CLI Reference - Static Secrets

Static Secrets

create-secret

Creates a new static secret item

Please note: mandatory values for this command: -n, --name, --value

Usage
akeyless create-secret --name <Secret name> \
--value <Secret value> \
--type <secret sub type [generic/password]> \
--password-manager-password <password value (relevant for "password manager" only)> \
--password-manager-username <username value (relevant for "password manager" only)>
Parameters
Parameter | Description
--name | (Mandatory) Secret name
--value | (Mandatory) The secret value
--description | Secret description
--type[=generic] | The secret sub type [generic/password]
-p, --password-manager-password | The password value (relevant for "password manager" only)
-u, --password-manager-username | The username value (relevant for "password manager" only)
-t, --tag | List of the tags attached to this secret. To specify multiple tags use the argument multiple times: --tag Tag1 -t Tag2
-k, --key | The name of a key that is used to encrypt the secret value (if empty, the account default protectionKey key will be used)
--multiline | The provided value is a multiline value (separated by '\n')
--secure-access-enable | Enable/Disable secure remote access, 'true'/'false'
--secure-access-ssh-creds | Static-Secret values contain SSH credentials, either Private Key or Password [password/private-key]
--secure-access-url | Destination URL to inject secrets
--secure-access-web-browsing[=false] | Secure browser via Akeyless Web Access Bastion
--secure-access-web-proxy[=false] | Web-Proxy via Akeyless Web Access Bastion
--secure-access-bastion-issuer | Path to the SSH Certificate Issuer for your Akeyless Bastion
--secure-access-host | Target servers for connections. For multiple values repeat this flag.
--secure-access-ssh-user | Override the SSH username as indicated in the SSH Certificate Issuer
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal]
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

update-secret-val

Update static secret value

Please note: mandatory values for this command: -n, --name, --value

Usage
akeyless update-secret-val --name <Secret Name> \
--value <secret value> \
--password-manager-password <password value (relevant for "password manager" only)> \
--password-manager-username <username value (relevant for "password manager" only)>
Parameters
Parameter | Description
--name | (Mandatory) Secret name
--value | The updated secret value
--url, --password-manager-inject-url | List of URLs associated with the item (relevant for "password manager" only)
-p, --password-manager-password | The password value (relevant for "password manager" only)
-u, --password-manager-username | The username value (relevant for "password manager" only)
-c, --password-manager-custom-field | List of additional fields to associate with the item; use the argument multiple times: --password-manager-custom-field fieldName1=value1 (relevant for "password manager" only)
-k, --key | The name of a key that is used to encrypt the secret value (if empty, the account default protectionKey key will be used)
--multiline | The provided value is a multiline value (separated by '\n')
--new-version | [Deprecated: use keep-prev-version instead] Whether to create a new version
--keep-prev-version | Whether to keep the previous version, options: [true, false]. If not set, the default according to the account settings is used
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

For other data, such as description or tags, use update-item as described in Commands for all items and objects.

get-secret-value

Get static secret value

Please note: mandatory values for this command: -n, --name

Usage
akeyless get-secret-value --name <Secret Name>
Parameters
Parameter | Description
--name | (Mandatory) Secret name
--version | Secret version
--ignore-cache[=false] | Retrieve the secret value without checking the Gateway's cache [true/false]. This flag is only relevant when using the REST API
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

describe-item

Get the item details

Usage
akeyless describe-item --name <item-name>
Parameters
Parameter | Description
-n, --name | Item name
-d, --display-id | The display id of the item
-I, --item-id | Item id of the item
--show-versions[=false] | Include all item versions in the reply
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

See Commands for all items and objects and also Updating and versioning static secrets for details.

rollback-secret

Rollback secret to older version

Please note: mandatory values for this command: -n, --name, --old-version

Usage
akeyless rollback-secret -n <Secret Name> \
--old-version <Old secret version to rollback to>
Parameters
Parameter | Description
--name | (Mandatory) Secret name
--old-version | (Mandatory) Old secret version to roll back to
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

share-item

Sharing item operation [start sharing/stop sharing/sharing describe]

Please note: mandatory values for this command: -n, --item-name, -a, --action

Usage
akeyless share-item --item-name <Secret Name> \
--action <start/stop/describe> \
--email <List of emails to start/stop sharing the secret with> \
--ttl <Availability of the shared secret in seconds>

Parameters

Parameter | Description
-n, --item-name | (Mandatory) The secret name (supported types: static secret)
-a, --action | (Mandatory) The action to perform [start/stop/describe]
-e, --email | List of emails to start/stop sharing the secret with. To specify multiple emails use the argument multiple times: -e email1 -e email2
-t, --ttl | Availability of the shared secret in seconds
-v, --view-once[=false] | Shared secrets can only be viewed once [true/false]
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication
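
The following wrapper is an added example and is not part of the Akeyless CLI or its documentation: it puts a sharing policy in front of share-item by refusing a --ttl above a configured ceiling, requiring at least one valid recipient, and always passing --view-once true. The names MAX_SHARE_TTL, is_uint, share_secret_bounded and stop_sharing are this example's own, and it assumes the akeyless CLI is on PATH with an authenticated profile.

```shell
#!/bin/sh
# Added example, not part of the Akeyless CLI or its documentation: a wrapper
# around `akeyless share-item` that refuses shares which outlive a policy
# limit and always forces --view-once. MAX_SHARE_TTL, is_uint,
# share_secret_bounded and stop_sharing are this example's own names
# (assumptions); the `akeyless` CLI is assumed to be on PATH with an
# authenticated profile.

# Longest lifetime, in seconds, a shared secret may have (1 hour by default).
: "${MAX_SHARE_TTL:=3600}"

# is_uint STRING: succeeds only if STRING is a non-empty decimal integer.
is_uint() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  return 0
}

# share_secret_bounded NAME TTL EMAIL [EMAIL...]
# Starts sharing static secret NAME with every EMAIL for TTL seconds.
# Refuses (exit 1) when TTL is not within 1..MAX_SHARE_TTL, when no
# recipient is given, or when a recipient does not look like an address.
# Usage: share_secret_bounded /prod/db-pass 600 alice@example.com
share_secret_bounded() {
  name=$1
  ttl=$2
  if [ -z "$name" ] || ! is_uint "$ttl" || [ "$ttl" -lt 1 ] \
     || [ "$ttl" -gt "$MAX_SHARE_TTL" ]; then
    echo "share refused: ttl must be 1..$MAX_SHARE_TTL seconds" >&2
    return 1
  fi
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "share refused: at least one recipient email is required" >&2
    return 1
  fi
  # The CLI takes one -e flag per recipient. Rebuild the positional list as
  # "-e EMAIL -e EMAIL ..." (the for-list is expanded once, so appending to
  # "$@" inside the loop is safe), then drop the original addresses.
  count=$#
  for email in "$@"; do
    case "$email" in
      *@*.*) ;;
      *) echo "share refused: '$email' is not an email address" >&2; return 1 ;;
    esac
    set -- "$@" -e "$email"
  done
  shift "$count"
  # --view-once true: the share is consumed on first read, so a link that
  # leaks after the recipient has used it yields nothing.
  akeyless share-item --item-name "$name" --action start \
    --ttl "$ttl" --view-once true "$@"
}

# stop_sharing NAME EMAIL [EMAIL...]: revoke the share for those recipients.
stop_sharing() {
  name=$1
  shift
  [ "$#" -gt 0 ] || return 1
  count=$#
  for email in "$@"; do
    set -- "$@" -e "$email"
  done
  shift "$count"
  akeyless share-item --item-name "$name" --action stop "$@"
}
```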

list-shared-items

List shared items

Parameters
Parameter | Description
--accessibility[=regular] | In case of an item in a user's personal folder [regular/personal]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

Automatic Secrets Migration

gateway-create-migration

Create migration

Please note: mandatory values for this command: -n, --name, -t, --type, -l, --target-location

Usage
akeyless gateway-create-migration --name <Migration name> \
--type <Migration type> \
--target-location <Target location> \
--gateway-url <API Gateway URL:8000> \
--protection-key <The name of the key that protects the classic key value>
Parameters
Parameter | Description
-n, --name | (Mandatory) Migration name for display
-t, --type | (Mandatory) Migration type (hashi/aws/gcp/k8s/azure_kv/1password/active_directory)
-l, --target-location | (Mandatory) Target location in Akeyless for imported secrets
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
-k, --protection-key | The name of the key that protects the classic key value (if empty, the account default key will be used)
-g, --gcp-key-file-path | Path to a file with the base64-encoded GCP Service Account private key with sufficient permissions on Secret Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration)
-G, --gcp-key-data | Base64-encoded GCP Service Account private key text with sufficient permissions on Secret Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration)
-U, --hashi-url | HashiCorp Vault API URL, e.g. https://vault-server:8200 (relevant only for HashiCorp Vault migration)
--hashi-ns | HashiCorp Vault namespaces: a comma-separated list of namespaces to import into Akeyless Vault. For every provided namespace, all its child namespaces are imported as well, e.g. nmsp/subnmsp1/subnmsp2,nmsp/anothernmsp. By default, all namespaces are imported (relevant only for HashiCorp Vault migration)
-T, --hashi-token | HashiCorp Vault access token with sufficient permissions to perform list and read operations on secret objects (relevant only for HashiCorp Vault migration)
--hashi-json[=true] | Import each secret key as a JSON value or as independent secrets (relevant only for HashiCorp Vault migration)
-I, --aws-key-id | AWS Access Key ID with sufficient permissions to get all secrets, e.g. 'arn:aws:secretsmanager:AWSregion:AWSAccountId:Secret:/path/to/secrets/*' (relevant only for AWS migration)
-K, --aws-key | AWS Secret Access Key (relevant only for AWS migration)
--aws-region[=us-east-2] | AWS region of the required Secrets Manager (relevant only for AWS migration)
-v, --azure-kv-name | Azure Key Vault name (relevant only for Azure Key Vault migration)
-a, --azure-tenant-id | Azure Key Vault access tenant ID (relevant only for Azure Key Vault migration)
-c, --azure-client-id | Azure Key Vault access client ID; should be an Azure AD App with a service principal (relevant only for Azure Key Vault migration)
-s, --azure-secret | Azure Key Vault secret (relevant only for Azure Key Vault migration)
--k8s-namespace | K8s namespace. Use this field to import secrets from a particular namespace only. By default, secrets are imported from all namespaces (relevant only for K8s migration)
--k8s-url | K8s API Server URL, e.g. https://k8s-api.mycompany.com:6443 (relevant only for K8s migration)
--k8s-skip-system | Skip K8s control plane secrets. This option avoids importing secrets from system namespaces (relevant only for K8s migration)
--k8s-ca-certificate | K8s cluster CA certificate (relevant only for K8s migration with the Certificate Authentication method)
--k8s-client-cert | K8s client certificate with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Certificate Authentication method)
--k8s-client-key | K8s client key (relevant only for K8s migration with the Certificate Authentication method)
--k8s-username | K8s client username with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Password Authentication method)
--k8s-password | K8s client password (relevant only for K8s migration with the Password Authentication method)
--k8s-token | K8s Bearer Token with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Token Authentication method)
--ad-target-name | Active Directory LDAP Target name. The server type should be Active Directory (relevant only for Active Directory migration)
--ad-domain-name | Active Directory domain name (relevant only for Active Directory migration)
--ad-user-base-dn | Distinguished Name of the User objects to search in Active Directory, e.g. CN=Users,DC=example,DC=com (relevant only for Active Directory migration)
--ad-domain-users-path-template | Path location template for migrating domain users as Rotated Secrets, e.g. .../DomainUsers/{{USERNAME}} (relevant only for Active Directory migration)
--ad-user-groups | Comma-separated list of domain groups from which privileged domain users will be migrated (relevant only for Active Directory migration)
--ad-discover-local-users | Enable/Disable discovery of local users from each domain server and migrate them as SSH Rotated Secrets. Default is false: only domain users will be migrated. Discovery of local users might require further installation of SSH on the servers, based on the supplied computer base DN; this is done automatically as part of the migration process (relevant only for Active Directory migration)
--ad-targets-path-template | Path location template for migrating domain servers as SSH Targets, e.g. .../Servers/{{COMPUTER_NAME}} (relevant only for Active Directory migration)
--ad-local-users-path-template | Path location template for migrating domain users as Rotated Secrets, e.g. .../LocalUsers/{{COMPUTER_NAME}}/{{USERNAME}} (relevant only for Active Directory migration)
--ad-computer-base-dn | Distinguished Name of the Computer objects (servers) to search in Active Directory, e.g. CN=Computers,DC=example,DC=com (relevant only for Active Directory migration)
--ad-local-users-ignore | Comma-separated list of local users which should not be migrated (relevant only for Active Directory migration)
--ad-ssh-port[=22] | Set the SSH port for further connection to the domain servers. Default is port 22 (relevant only for Active Directory migration)
--ad-sra-enable-rdp | Enable/Disable RDP Secure Remote Access for the migrated local users' rotated secrets. Default is false: rotated secrets will not be created with SRA (relevant only for Active Directory migration)
--ad-auto-rotate | Enable/Disable automatic/recurrent rotation for migrated secrets. Default is false: only manual rotation is allowed for migrated secrets. If set to true, this command should be combined with the --ad-rotation-interval and --ad-rotation-hour parameters (relevant only for Active Directory migration)
--ad-rotation-interval | The number of days to wait between every automatic rotation [1-365] (relevant only for Active Directory migration)
--ad-rotation-hour | The hour of the scheduled rotation in UTC (relevant only for Active Directory migration)
--1password-url | 1Password sign-in address for your account
--1password-email | 1Password user email
--1password-password | 1Password password for the given user's email
--1password-secret-key | User's 1Password Secret Key
--1password-vaults | Optional list of 1Password vaults to migrate items from; can be used multiple times (--1password-vaults vault1 --1password-vaults vault2). If not provided, all non-private vaults will be migrated
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

gateway-delete-migration

Delete migration

Please note: mandatory values for this command: -i, --id

Usage
akeyless gateway-delete-migration --id <Migration ID> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-i, --id | (Mandatory) Migration ID (can be retrieved with the gateway-list-migration command)
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

gateway-get-migration

Get migrations

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-get-migration --name <Migration Name> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-n, --name | (Mandatory) Migration name to display
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

gateway-list-migration

List migrations

Parameters
Parameter | Description
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

gateway-sync-migration

Sync migration

Please note: mandatory values for this command: -n, --name

Usage
akeyless gateway-sync-migration --name <Migration Name> \
--gateway-url <API Gateway URL:8000> \
--sync <true = start synchronization, false = stop>
Parameters
Parameter | Description
-n, --name | (Mandatory) Migration name
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
--sync | true to start synchronization, false to stop it
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication

gateway-update-migration

Update migration

Please note: mandatory values for this command: -l, --target-location

Usage
akeyless gateway-update-migration --id <Migration ID> \
--name <Migration name> \
--new-name <New migration name> \
--target-location <Target location in Akeyless for imported secrets> \
--gateway-url <API Gateway URL:8000>
Parameters
Parameter | Description
-i, --id | Migration ID (can be retrieved with the gateway-list-migration command)
-n, --name | Migration name
--new-name | New migration name
-l, --target-location | Target location in Akeyless for imported secrets
-u, --gateway-url[=http://localhost:8000] | API Gateway URL (Configuration Management port)
-k, --protection-key | The name of the key that protects the classic key value (if empty, the account default key will be used)
-g, --gcp-key-file-path | Path to a file with the base64-encoded GCP Service Account private key with sufficient permissions on Secret Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration)
-G, --gcp-key-data | Base64-encoded GCP Service Account private key text with sufficient permissions on Secret Manager. The minimum required permission is Secret Manager Secret Accessor, e.g. 'roles/secretmanager.secretAccessor' (relevant only for GCP migration)
-U, --hashi-url | HashiCorp Vault API URL, e.g. https://vault-mgr01:8200 (relevant only for HashiCorp Vault migration)
--hashi-ns | HashiCorp Vault namespaces: a comma-separated list of namespaces to import into Akeyless Vault. For every provided namespace, all its child namespaces are imported as well, e.g. nmsp/subnmsp1/subnmsp2,nmsp/anothernmsp. By default, all namespaces are imported (relevant only for HashiCorp Vault migration)
-T, --hashi-token | HashiCorp Vault access token with sufficient permissions to perform list and read operations on secret objects (relevant only for HashiCorp Vault migration)
--hashi-json[=true] | Import each secret key as a JSON value or as independent secrets (relevant only for HashiCorp Vault migration)
-I, --aws-key-id | AWS Access Key ID with sufficient permissions to get all secrets, e.g. 'arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]' (relevant only for AWS migration)
-K, --aws-key | AWS Secret Access Key (relevant only for AWS migration)
--aws-region[=us-east-2] | AWS region of the required Secrets Manager (relevant only for AWS migration)
-v, --azure-kv-name | Azure Key Vault name (relevant only for Azure Key Vault migration)
-a, --azure-tenant-id | Azure Key Vault access tenant ID (relevant only for Azure Key Vault migration)
-c, --azure-client-id | Azure Key Vault access client ID; should be an Azure AD App with a service principal (relevant only for Azure Key Vault migration)
-s, --azure-secret | Azure Key Vault secret (relevant only for Azure Key Vault migration)
--k8s-namespace | K8s namespace. Use this field to import secrets from a particular namespace only. By default, secrets are imported from all namespaces (relevant only for K8s migration)
--k8s-url | K8s API Server URL, e.g. https://k8s-api.mycompany.com:6443 (relevant only for K8s migration)
--k8s-skip-system | Skip K8s control plane secrets. This option avoids importing secrets from system namespaces (relevant only for K8s migration)
--k8s-ca-certificate | K8s cluster CA certificate (relevant only for K8s migration with the Certificate Authentication method)
--k8s-client-cert | K8s client certificate with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Certificate Authentication method)
--k8s-client-key | K8s client key (relevant only for K8s migration with the Certificate Authentication method)
--k8s-username | K8s client username with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Password Authentication method)
--k8s-password | K8s client password (relevant only for K8s migration with the Password Authentication method)
--k8s-token | K8s Bearer Token with sufficient permission to list and get secrets in the namespace(s) you selected (relevant only for K8s migration with the Token Authentication method)
--ad-target-name | Active Directory LDAP Target name. The server type should be Active Directory (relevant only for Active Directory migration)
--ad-domain-name | Active Directory domain name (relevant only for Active Directory migration)
--ad-user-base-dn | Distinguished Name of the User objects to search in Active Directory, e.g. CN=Users,DC=example,DC=com (relevant only for Active Directory migration)
--ad-domain-users-path-template | Path location template for migrating domain users as Rotated Secrets, e.g. .../DomainUsers/{{USERNAME}} (relevant only for Active Directory migration)
--ad-user-groups | Comma-separated list of domain groups from which privileged domain users will be migrated (relevant only for Active Directory migration)
--ad-discover-local-users | Enable/Disable discovery of local users from each domain server and migrate them as SSH Rotated Secrets. Default is false: only domain users will be migrated. Discovery of local users might require further installation of SSH on the servers, based on the supplied computer base DN; this is done automatically as part of the migration process (relevant only for Active Directory migration)
--ad-targets-path-template | Path location template for migrating domain servers as SSH Targets, e.g. .../Servers/{{COMPUTER_NAME}} (relevant only for Active Directory migration)
--ad-local-users-path-template | Path location template for migrating domain users as Rotated Secrets, e.g. .../LocalUsers/{{COMPUTER_NAME}}/{{USERNAME}} (relevant only for Active Directory migration)
--ad-computer-base-dn | Distinguished Name of the Computer objects (servers) to search in Active Directory, e.g. CN=Computers,DC=example,DC=com (relevant only for Active Directory migration)
--ad-local-users-ignore | Comma-separated list of local users which should not be migrated (relevant only for Active Directory migration)
--ad-ssh-port[=22] | Set the SSH port for further connection to the domain servers. Default is port 22 (relevant only for Active Directory migration)
--ad-sra-enable-rdp | Enable/Disable RDP Secure Remote Access for the migrated local users' rotated secrets. Default is false: rotated secrets will not be created with SRA (relevant only for Active Directory migration)
--ad-auto-rotate | Enable/Disable automatic/recurrent rotation for migrated secrets. Default is false: only manual rotation is allowed for migrated secrets. If set to true, this command should be combined with the --ad-rotation-interval and --ad-rotation-hour parameters (relevant only for Active Directory migration)
--ad-rotation-interval | The number of days to wait between every automatic rotation [1-365] (relevant only for Active Directory migration)
--ad-rotation-hour | The hour of the scheduled rotation in UTC (relevant only for Active Directory migration)
--1password-url | 1Password sign-in address for your account
--1password-email | 1Password user email
--1password-password | 1Password password for the given user's email
--1password-secret-key | User's 1Password Secret Key
--1password-vaults | Optional list of 1Password vaults to migrate items from; can be used multiple times (--1password-vaults vault1 --1password-vaults vault2). If not provided, all non-private vaults will be migrated
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token. Required only for universal_identity authentication