RDP Dynamic Secrets

You can define a Remote Desktop Protocol (RDP) dynamic secret to dynamically generate user credentials for connecting to a specified Windows host.

The Akeyless Gateway connects to the target Windows host over SSH to manage users. Akeyless uses its own internal revocation system, and also deletes RDP users to ensure they become invalid within a reasonable time of the lease expiring.


To create an RDP dynamic secret, ensure that:

  1. You have administrator access to the Akeyless Gateway.
  2. An SSH server is enabled on the target Windows host.

Create an RDP Dynamic Secret from the CLI

Let’s create an RDP dynamic secret using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Gateway instead.

The CLI command to create an RDP dynamic secret is:

$ akeyless gateway-create-producer-rdp \
-u <Your GW URL> \
-n  <secret name> \
--rdp-user-groups <Group Name> \
--rdp-host-name <Hostname\IP> \
--rdp-admin-name <UserName> \
--rdp-admin-pwd <Password>\


For details about the options available for this command, see the CLI Command Reference.

Create an RDP Dynamic Secret from the Akeyless Gateway

  1. Log in to the Akeyless Gateway and go to Dynamic Secrets > New > RDP Producer.

  2. Define the following:

    • Name: A unique name that describes the purpose or permission scope of the secret.
    • Location: The path to the virtual folder in which to create the secret.
    • Admin user: The username of an administrator user with sufficient permissions to create users, groups, and so on.
    • Admin password: The administrator user password.
    • Hostname: The hostname or IP address of the target Windows server.
    • Port: The SSH port for the connection, by default 22.
    • Groups: A comma-separated list of the RDP user group(s) to which the new user should be added.
    • Externally Provided Username: Select this checkbox to create the same user each time the secret is requested.
    • Encrypt Dynamic Producer with the following Key: Select the encryption key with which to encrypt the dynamic secret (if your system includes multiple encryption keys). Otherwise, select Default.
    • User TTL: The length of time for which the credentials generated by the dynamic secret are valid, by default 60 (minutes).
    • Time unit: The time unit for the TTL, by default, minutes.
  3. Select Save.

Did this page help you?