, --gateway-url[=http://localhost:8000] : API Gateway URL (Configuration Management port)
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';]: Cassandra Creation Statements
--user-ttl[=60m]: User TTL (<=60m for access token)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--password-length: The length of the password to be generated
chef
chef
Creates Chef Dynamic Secret
Usage
akeyless dynamic-secret create chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--chef-orgs <Chef organizations>
akeyless dynamic-secret create chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--chef-orgs <Chef organizations> \
--chef-server-username <Chef server username> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--skip-ssl <truefalse>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-c, --chef-server-username: Chef server username
-y, --chef-server-key: Chef server key
-s, --chef-server-url: Chef server URL
-g, --chef-orgs: Chef organizations
--skip-ssl[=true]: Skip SSL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m] : User TTL
--password-length: The length of the password to be generated
custom
custom
Creates a custom webhook-based dynamic secret
Usage
akeyless dynamic-secret create custom \
--name <Dynamic Secret Name> \
--create-sync-url <'https://example.com/sync/create:Port'> \
--revoke-sync-url <'https://example.com/sync/revoke:Port'> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
Flags
-n, --name: Required, Dynamic Secret name
--create-sync-url: Required, URL of an endpoint that implements /sync/create method
--revoke-sync-url: Required, URL of an endpoint that implements /sync/revoke method
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--rotate-sync-url: URL of an endpoint that implements /sync/rotate method
--payload: Secret payload to be sent with each create/revoke webhook request
--timeout-sec[=60]: Maximum allowed time in seconds for the webhook to return the results
--enable_admin_rotation[=false]: Enable automatic admin credentials rotation
--admin_rotation_interval_days: Rotation period in days
dockerhub
dockerhub
Creates a Dockerhub Dynamic Secret
Usage
akeyless dynamic-secret create dockerhub \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read'
akeyless dynamic-secret create dockerhub \
--name *<Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--dockerhub-token-scopes <'repo:admin,repo:write,repo:read,repo:public_read'> \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--dockerhub-username: Username for docker repository
--dockerhub-password: password for docker repository
--dockerhub-token-scopes : Comma-separated access token scopes list to give the created dynamic secret. Valid options are in 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=60m] : User TTL (<=60m for access token)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
eks
eks
Creates Amazon Elastic Kubernetes Service (Amazon EKS) Dynamic Secret
Usage
akeyless dynamic-secret create eks \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--eks-assume-role <Role ARN>
akeyless dynamic-secret create eks \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--eks-assume-role <Role ARN> \
--eks-access-key-id <IAM user Access Key ID> \
--eks-secret-access-key <IAM user secret Access Key> \
--eks-region <EKS cluster region> \
--eks-cluster-name <EKS cluster Name> \
--eks-cluster-endpoint <EKS Cluster endpoint URL> \
--eks-cluster-ca-cert <Base64-encoded EKS cluster CA certificate>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--eks-cluster-name: EKS cluster name. Must match the EKS cluster name you want to connect to
--eks-cluster-endpoint: EKS Cluster endpoint. https:// , <DNS / IP> of the cluster
--eks-cluster-ca-cert: EKS Cluster certificate. Base 64 encoded certificate
--eks-access-key-id: EKS Access Key ID
--eks-secret-access-key : EKS Secret Access Key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--eks-region[=us-east-2]: EKS Region, Default = us-east-2
--eks-assume-role: Role ARN. Role to assume when connecting to the EKS cluster
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL, Default = 60m
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint URL
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access.
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
gcp
gcp
Creates Google Cloud Provider (GCP) Dynamic Secret
Usage
akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--service-account-type <fixed/dynamic> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-sa-email <service account email> \
--gcp-cred-type <tokenkey> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>
akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--service-account-type <fixed, dynamic> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-sa-email <service account email> \
--gcp-cred-type <tokenkey> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-key-file-path <GCP Service Account Private Key>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--gcp-cred-type[=token]: Credentials type, options are [token, key]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--gcp-key-file-path : Path to file with the Base64-encoded service account private key
--gcp-key: Base64-encoded service account private key text
--gcp-token-scopes: Access token scopes list, e.g. scope,scope
--gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_04
--user-ttl='60m': User TTL, Default = 60m
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
-s, --service-account-type[=fixed]: Required, The type of the GCP dynamic secret. Options[fixed, dynamic]
-e, --gcp-sa-email: The email of the fixed service account to generate keys or tokens for. (revelant for service-account-type=fixed)
--role-binding: Role binding definitions in json format
google-workspace
google-workspace
Creates Google-Workspace Dynamic Secret
Usage
akeyless dynamic-secret create google-workspace \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
--access-mode <group / user> \
--target-name <Target Name> \
--admin-email <admin user email> \
--group-email <group email> \
--group-role <owner / manager / member> \
--role-scope[=CUSTOMER] <customer / org_unit>
Flags
-n, --name: Required, Dynamic Secret name
-a, --access-mode: Required, Adding a user to an existing group or assign an admin role to a user [group/role]
-d, --admin-email: Required, Email of an admin user within the account
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--target-name: Name of existing target to use in Dynamic Secret creation
--group-email: Email address of the group to add the user to (relevant only for group access-mode)
--group-role: Group role [OWNER/MANAGER/MEMBER], (relevant only for group access-mode)
--role-name: Name of the admin role the user will be assign to, (relevant only for role access-mode)
--role-scope[=customer]: The scope in which this role is assigned [customer/org_unit], relevant only for role access-mode
--fixed-user-claim-keyname[=ext_email]: For externally provided users, denotes the key-name of IdP claim to extract the username from
--gcp-key-file-path: Path to file with the service account private key
--gcp-key: Base64-encoded service account private key text
--user-ttl[=60m]: User TTL, Default = 60m
--producer-encryption-key-name: Dynamic producer encryption key
github
github
Creates Github Dynamic Secret that support tokens creation with fixed ttl of 60 minutes
Usage
akeyless dynamic-secret create github \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--installation-id <Your GitHub Installation ID>
akeyless dynamic-secret create github \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--installation-id <Your GitHub Installation ID> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <Base64-encoded application private key> \
--github-base-url <Github base URL>
Flags
-n, --name: Required, Dynamic Secret name
--installation-id: Github application installation id
--installation-organization: Optional, instead of installation id, set a GitHub organization name
--installation-repository : Optional, instead of installation id, set a GitHub repository <owner>/<repo-name>
--target-name: Name of existing target to use in Dynamic Secret creation
--github-app-id: Github application id
--github-app-private-key: Github application private key (base64 encoded key)
--github-base-url[=https://api.github.com/]: Github base URL
-p, --token-permissions: Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - -p contents=read -p issues=write or -p '{content:read}'
-r, --token-repositories: Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use the argument multiple times: -r RepoName -r RepoName
--token-ttl[=60m]: Token TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
gke
gke
Creates Google Kubernetes Engine (GKE) Dynamic Secret
Usage
akeyless dynamic-secret create gke \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
akeyless dynamic-secret create gke \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gke-account-email <GKE service account email> \
--gke-account-key <GKE service account Key> \
--gke-cluster-endpoint <GKE cluster endpoint URL> \
--gke-cluster-ca-cert <Base64-encoded GKE cluster CA certificate> \
--gke-cluster-name <GKE cluster name>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-a, --gke-account-email: GKE service account email
-e, --gke-cluster-endpoint: GKE cluster endpoint, i.e., cluster URI https\://\<DNS/IP>
-c, --gke-cluster-ca-cert: GKE Base-64 encoded cluster certificate
--gke-account-key-file-path: File path to GKE service account key
--gke-account-key: GKE service account key
--gke-cluster-name: GKE cluster name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=60m]: User TTL, Default = 60m
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint URL
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access
--secure-access-bastion-issuer : Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
hanadb
hanadb
Creates HanaDB Dynamic Secret
Usage
akeyless dynamic-secret create hanadb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--hanadb-creation-statements CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}}; \
--hanadb-revocation-statements DROP USER {{name}};
akeyless dynamic-secret create hanadb \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--hana-dbname <HanaDB name> \
--hanadb-username <HanaDB admin username> \
--hanadb-password <HanaDB admin password> \
--hanadbt-host <HanaDB host> \
--hanadb-port <HanaDB port> \
--hanadb-creation-statements CREATE USER {{name}} PASSWORD '{{password}}';GRANT 'MONITOR ADMIN' TO {{name}}; \
--hanadb-revocation-statements DROP USER {{name}};
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --hana-dbname: Hana DB Name
--hanadb-username: HanaDB user
--hanadb-password: HanaDB password
--hanadb-host[=127.0.0.1]: HanaDB host name
--hanadb-port[=443]: HanaDB port
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD {{password}}; GRANT MONITOR ADMIN TO {{name}};]: HanaDB Creation Statements
--hanadb-revocation-statements[=DROP USER {{name}};]: HanaDB Revocation Statements
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
-u, --gateway-url[=http://localhost:8000] : API Gateway URL (Configuration Management port)
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer : Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag.
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
k8s
k8s
Creates Native Kubernetes Service Dynamic Secret
Usage
akeyless dynamic-secret create k8s \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--k8s-service-account <service account>
akeyless dynamic-secret create k8s \
--name <Dynamic Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--k8s-service-account <service account> \
--k8s-cluster-endpoint <Cluster Endpoint URL> \
--k8s-cluster-ca-cert <Base64-encoded cluster CA certificate> \
--k8s-cluster-token ${TOKEN}
# Or using GW Service Account
akeyless dynamic-secret create k8s \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--use-gw-service-account
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-e, --k8s-cluster-endpoint: K8S Cluster endpoint. <DNS / IP> of the cluster
-c, --k8s-cluster-ca-cert: K8S Cluster certificate. Base 64 encoded certificate
-t, --k8s-cluster-token: K8S Cluster authentication token
-s, --k8s-service-account: K8S ServiceAccount to extract token from
-i, --use-gw-service-account: Use GW's Service Account. Boolean, when provided, as part of the inline connection.
--k8s-service-account-type[=fixed]: K8S ServiceAccount type [fixed, dynamic].
--k8s-namespace[=default]: K8S Namespace where the ServiceAccount exists.(relevant only for service-account-type=fixed)
--k8s-allowed-namespaces[=*]: Comma-separated list of allowed K8S namespaces for the generated ServiceAccount (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-name: The pre-existing Role or ClusterRole name to bind the generated ServiceAccount to (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-type: Specifies the type of the pre-existing K8S role [Role, ClusterRole] (relevant only for k8s-service-account-type=dynamic)
--k8s-rolebinding-yaml-def: Path to yaml file that contains definitions of K8S role and role binding (relevant only for k8s-service-account-type=dynamic)
--k8s-cluster-name: K8S cluster name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m] : User TTL
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint
--secure-access-dashboard-url: The K8s dashboard url
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
ldap
ldap
Creates LDAP Dynamic Secret
Usage
akeyless dynamic-secret create ldap \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--user-dn <User Base DN>
akeyless dynamic-secret create ldap \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password> \
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--user-dn <User Base DN>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--ldap-url: LDAP Server URL
--user-dn: User Base DN
--group-dn: Group DN which the temporary user should be added
--user-attribute: LDAP User Attribute
-t, --ldap-ca-cert: LDAP base-64 encoded CA Certificate
--bind-dn: LDAP Bind DN
--bind-dn-password: Password for LDAP Bind DN
--external-username[=false]: Externally provided username
--fixed-user-claim-keyname[=ext_username]: For externally provided users, denotes the key-name of IdP claim to extract the username from (relevant only for external-username=true)
--token-expiration: LDAP token expiration in seconds
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m] : User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--host-provider: Host provider type [explicit/target], Default Host provider is explicit, Relevant only for Secure Remote Access of ssh cert issuer, ldap rotated secret and ldap dynamic secret
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--target: A list of linked targets to be associated, Relevant only for Secure Remote Access for ssh cert issuer, ldap rotated secret and ldap dynamic secret, To specify multiple targets use argument multiple times
--secure-access-rd-gateway-server: RD Gateway server
mongodb
mongodb
Creates a MongoDB/MongoDB Atlas Dynamic Secret
Usage
akeyless dynamic-secret create mongodb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role>
akeyless dynamic-secret create mongodb \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mongodb-roles <New User Role> \
--mongodb-name <MongoDB name> \
--mongodb-username <MongoDB server admin username> \
--mongodb-password <MongoDB server admin password> \
--mongodb-host-port <host:port>
Flags
-n, --name: Required, Dynamic Secret name
--target-name : Name of existing target to use in Dynamic Secret creation
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--mongodb-name: MongoDB name
--mongodb-roles\[=\[]]: MongoDB roles (e.g. MongoDB:[{role:readWrite, db: sales}], MongoDB Atlas:[{roleName : readWrite, databaseName: sales}])
--mongodb-custom-data: MongoDB custom data (e.g. {team:blue})
--mongodb-server-uri: MongoDB server URI (e.g. mongodb://user:[email protected]:707/admin?replicaSet=mySet)
--mongodb-username: MongoDB server username
--mongodb-password: MongoDB server password
--mongodb-host-port: host:port (e.g. my.mongo.db:707)
--mongodb-default-auth-db: MongoDB server default authentication database
--mongodb-uri-options: MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)
--mongodb-atlas-project-id: MongoDB Atlas project ID
--mongodb-atlas-api-public-key: MongoDB Atlas public key
--mongodb-atlas-api-private-key: MongoDB Atlas private key
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL (e.g. 60s, 60m, 60h)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag.
