Install and configure the Gateway

To get up and running with the Gateway features, you need to first:


  1. Register for an account with Akeyless Vault here.
  2. Ensure the following ports are open on the server where you're installing and running the Gateway:
    • 8000 - configuration manager
    • 18888 - Akeyless UI
    • 8200 - HVP vault proxy
    • 8080 - Akeyless Restful API
    • 5696 - KMIP


Network Settings

Akeyless Gateway services should not be exposed to the external network. Please refer to Gateway Specs & Network page for more information.

Install the Gateway

Run the following to install Akeyless Gateway:

docker run -d -p 8000:8000 \
  -p 8200:8200 -p 18888:18888 \
  -p 8080:8080 \
  -p 5696:5696 \
  --name akeyless-gw akeyless/base


Command structure - host port:docker port
Ports: (-p)

  • 8000 - configuration manager
  • 18888 - Akeyless UI
  • 8200 - HVP vault proxy
  • 8080 - Akeyless Restful API
  • 5696 - KMIP



By default, the running user will become the Admin of the first Akeyless GW.
In case you are using a dedicated authentication method, please make sure to set the required access permission.

To customize the access method, or to enable multiple Akeyless GW administrators, review the following advanced options.

Advanced administration
To set an Admin user for your Akeyless GW you can define the following environment variables:

Environment variable name



Supports the following options:

where access_id can be: API Key or a CSP IAM: aws_iam/azure_ad/gcp_gce.

or an email


Relevant only for API key. The matching access key should be provided.


Password , Relevant only when using anemail address as your authentication method.

To enable access for multiple users you can provide multiple access id's in the following formats:

A List of a key=value pairs separated by commas, where the key is the access_id and value is the matching access_key.

Note: While using a shared authentication method, please provide the relevant sub claims as well.
ALLOWED_ACCESS_IDS= access_id=access_key.



While using CSP IAM only access id is required.

The following table describe an additional usage with sub claims.



No sub-claims


Access id with sub-claim

ALLOWED_ACCESS_IDS=“access-id-1 subClaimkey1=subClaimVal1"

Access id with 2 different sub-claims

ALLOWED_ACCESS_IDS=“access-id-1 subClaimkey1=subClaimVal1,access-id-1 subClaimkey2=subClaimVal2”

Two different access id's with 2 sub-claims

ALLOWED_ACCESS_IDS=“access-id-1 subClaimkey1=subClaimVal1,access-id-2 subClaimkey1=subClaimVal1"

To set a unique cluster name for your Akeyless GW deployment:

CLUSTER_NAME- name , the default name of Akeyless GW is defaultCluster.



Overriding existing cluster name will create a complete new instance of your Akeyless-GW.

To encrypt your configuration with your Akeyless existing key:

CONFIG_PROTECTION_KEY_NAME - keyName , by default, Akeyless encrypts the GW configuration with the default account key.

To use a specific version of Akeyless-GW:

VERSION:version number, the default policy is to pull the latest version.

To use an existing customer fragment for Zero Knowledge :

docker run -d -p 8000:8000 -p 8200:8200 -p 18888:18888 -p 8080:8080  -p 5696:5696 -v {path-to}/customer_fragments.json:/root/.akeyless/customer_fragments.json -e ADMIN_ACCESS_ID="Your Admin Access ID" -e ADMIN_ACCESS_KEY="Your Admin Access KEY"  --name akeyless-gw akeyless/base

To set a unique display name for your Akeyless GW deployment:

INITIAL_DISPLAY_NAME - unique display name to be shown inside Akeyless gateways monitor screen.

Scalable Akeyless-GW on K8s

To learn how to utilize Helm chart with Akeyless-GW, please follow this guide.

Configure the Gateway

  1. From the Akeyless cloud, configure your Gateway auth method with administrator access.
  2. From the browser, navigate to localhost:8000.
  3. Enter your Gateway Access ID and Access Key to authenticate your account.

After successful login, you can start configuring the Akeyless GW:

  • TLS - you can enable/disable TLS (when TLS is enabled, you will need to provide the TLS certificate and private key)


Configure TLS

Please configure TLS on your first login which can be found on the General menu.

  • General - general settings.
  • Defaults - enable and configure SAML and set the default encryption key.
  • Zero Knowledge Encryption - upload or generate customer-fragment.
  • Dynamic Secrets - create and configure dynamic secret producer.
  • Targets - create and configure targets.
  • Rotated Secrets - create and configure rotated secret.
  • Classic Keys - create classic keys.
  • Caching - enable and configure the caching mechanism.
  • Log Forwarding - enable and configure log forwarding.

Did this page help you?