CLI Reference - Rotated Secrets

Rotated Secrets

This section outlines the CLI commands relevant to Rotated Secrets.

General Flags:

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token

--uid-token: The universal identity token. Required only for universal_identity authentication

-h, --help: Display help information

--json[=false]: Set output format to JSON

--jq-expression: JQ expression to filter result output

--no-creds-cleanup[=false]: Do not clean local temporary expired creds

gateway-create-rotated-secret

Creates a new rotated secret item

Usage
akeyless create-rotated-secret \
--name <secret name> \
--target-name <target name> \
--gateway-url <API Gateway URL:8000> \
--rotator-type <password/target/api-key/ldap/custom/azure-storage-account> \
--rotation-hour <The hour of the rotation (in UTC)>
Flags

-n, --name: Required, Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators.

-r, --target-name: Required, The target name to associate

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: -t Tag1 -t Tag2

-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used).

--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation

--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes

--rotation-hour: The hour of the rotation (in UTC)

--rotator-type: Required, The rotator type password/target/api-key/ldap/azure-storage-account/custom

--rotator-creds-type: The credentials to connect with use-self-creds/use-target-creds - deprecated, replace by authentication-credentials

--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds/use-target-creds

--rotator-custom-cmd: Custom rotation command (relevant only for SSH target)

--ssh-username: SSH username - deprecated, replace by rotated-username

--ssh-password: SSH password to rotate - deprecated, replace by rotated-password

--api-id: API ID to rotate (relevant only for rotator-type=api-key)

--api-key: API key to rotate (relevant only for rotator-type=api-key)

--grace-rotation: Create a new access key without deleting the old key from AWS for backup (relevant only for AWS) [true/false]

--rotated-username: Username to be rotated. If "use-self-creds" is selected for rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password)

--rotated-password: rotated-username password (relevant only for rotator-type=password)

--same-password: Rotate same password for each host from the Linked Target (relevant only for Linked Target)

--user-dn: Base DN to Perform User Search

--user-attribute: LDAP User Attribute, Default value "cn"

--app-id: ID of the Azure app that holds the secret to be rotated (relevant only for azure & rotator-type=api-key & authentication-credentials=use-target-creds)

--custom-payload: Secret payload to be sent with rotation request (relevant only for rotator-type=custom)

--storage-account-key-name: The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account)

--gcp-key-file-path: Path to file with the base64-encoded Google service account private key. If this is defined you do not need --gcp-key.

--gcp-key: Base64-encoded Google service account private key text. If this is defined you do not need --gcp-key-file-path.

--gcp-service-account-email: The email of the GCP service account to rotate (relevant only when rotator-type=service-account-rotator)

--gcp-service-account-key-id: The key ID of the GCP service account to rotate (relevant only when rotator-type=service-account-rotator)

--password-length: The length of the password to be generated

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--rotate-after-disconnect[=false]: Rotate the value of the secret after SRA session ends [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--secure-access-url: Destination URL to inject secrets

--secure-access-host: Target servers for connections. For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - relevant only for Dynamic Secrets/producers)

--secure-access-db-name: The DB name (relevant only for DB)

--secure-access-db-schema: The DB schema (relevant only for MySQL or PostgreSQL)

--secure-access-aws-account-id: The aws account id (relevant only for aws)

--secure-access-aws-native-cli: The aws native cli (relevant only for aws)

--secure-access-web-browsing: Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure)

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure)

--secure-access-rdp-domain: Required when the Rotated Secret is used for a domain user (relevant only for rdp)

--secure-access-rdp-user: Override the RDP Domain username (relevant only for rdp)

--secure-access-allow-external-user[=false]: Allow providing external user for a domain users (relevant only for rdp)

--aws-region[=us-east-2]: Aws Region (relevant only for aws)

--host-provider[=explicit]: Host provider type [explicit/target]. Relevant only for Secure Remote Access of SSH cert issuer and LDAP rotated secret

--target: A list of linked targets to be associated. Relevant only for Secure Remote Access for SSH cert issuer and LDAP rotated secret. To specify multiple targets use argument multiple times

--description: Description of the object

--delete-protection: Protection from accidental deletion of this item, [true/false]
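The flag constraints listed above (allowed rotator types, the 1-365 day interval that becomes minutes for the custom rotator, the deprecated flags and their replacements, the mutually exclusive GCP key inputs) are easy to get wrong in automation. The helper below is an added example, not part of the Akeyless CLI or its documentation: it builds the argv for `gateway-create-rotated-secret` (the command name is taken from the heading above) after checking those documented constraints, so a bad combination fails before anything is sent to the gateway. The 0-23 range check on --rotation-hour and the choice to set --auto-rotate true whenever an interval is given are this helper's own assumptions.

```python
import shlex

# Allowed values as listed in the flag reference above.
ROTATOR_TYPES = {"password", "target", "api-key", "ldap", "azure-storage-account", "custom"}
AUTH_CREDS = {"use-user-creds", "use-target-creds"}
# Deprecated flag -> documented replacement.
DEPRECATED = {
    "ssh-username": "rotated-username",
    "ssh-password": "rotated-password",
    "rotator-creds-type": "authentication-credentials",
}


def build_create_cmd(name, target_name, rotator_type, gateway_url="http://localhost:8000",
                     rotation_interval=None, rotation_hour=None, **flags):
    """Return argv for 'akeyless gateway-create-rotated-secret' after validating the
    documented constraints; raises ValueError on a combination the reference rules out."""
    if rotator_type not in ROTATOR_TYPES:
        raise ValueError(f"unknown rotator-type {rotator_type!r}")
    # Rewrite deprecated flags onto their replacements instead of emitting them.
    for old, new in DEPRECATED.items():
        if old in flags:
            flags.setdefault(new, flags.pop(old))
    if flags.get("authentication-credentials", "use-user-creds") not in AUTH_CREDS:
        raise ValueError("authentication-credentials must be use-user-creds or use-target-creds")
    # Interval is days (1-365) for every rotator except custom, where it is minutes.
    if rotation_interval is not None and rotator_type != "custom" \
            and not 1 <= rotation_interval <= 365:
        raise ValueError("rotation-interval must be 1-365 days")
    # Assumption: the UTC rotation hour is 0-23 (the reference only says "in UTC").
    if rotation_hour is not None and not 0 <= rotation_hour <= 23:
        raise ValueError("rotation-hour must be 0-23 (UTC)")
    # The two GCP key inputs are documented as alternatives; both at once is ambiguous.
    if "gcp-key" in flags and "gcp-key-file-path" in flags:
        raise ValueError("give either gcp-key or gcp-key-file-path, not both")
    if rotator_type != "api-key" and ("api-id" in flags or "api-key" in flags):
        raise ValueError("api-id/api-key are only valid with rotator-type=api-key")
    argv = ["akeyless", "gateway-create-rotated-secret", "--name", name,
            "--target-name", target_name, "--gateway-url", gateway_url,
            "--rotator-type", rotator_type]
    if rotation_interval is not None:  # helper's choice: an interval implies auto-rotate
        argv += ["--auto-rotate", "true", "--rotation-interval", str(rotation_interval)]
    if rotation_hour is not None:
        argv += ["--rotation-hour", str(rotation_hour)]
    for key, value in sorted(flags.items()):
        argv += [f"--{key}", str(value)]
    return argv


def render(argv):
    """Shell-quoted command line, safe to paste into a terminal or log."""
    return " ".join(shlex.quote(a) for a in argv)
```

Run the returned argv with `subprocess.run(argv, check=True)` rather than through a shell, so secret values never pass through shell parsing.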

gateway-list-rotated-secrets

List available rotated secrets in the current account

Usage
akeyless gateway-list-rotated-secrets \
--gateway-url <'https://Akeyless-GW-URL:8000'>
Flags

-u, --gateway-url[=http://localhost:8000]: API Gateway URL

get-rotated-secret-value

Get the value of the rotated secret

Usage
akeyless get-rotated-secret-value \
--name <Secret Name> \
--version <Secret Version> \
--host <Host>
Flags

-n, --name: Required, Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators

--version: A version of the secret

--host: Get rotated secret value of specific Host (relevant only for Linked Target)

--ignore-cache[=false]: Retrieve the Secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the RestAPI

update-rotated-secret

Update rotated secret in the current account

Usage
akeyless update-rotated-secret \
--name <secret name> \
--new-name <New secret name> \
--gateway-url <API Gateway URL:8000> \
--rotation-interval <Number of days to wait between every automatic rotation (1-365)> \
--rotation-hour <The Hour of the rotation in UTC>
Flags

-n, --name: Required, Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators.

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--new-name: New item name

--new-metadata: New item metadata

--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2

--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2

--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation

--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes

--rotation-hour: The Hour of the rotation in UTC

--rotator-creds-type[=use-user-creds]: The credentials to connect with use-self-creds/use-target-creds

--rotator-custom-cmd: Custom rotation command (relevant only for ssh target)

-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)

--ssh-username: SSH username - deprecated, replace by rotated-username

--ssh-password: SSH password to rotate - deprecated, replace by rotated-password

--api-id: API ID to rotate

--api-key: API key to rotate

--rotated-username: Username to be rotated. If "use-self-creds" is selected for rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password

--rotated-password: rotated-username password

--same-password: Rotate same password for each host from the Linked Target (relevant only for Linked Target)

--custom-payload: Secret payload to be sent with rotation request (relevant only for rotator-type=custom)

--storage-account-key-name: The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account)

--new-version: [Deprecated: Use keep-prev-version instead] Whether to create a new version

--keep-prev-version: Whether to keep previous version, options: [true, false]. If not set, use default according to account settings

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-web[=false]: Enable Web Secure Remote Access

--secure-access-host: Target servers for connections. For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - relevant only for Dynamic Secrets/producers)

--secure-access-db-name: The DB name (relevant only for DB)

--secure-access-db-schema: The DB schema (relevant only for MSSQL or PostgreSQL)

--secure-access-aws-account-id: The aws account id (relevant only for aws)

--secure-access-aws-native-cli: The aws native cli (relevant only for aws)

--aws-region[=us-east-2]: Aws Region (relevant only for aws)

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure)

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure)

--secure-access-rdp-domain: Required when the Rotated Secret is used for a domain user (relevant only for rdp)

--secure-access-rdp-user: Override the RDP Domain username (relevant only for rdp)

--secure-access-allow-external-user[=false]: Allow providing external user for a domain users (relevant only for rdp)

gateway-rotate-secret

Trigger a rotation operation for a Rotated Secret

Usage
akeyless gateway-rotate-secret \
--name <Secret Name> \
--gateway-url <API Gateway URL:8000> 
Flags

-n, --name: Required, Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators.

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

gateway-update-item

Updates gateway item

Usage
akeyless gateway-update-item \
--name <Item name> \
--type <classic-key, rotated-secret> \
--new-name <New item name> \
--gateway-url <API Gateway URL:8000> 
Flags

-n, --name: Required, Item name

-t, --type: Required, Item type; options: [classic-key, rotated-secret]

-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)

--new-name: New item name

--new-metadata[=default_metadata]: New item metadata

--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2

--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2

--auto-rotate: [true/false] Sets automatic rotation to be enabled or disabled, if enabled rotation will be triggered periodically based on --rotation-interval

--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes

--rotation-hour[=0]: The Hour of the rotation in UTC (relevant only for --type=rotated-secret)

--rotator-creds-type[=use-self-creds]: The credentials to connect with use-self-creds/use-target-creds (relevant only for --type=rotated-secret)

--new-version[=false]: [Deprecated: Use keep-prev-version instead] Whether to create a new version

--keep-prev-version: Whether to keep previous version, options:[true, false] (relevant only for --type=rotated-secret). If not set, use default according to account settings

--custom-payload: Secret payload to be sent with rotation request (relevant only for rotator-type=custom)

--api-id: API ID to rotate (relevant only for rotator-type=api-key)

--api-key: API key to rotate (relevant only for rotator-type=api-key)

--rotated-username: Username to be rotated. If "use-self-creds" is selected for rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password)

--rotated-password: rotated-username password (relevant only for rotator-type=password)

-k, --key: The name of the key that protects the item value (if empty, the account default key will be used)

--delete-protection: Protection from accidental deletion of this item, [true/false]