--secure-access-web[=false]: Enable Web Secure Remote Access
mssql
mssql
Creates Microsoft SQL Server
Usage
akeyless dynamic-secret create mssql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mssql-creation-statements CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}'; \
--mssql-revocation-statements DROP LOGIN '{{name}}';
akeyless dynamic-secret create mssql \
--name *<Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mssql-creation-statements CREATE LOGIN {{name}} WITH PASSWORD = '{{password}}'; \
--mssql-revocation-statements DROP LOGIN '{{name}}'; \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MSSQL Server admin user> \
--mssql-password <MSSQL Server admin password> \
--mssql-host <MSSQL Server host name> \
--mssql-port <MSSQL Server port>
Flags
-n, --name: Required, Dynamic Secret name
--target-name : Name of existing target to use in Dynamic Secret creation
-d, --mssql-dbname: MSSQL Server DB Name
--mssql-username: MS SQL Server user
--mssql-password: MS SQL Server password
--mssql-host[=127.0.0.1]: MS SQL Server host name
--mssql-port[=1433]: MS SQL Server port
--mssql-creation-statements\[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';]: MSSQL Server Creation Statements
--mssql-revocation-statements\[=DROP LOGIN [{{name}}];]: MSSQL Server Revocation Statements
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
mysql
mysql
Creates MySQL Dynamic Secret
Usage
akeyless dynamic-secret create mysql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mysql-statements CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%';
akeyless dynamic-secret create mysql \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mysql-statements CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}' PASSWORD EXPIRE INTERVAL 30 DAY;GRANT SELECT ON *.* TO '{{name}}'@'%'; \
--mysql-dbname <MySQL DB Name > \
--mysql-host <MySQL host> \
--mysql-port <MySQL port> \
--mysql-username <MySQL admin username> \
--mysql-password <MySQL admin password>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --mysql-dbname: MySQL DB name
--mysql-username: MySQL user
--mysql-password: MySQL password
--mysql-host[=127.0.0.1]: MySQL host name
--mysql-port[=3306]": MySQL port
--mysql-statements: MySQL Creation Statements
--mysql-revocation-statements: MySQL Revocation Statements
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
-u, --gateway-url[=http://localhost:8000] : API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer : Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections. For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts)
--secure-access-web[=false]: Enable Web Secure Remote Access
oracledb
oracledb
Creates Oracle DB Dynamic Secret
Usage
akeyless dynamic-secret create oracledb \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
akeyless dynamic-secret create oracledb \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--oracle-service-name <Your Oracle DB Service name > \
--oracle-username <Oracle DB admin username> \
--oracle-password <Oracle DB admin password> \
--oracle-host <Your Oracle DB host> \
--oracle-port <Oracle DB port> \
--oracle-statements 'CREATE USER {{username}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{username}}; GRANT CREATE SESSION TO {{username}};'
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --oracle-service-name: Oracle service name
--oracle-username: Oracle user
--oracle-password: Oracle password
--oracle-host[=127.0.0.1]: Oracle host name
--oracle-port[=1521]: Oracle port
--oracle-statements: Oracle Creation Statements
--oracle-revocation-statements: Oracle Revocation Statements
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable[=false]: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag.
--secure-access-web[=false]: Enable Web Secure Remote Access
ping
ping
Creates a Ping dynamic secret Dynamic Secret
There are possible ways to run this command - using a target or an inline connection
Usage
akeyless dynamic-secret create ping \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ping-client-authentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODES \
--ping-redirect-uris <https://your-server.com/api/callback>
akeyless dynamic-secret create ping \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ping-url <https://my-pf-server.com> \
--ping-privileged-user <Username> \
--ping-password <Password> \
--ping-client-uthentication-type CLIENT_SECRET \
--ping-grant-types AUTHORIZATION_CODES \
--ping-redirect-uris <https://your-server.com/api/callback>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--ping-url: Ping URL
-s, --ping-privileged-user: Ping Federate privileged user
-p, --ping-password: Ping Federate privileged user password
-i, --ping-administrative-port[=9999]: Ping Federate administrative port
-j, --ping-authorization-port[=9031]: Ping Federate authorization port
-t, --ping-client-authentication-type[=CLIENT_SECRET]: OAuth Client Authentication Type [CLIENT_SECRET, PRIVATE_KEY_JWT, CLIENT_TLS_CERTIFICATE]
--ping-issuer-dn: Issuer DN of trusted CA certificate that imported into Ping Federate server. You may select Trust Any to trust all the existing issuers in Ping Federate server. Used in conjunction with --ping-cert-subject-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)
--ping-cert-subject-dn: The subject DN of the client certificate. If no explicit value is given, the Dynamic Secret will create CA certificate and matched client certificate and return it as value. Used in conjunction with --ping-issuer-dn (relevant for CLIENT_TLS_CERTIFICATE authentication method)
-f, --ping-enforce-replay-prevention[=false]: Determines whether PingFederate requires a unique signed JWT from the client for each action (relevant for PRIVATE_KEY_JWT authentication method)
--ping-jwks: Base64-encoded JSON Web Key Set (JWKS). If no explicit value is given, the Dynamic Secret will create JWKs and matched signed JWT (Sign Algo: RS56) and return it as value (relevant for PRIVATE_KEY_JWT authentication method)
--ping-jwks-url: The URL of the JSON Web Key Set (JWKS). If no explicit value is given, the Dynamic Secret will create JWKs and matched signed JWT and return it as value (relevant for PRIVATE_KEY_JWT authentication method)
--ping-signing-algo: The signing algorithm that the client must use to sign its request objects [RS56, RS384, RS5, ES56, ES384, ES5, PS56, PS384, PS5] If no explicit value is given, the client can use any of the supported signing algorithms (relevant for PRIVATE_KEY_JWT authentication method)
-g, --ping-grant-types: OAuth client grant types [IMPLICIT, AUTHORIZATION_CODE, CLIENT_CREDENTIALS, TOKEN_EXCHANGE, REFRESH_TOKEN, ASSERTION_GRANTS, PASSWORD, RESOURCE_OWNER_CREDENTIALS]. If no explicit value is given, AUTHORIZATION_CODE will be selected as default. For multiple values repeat this flag.
-r, --ping-redirect-uris: URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. At least one redirection URI is required for the AUTHORIZATION_CODE and IMPLICIT grant types. For multiple values repeat this flag.
-d, --ping-atm-id: Set a specific Access Token Management (ATM) instance for the created OAuth Client by providing the ATM Id. If no explicit value is given, the default pingfederate server ATM will be set.
-o, --ping-restricted-scopes: Limit the OAuth client to specific scopes. For multiple values repeat this flag.
-e, --producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: The time from dynamic secret creation to expiration.
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
postgresql
postgresql
Creates PostgreSQL Dynamic Secret
Usage
akeyless dynamic-secret create postgresql \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--postgresql-statements 'CREATE USER {{name}} WITH PASSWORD {{password}}; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};' \
--postgresql-revoke-statement 'REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = {{name}}; DROP USER {{name}};'
akeyless dynamic-secret create postgresql \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--postgresql-db-name <PostgreSQL DB name> \
--postgresql-username <PostgreSQL DB admin username> \
--postgresql-password <PostgreSQL DBadmin password> \
--postgresql-host <PostgreSQL DB host> \
--postgresql-port <PostgreSQL DB port> \
--postgresql-statements 'CREATE USER {{name}} WITH PASSWORD {{password}}; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};' \
--postgresql-revoke-statement 'REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = {{name}}; DROP USER {{name}};'
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --postgresql-db-name: PostgreSQL DB name
--postgresql-username: PostgreSQL user
--postgresql-password: PostgreSQL password
--postgresql-host[=127.0.0.1]: PostgreSQL hostname
--postgresql-port[=5432]: PostgreSQL port
--postgresql-statements[=CREATE USER {{name}} WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};GRANT CONNECT ON DATABASE postgres TO {{name}};GRANT USAGE ON SCHEMA public TO {{name}};]: PostgreSQL Creation Statements
--postgresql-revoke-statement[=REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER {{name}};]: PostgreSQL Revocation Statement
--enc-key-name: Encrypt (Dynamic Secret) producer with the following key
--ssl[=false]: Enable/Disable SSL [true/false]
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000] : API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion.
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag.
