CLI Reference - Rotated Secrets

Rotated Secrets

gateway-create-rotated-secret

Creates a new rotated secret item

Please note: mandatory values for this command: -n, --name, -r, --target-name

Usage
akeyless create-rotated-secret -n <secret name> \
--target-name <target name to associate the secret> \
--gateway-url <API Gateway URL:8000> \
--rotator-type <password|target|api-key|ldap|custom|azure-storage-account> \
--rotation-hour <The hour of the rotation (in UTC)> \
--rotation-interval <The number of days to wait between every automatic rotation (1-365)>
Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| `-r, --target-name` | (Mandatory) The target name to associate |
| `-u, --gateway-url[=http://localhost:8000]` | API Gateway URL (Configuration Management port) |
| `-m, --metadata` | Metadata about the secret. |
| `-t, --tag` | List of the tags attached to this secret. To specify multiple tags, use the argument multiple times: -t Tag1 -t Tag2 |
| `-k, --key` | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used). |
| `--auto-rotate` | Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation |
| `--rotation-interval` | The number of days to wait between every automatic rotation (1-365); for a custom rotator the interval is set in minutes |
| `--rotation-hour` | The hour of the rotation (in UTC). |
| `--rotator-type` | (Mandatory) The rotator type: password/target/api-key/ldap/azure-storage-account/custom |
| `--rotator-creds-type` | The credentials to connect with: use-self-creds/use-target-creds. Deprecated; use authentication-credentials instead |
| `--authentication-credentials[=use-user-creds]` | The credentials to connect with: use-user-creds/use-target-creds |
| `--rotator-custom-cmd` | Custom rotation command (relevant only for SSH target) |
| `--ssh-username` | SSH username. Deprecated; use rotated-username instead |
| `--ssh-password` | SSH password to rotate. Deprecated; use rotated-password instead |
| `--api-id` | API ID to rotate (relevant only for rotator-type=api-key) |
| `--api-key` | API key to rotate (relevant only for rotator-type=api-key) |
| `--rotated-username` | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password) |
| `--rotated-password` | rotated-username password (relevant only for rotator-type=password) |
| `--user-dn` | Base DN to perform user search |
| `--user-attribute` | LDAP user attribute, default value "cn" |
| `--app-id` | ID of the Azure app that holds the secret to be rotated (relevant only for azure & rotator-type=api-key & authentication-credentials=use-target-creds) |
| `--custom-payload` | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
| `--storage-account-key-name` | The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account) |
| `--secure-access-enable` | Enable/Disable secure remote access, [true/false] |
| `--secure-access-bastion-issuer` | Path to the SSH Certificate Issuer for your Akeyless Bastion |
| `--secure-access-web[=false]` | Enable Web Secure Remote Access |
| `--secure-access-host` | Target servers for connections. For multiple values, repeat this flag. |
| `--secure-access-db-name` | The DB name (relevant only for DB) |
| `--secure-access-db-schema` | The DB schema (relevant only for MySQL or PostgreSQL) |
| `--secure-access-aws-account-id` | The AWS account ID (relevant only for aws) |
| `--secure-access-aws-native-cli` | The AWS native CLI (relevant only for aws) |
| `--aws-region[=us-east-2]` | AWS region (relevant only for aws) |
| `--secure-access-web-browsing[=false]` | Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure) |
| `--secure-access-web-proxy[=false]` | Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure) |
| `--secure-access-rdp-domain` | Required when the Rotated Secret is used for a domain user (relevant only for rdp) |
| `--secure-access-rdp-user` | Override the RDP Domain username (relevant only for rdp) |
| `--secure-access-allow-external-user[=false]` | Allow providing an external user for domain users (relevant only for rdp) |
| `--delete-protection` | Protection from accidental deletion of this item, [true/false] |
| `--profile, --token` | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| `--uid-token` | The universal identity token. Required only for universal_identity authentication |
| `--gcp-key-file-path` | Path to file with the base64-encoded Google service account private key. If this parameter is defined you do not need --gcp-key. |
| `--gcp-key` | Base64-encoded Google service account private key text. If this parameter is defined you do not need --gcp-key-file-path. |
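
A pre-flight check for the flag rules listed for this command, as an added example that is not part of the Akeyless CLI or its documentation. `lint_rotated_secret_args` is a hypothetical helper that never calls `akeyless`; skipping the 1-365 day range for custom rotators (whose interval is in minutes) is an assumption.

```shell
# Added example: checks arguments meant for `akeyless create-rotated-secret`
# against the parameter rules on this page. Hypothetical helper, POSIX sh.
lint_rotated_secret_args() (
  name= target= rtype= interval= keyname= seen= dep= bad=0
  fail() { echo "ERROR: $*"; bad=1; }
  while [ $# -gt 0 ]; do
    case $1 in
      -n|--name)           name=${2-} ;;
      -r|--target-name)    target=${2-} ;;
      --rotator-type)      rtype=${2-} ;;
      --rotation-interval) interval=${2-} ;;
      --storage-account-key-name) keyname=${2-}; seen="$seen $1" ;;
      --api-id|--api-key|--rotated-username|--rotated-password|--custom-payload) seen="$seen $1" ;;
      --rotator-creds-type|--ssh-username|--ssh-password) dep="$dep $1" ;;
      *) shift; continue ;;          # flag not checked here, or a stray value
    esac
    shift; [ $# -eq 0 ] || shift     # consume the flag and its value
  done
  [ -n "$name" ]   || fail "-n/--name is mandatory"
  [ -n "$target" ] || fail "-r/--target-name is mandatory"
  case $rtype in
    password|target|api-key|ldap|custom|azure-storage-account) ;;
    *) fail "--rotator-type '$rtype' is not one of the documented types" ;;
  esac
  # 1-365 is in days; custom rotators use minutes, so they are skipped (assumption).
  case $interval in
    '') ;;
    *[!0-9]*) fail "--rotation-interval must be a whole number" ;;
    *) [ "$rtype" = custom ] || { [ "$interval" -ge 1 ] && [ "$interval" -le 365 ]; } ||
         fail "--rotation-interval must be 1-365 days" ;;
  esac
  case $keyname in
    ''|key1|key2|kerb1|kerb2) ;;
    *) fail "--storage-account-key-name must be key1, key2, kerb1 or kerb2" ;;
  esac
  for f in $seen; do                 # flags documented as type-specific
    case $f in
      --api-id|--api-key)                    need=api-key ;;
      --rotated-username|--rotated-password) need=password ;;
      --custom-payload)                      need=custom ;;
      --storage-account-key-name)            need=azure-storage-account ;;
    esac
    [ "$rtype" = "$need" ] || fail "$f is only relevant for --rotator-type=$need"
  done
  for f in $dep; do echo "WARN: $f is deprecated; use the replacement named in the table"; done
  [ "$bad" -eq 0 ]
)
```

Pass it the same arguments you intend to give the CLI; it prints one line per problem and returns non-zero if any `ERROR` was found.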

gateway-list-rotated-secrets

List available rotated secrets

Usage
akeyless gateway-list-rotated-secrets \
--gateway-url <'https://Akeyless-GW-URL:8000'>
Parameters

| Parameter | Description |
|---|---|
| `-u, --gateway-url[=http://localhost:8000]` | API Gateway URL |

get-rotated-secret-value

Get rotated secret value.

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-rotated-secret-value -n <path/to/rotated/secret>
Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| `--version` | A version of the secret. |
| `--ignore-cache[=false]` | Retrieve the Secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the RestAPI |
| `--profile, --token` | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| `--uid-token` | The universal identity token. Required only for universal_identity authentication |

update-rotated-secret

Update rotated secret

Please note: mandatory values for this command: -n, --name

Usage
akeyless update-rotated-secret -n <secret name> \
--new-name <New secret name> \
--gateway-url <API Gateway URL:8000> \
--rotation-interval <Number of days to wait between every automatic rotation (1-365)> \
--rotation-hour <The Hour of the rotation in UTC>
Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| `-u, --gateway-url[=http://localhost:8000]` | API Gateway URL (Configuration Management port) |
| `--new-name` | New item name |
| `--new-metadata` | New item metadata |
| `--add-tag` | List of the new tags that will be attached to this item. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2 |
| `--rm-tag` | List of the existing tags that will be removed from this item. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
| `--auto-rotate` | Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation |
| `--rotation-interval` | The number of days to wait between every automatic rotation (1-365); for a custom rotator the interval is set in minutes |
| `--rotation-hour` | The hour of the rotation in UTC |
| `--rotator-creds-type[=use-user-creds]` | The credentials to connect with: use-self-creds/use-target-creds |
| `--rotator-custom-cmd` | Custom rotation command (relevant only for SSH target) |
| `-k, --key` | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used) |
| `--ssh-username` | SSH username. Deprecated; use rotated-username instead |
| `--ssh-password` | SSH password to rotate. Deprecated; use rotated-password instead |
| `--api-id` | API ID to rotate |
| `--api-key` | API key to rotate |
| `--rotated-username` | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password |
| `--rotated-password` | rotated-username password |
| `--custom-payload` | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
| `--storage-account-key-name` | The name of the storage account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account) |
| `--new-version` | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| `--keep-prev-version` | Whether to keep the previous version, options: [true, false]. If not set, the default from the account settings is used |
| `--secure-access-enable` | Enable/Disable secure remote access, [true/false] |
| `--secure-access-bastion-issuer` | Path to the SSH Certificate Issuer for your Akeyless Bastion |
| `--secure-access-web[=false]` | Enable Web Secure Remote Access |
| `--secure-access-host` | Target servers for connections. For multiple values, repeat this flag. |
| `--secure-access-db-name` | The DB name (relevant only for DB) |
| `--secure-access-db-schema` | The DB schema (relevant only for mssql or postgresql) |
| `--secure-access-aws-account-id` | The AWS account ID (relevant only for aws) |
| `--secure-access-aws-native-cli` | The AWS native CLI (relevant only for aws) |
| `--aws-region[=us-east-2]` | AWS region (relevant only for aws) |
| `--secure-access-web-browsing[=false]` | Secure browser via Akeyless Web Access Bastion (relevant only for aws or azure) |
| `--secure-access-web-proxy[=false]` | Web-Proxy via Akeyless Web Access Bastion (relevant only for aws or azure) |
| `--secure-access-rdp-domain` | Required when the Rotated Secret is used for a domain user (relevant only for rdp) |
| `--secure-access-rdp-user` | Override the RDP Domain username (relevant only for rdp) |
| `--secure-access-allow-external-user[=false]` | Allow providing an external user for domain users (relevant only for rdp) |
| `--profile, --token` | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| `--uid-token` | The universal identity token. Required only for universal_identity authentication |

gateway-rotate-secret

Trigger a rotate operation for a Rotated Secret.

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-rotate-secret \
--name <path/to/rotated/secret> \
--gateway-url <API Gateway URL:8000>
Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | (Mandatory) Rotated secret name. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| `-u, --gateway-url[=http://localhost:8000]` | API Gateway URL (Configuration Management port) |
| `--profile, --token` | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| `--uid-token` | The universal identity token. Required only for universal_identity authentication |

gateway-update-item

Updates gateway item

Please note: mandatory values for this command: -n, --name, -t, --type

Usage
akeyless gateway-update-item --name <Item name> \
--new-name <New item name> \
--type <classic-key, rotated-secret> \
--gateway-url <API Gateway URL:8000>
Parameters

| Parameter | Description |
|---|---|
| `-n, --name` | (Mandatory) Item name |
| `-t, --type` | (Mandatory) Item type; options: [classic-key, rotated-secret] |
| `-u, --gateway-url[=http://localhost:8000]` | API Gateway URL (Configuration Management port) |
| `--new-name` | New item name |
| `--new-metadata[=default_metadata]` | New item metadata |
| `--add-tag` | List of the new tags that will be attached to this item. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2 |
| `--rm-tag` | List of the existing tags that will be removed from this item. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
| `--auto-rotate` | [true/false] Enables or disables automatic rotation; if enabled, rotation is triggered periodically based on --rotation-interval |
| `--rotation-interval` | The number of days to wait between every automatic rotation (1-365); for a custom rotator the interval is set in minutes |
| `--rotation-hour[=0]` | The hour of the rotation in UTC (relevant only for --type=rotated-secret) |
| `--rotator-creds-type[=use-self-creds]` | The credentials to connect with: use-self-creds/use-target-creds (relevant only for --type=rotated-secret) |
| `--new-version[=false]` | [Deprecated: Use keep-prev-version instead] Whether to create a new version |
| `--keep-prev-version` | Whether to keep the previous version, options: [true, false] (relevant only for --type=rotated-secret). If not set, the default from the account settings is used |
| `--custom-payload` | Secret payload to be sent with rotation request (relevant only for rotator-type=custom) |
| `--api-id` | API ID to rotate (relevant only for rotator-type=api-key) |
| `--api-key` | API key to rotate (relevant only for rotator-type=api-key) |
| `--rotated-username` | Username to be rotated. If "use-self-creds" is selected at rotator-creds-type, this username will try to rotate its own password; if "use-target-creds" is selected, the target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password) |
| `--rotated-password` | rotated-username password (relevant only for rotator-type=password) |
| `-k, --key` | The name of the key that protects the item value (if empty, the account default key will be used) |
| `--delete-protection` | Protection from accidental deletion of this item, [true/false] |
| `--profile, --token` | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
| `--uid-token` | The universal identity token. Required only for universal_identity authentication |