CLI Reference - Rotated Secrets
Rotated Secrets
gateway-create-rotated-secret
Creates a new rotated secret item
Please note: mandatory values for this command: -n, --name, -r, --target-name
Usage
akeyless create-rotated-secret -n <secret name> \
--target-name <target name to associate the secret> \
--gateway-url <API Gateway URL:8000> \
--rotator-type <password|target|api-key|ldap|custom|azure-storage-account> \
--rotation-hour <The hour of the rotation (in UTC)> \
--rotation-interval <The number of days to wait between every automatic rotation (1-365)>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
-r, --target-name | (Mandatory) The target name to associate |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
-m, --metadata | Metadata about the secret. |
-t, --tag | List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2 |
-k, --key | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used). |
--auto-rotate | Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation |
--rotation-interval | The number of days to wait between every automatic rotation (1-365); custom rotator interval will be set in minutes |
--rotation-hour | The hour of the rotation (in UTC). |
--rotator-type | (Mandatory) The rotator type password/target/api-key/ldap/azure-storage-account/custom |
--rotator-creds-type | The credentials to connect with use-self-creds/use-target-creds - deprecated, replaced by authentication-credentials |
--authentication-credentials[=use-user-creds] | The credentials to connect with use-user-creds/use-target-creds |
--rotator-custom-cmd | Custom rotation command (relevant only for SSH target) |
--ssh-username | SSH username - deprecated, replaced by rotated-username |
--ssh-password | SSH password to rotate - deprecated, replaced by rotated-password |
--api-id | API ID to rotate (relevant only for rotator-type=api-key) |
--api-key | API key to rotate (relevant only for rotator-type=api-key) |
--rotated-username | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password) |
--rotated-password | rotated-username password (relevant only for rotator-type=password) |
--user-dn | Base DN to Perform User Search |
--user-attribute | LDAP User Attribute, Default value "cn" |
--app-id | ID of the Azure app that holds the secret to be rotated (relevant only for azure & rotator-type=api-key & authentication-credentials=use-target-creds) |
--custom-payload | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
--storage-account-key-name | The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account) |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--secure-access-host | Target servers for connections. For multiple values repeat this flag. |
--secure-access-db-name | The DB name (relevant only for DB) |
--secure-access-db-schema | The DB schema (relevant only for MySQL or PostgreSQL) |
--secure-access-aws-account-id | The aws account id (relevant only for aws) |
--secure-access-aws-native-cli | The aws native cli (relevant only for aws) |
--aws-region[=us-east-2] | Aws Region (relevant only for aws) |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure) |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure) |
--secure-access-rdp-domain | Required when the Rotated Secret is used for a domain user (relevant only for rdp) |
--secure-access-rdp-user | Override the RDP Domain username (relevant only for rdp) |
--secure-access-allow-external-user[=false] | Allow providing an external user for domain users (relevant only for rdp) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
--gcp-key-file-path | Path to file with the base64-encoded Google service account private key. If this parameter is defined you do not need --gcp-key . |
--gcp-key | Base64-encoded Google service account private key text. If this parameter is defined you do not need --gcp-key-file-path . |
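The constraints in the table above (mandatory flags, allowed rotator types, the 1-365 day interval, flags that are relevant to one rotator type only, deprecated flags) can be checked before the command is run, for example in a CI job. The following is an added example, not part of the Akeyless CLI or its documentation; the function name lint_rotated_secret, its argument order and the sample item names are hypothetical, and the 0-23 bound on --rotation-hour is an assumption.

```shell
#!/bin/sh
# Added example: lint the arguments planned for `akeyless create-rotated-secret`.
# Rules come from the parameter table above. Assumption: --rotation-hour is 0-23
# (the page only says "hour of the rotation (in UTC)").
#
# usage: lint_rotated_secret NAME TARGET ROTATOR_TYPE INTERVAL HOUR [FLAG_NAME...]
# FLAG_NAME entries are names only, so no secret value passes through the linter.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_rotated_secret() {
  rs_name=$1 rs_target=$2 rs_type=$3 rs_interval=$4 rs_hour=$5
  shift 5
  rs_rc=0
  rs_fail() { echo "$1"; rs_rc=1; }

  [ -n "$rs_name" ]   || rs_fail "missing mandatory --name"
  [ -n "$rs_target" ] || rs_fail "missing mandatory --target-name"
  case $rs_type in
    password|target|api-key|ldap|custom|azure-storage-account) ;;
    *) rs_fail "invalid --rotator-type: '$rs_type'" ;;
  esac
  # For rotator-type=custom the page says the interval is in minutes, so the
  # 1-365 day range is only enforced for the other rotator types.
  case $rs_interval in
    ''|*[!0-9]*) rs_fail "--rotation-interval is not a number: '$rs_interval'" ;;
    *) if [ "$rs_type" != custom ] && { [ "$rs_interval" -lt 1 ] || [ "$rs_interval" -gt 365 ]; }; then
         rs_fail "--rotation-interval outside 1-365 days: $rs_interval"
       fi ;;
  esac
  case $rs_hour in
    ''|*[!0-9]*) rs_fail "--rotation-hour is not a number: '$rs_hour'" ;;
    *) [ "$rs_hour" -le 23 ] || rs_fail "--rotation-hour outside 0-23: $rs_hour" ;;
  esac
  for rs_flag in "$@"; do
    case $rs_flag in
      --api-id|--api-key) rs_want=api-key ;;
      --rotated-username|--rotated-password) rs_want=password ;;
      --custom-payload) rs_want=custom ;;
      --storage-account-key-name) rs_want=azure-storage-account ;;
      --ssh-username|--ssh-password|--rotator-creds-type)
        rs_fail "$rs_flag is deprecated"; continue ;;
      *) continue ;;
    esac
    [ "$rs_type" = "$rs_want" ] || rs_fail "$rs_flag is only relevant for rotator-type=$rs_want"
  done
  return $rs_rc
}

# Constructed sample: a password rotator that also passes an api-key flag.
lint_rotated_secret /prod/db-admin db-target password 30 2 --rotated-username --api-key || true
```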
gateway-list-rotated-secrets
List available rotated secrets
Usage
akeyless gateway-list-rotated-secrets \
--gateway-url <'https://Akeyless-GW-URL:8000'>
Parameters
Parameter | Description |
---|---|
-u, --gateway-url[=http://localhost:8000] | API Gateway URL |
get-rotated-secret-value
Get rotated secret value.
Please note: mandatory values for this command: -n, --name
Usage
akeyless get-rotated-secret-value -n <path/to/rotated/secret>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
--version | A version of the secret. |
--ignore-cache[=false] | Retrieve the Secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the REST API |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
update-rotated-secret
Update rotated secret
Please note: mandatory values for this command: -n, --name
Usage
akeyless update-rotated-secret -n <secret name> \
--new-name <New secret name> \
--gateway-url <API Gateway URL:8000> \
--rotation-interval <Number of days to wait between every automatic rotation (1-365)> \
--rotation-hour <The Hour of the rotation in UTC>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--new-name | New item name |
--new-metadata | New item metadata |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--auto-rotate | Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation |
--rotation-interval | The number of days to wait between every automatic rotation (1-365); custom rotator interval will be set in minutes |
--rotation-hour | The Hour of the rotation in UTC |
--rotator-creds-type[=use-user-creds] | The credentials to connect with use-self-creds/use-target-creds |
--rotator-custom-cmd | Custom rotation command (relevant only for ssh target) |
-k, --key | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used) |
--ssh-username | SSH username - deprecated, replaced by rotated-username |
--ssh-password | SSH password to rotate - deprecated, replaced by rotated-password |
--api-id | API ID to rotate |
--api-key | API key to rotate |
--rotated-username | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, target credentials will be used to rotate the rotated-password |
--rotated-password | rotated-username password |
--custom-payload | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
--storage-account-key-name | The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account) |
--new-version | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
--keep-prev-version | Whether to keep previous version, options:[true, false]. If not set, use default according to account settings |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion |
--secure-access-web[=false] | Enable Web Secure Remote Access |
--secure-access-host | Target servers for connections. For multiple values repeat this flag. |
--secure-access-db-name | The DB name (relevant only for DB) |
--secure-access-db-schema | The db schema (relevant only for mssql or postgresql) |
--secure-access-aws-account-id | The aws account id (relevant only for aws) |
--secure-access-aws-native-cli | The aws native cli (relevant only for aws) |
--aws-region[=us-east-2] | Aws Region (relevant only for aws) |
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure) |
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure) |
--secure-access-rdp-domain | Required when the Rotated Secret is used for a domain user (relevant only for rdp) |
--secure-access-rdp-user | Override the RDP Domain username (relevant only for rdp) |
--secure-access-allow-external-user[=false] | Allow providing an external user for domain users (relevant only for rdp) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-rotate-secret
Trigger a rotate operation for a Rotated Secret.
Please note: mandatory values for this command: -n, --name
Usage
akeyless gateway-rotate-secret \
--name <path/to/rotated/secret> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
gateway-update-item
Updates gateway item
Please note: mandatory values for this command: -n, --name, -t, --type
Usage
akeyless gateway-update-item --name <Item name> \
--new-name <New item name> \
--type <classic-key, rotated-secret> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description |
---|---|
-n, --name | (Mandatory) Item name |
-t, --type | (Mandatory) Item type; options: [classic-key, rotated-secret] |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port) |
--new-name | New item name |
--new-metadata[=default_metadata] | New item metadata |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--auto-rotate | [true/false] Sets automatic rotation to be enabled or disabled, if enabled rotation will be triggered periodically based on --rotation-interval |
--rotation-interval | The number of days to wait between every automatic rotation (1-365); custom rotator interval will be set in minutes |
--rotation-hour[=0] | The Hour of the rotation in UTC (relevant only for --type=rotated-secret) |
--rotator-creds-type[=use-self-creds] | The credentials to connect with use-self-creds/use-target-creds (relevant only for --type=rotated-secret) |
--new-version[=false] | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
--keep-prev-version | Whether to keep previous version, options:[true, false] (relevant only for --type=rotated-secret). If not set, use default according to account settings |
--custom-payload | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
--api-id | API ID to rotate (relevant only for rotator-type=api-key) |
--api-key | API key to rotate (relevant only for rotator-type=api-key) |
--rotated-username | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password) |
--rotated-password | rotated-username password (relevant only for rotator-type=password) |
-k, --key | The name of the key that protects the item value (if empty, the account default key will be used) |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |