CLI Reference - Universal Identity

Akeyless Universal Identity Auth Method

This section outlines the CLI commands relevant to Universal Identity authentication.

General Flags:

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token

--uid-token: The universal identity token. Required only for universal_identity authentication

-h, --help: Display help information

--json[=false]: Set output format to JSON

--jq-expression: JQ expression to filter result output

--no-creds-cleanup[=false]: Do not clean local temporary expired creds

create

Create a new Auth Method that will be able to authenticate using Akeyless Universal Identity

Usage
akeyless auth-method create universal-identity \
--name <Auth method name> \
--ttl <Token TTL> 
Flags

-n, --name: Required Auth Method name

--description: Auth Method description

--access-expires[=0]: Access expiration date in Unix timestamp (select 0 for access without expiry date)

--bound-ips: A comma-separated CIDR block list to allow client access

--gw-bound-ips: A comma-separated CIDR block list as a trusted Gateway entity

--delete-protection: Protection from accidental deletion of this object, [true/false]

--force-sub-claims: Enforce that role association must include sub-claims

--jwt-ttl[=0]: creds expiration time in minutes. If not set, use default according to account settings (see get-account-settings)

--deny-rotate: Deny the token from rotating

--deny-inheritance: Deny the root token from creating children

--ttl[=60]: Token TTL (defaults to the value configured in the Akeyless console under Authentication settings)

uid-create-child-token

Create a new child token using Akeyless Universal Identity

Usage
akeyless uid-create-child-token \
--child-deny-rotate \
--child-deny-inheritance
Flags

--child-deny-rotate: Deny the new child token from rotating

--child-deny-inheritance: Deny the new child token from creating children of its own

--child-ttl: New child token TTL

-n, --auth-method-name: The universal identity auth method name, required only when uid-token is not provided

--tid, --uid-token-id: The ID of the uid-token, required only when uid-token is not provided

--profile or --token: Use a specific Akeyless profile (located at $HOME/.akeyless/profiles) or a temporary access token

--uid-token: The universal identity token. It is required only for universal_identity authentication

uid-generate-token

Generate a new token using Akeyless Universal Identity

Usage
akeyless uid-generate-token --auth-method-name <Auth method name>

uid-list-children

List the token children ids of Akeyless Universal Identity

Usage
akeyless uid-list-children --auth-method-name <UID Auth Method Name>

uid-revoke-token

Revoke token using Akeyless Universal Identity

Usage
akeyless uid-revoke-token \
--revoke-type <revokeSelf/revokeAll> \
--revoke-token <UID Token ID> 
Flags

--revoke-type: Required, revokeSelf/revokeAll (delete only this token, or this token and all its children)

--revoke-token: Required, the universal identity token/token-id to revoke

-n, --auth-method-name: The universal identity auth method name

uid-rotate-token

Rotate Akeyless Universal Identity token

Flags

-t, --token, --uid-token: The Universal identity token to rotate

--fork: Create a new child token with default Flags

--send-manual-ack-token: The new rotated token to send manual ack for (with uid-token=the-orig-token)

--with-manual-ack: Disable automatic ack

-o, --output-file: Path to the output file

-i, --input-file: Path to the input file

update

Update an existing Auth Method that authenticates using Akeyless Universal Identity

Usage
akeyless auth-method update universal-identity \
--name <Auth method name> \
--new-name <Auth method new name> 
Flags

--new-name: Auth Method new name

-n, --name: Required, Auth Method name

--description: Auth Method description

--access-expires[=0]: Access expiration date in Unix timestamp (select 0 for access without expiry date)

--bound-ips: A comma-separated CIDR block list to allow client access

--gw-bound-ips: A comma-separated CIDR block list as a trusted Gateway entity

--force-sub-claims: Enforce that role association must include sub-claims

--audit-logs-claims: Additional sub-claims to include in audit logs. e.g. --audit-logs-claims email --audit-logs-claims username

--delete-protection: Protection from accidental deletion of this object, [true/false]

--jwt-ttl[=0]: creds expiration time in minutes. If not set, use default according to account settings (see get-account-settings)

--deny-rotate: Deny the token from rotating

--deny-inheritance: Deny the root token from creating children

--ttl[=60]: Token TTL (in minutes)
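The following script is an added example and is not part of the Akeyless documentation or CLI. It composes the commands above into a least-privilege token lifecycle: an auth method with bound IPs and a short JWT TTL, a root token, leaf child tokens that can neither rotate nor inherit, a two-phase rotation with manual ack, and a revokeAll for incident response. The auth method name, the CIDR, and the AKEYLESS_BIN variable (which only exists so a stub can stand in for the real binary) are assumptions; the script also assumes the akeyless CLI is installed and the caller is already authenticated through a profile allowed to manage auth methods. Token values are taken as arguments because the page does not specify the output format of uid-generate-token or uid-rotate-token.

```shell
#!/bin/sh
# Added example (not Akeyless code): least-privilege Universal Identity lifecycle
# built from the CLI commands on this page.
# Assumptions: `akeyless` is installed and already logged in; the auth method
# name and CIDR are placeholders; AKEYLESS_BIN lets a stub replace the binary.
set -eu

AKEYLESS_BIN="${AKEYLESS_BIN:-akeyless}"
AUTH_METHOD="${AUTH_METHOD:-/ci/uid-build-agents}"   # assumed auth method name

# 1. Create the auth method. --bound-ips narrows where a leaked token is usable,
#    --jwt-ttl keeps derived credentials short-lived, --delete-protection guards
#    the method itself against accidental removal. CIDR is a placeholder.
uid_create_auth_method() {
  "$AKEYLESS_BIN" auth-method create universal-identity \
    --name "$AUTH_METHOD" \
    --ttl 60 \
    --jwt-ttl 15 \
    --bound-ips "10.20.0.0/16" \
    --delete-protection true
}

# 2. Issue the root (parent) token. The CLI prints it; store it in a secret
#    store and pass it to the functions below rather than embedding it.
uid_root_token() {
  "$AKEYLESS_BIN" uid-generate-token --auth-method-name "$AUTH_METHOD"
}

# 3. Hand workers a leaf child: it can neither rotate itself nor create
#    children, so a compromised worker cannot extend or multiply its access.
uid_leaf_child() {
  local root_token="$1" ttl="${2:-30}"
  "$AKEYLESS_BIN" uid-create-child-token \
    --uid-token "$root_token" \
    --child-ttl "$ttl" \
    --child-deny-rotate \
    --child-deny-inheritance
}

# 4. Rotate the root token in two phases. --with-manual-ack disables the
#    automatic ack, so the rotation is only confirmed (via
#    --send-manual-ack-token, sent with the original token) after the new
#    token has been written to disk; this is intended to avoid losing access
#    if the process dies between rotating and persisting the new token.
uid_rotate_begin() {
  local orig_token="$1" out_file="$2"
  "$AKEYLESS_BIN" uid-rotate-token \
    --uid-token "$orig_token" \
    --with-manual-ack \
    --output-file "$out_file"
}

uid_rotate_ack() {
  local orig_token="$1" new_token="$2"
  "$AKEYLESS_BIN" uid-rotate-token \
    --uid-token "$orig_token" \
    --send-manual-ack-token "$new_token"
}

# 5. Audit helper: list the child token IDs under the auth method.
uid_list_children() {
  "$AKEYLESS_BIN" uid-list-children --auth-method-name "$AUTH_METHOD"
}

# 6. Incident response: revoke a parent and every child beneath it at once.
uid_revoke_tree() {
  local token_id="$1"
  "$AKEYLESS_BIN" uid-revoke-token \
    --auth-method-name "$AUTH_METHOD" \
    --revoke-type revokeAll \
    --revoke-token "$token_id"
}

# Run the creation steps only when invoked as `sh uid-lifecycle.sh run`;
# the remaining functions take tokens captured from that output.
if [ "${1:-}" = "run" ]; then
  uid_create_auth_method
  uid_root_token
fi
```

Typical use is to source the file in an operator shell, capture the root token from uid_root_token into a secret store, and call uid_leaf_child once per worker; the deny flags on the child mean revoking the root with revokeAll is the single cleanup action needed when a worker is compromised.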