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
rabbitmq
rabbitmq
Creates RabbitMQ Dynamic Secret
Usage
akeyless dynamic-secret create rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission>
akeyless dynamic-secret create rabbitmq \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-server-uri <RabbitMQ server URI> \
--rabbitmq-admin-user <RabbitMQ server admin> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-s, --rabbitmq-server-uri: RabbitMQ server URI
-c, --rabbitmq-user-conf-permission: User configuration permission, for example:[.*,queue-name]
-w, --rabbitmq-user-write-permission: User write permission, for example:[.*,queue-name]
-r, --rabbitmq-user-read-permission: User read permission, for example:[.*,queue-name]
-a, --rabbitmq-admin-user: RabbitMQ server user
-p, --rabbitmq-admin-pwd: RabbitMQ server password
--rabbitmq-user-vhost: User Virtual Host
--rabbitmq-user-tags: Comma separated list of tags to apply to user
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion.
--secure-access-url: Destination URL to inject secrets.
--secure-access-web[=true]: Enable Web Secure Remote Access
rdp
rdp
Creates RDP Dynamic Secret
Usage
akeyless dynamic-secret create rdp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rdp-user-groups <Group Name>
akeyless dynamic-secret create rdp \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rdp-user-groups <Group Name> \
--rdp-host-name <RDP Host name> \
--rdp-host-port <RDP port> \
--rdp-admin-name <RDP Admin name> \
--rdp-admin-pwd <RDP Admin Password>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-g, --rdp-user-groups : RDP UserGroup name(s). Multiple values should be separated by a comma
-r, --rdp-host-name: RDP Hostname
--rdp-admin-name: RDP Admin name
--rdp-admin-pwd: RDP Admin password
--rdp-host-port[=22]: RDP Host port
--fixed-user-only[=false]: Allow access using externally (IdP) provided username
--fixed-user-claim-keyname[=ext_username]: For externally provided users, denotes the key-name of IdP claim to extract the username from (relevant only for fixed-user-only=true)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--warn-user-before-expiration: Display message to user before TTL expires (min)
--allow-user-extend-session: Allow user to extend session periodically (min)
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-host: Target servers for connections., For multiple values repeat this flag.
--secure-access-rd-gateway-server: RD Gateway server
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
redis
redis
Creates a redis Dynamic Secret
Usage
akeyless dynamic-secret create redis \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--username <Redis Username> \
--password <Redis Password>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-u, --gateway-url[=http://localhost:8000]: API Gateway URL
--username: Redis username
--password: Redis password
--host[=127.0.0.1]: Redis host
--port[=6379]: Redis port
--acl-rules: A JSON array list of redis ACL rules to attach to the created user. For available rules see the ACL CAT command https://redis.io/commands/acl-cat. If omitted the user will have access to read all keys ([~*, +@read])
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
redshift
redshift
Creates Redshift Dynamic Secret
Usage
akeyless dynamic-secret create redshift \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--redshift-statements CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}'; \
--ssl <falestrue>
akeyless dynamic-secret create redshift \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--redshift-db-name <Redshift DB name> \
--redshift-username <Redshift DB admin username> \
--redshift-password <Redshift DB admin password> \
--redshift-host <Redshift DB host> \
--redshift-port <Redshift DB port> \
--redshift-statements CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--redshift-db-name: Redshift DB name
--redshift-username: Redshift user
--redshift-password: Redshift password
--redshift-host[=127.0.0.1]: Redshift host name
--redshift-port[=5439]: Redshift port
--redshift-statements[=CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};]: Redshift Creation Statements
--ssl[=false]: Enable/Disable SSL [true/false]
--enc-key-name: Encrypt (Dynamic Secret) producer with the following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: Gateway URL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag.
snowflake
snowflake
Creates Snowflake Dynamic Secret
Usage
akeyless dynamic-secret create snowflake \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--role <New User Role> \
--warehouse <Wahehouse Name>
akeyless dynamic-secret create snowflake \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--role <New User Role> \
--warehouse <Wahehouse Name> \
--account <Snowflake account name> \
--username <Snowflake username> \
--password <Snowflake password> \
--db-name <Database to which the generated credentials are restricted>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-a, --account: Snowflake account name
--account-username: Snowflake account user name
--account-password: Snowflake account password
-d, --db-name: The DB the generated credentials are restricted to
--role: Role to be assigned to the generated credentials
--warehouse: The warehouse the generated credentials are restricted to
--private-key: RSA Private key (base64 encoded)
--private-key-file-name: The path to the file containing the private key
--private-key-passphrase: The Private key passphrase
--auth-mode[=password]: The authentication mode for the temporary user [password/key]
--key-algo[=RSA2048]: he temporary key algorithm to generate (relevant only for auth-mode=key) [RSA2048/RSA3072/RSA4096]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=24h]: User TTL
--password-length: The length of the password to be generated
venafi
venafi
Creates a Venafi dynamic secret to create certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI
Usage
akeyless gateway-create venafi \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--venafi-use-tpp <Required in TTP> \
--venafi-access-token <Venafi Access Token> \
--venafi-refresh-token <Venafi Refresh Token> \
--venafi-baseurl <TPP Enviornment BASE URL> \
--venafi-zone <Venafi Zone>
Flags
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-z, --venafi-zone: Venafi Zone
--venafi-api-key: Venafi API key (Relevant when using Venafi Cloud)
--venafi-use-tpp: When connecting to TPP this flag is required
--venafi-access-token: Venafi Access Token to use to access the TPP environment (Relevant when using TPP)
--venafi-refresh-token: Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)
--venafi-client-id[=akeyless]: Venafi Client ID to use when refreshing the token (Relevant when using TPP)
--venafi-baseurl: Base URL of the TPP environment. Or Cloud environment which isn't https://venafi.cloud/
--sign-using-akeyless-pki: creating certificates using Akeyless PKI
--root-first-in-chain: root first in chain
--store-private-key: store private key in Akeyless
--auto-generated-folder: auto-generated folder
--signer-key-name: signer key name
--allowed-domains: allowed domains
--allow-subdomains: allow subdomains
--admin-creds-rotation[=false]: Enable automatic admin credentials rotation, Default = false
--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60h]: User TTL in time.Duration format (60h / 9600m / etc...). When using sign-using-akeyless-pki certificates created will have this validity period, otherwise the user-ttl is taken from the Validity Period field of the Zone's' Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (440h). For more information - https://cert-manager.io/docs/usage/certificate/, Default = 60h
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
update
update
akeyless dynamic-secret update
Command to update a Dynamic Secret
Flags
artifactory: Updates Artifactory dynamic secret
aws: Updates AWS dynamic secret
azure: Updates Azure AD dynamic secret
cassandra: Updates Cassandra dynamic secret
chef: Updates Chef dynamic secret
custom: Updates a Custom webhook dynamic secret
dockerhub: Updates a Dockerhub dynamic secret
eks: Updates Amazon Elastic Kubernetes Service (Amazon EKS) dynamic secret
gcp: Updates Google Cloud Provider (GCP) dynamic secret
github: Updates Github dynamic secret that support tokens creation with fixed ttl of 60 minutes
gke: Updates Google Kubernetes Engine (GKE) dynamic secret
hanadb: Updates HanaDB dynamic secret
