CLI Reference - Static Secrets

This section outlines the CLI commands relevant to Static Secrets.

General Flags:

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token

--uid-token: The universal identity token, Required only for universal_identity authentication

-h, --help: Display help information

--json[=false]: Set output format to JSON

--jq-expression: JQ expression to filter result output

--no-creds-cleanup[=false]: Do not clean local temporary expired creds

create-secret

Creates a new static secret item

Usage

akeyless create-secret \
--name <Secret name> \
--value <Secret value> \
--type <generic/password> 

Flags

--name: Required, Secret name

--type[=generic]: The secret sub type [generic/password]

--value: Required, The secret value (relevant only for type generic)

-f, --format[=text]: Secret format [text/json / key-value] (relevant only for type 'generic')

--url, --inject-url: Comma separated list of URLs associated with the item (only relevant for type 'password')

-p, --password: The password value (relevant for "password manager" only)

-u, --username: The username value (relevant for "password manager" only)

-c, --custom-field: Additional custom fields to associate with the item, to specify multiple fields repeat the argument: --custom-field fieldName1=value1 -c fieldName2=value2 (only relevant for type 'password')

--accessibility[=regular]: In case of an item in a user's personal folder [regular/personal]

-t, --tag: List of the tags attached to this secret. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

-k, --key: The name of a key that used to encrypt the secret value (if empty, the account default protection key will be used)

--multiline: The provided value is a multiline value (separated by '\n')

--max-versions: Set the maximum number of versions, limited by the account settings defaults

--secure-access-enable: Enable/Disable secure remote access, 'true'/'false'

--secure-access-ssh-creds: Static-Secret values contains SSH Credentials, either Private Key or Password [password/private-key]

--secure-access-url: Destination URL to inject secrets

--secure-access-web-browsing[=false]: Secure browser via Akeyless Web Access Bastion

--secure-access-web-proxy[=false]: Web-Proxy via Akeyless Web Access Bastion

--secure-access-bastion-issuer: Path to the SSH Certificate Issuer for your Akeyless Bastion

--secure-access-host: Target servers for connections., For multiple values repeat this flag.

--secure-access-ssh-user: Override the SSH username as indicated in SSH Certificate Issuer

--secure-access-rdp-user: Remote Desktop Username

--description: Secret description

--delete-protection: Protection from accidental deletion of this item, [true/false]

--change-event: Trigger an event when a secret value changed, [True/False]

describe-item

Get the item details

Usage

akeyless describe-item \
--name <item-name> \
--display-id <display id of the item> \
--item-id <Item-ID> 

Flags

-n, --name: Item name

-d, --display-id: The display id of the item

-I, --item-id: Item id of the item

--show-versions[=false] : Include all item versions in reply

--gateway-details[=false]: Output will include additional gateway details (e.g cluster URL)

--bastion-details[=false]: Output will include additional bastion details

--services-details[=false]: Include all associated services details

--accessibility[=regular]: In case of an item in a user's personal folder [regular/personal]

See Commands for all items and objects and also Updating and versioning static secrets for details.

get-secret-value

Get static secret value

Usage

akeyless get-secret-value --name <Secret Name>

Flags

--name: Required, Secret name

--version: Secret version, if negative value N is provided (--version=-N) the last N versions will return (maximum 20)

--ignore-cache[=false]: Retrieve the Secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the RestAPI

--accessibility[=regular]: In case of an item in a user's personal folder [regular/personal]

import-passwords

Import passwords from CSV file

📘

CSV Example

The box below has an example CSV that is valid for importing in the format of Chrome

Usage

akeyless import-passwords \
--import-path <Path/to/CSV/Filee> \
--format <source format>

name,url,username,password,description
/path/to/Example Email,https://mail.example.com,[email protected],P@ssword123,Primary email account for personal use
/full/path/to/Example Bank,https://bank.example.com,alice_bank,P@ssw0rd!,Banking account login details
/path/to/Example Social,https://social.example.com,alice_social,Social123,Social media account credentials

Flags

-p, --import-path: Required, Path to the CSV file that contains passwords to import

--format[=LastPass]: Password format type [LastPass/Chrome/Firefox,1password,keeper,bitwarden,dashlane]

--accessibility[=personal]: Whether passwords should be imported to the user's personal folder [regular/personal]

--target-folder[=/]: Target folder for imported passwords

-k, --key: The name of a key that is used to encrypt the secret value (if empty, the account default protection key key will be used)

--update-mode[=skip]: Specify how to handle passwords that already exist (skip/update)

list-shared-items

List shared items in the current account

rollback-secret

Rollback secret to older version

Usage

akeyless rollback-secret \
--name <Secret Name> \
--old-version <Secret version>

Flags

--name: Required, Secret name

--old-version: Required, Old secret version to rollback to

share-item

Sharing item operation [start sharing/stop sharing/sharing describe]

Usage

akeyless share-item \
--item-name <Secret Name> \
--action <start/stop/describe> \
--email <Email list> 

Flags

-n, --item-name: Required, The secret name (supported types: static secret)

-a, --action: Required, The action to perform [start/stop/describe]

--share-type[=email]: Share type [email/token]

-e, --email: List of emails to start/stop sharing the secret with, To specify multiple emails use argument multiple times: -e email1 -e email2

-s, --shared-token-id: Shared token ids to stop sharing a secret, To specify multiple token ids use the argument multiple times: --shared-token-id token1 --shared-token-id token2

-t, --ttl: Availability of the shared secret in seconds

-v, --view-once[=false]: Shared secrets can only be viewed once [true/false]

--accessibility[=regular]: In case of an item in a user's personal folder [regular/personal]

unwrap-token

Unwrapping the token containing a secret

Usage

akeyless unwrap-token \
--shared-token <token>

Flags

-s, --shared-token: Required, The value of the shared token that wraps the secret

update-secret-val

Update static secret value

Usage

akeyless update-secret-val \
--name <Secret Name> \
--value <secret value> 

Flags

--name: Required, Secret name

--value: Required, The updated secret value

--url, --inject-url: List of the URL associated with the item (relevant for "password manager" only)

-p, --password: The password value (relevant for "password manager" only)

-u, --username: The username value (relevant for "password manager" only)

-c, --custom-field: Additional custom fields to associate with the item, to specify multiple fields repeat the argument: --custom-field fieldName1=value1 -c fieldName2=value2 (only relevant for type 'password')

-k, --key: The name of a key that used to encrypt the secret value (if empty, the account default protectionKey key will be used)

--multiline: The provided value is a multiline value (separated by '\n')

--last-version: The last version number before the update

--new-version: [Deprecated: Use keep-prev-version instead] Whether to create a new version

--keep-prev-version: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings

--accessibility[=regular]: In case of an item in a user's personal folder [regular/personal]

For other data, such as description or tags, use update-item as described in Commands for all items and objects.