CLI Reference - Rotated Secrets
This section outlines the CLI commands relevant to Rotated Secrets.
Rotated Secrets enable you to protect the credentials for privileged-user accounts such as an Administrator account on a Windows Server, a root account on a Linux server, or an Admin account on a network device, by resetting its password.
General Flags
--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token
--uid-token: The universal identity token, required only for universal_identity authentication
-h, --help: Display help information
--json[=false]: Set the output format to JSON
--jq-expression: Provide a jQuery expression to filter result output
--no-creds-cleanup[=false]: Do not clean local temporary expired credentials
create
createakeyless rotated-secret create
Commands to create a Rotated Secret
Subcommands
aws: Creates a new AWS rotated secret item
azure: Creates a new Azure rotated secret item
cassandra: Creates a new Cassandra rotated secret item
custom: Creates a new custom rotated secret item
dockerhub: Creates a new Docker Hub rotated secret item
gcp: Creates a new GCP rotated secret item.
hanadb: Creates a new SAP HANA database rotated secret item
ldap: Creates a new LDAP rotated secret item
mongodb: Creates a new MongoDB rotated secret item
mssql: Creates a new MSSQL rotated secret item
mysql: Creates a new MySQL rotated secret item
oracledb: Creates a new OracleDB rotated secret item
postgresql: Creates a new PostgreSQL rotated secret item
redis: Creates a new Redis rotated secret item
redshift: Creates a new Amazon Redshift rotated secret item
snowflake: Creates a new Snowflake rotated secret item
ssh: Creates a new SSH rotated secret item
windows: Creates a new Windows rotated secret item
aws
awsCreates a new AWS rotated secret item
Usage
akeyless rotated-secret create aws \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/api-key> Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/api-key]
--api-id: API ID to rotate (relevant only for rotator-type=api-key)
--api-key: API Key to rotate (relevant only for rotator-type=api-key)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults.
--grace-rotation: A boolean flag, when enabled, a graceful mode of rotation will be conducted, where only the older AWS Access Key will be rotated. When there is only one Access Key, a new version will be created - to maintain 2 values at the same time, following AWS best practice.
--grace-rotation-interval: The number of days to wait before deleting the old key (must be bigger than rotation-interval)
--grace-rotation-hour: The number of hours of grace rotation allowed in UTC
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-aws-account-id: The AWS account ID
--aws-region[=us-east-2]: AWS region
--secure-access-aws-native-cli: The AWS native CLI
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
azure
azureCreates a new Azure rotated secret item
Usage
akeyless rotated-secret create azure \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target|api-key|azure-storage-account|password> Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/api-key/azure-storage-account/password]
--app-id: ID of the Azure app that holds the secret to be rotated (relevant only for rotator-type=api-key & authentication-credentials=use-target-creds)
--api-id: API ID to rotate (relevant only for rotator-type=api-key)
--api-key: API Key to rotate (relevant only for rotator-type=api-key)
--storage-account-key-name: The name of the Storage Account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account)
--username: The user principal name to rotate his password (relevant only for rotator-type=password)
--explicitly-set-sa[=false]: If set, explicitly provide the Storage Account details [true/false]
--resource-group-name: The resource group name (only relevant when explicitly-set-sa=true)
--resource-name: The name of the Storage Account (only relevant when explicitly-set-sa=true)
--secure-access-disable-concurrent-connections[=false]: Enable this flag to prevent simultaneous use of the same secret
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-verisons: Set the maximum number of versions, limited by the account settings defaults
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
cassandra
cassandraCreates a new Cassandra rotated secret item
Usage
akeyless rotated-secret create cassandra \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password> Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
custom
customCreates a new custom rotated secret item
Usage
akeyless rotated-secret create custom \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--custom-payload: Secret payload to be sent with rotation request
--password-policy-contains-capital-letters: Password must contain capital letters [true/false]
--password-policy-contains-lower-letters: Password must contain lower case letters [true/false]
--password-policy-contains-numbers: Password must contain numbers [true/false]
--password-policy-contains-special-characters: Password must contain special characters [true/false]
--enable-password-policy: Enable password policy
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults
--timeout-sec[=40]: Maximum allowed timeout in seconds for the custom rotator to return the results
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
--secure-access-url: Destination URL to inject secrets
--secure-access-ssh-user: Override the SSH username as indicated in SSH Certificate Issuer
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
dockerhub
dockerhubCreates a new Docker Hub rotated secret item
Usage
akeyless rotated-secret create dockerhub \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
gcp
gcpCreates a new GCP rotated secret item
Usage
akeyless rotated-secret create gcp \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/service-account-rotator>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/service-account-rotator]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--gcp-key-file-path: Path to file with the service account private key
--gcp-key: Base64-encoded service account private key text
--gcp-service-account-email: The email of the GCP service account to rotate (relevant only when rotator-type=servcie-account-rotator)
--gcp-service-account-key-id: The key ID of the GCP service account to rotate (relevant only when rotator-type=servcie-account-rotator)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--grace-rotation: A boolean flag, when enabled, a graceful mode of rotation will be conducted, where only the older service account key will be rotated. When there is only one key, a new version will be created to maintain 2 values at the same time.