k8s: Updates Native Kubernetes Service dynamic secret
ldap: Updates LDAP dynamic secret
mongodb: Updates a MongoDB/MongoDB Atlas dynamic secret
mssql: Updates Microsoft SQL Server
mysql: Updates MySQL dynamic secret
oracledb: Updates Oracle DB dynamic secret
ping: Updates Ping Federate dynamic secret
postgresql: Updates PostgreSQL dynamic secret
rabbitmq: Updates RabbitMQ dynamic secret
rdp: Updates RDP dynamic secret
redis: Updates Redis dynamic secret
redshift: Updates Redshift dynamic secret
snowflake: Updates Snowflake dynamic secret
venafi: Updates a Venafi dynamic secret to creating certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI
Updates Artifactory dynamic secret
Usage
akeyless dynamic-secret update artifactory \
--name <Dynamic Secret Name> \
--artifactory-token-audience <Space-separated list of instances> \
--new-name <Dynamic Secret New name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--target-name <Target Name> \
--artifactory-token-scope <Space-separated list of scopes> \
--producer-encryption-key-name <Encrypt Dynamic Secret producer with following key>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
-s, --artifactory-token-scope: Required, Token scope provided as a space-separated list, for example: member-of-groups:readers
-a, --artifactory-token-audience: Required, A space-separated list of other Artifactory instances or services that should accept this token, for example: jfrt@*
--target-name: Name of existing target to use in Dynamic Secret creation
-b, --base-url: Artifactory REST URL, must end with artifactory postfix
-r, --artifactory-admin-name: Admin name
-p, --artifactory-admin-pwd: Admin API Key/Password
u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
Updates AWS Dynamic Secret
Usage
akeyless dynamic-secret update aws \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--aws-access-mode <iam_userassumed_role> \
--aws-user-policies <Policy ARN> \
--aws-user-groups <UserGroup name> \
--aws-role-arns <AWS Role ARNs>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-i, --aws-access-key-id: Access Key ID
-s, --aws-access-secret-key: Access Secret Key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--aws-access-mode: The types of credentials to retrieve from AWS. Options:[iam_user,assume_role]
--aws-region[=us-east-2]: Region, Default = us-east-2
--aws-user-policies: Policy ARN(s). Multiple values should be separated by comma
--aws-user-groups: UserGroup name(s). Multiple values should be separated by comma
--aws-role-arns: AWS Role ARNs to be use in the Assume Role operation. Multiple values should be separated by comma
--aws-user-console-access[=false]: Enable AWS User console access
--aws-user-programmatic-access[=true]: Enable AWS User programmatic access
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--admin-creds-rotation[=false]: Enable automatic admin credentials rotation
--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)
--session-tags: String of Key value session tags comma separated, relevant only for Assumed Role
--transitive-tag-keys: String of transitive tag keys space separated, relevant only for Assumed Role
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-aws-account-id: The aws account id
--secure-access-aws-native-cli: The aws native cli
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=true]: Enable Web Secure Remote Access
Updates Azure AD Dynamic Secret
Usage
akeyless dynamic-secret update azure \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--azure-user-portal-access <truefalse> \
--azure-user-programmatic-access <truefalse> \
--azure-app-obj-id <Azure App Object ID> \
--azure-user-principal-name <Azure User Principal Name> \
--fixed-user-only <truefalse> \
--fixed-user-claim-keyname <Key name of the IdP claim>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-t, --azure-tenant-id: Azure Tenant ID
-i, --azure-client-id: Azure Client ID (Application ID)
-s, --azure-client-secret: Azure AD Client Secret
--azure-user-portal-access[=false]: Enable Azure AD user portal access
--azure-user-programmatic-access[=false]: Enable Azure AD user programmatic access
--azure-app-obj-id: Azure App Object ID (required if selected programmatic access)
--azure-user-principal-name: Azure AD User Principal Name (required if selected Portal access)
--azure-user-group-obj-id: Azure AD User Group Object ID (required if selected Portal access)
--azure-user-role-template-id: Azure AD User Role Template ID (required if selected Portal access)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--fixed-user-only[=false]: Allow access using externally (IdP) provided username
--fixed-user-claim-keyname: For externally provided users, denotes the key-name of IdP claim to extract username from
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-web[=true]: Enable Web Secure Remote Access
--password-length: The length of the password to be generated
Update Cassandra Dynamic Secret
akeyless dynamic-secret update cassandra \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New Name> \
--target-name <Target Name> \
--cassandra-hosts <Hosts>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Target name
--cassandra-hosts: Cassandra hosts names or IP addresses, comma-separated
--cassandra-username: Cassandra superuser user name
--cassandra-password: Cassandra superuser password
--cassandra-port[=9042]: Cassandra port
--cassandra-statements[=CREATE ROLE '{{username}}' WITH PASSWORD = '{{password}}' AND LOGIN = true; GRANT SELECT ON ALL KEYSPACES TO '{{username}}';]: Cassandra Creation Statements
--user-ttl[=60m]: User TTL (<=60m for access token)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--password-length: The length of the password to be generated
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Updates Chef Dynamic Secret
Usage
akeyless dynamic-secret update chef \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-c, --chef-server-username: Chef server username
-y, --chef-server-key: Chef server key
-s, --chef-server-url: Chef server URL
-g, --chef-orgs: Chef organizations
--skip-ssl[=true]: Skip SSL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
Updates a custom webhook based dynamic secret Dynamic Secret
Usage
akeyless dynamic-secret update custom \
--name <Dynamic Secret Name> \
--create-sync-url <URL of an endpoint that implements /sync/create method> \
--revoke-sync-url <URL of an endpoint that implements /sync/revoke method>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
-c, --create-sync-url: Required, URL of an endpoint that implements /sync/create method
-r, --revoke-sync-url: Required, URL of an endpoint that implements /sync/revoke method
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--payload: Secret payload to be sent with each create/revoke webhook request
--timeout-sec[=60]: Maximum allowed time in seconds for the webhook to return the results
--enable_admin_rotation[=false]: Enable automatic admin credentials rotation
--admin_rotation_interval_days: Rotation period in days
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Updates a Dockerhub Dynamic Secret
Usage
akeyless dynamic-secret update dockerhub \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--dockerhub-username: Username for docker repository
--dockerhub-password: Password for docker repository
--dockerhub-token-scopes: Comma-separated access token scopes list to give the created dynamic secret. Valid options are in 'repo:admin', 'repo:write', 'repo:read', 'repo:public_read'
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=60m]: User TTL, Default = 60m
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
Updates Amazon Elastic Kubernetes Service (Amazon EKS) Dynamic Secret
Usage
akeyless dynamic-secret update eks \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--eks-assume-role <Role ARN> \
--eks-cluster-name <EKS cluster name. Must match the EKS cluster name you want to connect to> \
--eks-cluster-endpoint <EKS Cluster endpoint> \
--eks-cluster-ca-cert <EKS Cluster certificate. Base 64 encoded certificate> \
--eks-access-key-id <EKS Access Key ID> \
--eks-secret-access-key <EKS Secret Access Key>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-c, --eks-cluster-name: EKS cluster name. Must match the EKS cluster name you want to connect to
-e, --eks-cluster-endpoint: EKS Cluster endpoint. https:// , <DNS / IP> of the cluster
-r, --eks-cluster-ca-cert: EKS Cluster certificate. Base 64 encoded certificate
--eks-access-key-id: EKS Access Key ID
