CLI Reference - External Secrets Manager

External Secrets Manager

Creates a new External Secrets Manager

akeyless create-esm \
--name <ESM name> \
--target-to-associate <target to associate>

Parameter	Description
`-n, --name`	(Mandatory) External Secrets Manager name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`--description`	Description of the External Secrets Manager
`-t, --tag`	List of the tags attached to this External Secrets Manager. To specify multiple tags use the argument multiple times: -t Tag1 -t Tag2
`-a, --target-to-associate`	(Mandatory) Target External Secrets Manager to connect
`-v, --azure-kv-name`	`Azure Key Vault name (Relevant only for Azure targets)`
`-s, --k8s-namespace`	K8s namespace (Relevant to Kubernetes targets)
`--delete-protection`	Protection from accidental deletion of this item, [true/false]
`--profile, --token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds

After creating an ESM, you will need to use these sub-commands, prefixed with esm, to further interact with it.

This command only has one parameter, -h, and it will display a list of the other esm commands.

Lists the secrets within the External Secrets Manager

akeyless esm list --name <ESM name>

Parameter	Description
`-n, --esm-name`	(Mandatory) ESM name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`--profile, --token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds

Gets the value and internal details of a secret from an External Secrets Manager

esm get \
--esm-name <esm name> \
--secret-id <Secret name or id>

Parameter	Description
`-n, --esm-name`	(Mandatory) ESM name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`-s, --secret-id`	(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
`--profile`, `--token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds

Create a new secret in an existing ESM

esm create \
--esm-name <esm name> \
--secret-name <Secret name> \
--value <secret value>

Parameter	Description
`-n, --esm-name`	(Mandatory) ESM name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`-s, --secret-name`	(Mandatory)Name for the new external secret
`-v, --value`	(Mandatory)Value of the external secret item, either text or base64 encoded binary
`-b, --binary-value`	Use this option if the external secret value is a base64 encoded binary
`--description`	Description of the external secret
`--tags`	Tags for the external secret. Should be provided as --tags tag1=value1 --tags tag2=value2
`--profile`, `--token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds

Update an existing secret within the External Secrets Manager

esm update \
--esm-name <esm name> \
--secret-id <Secret name or id> \
--value <secret value>

Parameter	Description
`-n, --esm-name`	(Mandatory) ESM name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`-s, --secret-id`	(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
`-v, --value`	(Mandatory)Value of the external secret item, either text or base64 encoded binary
`-b, --binary-value`	Use this option if the external secret value is a base64 encoded binary
`--description`	Description of the external secret
`--tags`	Tags for the external secret. Should be provided as --tags tag1=value1 --tags tag2=value2
`--profile`, `--token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds

Delete a secret from an External Secrets Manager

esm delete \
--esm-name <esm name> \
--secret-id <Secret name or id>

Parameter	Description
`-n, --esm-name`	(Mandatory) ESM name
`-u, --gateway-url[=http://localhost:8000]`	API Gateway URL (Configuration Management port)
`-s, --secret-id`	(Mandatory) The secret id (or name, for AWS, Azure or K8s targets) to get from the External Secrets Manager
`--profile`, `--token`	Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
`--uid-token`	The universal identity token, Required only for universal_identity authentication
`-h, --help`	Display help information
`--json[=false]`	Set output format to JSON
`--jq-expression`	JQ expression to filter result output
`--no-creds-cleanup[=false]`	Do not clean local temporary expired creds