--grace-rotation-interval: The number of days to wait before deleting the old key (must be bigger than rotation-interval)
--grace-rotation-hour: The number of hours of grace rotation allowed in UTC
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
hanadb
hanadbCreates a new SAP HANA database rotated secret item
Usage
akeyless rotated-secret create hanadb \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
ldap
ldapCreates a new LDAP rotated secret item
Usage
akeyless rotated-secret create ldap \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/ldap>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/ldap]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=ldap)
--rotated-password: Rotated-username password (relevant only for rotator-type=ldap)
--user-dn: Base DN to Perform User Search
--user-attribute: LDAP User Attribute, Default value cn
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--grace-rotation: Create a new access key without deleting the old key from AWS for backup (relevant only for AWS) [true/false]
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-url: Destination URL to inject secrets
--host-provider[=explicit]: Host provider type [explicit/target], Relevant only for Secure Remote Access of SSH cert issuer and LDAP rotated secret
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--target: A list of linked targets to be associated, Relevant only for Secure Remote Access for SSH cert issuer and LDAP rotated secret, To specify multiple targets use argument multiple times
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
mongodb
mongodbCreates a new MongoDB rotated secret item
Usage
akeyless rotated-secret create mongodb \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
mssql
mssqlCreates a new MSSQL rotated secret item
Usage
akeyless rotated-secret create mssql \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-db-schema: The DB scheme
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
mysql
mysqlCreates a new MySQL rotated secret item
Usage
akeyless rotated-secret create mysql \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
oracledb
oracledbCreates a new OracleDB rotated secret item
Usage
akeyless rotated-secret create oracledb \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds/use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
postgresql
postgresqlCreates a new PostgreSQL rotated secret item
Usage
akeyless rotated-secret create postgresql \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-db-schema: The DB scheme
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
redis
redisCreates a new Redis rotated secret item
Usage
akeyless rotated-secret create redis \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2\
--delete-protection: Protection from accidental deletion of this item, [true/false]
redshift
redshiftCreates a new Amazon Redshift rotated secret item
Usage
akeyless rotated-secret create redshift \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2\
--delete-protection: Protection from accidental deletion of this item, [true/false]
snowflake
snowflakeCreates a new Snowflake rotated secret item
Usage
akeyless rotated-secret create snowflake \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password / key]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password or rotator-type=key)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
--private-key: RSA Private key (Base64-encoded) to rotate (relevant only for rotator-type=key)
--private-key-file-name: The path to the file containing the private key (relevant only for rotator-type=key)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2\
--delete-protection: Protection from accidental deletion of this item, [true/false]
ssh
sshCreates a new SSH rotated secret item
Usage
akeyless rotated-secret create ssh \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--same-password: Rotate the same password for each host from the Linked Target (relevant only for Linked Target)
--rotator-custom-cmd: Custom rotation command
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
--secure-access-ssh-user: Override the SSH username as indicated in SSH Certificate Issuer
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2\
--delete-protection: Protection from accidental deletion of this item, [true/false]
windows
windowsCreates a new Windows rotated secret item
Usage
akeyless rotated-secret create windows \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--target-name: Required, the target name to associate
--rotator-type: Required, The rotator type. options: [target/password]
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--same-password: Rotate the same password for each host from the Linked Target (relevant only for Linked Target)
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain user
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
update
updateakeyless rotated-secret-update
Commands to update a Rotated Secret
Subcommands
aws: Updates an AWS rotated secret item
azure: Updates an Azure rotated secret item
cassandra: Updates a Cassandra rotated secret item
custom: Updates a custom rotated secret item
dockerhub: Updates a Docker Hub rotated secret item
gcp: Updates a GCP rotated secret item.
