CLI Reference - External Secrets Manager

External Secrets Manager

create-esm

Creates a new External Secrets Manager

Usage
akeyless create-esm \
--name <ESM name> \
--target-to-associate <target to associate>
Parameters
ParameterDescription
-n, --name(Mandatory) External Secrets Manager name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
--descriptionDescription of the External Secrets Manager
-t, --tagList of the tags attached to this External Secrets Manager. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2
-a, --target-to-associate(Mandatory) Target External Secrets Manager to connect
-v, --azure-kv-nameAzure Key Vault name (Relevant only for Azure targets)
-s, --k8s-namespaceK8s namespace (Relevant to Kubernetes targets)
--delete-protectionProtection from accidental deletion of this item, [true/false]
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds

ESM Sub-Commands

After creating an ESM, you will need to use these sub-commands, prefixed with esm, to further interact with it.

esm

This command only has one parameter, -h, and it will display a list of the other esm commands.

esm list

Lists the secrets within the External Secrets Manager

Usage
akeyless esm list --name <ESM name>
Parameters
ParameterDescription
-n, --esm-name(Mandatory) ESM name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds

esm get

Gets the value and internal details of a secret from an External Secrets Manager

Usage
esm get \
--esm-name <esm name> \
--secret-id <Secret name or id>
Parameters
ParameterDescription
-n, --esm-name(Mandatory) ESM name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
-s, --secret-id(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds

esm create

Create a new secret in an existing ESM

Usage
esm create \
--esm-name <esm name> \
--secret-name <Secret name> \
--value <secret value>
Parameters
ParameterDescription
-n, --esm-name(Mandatory) ESM name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
-s, --secret-name(Mandatory)Name for the new external secret
-v, --value(Mandatory)Value of the external secret item, either text or base64 encoded binary
-b, --binary-valueUse this option if the external secret value is a base64 encoded binary
--descriptionDescription of the external secret
--tagsTags for the external secret. Should be provided as --tags tag1=value1 --tags tag2=value2
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds

esm update

Update an existing secret within the External Secrets Manager

Usage
esm update \
--esm-name <esm name> \
--secret-id <Secret name or id> \
--value <secret value>
Parameters
ParameterDescription
-n, --esm-name(Mandatory) ESM name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
-s, --secret-id(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
-v, --value(Mandatory)Value of the external secret item, either text or base64 encoded binary
-b, --binary-valueUse this option if the external secret value is a base64 encoded binary
--descriptionDescription of the external secret
--tagsTags for the external secret. Should be provided as --tags tag1=value1 --tags tag2=value2
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds

esm delete

Delete a secret from an External Secrets Manager

Usage
esm delete \
--esm-name <esm name> \
--secret-id <Secret name or id>
Parameters
ParameterDescription
-n, --esm-name(Mandatory) ESM name
-u, --gateway-url[=http://localhost:8000]API Gateway URL (Configuration Management port)
-s, --secret-id(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
--profile, --tokenUse a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-tokenThe universal identity token, Required only for universal_identity authentication
-h, --helpDisplay help information
--json[=false]Set output format to JSON
--jq-expressionJQ expression to filter result output
--no-creds-cleanup[=false]Do not clean local temporary expired creds