Access Roles (RBAC)

Role Based Access Control

Akeyless RBAC follows the principle of least privilege: the access rights of users and machines are limited to the minimum permissions they need to do their work.

Akeyless supports several types of auth methods: API key, Okta, SAML, LDAP, Azure AD, OIDC, Kubernetes Auth and Universal Identity.

A client authenticates through an auth method, and auth methods are associated with roles. A role can have several auth methods associated with it, and an auth method can be associated with several roles, which keeps operations flexible. Each role can carry any number of rules, and each rule grants (or denies) capabilities on a path.


Create an API-key authentication method and a role (they are linked to each other in the last step below):

akeyless create-auth-method --name client1
akeyless create-role --name role1

Enable all the authentication methods associated with a role to access all items under /path/to/folder/ with read, create, and update permissions:

akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --capability read --capability create --capability update

Deny all the authentication methods associated with the role access to the single item /path/to/folder/topSecret. The deny rule takes precedence over the wildcard grant above, so it carves an exception out of it:

akeyless set-role-rule --role-name role1 --path /path/to/folder/topSecret --capability deny

Associate client1 with role1. After this step client1 can access every item under /path/to/folder/ except /path/to/folder/topSecret:

akeyless assoc-role-am --role-name role1 --am-name client1
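As an added example (written for this page, not Akeyless code or documentation), the steps above expressed as policy-as-code: the role, its rules and its associations are declared as data, the CLI commands from this page are generated from that declaration, and a local evaluator shows which paths a client could and could not reach before anything is applied. Two assumptions are mine and are marked in the code: a matching deny rule overrides any allow rule (consistent with the topSecret exception above), and the `*` wildcard also covers nested paths under the folder. The role and auth-method names are the page's illustrative ones; the Akeyless server-side evaluation is always authoritative.

```python
from __future__ import annotations

import fnmatch
import shlex
import subprocess
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One set-role-rule entry: a path (or glob) and the capabilities granted, or {"deny"}."""
    path: str
    capabilities: frozenset[str]


@dataclass
class Role:
    """A role, its rules, and the auth methods associated with it."""
    name: str
    rules: list[Rule] = field(default_factory=list)
    auth_methods: list[str] = field(default_factory=list)

    def allow(self, path: str, *capabilities: str) -> "Role":
        self.rules.append(Rule(path, frozenset(capabilities)))
        return self

    def deny(self, path: str) -> "Role":
        self.rules.append(Rule(path, frozenset({"deny"})))
        return self

    def associate(self, auth_method: str) -> "Role":
        self.auth_methods.append(auth_method)
        return self


def path_matches(pattern: str, path: str) -> bool:
    """Glob match for rule paths. Assumption: '*' also spans '/', so
    '/path/to/folder/*' covers nested items such as /path/to/folder/sub/item."""
    return fnmatch.fnmatchcase(path, pattern)


def permitted(role: Role, path: str, capability: str) -> bool:
    """Local model of rule evaluation. Assumption: any matching deny rule wins
    over every allow rule; otherwise a capability must be granted explicitly."""
    matching = [r for r in role.rules if path_matches(r.path, path)]
    if any("deny" in r.capabilities for r in matching):
        return False
    return any(capability in r.capabilities for r in matching)


def cli_commands(role: Role) -> list[list[str]]:
    """Turn the declared policy into the akeyless CLI calls used on this page.
    create-auth-method is the page's API-key client; other auth method types are
    created with their own commands and only need the association step."""
    commands: list[list[str]] = []
    for am in role.auth_methods:
        commands.append(["akeyless", "create-auth-method", "--name", am])
    commands.append(["akeyless", "create-role", "--name", role.name])
    for rule in role.rules:
        cmd = ["akeyless", "set-role-rule", "--role-name", role.name, "--path", rule.path]
        for cap in sorted(rule.capabilities):
            cmd += ["--capability", cap]
        commands.append(cmd)
    for am in role.auth_methods:
        commands.append(["akeyless", "assoc-role-am", "--role-name", role.name, "--am-name", am])
    return commands


def render(commands: list[list[str]]) -> str:
    """Shell-quoted script text, one command per line (globs stay quoted)."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


def apply(commands: list[list[str]], dry_run: bool = True) -> None:
    """Print (dry run) or execute the commands with the locally configured akeyless CLI."""
    for cmd in commands:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)


def page_example() -> Role:
    """The role1/client1 policy described on this page (illustrative names)."""
    return (
        Role("role1")
        .allow("/path/to/folder/*", "read", "create", "update")
        .deny("/path/to/folder/topSecret")
        .associate("client1")
    )


if __name__ == "__main__":
    role = page_example()
    apply(cli_commands(role))  # dry run: prints the CLI script without calling akeyless
    for p, cap in [("/path/to/folder/db-password", "read"),
                   ("/path/to/folder/db-password", "delete"),
                   ("/path/to/folder/topSecret", "read"),
                   ("/other/secret", "read")]:
        print(f"{cap:6} {p:30} -> {'allow' if permitted(role, p, cap) else 'deny'}")
```

Run it as-is to see the generated script and the local allow/deny table; call `apply(cli_commands(page_example()), dry_run=False)` only once the akeyless CLI is configured and you have reviewed the printed commands. Keeping the rule list in one place also makes it easy to spot a grant that is wider than intended (for example a `*` path) before it reaches the account.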


Example: configuring an access role for a "Jenkins environment" with an API-key auth method ("Client1"), with specific permissions set per path.


Please note

Sub claims are an additional layer of restriction that applies only to SAML, LDAP, OpenID, Okta, JWT and Kubernetes auth methods: they narrow an association to identities carrying specific claims. The sub claims available vary between auth methods.