--eks-secret-access-key: EKS Secret Access Key
--eks-region[=us-east-2]: EKS Region, Default = us-east-2
--eks-assume-role: Role ARN. Role to assume when connecting to the EKS cluster
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint URL
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
Updates Google Cloud Provider (GCP) Dynamic Secret
Usage
akeyless dynamic-secret update gcp \
--name <Dynamic Secret Name> \
--service-account-type[=fixed] <fixed, dynamic>
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-sa-email <service account email> \
--gcp-cred-type <tokenkey> \
--gcp-key-file-path <Path to file with the Base64-encoded service account private key> \
--gcp-key <Base64-encoded service account private key text> \
--gcp-token-scopes <Access token scopes list> \
--gcp-key-algo <Service account key algorithm>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-t, --gcp-cred-type[=token]: Credentials type, options are [token, key]
--gcp-key-file-path: Path to file with the Base64-encoded service account private key
--gcp-key: Base64-encoded service account private key text
--gcp-token-scopes: Access token scopes list, e.g. scope,scope
--gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_04
-s, --service-account-type[=fixed]: Required, The type of the gcp dynamic secret. Options[fixed, dynamic]
-e, --gcp-sa-email: The email of the fixed service acocunt to generate keys or tokens for. (revelant for service-account-type=fixed)
--role-binding: Role binding definitions in json format
--user-ttl[=60m]: User TTL, Default = 60m
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Updates Google-Workspace Dynamic Secret
Usage
akeyless dynamic-secret update google-workspace \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name>
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
--access-mode <group / user> \
--target-name <Target Name> \
--admin-email <admin user email> \
--group-email <group email> \
--group-role <owner / manager / member> \
--role-scope[=CUSTOMER] <customer / org_unit>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
-a, --access-mode: Required, Adding a user to an existing group or assign an admin role to a user [group/role]
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --admin-email: Required, Email of an admin user within the account
--group-email: Email address of the group to add the user to (relevant only for group access-mode)
--group-role: Group role [OWNER/MANAGER/MEMBER], (relevant only for group access-mode)
--role-name: Name of the admin role the user will be assign to, (relevant only for role access-mode)
--role-scope[=CUSTOMER]: The scope in which this role is assigned [customer/org_unit], relevant only for role access-mode
--gcp-key-file-path: Path to file with the service account private key
--gcp-key: Base64-encoded service account private key text
--user-ttl[=60m]: User TTL, Default = 60m
--producer-encryption-key-name: Dynamic producer encryption key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Updates Github Dynamic Secret
Usage
akeyless dynamic-secret update github \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--installation-id <Your GitHub Installation ID> \
--installation-repository <instead of installation id, set a GitHub repository> \
--github-app-id <Github application id> \
--github-app-private-key <Github application private key (base64 encoded key)> \
--github-base-url <Github base url (Deafult = https://api.github.com/)
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--installation-id: Github application installation id
--installation-organization: Optional, mutually exclusive with installation id, GitHub organization name
--installation-repository: Optional, instead of installation id, set a GitHub repository '/'
--target-name: Name of existing target to use in Dynamic Secret creation
--github-app-id: Github application id
--github-app-private-key: Github application private key (base64 encoded key)
--github-base-url[=https://api.github.com/]: Github base url
-p, --token-permissions: Tokens' allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - -p contents=read -p issues=write or -p '{content:read}'
-r, --token-repositories: Tokens' allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName -r RepoName
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Updates Google Kubernetes Engine (GKE) Dynamic Secret
Usage
akeyless dynamic-secret update gke \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base-64 encoded cluster certificate> \
--gke-account-key-file-path <File path to GKE service account key> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-a, --gke-account-email: GKE service account email
-e, --gke-cluster-endpoint: GKE cluster endpoint, i.e., cluster URI https://<DNS/IP>
-c, --gke-cluster-ca-cert: GKE Base-64 encoded cluster certificate
--gke-account-key-file-path: File path to GKE service account key
--gke-account-key: GKE service account key
--gke-cluster-name: GKE cluster name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint URL
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
Updates HanaDB Dynamic Secret
Usage
akeyless dynamic-secret update hanadb \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--hanadb-username <HanaDB user> \
--hanadb-password <--hanadb-password> \
--hanadb-host <HanaDB host name (Deafult = 127.0.0.1) \
--hanadb-port <HanaDB port (Deafult = 443) \
--producer-encryption-key-name <Encrypt Dynamic Secret producer with following key>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --hana-dbname: HanaDB database Name
--hanadb-username: HanaDB user
--hanadb-password: HanaDB password
--hanadb-host[=127.0.0.1]: HanaDB host name
--hanadb-port[=443]: HanaDB port
--hanadb-creation-statements[=CREATE USER {{name}} PASSWORD {{password}}; GRANT MONITOR ADMIN TO {{name}};]: HanaDB Creation Statements
--hanadb-revocation-statements[=DROP USER {{name}};]: HanaDB Revocation Statements
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
Updates Native Kubernetes Service Dynamic Secret
Usage
akeyless dynamic-secret update k8s \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-e, --k8s-cluster-endpoint: K8s Cluster endpoint. https:// , <DNS / IP> of the cluster
-c, --k8s-cluster-ca-cert: K8s Cluster certificate. Base 64 encoded certificate
-t, --k8s-cluster-token: K8s Cluster authentication token
-i, --use-gw-service-account: Use the GW's service account
--k8s-service-account-type[=fixed]: K8S ServiceAccount type [fixed, dynamic]
-s, --k8s-service-account: K8s ServiceAccount to extract token from
--k8s-namespace[=default]: K8s Namespace where the ServiceAccount exists
--k8s-allowed-namespaces[=*]: Comma-separated list of allowed K8s namespaces for the generated ServiceAccount (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-name: The pre-existing Role or ClusterRole name to bind the generated ServiceAccount to (relevant only for k8s-service-account-type=dynamic)
--k8s-predefined-role-type: Specifies the type of the pre-existing K8S role [Role, ClusterRole] (relevant only for k8s-service-account-type=dynamic)
--k8s-rolebinding-yaml-def: Path to yaml file that contains definitions of K8S role and role binding (relevant only for k8s-service-account-type=dynamic)
--k8s-cluster-name: K8s cluster name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-cluster-endpoint: The K8s cluster endpoint
--secure-access-allow-port-forwading: Enable Port forwarding while using CLI access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-dashboard-url: The K8s dashboard url
Updates LDAP Dynamic Secret
Usage
akeyless dynamic-secret update ldap \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret New name> \
--target-name <Target name>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--ldap-url: LDAP Server URL
--user-dn: User Base DN
--group-dn: Group DN which the temporary user should be added
--user-attribute: LDAP User Attribute
-t, --ldap-ca-cert: LDAP base-64 encoded CA Certificate
--bind-dn: LDAP Bind DN
--bind-dn-password: Password for LDAP Bind DN
--external-username[=false]: Externally provided username
--token-expiration: LDAP token expiration in seconds
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--host-provider: Host provider type [explicit/target], Default Host provider is explicit, Relevant only for Secure Remote Access of ssh cert issuer, ldap rotated secret and ldap dynamic secret
