CLI Reference - Static Secrets

Static Secrets

create-secret

Creates new static secrets and configures their values.

Usage

```shell
akeyless create-secret --name mySecret1 --value MyPasswordString
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| --name | **Y** | Assign a unique name to the secret. |
| --value | **Y** | Enter the value of the secret, which is the password string. |
| --delete-protection[=false] | | Protection from accidental deletion of a secret. Possible values: [true/false]. To delete a protected secret, run the update-item command with the --item-protected false parameter. |
| -m, --metadata | | Secret description. This is especially handy when the name of the secret is generic or not specific enough. |
| -t, --tag | | Use tags as an extra tool for organizing and searching secrets. If the tag you want hasn't yet been created, you can add it as part of secret creation. Use commas to create or indicate multiple tags: -t Tag1 -t Tag2 |
| -k, --key | | Choose an Encryption Key to be used to encrypt your secret. Leave the field empty to use the default (protectionKey) system key. |
| --multiline | | The provided value is a multiline value (separated by '\n'). |
| --secure-access-enable | | Enable or disable secure remote access [true/false]. |
| --secure-access-ssh-creds | | The static secret value contains SSH credentials, either a private key or a password [password/private-key]. |
| --secure-access-url | | Destination URL to inject secrets. |
| --secure-access-web-browsing[=false] | | Secure browser via Akeyless Web Access Bastion. |
| --secure-access-web-proxy[=false] | | Web-Proxy via Akeyless Web Access Bastion. |
| --secure-access-bastion-issuer | | Path to the SSH Certificate Issuer for your Akeyless Bastion. |
| --secure-access-host | | Target servers for connections. For multiple values, repeat this flag. |
| --secure-access-ssh-user | | Override the SSH username as indicated in SSH Certificate Issuer. |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

update-secret-val

Updates the password for an existing static secret.

Usage

```shell
akeyless update-secret-val --name mySecret1 --value "new value"
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| --name | **Y** | Enter the name of the existing secret that you want to update. |
| --value | **Y** | Enter the new value for the secret, which is the password string. |
| -k, --key | | Choose an Encryption Key to be used to encrypt your secret. Leave the field empty to use the default (protectionKey) system key. |
| --multiline | | The provided value is a multiline value (separated by '\n'). |
| --keep-prev-version | | Whether to keep the previous version. Options: [true, false]. If not set, the default from the account settings is used. |

For other data, such as metadata or tags, use update-item as described in Commands for all items and objects.

get-secret-value

Retrieves the value of a given secret.

Usage

```shell
akeyless get-secret-value --name mySecret1
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| --name | **Y** | Enter the name of the existing secret whose value you want to retrieve. |
| --version | | Get the value of a specific version of the secret. |

show-versions

Shows the list of versions for a specified static or dynamic secret.

Usage

```shell
akeyless describe-item --name NAME --show-versions
```

See Commands for all items and objects and also Updating and versioning static secrets for details.

rollback-secret

Replaces the current version with a previously used version of the static secret value.

Usage

```shell
akeyless rollback-secret -n /secret1 --old-version 2
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| --name | **Y** | Path to secret. |
| --old-version | **Y** | Enter the number of the previous version to which you want to roll the secret back. This version must be older than the current version. |
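
A rotation wrapper built from update-secret-val, get-secret-value and rollback-secret as listed above, added here as an example and not part of the Akeyless documentation. It assumes get-secret-value prints the bare value on stdout and that the caller passes the current version number (read from describe-item --show-versions) and a check command of their own; the function name and the check are hypothetical.

```shell
# Added example, not Akeyless code. Rotates a static secret, verifies the
# stored value, and rolls back if verification fails.
# Assumptions: get-secret-value prints the bare value on stdout; the caller
# knows the current version number; the check command is caller-supplied.
# usage: rotate_static_secret NAME CURRENT_VERSION NEW_VALUE CHECK [ARGS...]
rotate_static_secret() {
    [ "$#" -ge 4 ] || { echo "usage: NAME CURRENT_VERSION NEW_VALUE CHECK" >&2; return 2; }
    name=$1 current_version=$2 new_value=$3
    shift 3   # "$@" is now the check command; it reads the value on stdin

    case $current_version in
        ''|*[!0-9]*) echo "CURRENT_VERSION must be a number" >&2; return 2 ;;
    esac

    # Keep the old version so rollback-secret has something to return to.
    # Note: --value places the secret in this process's argument list.
    akeyless update-secret-val --name "$name" --value "$new_value" \
        --keep-prev-version true >/dev/null || return 1

    # Read back what is now stored and pipe it to the check, so the value
    # is never written to a file or passed as an argument to the check.
    if akeyless get-secret-value --name "$name" | "$@"; then
        echo "rotated"
        return 0
    fi

    # Verification failed: restore the version that was current before.
    akeyless rollback-secret --name "$name" --old-version "$current_version" \
        >/dev/null || { echo "rollback-failed"; return 3; }
    echo "rolled-back"
    return 4
}
```

The function returns 0 after a verified rotation, 4 after a successful rollback, and 3 if the rollback itself fails, so a calling job can alert on anything non-zero.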

delete-item

Deletes any secret, key, certificate or role. See Commands for all items and objects for details.

Usage

```shell
akeyless delete-item -n <path/to/item>
```

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | Path to the item to be deleted. |
| --version | | The specific version you want to delete: 0=last version, -1=entire item with all versions (default). |
| --delete-in-days | | The number of days to wait before deleting the item (relevant for keys only). Default: 7 days. |
| --delete-immediately | | Must be set when delete-in-days=-1. Default: false. |

Automatic Secrets Migration

gateway-create-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | Migration name for display. |
| -t, --type | **Y** | Migration type (hashi/aws/gcp/k8s/azure_kv). |
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| -l, --target-location | | Target location in Akeyless for imported secrets. |
| -k, --protection-key | | The name of the key that protects the classic key value (if empty, the account default key will be used). |
| -g, --gcp-key-file-path | | Path to a file with the base64-encoded GCP Service Account private key with sufficient permissions to Secrets Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration). |
| -G, --gcp-key-data | | Base64-encoded GCP Service Account private key text with sufficient permissions to Secrets Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration). |
| -U, --hashi-url | | HashiCorp Vault API URL, e.g. https://vault-mgr01:8200 (relevant only for HashiCorp Vault migration). |
| --hashi-ns | | Comma-separated list of HashiCorp Vault namespaces to import into Akeyless Vault. For every provided namespace, all its child namespaces are imported as well, e.g. nmsp/subnmsp1/subnmsp2,nmsp/anothernmsp. By default, all namespaces are imported (relevant only for HashiCorp Vault migration). |
| -T, --hashi-token | | HashiCorp Vault access token with sufficient permissions to perform list & read operations on secrets objects (relevant only for HashiCorp Vault migration). |
| --hashi-json[=true] | | Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration). |
| -I, --aws-key-id | | AWS Access Key ID with sufficient permissions to get all secrets, e.g. 'arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]' (relevant only for AWS migration). |
| -K, --aws-key | | AWS Secret Access Key (relevant only for AWS migration). |
| --aws-region[=us-east-2] | | AWS region of the required Secrets Manager (relevant only for AWS migration). |
| -v, --azure-kv-name | | Azure Key Vault Name (relevant only for Azure Key Vault migration). |
| -a, --azure-tenant-id | | Azure Key Vault Access tenant ID (relevant only for Azure Key Vault migration). |
| -c, --azure-client-id | | Azure Key Vault Access client ID; should be an Azure AD App with a service principal (relevant only for Azure Key Vault migration). |
| -s, --azure-secret | | Azure Key Vault secret (relevant only for Azure Key Vault migration). |
| --k8s-namespace | | K8s Namespace. Use this field to import secrets from a particular namespace only. By default, the secrets are imported from all namespaces (relevant only for K8s migration). |
| --k8s-url | | K8s API Server URL, e.g. https://k8s-api.mycompany.com:6443 (relevant only for K8s migration). |
| --k8s-skip-system | | K8s Skip Control Plane Secrets. Use this option to avoid importing secrets from system namespaces (relevant only for K8s migration). |
| --k8s-ca-certificate | | K8s Cluster CA certificate (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-client-cert | | K8s Client certificate with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-client-key | | K8s Client key (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-username | | K8s Client username with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Password Authentication method). |
| --k8s-password | | K8s Client password (relevant only for K8s migration with Password Authentication method). |
| --k8s-token | | K8s Bearer Token with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Token Authentication method). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

gateway-delete-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -i, --id | **Y** | Migration ID (can be retrieved with the gateway-list-migration command). |
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

gateway-get-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | Migration name to display. |
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

gateway-list-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

gateway-sync-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -n, --name | **Y** | Migration name. |
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| --sync | | true to start synchronization, false to stop it. |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

gateway-update-migration

Parameters

| Parameter | Mandatory | Description |
|---|---|---|
| -i, --id | | Migration ID (can be retrieved with the gateway-list-migration command). |
| -n, --name | | Migration name. |
| --new-name | | New migration name. |
| -u, --gateway-url[=http://localhost:8000] | | API Gateway URL (Configuration Management port). |
| -l, --target-location | | Target location in Akeyless for imported secrets. |
| -k, --protection-key | | The name of the key that protects the classic key value (if empty, the account default key will be used). |
| -g, --gcp-key-file-path | | Path to a file with the base64-encoded GCP Service Account private key with sufficient permissions to Secrets Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration). |
| -G, --gcp-key-data | | Base64-encoded GCP Service Account private key text with sufficient permissions to Secrets Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration). |
| -U, --hashi-url | | HashiCorp Vault API URL, e.g. https://vault-mgr01:8200 (relevant only for HashiCorp Vault migration). |
| --hashi-ns | | Comma-separated list of HashiCorp Vault namespaces to import into Akeyless Vault. For every provided namespace, all its child namespaces are imported as well, e.g. nmsp/subnmsp1/subnmsp2,nmsp/anothernmsp. By default, all namespaces are imported (relevant only for HashiCorp Vault migration). |
| -T, --hashi-token | | HashiCorp Vault access token with sufficient permissions to perform list & read operations on secrets objects (relevant only for HashiCorp Vault migration). |
| --hashi-json[=true] | | Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration). |
| -I, --aws-key-id | | AWS Access Key ID with sufficient permissions to get all secrets, e.g. 'arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]' (relevant only for AWS migration). |
| -K, --aws-key | | AWS Secret Access Key (relevant only for AWS migration). |
| --aws-region[=us-east-2] | | AWS region of the required Secrets Manager (relevant only for AWS migration). |
| -v, --azure-kv-name | | Azure Key Vault Name (relevant only for Azure Key Vault migration). |
| -a, --azure-tenant-id | | Azure Key Vault Access tenant ID (relevant only for Azure Key Vault migration). |
| -c, --azure-client-id | | Azure Key Vault Access client ID; should be an Azure AD App with a service principal (relevant only for Azure Key Vault migration). |
| -s, --azure-secret | | Azure Key Vault secret (relevant only for Azure Key Vault migration). |
| --k8s-namespace | | K8s Namespace. Use this field to import secrets from a particular namespace only. By default, the secrets are imported from all namespaces (relevant only for K8s migration). |
| --k8s-url | | K8s API Server URL, e.g. https://k8s-api.mycompany.com:6443 (relevant only for K8s migration). |
| --k8s-skip-system | | K8s Skip Control Plane Secrets. Use this option to avoid importing secrets from system namespaces (relevant only for K8s migration). |
| --k8s-ca-certificate | | K8s Cluster CA certificate (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-client-cert | | K8s Client certificate with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-client-key | | K8s Client key (relevant only for K8s migration with Certificate Authentication method). |
| --k8s-username | | K8s Client username with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Password Authentication method). |
| --k8s-password | | K8s Client password (relevant only for K8s migration with Password Authentication method). |
| --k8s-token | | K8s Bearer Token with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with Token Authentication method). |
| --profile, --token | | Use a specific profile (located at $HOME/.akeyless/profiles) or a temporary access token. |
| --uid-token | | The universal identity token. Required only for universal_identity authentication. |