hanadb: Updates a SAP HANA database rotated secret item
ldap: Updates a LDAP rotated secret item
mongodb: Updates a MongoDB rotated secret item
mssql: Updates a MSSQL rotated secret item
mysql: Updates a MySQL rotated secret item
oracledb: Updates an OracleDB rotated secret item
postgresql: Updates a PostgreSQL rotated secret item
redis: Updates a Redis rotated secret item
redshift: Updates a Redshift rotated secret item
snowflake: Updates a Snowflake rotated secret item
ssh: Updates a SSH rotated secret item
windows: Updates a Windows rotated secret item
aws
awsUsage
akeyless rotated-secret update aws \
--name <Rotated Secret name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--new-name <New Item name>Flags
-n, --name: Required, Rotated Secret name
--new-name: New item name
--api-id: API ID to rotate (relevant only for rotator-type=api-key)
--api-key: API Key to rotate (relevant only for rotator-type=api-key)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults
--grace-rotation: A boolean flag, when enabled, a graceful mode of rotation will be conducted, where only the older AWS Access Key will be rotated. When there is only one Access Key, a new version will be created - to maintain 2 values at the same time, following AWS best practice.
--grace-rotation-interval: The number of days to wait before deleting the old key (must be bigger than rotation-interval)
--grace-rotation-hour: The number of hours of grace rotation allowed in UTC
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-aws-account-id: The AWS account ID
--aws-region[=us-east-2]: AWS region
--secure-access-aws-native-cli: The AWS native CLI
--delete-protection: Protection from accidental deletion of this item, [true/false]
azure
azureUsage
akeyless rotated-secret update azure \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--app-id: ID of the Azure app that hold the secret to be rotated (relevant only for rotator-type=api-key & authentication-credentials=use-target-creds)
--api-id: API ID to rotate (relevant only for rotator-type=api-key)
--api-key: API Key to rotate (relevant only for rotator-type=api-key)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--storage-account-key-name: The name of the Storage Account key to rotate [key1/key2/kerb1/kerb2] (relevant to azure-storage-account)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--grace-rotation: A boolean flag, when enabled, a graceful mode of rotation will be conducted, where only the older secret will be rotated. When there is only one secret, a new version will be created - to maintain 2 values at the same time. Relevant only for Client Secret.
--grace-rotation-interval: The number of days to wait before deleting the old key (must be bigger than rotation-interval)
--grace-rotation-hour: The number of hours of grace rotation allowed in UTC
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
cassandra
cassandraUsage
akeyless rotated-secret update cassandra \
--name <Rotated Secret name> \
--new-name <New-Item name>
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
custom
customUsage
akeyless rotated-secret update custom \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--custom-payload: Secret payload to be sent with rotation request
--password-policy-contains-capital-letters: Password must contain capital letters [true/false]
--password-policy-contains-lower-letters: Password must contain lower case letters [true/false]
--password-policy-contains-numbers: Password must contain numbers [true/false]
--password-policy-contains-special-characters: Password must contain special characters [true/false]
--enable-password-policy: Enable password policy
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--max-versions: Set the maximum number of versions, limited by the account settings defaults
--timeout-sec[=40]: Maximum allowed timeout in seconds for the custom rotator to return the results
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
--secure-access-url: Destination URL to inject secrets
--secure-access-ssh-user: Override the SSH username as indicated in SSH Certificate Issuer
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
dockerhub
dockerhubUsage
akeyless rotated-secret update dockerhub \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
gcp
gcpUsage
akeyless rotated-secret update gcp \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotator-type: Required, The rotator type. options: [target/service-account-rotator]
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
--gcp-key-file-path: Path to file with the service account private key
--gcp-key: Base64-encoded service account private key text
--gcp-service-account-email: The email of the GCP service account to rotate (relevant only when rotator-type=servcie-account-rotator)
--gcp-service-account-key-id: The key ID of the GCP service account to rotate (relevant only when rotator-type=servcie-account-rotator)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--rotation-hour: The Hour of the rotation in UTC
--grace-rotation: A boolean flag, when enabled, a graceful mode of rotation will be conducted, where only the older service account key will be rotated. When there is only one key, a new version will be created to maintain 2 values at the same time.