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--target: A list of linked targets to be associated, Relevant only for Secure Remote Access for ssh cert issuer, ldap rotated secret and ldap dynamic secret, To specify multiple targets use argument multiple times
--secure-access-rd-gateway-server: RD Gateway server
Updates a MongoDB/MongoDB Atlas Dynamic Secret
Usage
akeyless dynamic-secret update mongodb \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mongodb-name <MongoDB name> \
--mongodb-custom-data <MongoDB custom data>\
--mongodb-username <MongoDB server username> \
--mongodb-password <MongoDB server password> \
--mongodb-host-port <host port>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required,
--target-name: Name of existing target to use in Dynamic Secret creation
--mongodb-name: MongoDB name
--mongodb-roles\[=\[]]: MongoDB roles (e.g. MongoDB:[{role:readWrite, db: sales}], MongoDB Atlas:[{roleName : readWrite, databaseName: sales}])
--mongodb-custom-data: MongoDB custom data (e.g. {team:blue})
--mongodb-server-uri: MongoDB server URI (e.g. mongodb://user:[email protected]:707/admin?replicaSet=mySet)
--mongodb-username: MongoDB server username
--mongodb-password: MongoDB server password
--mongodb-host-port: host:port (e.g. my.mongo.db:707)
--mongodb-default-auth-db: MongoDB server default authentication database
--mongodb-uri-options: MongoDB server URI options (e.g. replicaSet=mySet&authSource=authDB)
--mongodb-atlas-project-id: MongoDB Atlas project ID
--mongodb-atlas-api-public-key: MongoDB Atlas public key
--mongodb-atlas-api-private-key: MongoDB Atlas private key
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL (e.g. 60s, 60m, 60h)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-web[=false]: Enable Web Secure Remote Access
Updates Microsoft SQL Server
Usage
akeyless dynamic-secret update mssql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mssql-dbname <MSSQL Server DB Name> \
--mssql-username <MS SQL Server user> \
--mssql-password <MS SQL Server password> \
--mssql-host <MS SQL Server host name (Deafult = 127.0.0.1) > \
--mssql-port <MS SQL Server port (Deafult = 1433) >
Flags
--new-name: Dynamic Secret New name
-n, --name: Required,
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --mssql-dbname: MSSQL Server DB Name
--mssql-username: MS SQL Server user
--mssql-password: MS SQL Server password
--mssql-host[=127.0.0.1]: MS SQL Server host name
--mssql-port[=1433]: MS SQL Server port
--mssql-creation-statements[=CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';]: MSSQL Server Creation Statements
--mssql-revocation-statements[=DROP LOGIN [{{name}}];]: MSSQL Server Revocation Statements
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
Update MySQL Dynamic Secret
Usage
akeyless dynamic-secret update mysql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--mysql-username <MySQL user> \
--mysql-password <MySQL password> \
--mysql-host <MySQL host name (Deafult = 127.0.0.1) > \
--mysql-port <MySQL port Deafult = 3306) >
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --mysql-dbname: MySQL DB name
--mysql-username: MySQL user
--mysql-password: MySQL password
--mysql-host[=127.0.0.1]: MySQL host name
--mysql-port[=3306]: MySQL port
--mysql-statements: MySQL Creation Statements
--mysql-revocation-statements: MySQL Revocation Statements
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-web[=false]: Enable Web Secure Remote Access
Update OracleDB Dynamic Secret
Usage
akeyless dynamic-secret update oracledb \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--oracle-username <Oracle user> \
--oracle-password <Oracle password> \
--oracle-host <Oracle host name (Deafult = 127.0.0.1) > \
--oracle-port <Oracle port (Default = 1521)
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --oracle-service-name: Oracle service name
--oracle-username: Oracle user
--oracle-password: Oracle password
--oracle-host[=127.0.0.1]: Oracle host name
--oracle-port[=1521]: Oracle port
--oracle-statements: Oracle Creation Statements
--oracle-revocation-statements: Oracle Revocation statements
--db-server-certificates: the set of root certificate authorities in base64 encoding that clients use when verifying server certificates
--db-server-name: Server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
--secure-access-enable[=false]: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-web[=false]: Enable Web Secure Remote Access
Update PostgreSQL Dynamic Secret
Usage
akeyless dynamic-secret update postgresql \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--postgresql-username <PostgreSQL user> \
--postgresql-password <PostgreSQL password> \
--postgresql-host <PostgreSQL host name (Deafult = 127.0.0.1) > \
--postgresql-port <PostgreSQL port (Deafult = 5432) > \
--postgresql-statements 'CREATE USER {{name}} WITH PASSWORD {{password}}; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}}; GRANT CONNECT ON DATABASE postgres TO {{name}}; GRANT USAGE ON SCHEMA public TO {{name}};' \
--postgresql-revoke-statement 'REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = {{name}}; DROP USER {{name}};'
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-d, --postgresql-db-name: PostgreSQL DB name
-u, --gateway-url[=http://localhost:8000]: Gateway url
--postgresql-username: PostgreSQL user
--postgresql-password: PostgreSQL password
--postgresql-host[=127.0.0.1]: PostgreSQL host name
--postgresql-port[=5432]: PostgreSQL port
--postgresql-statements[=CREATE USER {{name}} WITH PASSWORD '{{password}}';GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{name}};GRANT CONNECT ON DATABASE postgres TO {{name}};GRANT USAGE ON SCHEMA public TO {{name}};]: PostgreSQL Creation Statements
--postgresql-revoke-statement[=REASSIGN OWNED BY {{name}} TO {{userHost}}; DROP OWNED BY {{name}}; select pg_terminate_backend(pid) from pg_stat_activity where usename = '{{name}}'; DROP USER {{name}};]: PostgreSQL Revocation Statement
--enc-key-name: Encrypt Dynamic Secret with following key
--ssl[=false]: Enable/Disable SSL [true/false]
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
--secure-access-db-schema: The db schema
--secure-access-web[=false]: Enable Web Secure Remote Access
Update RabbitMQ Dynamic Secret
Usage
akeyless dynamic-secret update rabbitmq \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rabbitmq-user-conf-permission <User configuration permission> \
--rabbitmq-user-write-permission <User write permission> \
--rabbitmq-user-read-permission <User read permission> \
--rabbitmq-admin-user <RabbitMQ server user> \
--rabbitmq-admin-pwd <RabbitMQ server password>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-s, --rabbitmq-server-uri: RabbitMQ server URI
-c, --rabbitmq-user-conf-permission: User configuration permission, for example:[.*,queue-name]
-w, --rabbitmq-user-write-permission: User write permission, for example:[.*,queue-name]
-r, --rabbitmq-user-read-permission: User read permission, for example:[.*,queue-name]
-a, --rabbitmq-admin-user: RabbitMQ server user
-p, --rabbitmq-admin-pwd: RabbitMQ server password
--rabbitmq-user-vhost: User Virtual Host
--rabbitmq-user-tags: Comma separated list of tags to apply to user
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-url: Destination URL to inject secrets
--secure-access-web[=true]: Enable Web Secure Remote Access
Update RDP Dynamic Secret
Usage
akeyless dynamic-secret update rdp \
--new-name <Dynamic Secret New name> \
--name <Dynamic Secret name> \
--target-name <Target name>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-g, --rdp-user-groups: RDP UserGroup name(s). Multiple values should be separated by comma
-r, --rdp-host-name: RDP Host name
--rdp-admin-name: RDP Admin name
--rdp-admin-pwd: RDP Admin Password
--rdp-host-port[=22]: RDP Host port
--fixed-user-only[=false]: Allow access using externally (IdP) provided username
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--warn-user-before-expiration: Display message to user before TTL expires (min)
--allow-user-extend-session: Allow user to extend session periodically (min)
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-host: Target servers for connections., For multiple values repeat this flag
--secure-access-rd-gateway-server: RD Gateway server
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
Update Redis Dynamic Secret
Usage
akeyless dynamic-secret update redis \
--name <Dynamic Secret name> \
--new-name <Dynamic Secret new name> \
