CLI Reference - Rotated Secrets

Rotated Secrets

create-rotated-secret

Creates a new rotated secret item

Usage

```shell
akeyless create-rotated-secret -n <secret name> \
  -r <target name to associate the secret> \
  -u <Gateway URL> \
  --rotator-type <password|target|api-key|ldap|custom|azure-storage-account>
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | A name of the rotated secret. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| -r, --target-name | **Y** | The target name to associate the secret. |
| -u, --gateway-url[=http://localhost:8000] | **Y** | Akeyless Gateway URL (Configuration Management port). |
| --rotator-type | **Y** | The rotator type: password/target/api-key/ldap/azure-storage-account/custom. |
| -m, --metadata | | Metadata about the secret. |
| -t, --tag | | List of the tags attached to this secret. To specify multiple tags, use this parameter multiple times: -t Tag1 -t Tag2. |
| -k, --key | | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used). |
| --auto-rotate | | Whether to automatically rotate the secret every --rotation-interval days or disable automatic secret rotation. |
| --rotation-interval | | The secret rotation interval in days (1-365). |
| --rotation-hour | | The hour of the rotation (in UTC). |
| --authentication-credentials[=use-user-creds] | | The credentials to connect with: use-self-creds/use-target-creds. |
| --delete-protection[=false] | | Protection from accidental deletion of a secret. Possible values: [true/false]. To delete a protected secret, run the update-item command with the --item-protected false parameter. |
| --rotator-custom-cmd | | Custom command to be executed after the rotation is performed (relevant only for SSH targets). |
| --rotated-username | | The username for which the password will be rotated. If authentication-credentials is set to use-self-creds, this username will try to rotate its own password. If it is set to use-target-creds, the target credentials will be used to rotate the rotated-password. |
| --rotated-password | | The password to be rotated. It needs to match the username specified in the rotated-username parameter value. |
| --api-id | | The Access ID for which the Access Key will be rotated. |
| --api-key | | The Access Key to be rotated. It needs to match the Access ID specified in the api-id parameter value. |
| --user-dn | | Base DN to perform the user search. Relevant for rotator-type = ldap. |
| --user-attribute | | LDAP user attribute. Relevant for rotator-type = ldap. |
| --app-id | | The ID of the Azure app that holds the secret being rotated. In the case of rotator-type=api-key and authentication-credentials=use-target-creds, it is possible to use a higher-privilege app to rotate keys in a lower-privilege app. |
| --custom-payload | | Secret payload to be sent with the rotation request. Relevant for rotator-type = custom. |
| --storage-account-key-name | | The name of the key you want to rotate. Must be one of the following: key1/key2/kerb1/kerb2. Relevant for rotator-type = azure-storage-account. |
| --secure-access-enable | | Enable/Disable secure remote access, [true/false]. |
| --secure-access-bastion-issuer | | Path to the SSH Certificate Issuer for your Akeyless Bastion. |
| --secure-access-web[=false] | | Enable Web Secure Remote Access. |
| --secure-access-host | | Target servers for connections. For multiple values, repeat this flag. |
| --secure-access-db-name | | The DB name (relevant only for DB). |
| --secure-access-db-schema | | The DB schema (relevant only for MSSQL or PostgreSQL). |
| --secure-access-aws-account-id | | The AWS account ID (relevant only for AWS). |
| --secure-access-aws-native-cli | | The AWS native CLI (relevant only for AWS). |
| --aws-region[=us-east-2] | | AWS Region (relevant only for AWS). |
| --secure-access-web-browsing[=false] | | Secure browser via Akeyless Web Access Bastion (relevant only for AWS or Azure). |
| --secure-access-web-proxy[=false] | | Web-Proxy via Akeyless Web Access Bastion (relevant only for AWS or Azure). |
| --secure-access-rdp-domain | | Required when the Rotated Secret is used for a domain user (relevant only for RDP). |
| --secure-access-rdp-user | | Override the RDP Domain username (relevant only for RDP). |
| --secure-access-allow-external-user[=false] | | Allow providing an external user for domain users (relevant only for RDP). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |
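As an added example (not code from the Akeyless documentation or CLI), the following POSIX shell wrapper checks the constraints this table states (credentials mode of use-self-creds/use-target-creds, a 1-365 day interval, an hour in UTC) before invoking create-rotated-secret for the password rotator. It assumes the akeyless binary is on PATH and that the current password is supplied through a hypothetical ROTATED_PASSWORD environment variable so it is not typed into the shell history.

```shell
#!/bin/sh
# Added example, not Akeyless's own code: a wrapper around the
# create-rotated-secret command from this page, for the password rotator.
# Assumptions: akeyless is on PATH (override with AKEYLESS) and the current
# password is supplied in ROTATED_PASSWORD rather than typed on the command
# line, so it does not land in shell history.

AKEYLESS="${AKEYLESS:-akeyless}"

# Return 0 if $1 is a non-negative integer within [$2, $3], 1 otherwise.
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# create_password_rotated_secret NAME TARGET GATEWAY_URL USERNAME CREDS INTERVAL HOUR [extra flags...]
# CREDS is use-self-creds (USERNAME rotates its own password) or
# use-target-creds (the target's credentials rotate it). Auto-rotation runs
# every INTERVAL days at HOUR UTC; delete protection is switched on.
# Extra flags (for example -t Tag1) are appended unchanged.
create_password_rotated_secret() {
    name="$1" target="$2" gw="$3" user="$4" creds="$5" interval="$6" hour="$7"
    shift 7
    if [ -z "$name" ] || [ -z "$target" ] || [ -z "$gw" ] || [ -z "$user" ]; then
        echo "name, target, gateway URL and rotated username are required" >&2
        return 1
    fi
    case "$creds" in
        use-self-creds|use-target-creds) ;;
        *) echo "credentials must be use-self-creds or use-target-creds" >&2; return 1 ;;
    esac
    # --rotation-interval is documented as 1-365 days
    in_range "$interval" 1 365 || { echo "rotation-interval must be 1-365" >&2; return 1; }
    # --rotation-hour is an hour of the day in UTC
    in_range "$hour" 0 23 || { echo "rotation-hour must be 0-23" >&2; return 1; }
    if [ -z "$ROTATED_PASSWORD" ]; then
        echo "set ROTATED_PASSWORD to the current password of $user" >&2
        return 1
    fi
    "$AKEYLESS" create-rotated-secret \
        -n "$name" -r "$target" -u "$gw" \
        --rotator-type password \
        --authentication-credentials "$creds" \
        --rotated-username "$user" --rotated-password "$ROTATED_PASSWORD" \
        --auto-rotate true \
        --rotation-interval "$interval" --rotation-hour "$hour" \
        --delete-protection true "$@"
}
```

Setting AKEYLESS=echo prints the assembled command instead of running it, which is a convenient dry run before pointing the wrapper at a real gateway.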

get-rotated-secret-value

Get rotated secret value.

Usage

```shell
akeyless get-rotated-secret-value -n <path/to/rotated/secret>
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | A name of the rotated secret. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| --version | | A version of the secret. |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |

update-rotated-secret

Updates a rotated secret.

Usage

```shell
akeyless update-rotated-secret -n <secret name> \
  -u <Gateway URL>
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | A name of the rotated secret. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| --new-name | | New name for the rotated secret. |
| -u, --gateway-url[=http://localhost:8000] | **Y** | Akeyless Gateway URL (Configuration Management port). |
| --new-metadata | | New metadata for the rotated secret. |
| --add-tag | | List of new tags that will be attached to this secret. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2. |
| --rm-tag | | List of the current tags that will be removed from this secret. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2. |
| -k, --key | | The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used). |
| --auto-rotate | | Whether to automatically rotate the secret every --rotation-interval days or disable automatic secret rotation. |
| --rotation-interval | | The secret rotation interval in days (1-365). |
| --rotation-hour | | The hour of the rotation (in UTC). |
| --rotator-creds-type[=use-user-creds] | | The credentials to connect with: use-self-creds/use-target-creds. |
| --rotator-custom-cmd | | Custom command to be executed after the rotation is performed (relevant only for SSH targets). |
| --rotated-username | | The username for which the password will be rotated. If rotator-creds-type is set to use-self-creds, this username will try to rotate its own password. If it is set to use-target-creds, the target credentials will be used to rotate the rotated-password. |
| --rotated-password | | The password to be rotated. It needs to match the username specified in the rotated-username parameter value. |
| --api-id | | The Access ID for which the Access Key will be rotated. |
| --api-key | | The Access Key to be rotated. It needs to match the Access ID specified in the api-id parameter value. |
| --user-dn | | Base DN to perform the user search. Relevant for rotator-type = ldap. |
| --user-attribute | | LDAP user attribute. Relevant for rotator-type = ldap. |
| --app-id | | The ID of the Azure app that holds the secret being rotated. In the case of rotator-type=api-key and rotator-creds-type=use-target-creds, it is possible to use a higher-privilege app to rotate keys in a lower-privilege app. |
| --custom-payload | | Secret payload to be sent with the rotation request. Relevant for rotator-type = custom. |
| --storage-account-key-name | | The name of the key you want to rotate. Must be one of the following: key1/key2/kerb1/kerb2. Relevant for rotator-type = azure-storage-account. |
| --keep-prev-version | | Whether to keep the previous version, options: [true, false]. If not set, the account default is used. |
| --secure-access-enable | | Enable/Disable secure remote access, [true/false]. |
| --secure-access-bastion-issuer | | Path to the SSH Certificate Issuer for your Akeyless Bastion. |
| --secure-access-web[=false] | | Enable Web Secure Remote Access. |
| --secure-access-host | | Target servers for connections. For multiple values, repeat this flag. |
| --secure-access-db-name | | The DB name (relevant only for DB). |
| --secure-access-db-schema | | The DB schema (relevant only for MSSQL or PostgreSQL). |
| --secure-access-aws-account-id | | The AWS account ID (relevant only for AWS). |
| --secure-access-aws-native-cli | | The AWS native CLI (relevant only for AWS). |
| --aws-region[=us-east-2] | | AWS Region (relevant only for AWS). |
| --secure-access-web-browsing[=false] | | Secure browser via Akeyless Web Access Bastion (relevant only for AWS or Azure). |
| --secure-access-web-proxy[=false] | | Web-Proxy via Akeyless Web Access Bastion (relevant only for AWS or Azure). |
| --secure-access-rdp-domain | | Required when the Rotated Secret is used for a domain user (relevant only for RDP). |
| --secure-access-rdp-user | | Override the RDP Domain username (relevant only for RDP). |
| --secure-access-allow-external-user[=false] | | Allow providing an external user for domain users (relevant only for RDP). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |

gateway-rotate-secret

Rotate a secret.

Usage

```shell
akeyless gateway-rotate-secret \
  -n <path/to/rotated/secret> \
  --gateway-url 'https://<Your-Akeyless-GW-URL:8000>'
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | A name of the rotated secret. The name can include the path to the virtual folder where you created the secret, using slash / separators. |
| -u, --gateway-url[=http://localhost:8000] | | The URL of your Akeyless Gateway (with the Configuration Management port). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |

gateway-update-item

Update a secret.

Usage
Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | Item name. |
| -t, --type | **Y** | Item type; options: classic-key, rotated-secret. |
| -u, --gateway-url[=http://localhost:8000] | | Akeyless Gateway URL (with the Configuration Management port). |
| --new-name | | New item name. |
| --new-metadata[=default_metadata] | | New item metadata. |
| --add-tag | | List of the new tags that will be attached to this item. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2. |
| --rm-tag | | List of existing tags that will be removed from this item. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2. |
| --auto-rotate | | Sets automatic rotation to be enabled or disabled. When enabled, rotation will be triggered periodically based on --rotation-interval. |
| --rotation-interval | | The number of days to wait between every automatic rotation (1-365). The custom rotator interval will be set in minutes. |
| --rotation-hour[=0] | | The hour of the rotation in UTC (relevant only for --type=rotated-secret). |
| --rotator-creds-type[=use-self-creds] | | The credentials to connect with: use-self-creds/use-target-creds (relevant only for --type=rotated-secret). |
| --keep-prev-version | | Whether to keep the previous version; options: true, false (relevant only for --type=rotated-secret). If not set, the account default is used. |
| --custom-payload | | Secret payload to be sent with the rotation request (relevant only for rotator-type=custom). |
| --api-id | | API key ID (relevant only for rotator-type=api-key). |
| --api-key | | API key to rotate (relevant only for rotator-type=api-key). |
| --rotated-username | | Username of the user whose password will be rotated. If use-self-creds is selected for rotator-creds-type, this username will try to rotate its own password; if use-target-creds is selected, target credentials will be used to rotate the rotated-password (relevant only for rotator-type=password). |
| --rotated-password | | Password to rotate (relevant only for rotator-type=password). |
| -k, --key | | The name of the key that protects the item value (if empty, the account default key will be used). |
| --delete-protection | | Protection from accidental deletion of this item, [true/false]. |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. It is required only for universal_identity authentication. |