Setting Up Universal Identity for Windows Machines
To use Universal Identity tokens for a Windows machine, you need to set up the machine to accept and renew tokens.
- On the Windows machine, create the following PowerShell script. It stores the token under the home directory of the user for which the token is used (`$HOME`, for example C:\Users\Administrator); change `$base_dir` if a different directory is required. Save the script as akeyless_universal_identity_token_rotator.ps1.
```powershell
# akeyless_universal_identity_token_rotator.ps1
$base_dir = "$HOME" # replace with the home directory of the user if it differs from $HOME
$proxy_url = "https://rest.akeyless.io/"
$token_file = "$base_dir/.vault-token"
$cur_token = Get-Content -Path $token_file
if (Test-Path alias:curl) {
    Remove-Item alias:curl # PowerShell aliases curl to Invoke-WebRequest; curl.exe is wanted here
}
# ask the REST proxy to rotate the current token
$curl_output = (curl -s -d "cmd=rotate-token&token=$cur_token" $proxy_url)
$res = $curl_output | Select-String 'ROTATED TOKEN:' | Out-String
# the new token is the 7th whitespace-separated field of the matching line, wrapped in [ ]
$token = $null
if ($res) {
    $token = ($res.Split(" "))[6].Trim().Trim("[", " ").Replace("]`"","")
}
Write-Host "NEW TOKEN: [$token]"
if([string]::IsNullOrEmpty($token)) {
    Write-Host "Error! empty token"
} else {
    $token | Out-File $token_file # overwrite the stored token with the rotated one
}
```
- Set up a running task using the following settings:

- Create the following PowerShell script, and save it as akeyless_init_universal_identity.ps1 in the same folder as the other script:
```powershell
# akeyless_init_universal_identity.ps1
Param(
    # Access ID of the Universal Identity auth method
    [Parameter(Mandatory = $true)]
    [string]
    $AccessID,
    # Access key, read as a SecureString so it never appears on the command line
    [Parameter(Mandatory = $true)]
    [securestring]
    $AccessKey = (Read-Host -Prompt "Access Key" -AsSecureString)
)
$proxy_url = "https://rest.akeyless.io/"
$sched_task_name = "akeyless_universal_identity_rotator"
$token_file = "$HOME/.vault-token"
# 3072 = Tls12: make sure the request to the REST proxy can negotiate TLS 1.2
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
$body = @{
    cmd = 'configure'
    'access-id' = $AccessID
    # the API expects the plain access key; a SecureString object would be sent as the literal text "System.Security.SecureString"
    'access-key' = [System.Net.NetworkCredential]::new('', $AccessKey).Password
}
$token = (Invoke-RestMethod -Method Post -Uri $proxy_url -Body $body -ContentType 'application/x-www-form-urlencoded').token
$body.Clear() # drop the plaintext access key as soon as the request is done
Write-Host "Starter token received [$token]"
if([string]::IsNullOrEmpty($token)) {
    Write-Host "Error! empty token"
} else {
    $token | Out-File $token_file
    $script_name = "akeyless_universal_identity_token_rotator.ps1"
    # the rotator script is saved in the same folder as this script
    $script_path = Join-Path -Path $PSScriptRoot -ChildPath $script_name
    $task_to_run = "powershell -noninteractive -File ${script_path}"
    if (schtasks /query | Select-String $sched_task_name -Quiet) # if the scheduled task already exists, delete it first
    {
        schtasks /delete /tn $sched_task_name /f
    }
    # run the rotator every minute as the current (interactive) user
    schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /it /mo 1
    # alternative: run the task as SYSTEM instead of the current user
    #schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /ru "SYSTEM" /mo 1
    Write-Host "AKEYLESS Universal Identity successfully initiated"
}
```
- Open PowerShell as an administrator, change to the folder containing the two scripts, and run the following command, where the value of AccessID is your Akeyless access ID. The script then prompts for the access key.
```powershell
./akeyless_init_universal_identity.ps1 -AccessID <your access ID>
```
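The `.vault-token` file now holds a live credential that the rotator keeps fresh, so it should be readable only by the account that uses it. The following is an added example, not part of the Akeyless scripts above: it restricts the token file's ACL to the owning user and SYSTEM (so either task identity can read it) and checks that the rotator task is registered. It assumes the same token path and task name the scripts use; the `Protect-TokenFile` and `Test-RotatorTask` functions are the addition.

```powershell
# Added example (not from the Akeyless docs): lock down the token file and
# confirm the rotator task exists. Path and task name match the scripts above.
$token_file      = "$HOME/.vault-token"
$sched_task_name = "akeyless_universal_identity_rotator"

function Protect-TokenFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Token file not found: $Path" }
    $acl = Get-Acl -Path $Path
    # Stop inheriting ACEs from the home directory (they often grant other
    # administrators read access) and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    $owner  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $system = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18') # NT AUTHORITY\SYSTEM
    foreach ($sid in @($owner, $system)) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting ACEs so the caller can review them
    return (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Test-RotatorTask {
    param([Parameter(Mandatory = $true)][string]$TaskName)
    # schtasks exits non-zero when no task with this name is registered
    $null = schtasks /query /tn $TaskName 2>&1
    return ($LASTEXITCODE -eq 0)
}

Protect-TokenFile -Path $token_file | Format-Table -AutoSize
if (-not (Test-RotatorTask -TaskName $sched_task_name)) {
    Write-Warning "Task '$sched_task_name' is not registered; the stored token will stop being rotated."
}
```

Run it in the same user context that executes the rotator task; if you chose the SYSTEM variant of the `schtasks` command, the SYSTEM entry added here is what lets that task read the file.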