--grace-rotation-interval: The number of days to wait before deleting the old key (must be bigger than rotation-interval)
--grace-rotation-hour: The number of hours of grace rotation allowed in UTC
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--max-versions: Set the maximum number of versions, limited by the account settings defaults
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
hanadb
hanadbUsage
akeyless rotated-secret update hanadb \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
ldap
ldapUsage
akeyless rotated-secret update ldap \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=ldap)
--rotated-password: Rotated-username password (relevant only for rotator-type=ldap)
--user-dn: Base DN to Perform User Search
--user-attribute: LDAP User Attribute, Default value cn
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--grace-rotation: Create a new access key without deleting the old key from AWS for backup (relevant only for AWS) [true/false]
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-url: Destination URL to inject secrets
--host-provider[=explicit]: Host provider type [explicit/target], Relevant only for Secure Remote Access of SSH cert issuer and LDAP rotated secret
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--target: A list of linked targets to be associated, Relevant only for Secure Remote Access for SSH cert issuer and LDAP rotated secret, To specify multiple targets use argument multiple times
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
monogodb
monogodbUsage
akeyless rotated-secret update mongodb \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
mssql
mssqlUsage
akeyless rotated-secret update mssql \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
mysql
mysqlUsage
akeyless rotated-secret update mysql \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
oracledb
oracledbUsage
akeyless rotated-secret update oracledb \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
-t, --tag: Add tags attached to this object. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection: Protection from accidental deletion of this item, [true/false]
postgresql
postgresqlUsage
akeyless rotated-secret update postgresql \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--secure-access-web[=false]: Enable Web Secure Remote Access
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-db-schema: The DB scheme
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
redis
redisUsage
akeyless rotated-secret update redis \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
redshift
redshiftUsage
akeyless rotated-secret update redshift \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-db-name: The DB name (relevant only for DB)
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
snowflake
snowflakeUsage
akeyless rotated-secret update snowflake \
--name <Rotated Secret name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--rotator-type <target/password>Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password or rotator-type=key)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
--private-key: RSA Private key (Base64-encoded) to rotate (relevant only for rotator-type=key)
--private-key-file-name: The path to the file containing the private key (relevant only for rotator-type=key)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
ssh
sshUsage
akeyless rotated-secret update ssh \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--same-password: Rotate the same password for each host from the Linked Target (relevant only for Linked Target)
--rotator-custom-cmd: Custom rotation command
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after SRA session ends [true/false]
--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain users
--secure-access-ssh-user: Override the SSH username as indicated in SSH Certificate Issuer
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
windows
windowsUsage
akeyless rotated-secret update windows \
--name <Rotated Secret name> \
--new-name <New Item name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' Flags
-n, --name: Required, Rotated Secret name
--new-name: New Item name
--rotated-username: Username to be rotated, if selected use-self-creds at rotator-creds-type, this username will try to rotate its password, if use-target-creds is selected, target credentials will be used to rotate the rotated password (relevant only for rotator-type=password)
--rotated-password: Rotated-username password (relevant only for rotator-type=password)
-u, --gateway-url[=http://localhost:8000]: API Gateway URL (Configuration Management port)
-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key will be used)
--auto-rotate: Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
--rotation-interval: The number of days to wait between every automatic rotation (1-365), custom rotator interval will be set in minutes
--rotation-hour: The Hour of the rotation in UTC
--rotation-event-in: How many days before auto rotation of the item would you like to be notified. To specify multiple events, use argument multiple times: --rotation-event-in 1 --rotation-event-in 5
--authentication-credentials[=use-user-creds]: The credentials to connect with use-user-creds or use-target-creds
--password-length: The length of the password to be generated
--same-password: Rotate the same password for each host from the Linked Target (relevant only for Linked Target)
--secure-access-enable: Enable/Disable Secure Remote Access, [true/false]
--rotate-after-disconnect[=false]: Rotate the value of the secret after the SRA session ends [true/false]
--secure-access-host: Target servers for connections, For multiple values repeat this flag. (In case of Linked Target association, host(s) will inherit Linked Target hosts - Relevant only for Dynamic Secrets/producers)
--secure-access-rdp-domain: Required when the Dynamic Secret is used for a domain user
--secure-access-rdp-user: Override the RDP Domain username
--secure-access-allow-external-user[=false]: Allow providing external user for a domain user
--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--keep-prev-version: Whether to keep the previous version, options:[true, false]. If not set, use default according to account settings
--delete-protection: Protection from accidental deletion of this item, [true/false]
get-value
get-valueUsage
akeyless rotated-secret get-value \
--name <Rotated Secret name> \
--version <Rotated Secret version>Flags
--host: Get rotated secret value of specific Host (relevant only for Linked Target)
--ignore-cache[=false]: Retrieve the Secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the REST API
list
listUsage
akeyless rotated-secret list \
--gateway-url <API Gateway URL:8000> sync
syncUsage
akeyless rotated-secret sync \
--name <Rotated Secret Name> \
--usc-name <USC Name> \
--remote-secret-name <Remote secret Name> \
--namespace <Namespace Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>'Flags
--name: The Rotated Secret name.
--usc-name: The name of the Universal Secret Connector.
--remote-secret-name: Remote Secret name that will be created on the remote endpoint.
--namespace: Namespace name, Relevant only for HashiCorp Vault target.
--filter-secret-value: jq expression to filter or transform the secret value
--gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).
Updated 11 days ago