--target-name <Target name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--username <Redis username> \
--password <Redis password>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--username: Redis username
--password: Redis password
--host[=127.0.0.1]: Redis host
--port[=6379]: Redis port
--acl-rules: A JSON array list of redis ACL rules to attach to the created user. For available rules see the ACL CAT command https://redis.io/commands/acl-cat. If omitted the user will have access to read all keys ([~*, +@read])
--ssl[=false]: Enable/Disable SSL [true/false]
--ssl-certificate: SSL CA certificate in base64 encoding generated from a trusted Certificate Authority (CA)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60m]: User TTL
--password-length: The length of the password to be generated
Update Redshift Dynamic Secret
Usage
akeyless dynamic-secret update redshift \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--redshift-username <redshiftL user> \
--redshift-password <Redshift password> \
--redshift-host <Redshift host name (Default = 127.0.0.1)> \
--redshift-port <Redshift port (Default = 5439)> \
--redshift-statements CREATE USER '{{username}}' WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO '{{username}}';
--ssl <falestrue>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
--redshift-db-name: Redshift DB name
--redshift-username: Redshift user
--redshift-password: Redshift password
--redshift-host[=127.0.0.1]: Redshift host name
--redshift-port[=5439]: Redshift port
--redshift-statements[=CREATE USER {{username}} WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{username}};]: Redshift Creation Statements
--ssl[=false]: Enable/Disable SSL [true/false]
--enc-key-name: Encrypt Dynamic Secret with following key
--user-ttl[=60m]: User TTL
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable secure remote access, [true/false]
--secure-access-host: Target DB servers for connections., For multiple values repeat this flag
Update Snowflake Dynamic Secret
Usage
akeyless dynamic-secret update snowflake \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--role <New User Role> \
--warehouse <Wahehouse Name> \
--account-username <Snowflake account user name> \
--account-password <Snowflake account password> \
--db-name <The DB the generated credentials are restricted to>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-a, --account: Snowflake account name
--account-username: Snowflake account user name
--account-password: Snowflake account password
-d, --db-name: The DB the generated credentials are restricted to
--role: Role to be assigned to the generated credentials
--warehouse: The warehouse the generated credentials are restricted to
--private-key: RSA Private key (base64 encoded)
--private-key-file-name: The path to the file containing the private key
--private-key-passphrase: The Private key passphrase
--auth-mode[=password]: The authentication mode for the temporary user [password/key]
--key-algo[=RSA2048]: The temporary key algorithm to generate (relevant only for auth-mode=key) [RSA2048/RSA3072/RSA4096]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--user-ttl[=4h]: User TTL
--password-length: The length of the password to be generated
Update a Venafi dynamic secret to update certificates generated by Venafi or monitored by Venafi and generated by Akeyless PKI
Usage
akeyless dynamic-secret update venafi \
--name <Dynamic Secret Name> \
--new-name <Dynamic Secret New name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--venafi-zone <Venafi Zone> \
--venafi-api-key <Venafi API key (Relevant when using Venafi Cloud)> \
--venafi-use-tpp <When connecting to TPP this flag is required> \
--venafi-access-token <Venafi Access Token> \
--venafi-refresh-token <Venafi Refresh Token>
Flags
--new-name: Dynamic Secret New name
-n, --name: Required, Dynamic Secret name
--target-name: Name of existing target to use in Dynamic Secret creation
-z, --venafi-zone: Venafi Zone
--venafi-api-key: Venafi API key (Relevant when using Venafi Cloud)
--venafi-use-tpp: When connecting to TPP this flag is required
--venafi-access-token: Venafi Access Token to use to access the TPP environment (Relevant when using TPP)
--venafi-refresh-token: Venafi Refresh Token to use when the Access Token is expired (Relevant when using TPP)
--venafi-client-id[=akeyless]: Venafi Client ID to use when refreshing the token (Relevant when using TPP)
--venafi-baseurl: Base URL of the TPP environment. Or Cloud environment which isn't https://venafi.cloud/
--sign-using-akeyless-pki: creating certificates using Akeyless PKI
--root-first-in-chain: root first in chain
--store-private-key: store private key in Akeyless
--auto-generated-folder: auto generated folder
--signer-key-name: signer key name
--allowed-domains: allowed domains
--allow-subdomains: allow subdomains
--admin-creds-rotation[=false]: Enable automatic admin credentials rotation
--admin-creds-rotation-interval[=0]: Admin credentials rotation interval (days)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--producer-encryption-key-name: Encrypt (Dynamic Secret) producer with following key
--user-ttl[=60h]: User TTL in time.Duration format (60h / 9600m / etc...). When using sign-using-akeyless-pki certificates created will have this validity period, otherwise the user-ttl is taken from the Validity Period field of the Zone's' Issuing Template. When using cert-manager it is advised to have a TTL of above 60 days (440h). For more information - https://cert-manager.io/docs/usage/certificate/
Get
Get dynamic secret details
Usage
akeyless dynamic-secret get \
--name <Dynamic Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
Get dynamic secret value
Usage
akeyless dynamic-secret get-value \
--name <Dynamic Secret name> \
--host <Host> \
--target <Taget name> \
Flags
-n, --name: Required, Dynamic Secret name
--host: Host
target: Target Name
args: Optional arguments as key=value pairs or JSON strings, e.g - "--args=csr=base64_encoded_csr --args=common_name=bar" or --args='{"csr":"base64_encoded_csr"}. It is possible to combine both formats.' [role_arn,username,csr,common_name]
--timeout[=15]: Timeout in seconds
List
List available dynamic secrets
Usage
akeyless dynamic-secret list \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
Flags
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Delete
Deletes dynamic secret
Usage
akeyless dynamic-secret delete \
--name <Dynamic Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
Flags
-n, --name: Required, Dynamic Secret name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Dynamic secrets tmp-creds
Commands to update, get, and delete a Dynamic Secret temporary credentials
Revoke dynamic secret temporary credentials
akeyless dynamic-secret tmp-creds delete \
--name <Dynamic Secret name> \
--tmp-creds-id <Temp Creds ID> \
--revoke-all <Revoke All Temp Creds> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--soft-delete <Use soft-delete> \
--host <Host>
Flags
-n, --name: Required, Dynamic Secret name
-i, --tmp-creds-id: Temp Creds ID
--revoke-all: Revoke All Temp Creds
-u, --gateway-url: API Gateway URL (Configuration Management port)
--soft-delete: Use soft delete
--host: Host
Get dynamic secret temporary credentials list
Usage
akeyless dynamic-secret tmp-creds get \
--name <Dynamic Secret name> \
--gateway-url <'https://<Your-Akeyless-GW-URL:8000>'
Flags
-n, --name: Required, Dynamic Secret name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
Update ttl of dynamic secret temporary credentials
Usage
akeyless dynamic-secret tmp-creds update \
--name <Dynamic Secret name> \
--tmp-creds-id <Temp Creds ID> \
--new-ttl-min <New TTL in Minutes> \
--host <Requested host>
--gateway-url <'https://<Your-Akeyless-GW-URL:8000>'
Flags
-n, --name: Required, Dynamic Secret name
-i, --tmp-creds-id: Required, Temp Creds ID
-t, --new-ttl-min: Required, New TTL in Minutes
--host: Requested host (relevant in linked target only)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
set-item-state
set-item-state
Set an item's state (Enabled, Disabled)
Usage
akeyless set-item-state \
--name <Dynamic Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--desired-state <>
Flags
-n, --name: Required, Dynamic Secret name
-s, --desired-state: Required Desired item state [Enabled, Disabled]
--version[=0]: The specific version you want to update: 0=item level state (default) (relevant only for keys)
-u, --gateway-url: API Gateway URL (Configuration Management port)
Updated 17 days ago