Setting Up Universal Identity for Windows Machines

To use Universal Identity tokens for a Windows machine, you need to set up the machine to accept and renew tokens.

  1. On the Windows machine, create the following PowerShell script, setting $base_dir to the home directory of the user the token is used for (for example, C:\Users\Administrator). Save the script as akeyless_universal_identity_token_rotator.ps1.

# akeyless_universal_identity_token_rotator.ps1

$base_dir   = "$HOME" # replace with the home directory of the user
$proxy_url  = ""      # URL of the Akeyless Universal Identity proxy
$token_file = "$base_dir/.vault-token"
$cur_token  = Get-Content -Path $token_file

if (Test-Path alias:curl) {
    Remove-Item alias:curl # avoid the built-in alias that maps curl to Invoke-WebRequest
}

# ask the proxy to rotate the current token
$curl_output = (curl -s -d "cmd=rotate-token&token=$cur_token" $proxy_url)
$res = $curl_output | Select-String 'ROTATED TOKEN:' | Out-String

# extract the token value from the "ROTATED TOKEN: [...]" line
$token = ($res.Split(" "))[6].Trim().Trim("[", " ").Replace("]`"","")

Write-Host "NEW TOKEN: [$token]"
if([string]::IsNullOrEmpty($token)) {
    Write-Host "Error! empty token"
} else {
    $token | Out-File $token_file
}

  2. Set up a scheduled task using the following settings:
  3. Create the following PowerShell script, and save it as akeyless_init_universal_identity.ps1 in the same folder as the other script:

# akeyless_init_universal_identity.ps1

param (
    # Akeyless access ID of the Universal Identity authentication method
    [Parameter(Mandatory = $true)]
    $AccessID,

    # Access key; prompted for as a secure string when not passed on the command line
    # (not marked Mandatory, because a mandatory parameter would be prompted in plain text and ignore this default)
    $AccessKey = (Read-Host -Prompt "Access Key" -AsSecureString),

    # switch accepted so the documented invocation (-Init) is valid
    [switch]$Init
)

$proxy_url       = ""  # URL of the Akeyless Universal Identity proxy
$sched_task_name = "akeyless_universal_identity_rotator"
$token_file      = "$HOME/.vault-token"

# enable TLS 1.2 (3072 = SecurityProtocolType.Tls12) for the request to the proxy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# Read-Host -AsSecureString returns a SecureString; the form body needs the plain value.
# NetworkCredential accepts either a SecureString or a plain string here.
$access_key_plain = [System.Net.NetworkCredential]::new("", $AccessKey).Password

$body = @{
    cmd          = 'configure'
    'access-id'  = $AccessID
    'access-key' = $access_key_plain
}

$token = (Invoke-RestMethod -Method Post -Uri $proxy_url -Body $body -ContentType 'application/x-www-form-urlencoded').token
Write-Host "Starter token received [$token]"

if([string]::IsNullOrEmpty($token)) {
    Write-Host "Error! empty token"
} else {
    $token | Out-File $token_file
    $script_name = "akeyless_universal_identity_token_rotator.ps1"
    $script_path = "$(Get-Item -Path ".\")\${script_name}"
    $task_to_run = "powershell -noninteractive -File ${script_path}"

    if (schtasks /query | Select-String $sched_task_name -Quiet) { # if the scheduled task already exists, delete it first
        schtasks /delete /tn $sched_task_name /f
    }
    # run the scheduled task every minute
    schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /it /mo 1
    #schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /ru "SYSTEM" /mo 1

    Write-Host "AKEYLESS Universal Identity successfully initiated"
}

  4. Open PowerShell as an administrator, and use the following command to run the script, where the value of AccessID is your Akeyless access ID:

./akeyless_init_universal_identity.ps1 -AccessID <your access ID> -Init
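The rotator above runs every minute under the user's own account, so the two things a practitioner will want to harden are how the rotated token is extracted from the proxy reply and how the .vault-token file is protected on disk. The following script is an added example written for this page, not Akeyless' own script: it replaces the curl call and positional Split()[6] parsing with Invoke-WebRequest and a regex anchored on the "ROTATED TOKEN: [...]" line (that reply format is assumed from the parsing in the original script), never prints the token, writes the new token to a temporary file, restricts that file's ACL to the current user before swapping it into place, and keeps the old token if rotation fails. The function names (Get-RotatedToken, Protect-TokenFile, Invoke-TokenRotation) and the -ProxyUrl / -TokenFile parameters are this example's own.

```powershell
# hardened_rotator_example.ps1 (added example; not part of the Akeyless documentation)
param (
    # Same endpoint as $proxy_url in the scripts above (assumed).
    [Parameter(Mandatory = $true)][string]$ProxyUrl,
    [string]$TokenFile = (Join-Path $HOME ".vault-token")
)

# Extract the rotated token from the proxy reply. The reply is assumed to contain a
# line of the form "ROTATED TOKEN: [<token>]", as the original script's parsing implies.
function Get-RotatedToken {
    param([Parameter(Mandatory = $true)][string]$Response)
    $m = [regex]::Match($Response, 'ROTATED TOKEN:\s*\[([^\]\s]+)\]')
    if (-not $m.Success) { return $null }
    return $m.Groups[1].Value
}

# Replace the file's ACL with a single ACE granting the current user full control,
# and stop inheriting the (usually broader) ACEs of the parent directory.
function Protect-TokenFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, do not copy inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)         # drop any explicit ACEs already present
    }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

# Rotate the token: POST the current token, parse the reply, and replace the token file
# atomically. Returns $true on success and $false (old token kept) on any failure.
function Invoke-TokenRotation {
    param([string]$ProxyUrl, [string]$TokenFile)
    $cur_token = (Get-Content -Path $TokenFile -Raw).Trim()
    try {
        $reply = Invoke-WebRequest -Method Post -Uri $ProxyUrl -UseBasicParsing `
            -Body @{ cmd = 'rotate-token'; token = $cur_token } `
            -ContentType 'application/x-www-form-urlencoded'
    } catch {
        Write-Error "Proxy request failed: $($_.Exception.Message); keeping the existing token"
        return $false
    }
    $new_token = Get-RotatedToken -Response $reply.Content
    if ([string]::IsNullOrEmpty($new_token)) {
        Write-Error "No rotated token in proxy reply; keeping the existing token"
        return $false
    }
    # Write to a sibling temp file first so a crash mid-write never leaves an empty token file,
    # lock its ACL down, then move it into place (a same-volume move keeps the explicit ACL).
    $tmp = "$TokenFile.new"
    [System.IO.File]::WriteAllText($tmp, $new_token)
    Protect-TokenFile -Path $tmp
    Move-Item -Path $tmp -Destination $TokenFile -Force
    Write-Host "Token rotated and $TokenFile updated"   # the token value itself is never logged
    return $true
}

# Self-check of the parser on a constructed reply (not a real proxy response).
if ((Get-RotatedToken -Response 'ROTATED TOKEN: [t-1234abcd]') -ne 't-1234abcd') {
    throw 'Get-RotatedToken self-check failed'
}
if ($null -ne (Get-RotatedToken -Response 'ERROR: token expired')) {
    throw 'Get-RotatedToken should return $null when no token is present'
}

if (-not (Invoke-TokenRotation -ProxyUrl $ProxyUrl -TokenFile $TokenFile)) { exit 1 }
```

Registered in place of the original rotator (schtasks /tr "powershell -noninteractive -File <path>\hardened_rotator_example.ps1 -ProxyUrl <proxy URL>"), a non-zero exit code shows up as the task's Last Run Result, which is the signal to alert on; because the old token is left untouched on failure, a transient proxy outage does not lock the machine out until the token actually expires.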