Associate a Classic Key and a Target

You can associate a classic key with a target (cloud KMS) when you create the key, or add this association at any time. When you associate a classic key with a target, you share the key with the cloud KMS, from where it can be used in the same way as any key created by the cloud provider. Akeyless remains responsible for managing the key lifecycle by providing secure storage, as well as full role-based access control, recording of key activities, and logging.

The CLI command to associate a classic key with a target is:

akeyless assoc-target-item --target-name <target-name> --name <classic key name>


  • target-name: The name of the target you want to associate with the classic key.
  • name: The name of the classic key you want to share with the specified target.

The full list of options for this command is:

-t, --target-name               *The target to associate
-n, --name                      *The item to associate
    --profile                    Use a specific profile from your akeyless/profiles/ folder
    --username                   Optional username for various authentication flows
    --password                   Optional password for various authentication flows
    --uid-token                  The universal identity token, Required only for universal_identity authentication
-h, --help                       display help information
    --json[=false]               Set output format to JSON
    --no-creds-cleanup[=false]   Do not clean local temporary expired creds

Shared Keys on a Cloud KMS

When you associate a classic key with a cloud KMS, you will find a new customer-managed key on the cloud KMS. The key alias is built as managed-by-<account-id>-<item-id>, as shown in the following example:


Did this page help you?