Universal Identity

The Akeyless Universal Identity authentication method enables you to identify your machines without the need for an initial secret. This authentication method solves the secret zero problem by providing an inherited identity derived from the parent system together with an ephemeral token for continuous authentication.

Create a Universal Identity Authentication Method from the CLI

Let's create a new Universal Identity authentication method using the Akeyless CLI. (You can also do this from the Akeyless Console.)

To create a new Universal Identity authentication method from the CLI, run the following command:

akeyless create-auth-method-universal-identity --name uidAuth --ttl 1000 --profile adminProfile

Where:

  • name: A unique name for the authentication method. The name can include the path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  • ttl: The root token time-to-live in minutes. The TTL is renewed with every rotation.

Parameters

You can find the complete list of parameters for this command in the CLI Reference - Authentication section.

Generate a token from the CLI

akeyless uid-generate-token --auth-method-name uidAuth --profile adminProfile

Using Universal Identity tokens from the CLI

akeyless list-items --uid-token u-XXXXXXXX
...
akeyless get-secret-value -n MyFirstSecret --uid-token u-XXXXXXXX
curl http://<api-gw-url>:8080 -d "cmd=get-secret-value&name=MyFirstSecret&uid-token=u-XXXXX"
curl http://<api-gw-url>:8080 -d "cmd=list-items&uid-token=u-XXXXX"

Create a child token from the CLI

Child tokens are optional. They are meant for users who want to organize tokens in a tree structure to control and monitor multiple services, each with its own token.

akeyless uid-create-child-token --uid-token u-XXXXXXXX

Child Token: u-XXXXXXXX2

Parameters

You can find the complete list of parameters for this command in the CLI Reference - Authentication section.

Revoke a token from the CLI

akeyless uid-revoke-token --uid-token u-XXXX --revoke-token u-XXXX --revoke-type revokeSelf

Parameters

You can find the complete list of parameters for this command in the CLI Reference - Authentication section.

Get the token tree from the CLI

akeyless uid-list-children --uid-token u-XXXXXXXX
Universal Identity Details:
{
  "number_of_tokens": 2,
  "max_depth": 1,
  "root": {
    "id": "ywzsub3u4tbu",
    "comment": "root token",
    "ttl": 1000,
    "last_rotate": "2020-10-13 13:36:47 UTC",
    "expired_date": "2020-10-14 06:16:47 UTC",
    "children": {
      "ywzsub3u4tbunVCo": {
        "depth": 1,
        "id": "ywzsub3u4tbunVCo",
        "ttl": 1000,
        "last_rotate": "2020-10-13 13:41:00 UTC",
        "expired_date": "2020-10-14 06:21:00 UTC"
      }
    }
  }
}

Rotate a token from the CLI

You can download the token rotation script from the Akeyless Downloads folder.

akeyless uid-rotate-token --uid-token u-XXXXXXXX
ROTATED TOKEN: [u-XXXXXXXX2]
curl http://localhost:8080 -d "cmd=uid-rotate-token&uid-token=u-XXXXX"

To read a token from a file or to write a token to a file:

echo u-XXXXXXXX > /tmp/token
akeyless uid-rotate-token -i /tmp/token -o /tmp/token

To rotate a token with backward compatibility:

akeyless rotate-token --token u-XXXXXXXX
curl http://localhost:8080 -d "cmd=rotate-token&token=u-XXXXX"
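An added example, not the Akeyless rotation script referred to above: a POSIX shell script that keeps a token file fresh by calling the uid-rotate-token command and parsing the ROTATED TOKEN output shown above, writing the new token atomically with owner-only permissions and keeping the old token if a rotation fails. The token file path, the half-TTL rotation interval and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the Akeyless-provided rotation script.
# Assumes the `akeyless` CLI is on PATH and prints "ROTATED TOKEN: [u-...]"
# on success, as shown on this page.

# Extract the new token from the CLI's "ROTATED TOKEN: [u-XXXX]" line.
parse_rotated_token() {
    printf '%s\n' "$1" | sed -n 's/^ROTATED TOKEN: \[\(u-[^]]*\)\].*$/\1/p'
}

# Rotate the token stored in file $1 once. On any failure the old token is
# left in place so the next attempt still has a valid credential to rotate.
rotate_token_file() {
    file=$1
    old=$(cat "$file") || return 1
    [ -n "$old" ] || { echo "empty token file: $file" >&2; return 1; }
    out=$(akeyless uid-rotate-token --uid-token "$old" 2>&1) \
        || { echo "rotate failed: $out" >&2; return 1; }
    new=$(parse_rotated_token "$out")
    [ -n "$new" ] || { echo "unexpected CLI output: $out" >&2; return 1; }
    # Write to a temp file with umask 077 and rename, so a half-written or
    # world-readable token file never exists on disk.
    tmp="$file.tmp.$$"
    ( umask 077 && printf '%s\n' "$new" > "$tmp" ) || return 1
    mv -f "$tmp" "$file"
}

# Seconds to wait between rotations: half the TTL (given in minutes, as the
# --ttl flag above) so one missed run still leaves a valid token.
rotate_interval_seconds() {
    echo $(( $1 * 60 / 2 ))
}

# Usage: ./uid-rotate.sh /tmp/token 1000   (token file, TTL in minutes)
if [ $# -ge 2 ]; then
    while :; do
        rotate_token_file "$1" || echo "rotation failed, will retry" >&2
        sleep "$(rotate_interval_seconds "$2")"
    done
fi
```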

Create a Universal Identity Authentication Method in the Akeyless Console

  1. Log in to the Akeyless Console and go to Auth Methods > New > Universal Identity.

  2. Define a Name for the authentication method, and specify the Location as a path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  3. Define the remaining parameters as follows:

    • Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.

    • Allowed Client IPs: Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc. This parameter is optional. Leave it empty for unrestricted access.

    • Allowed Trusted Gateway IPs: Enter a comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so they will be visible in the logs). If empty, the Gateway's IP will be used in the logs.

    • Deny Rotate: Select to forbid token rotation.

    • Deny Inheritance: Select to forbid creating child tokens.

    • TTL (minutes): Specify the token TTL in minutes.

  4. Click Save.

Generate a token in the Akeyless Console

To generate a token in the Akeyless Console:

  1. Open the corresponding authentication method.
  2. Scroll to the bottom of the page and click Generate Universal Identity.

Get the token tree in the Akeyless Console

To get the token tree in the Akeyless Console:

  1. Open the corresponding authentication method.
  2. Scroll to the bottom of the page and expand the UID tree section.

Create a child token in the Akeyless Console

To create a child token in the Akeyless Console:

  1. Open the corresponding authentication method.
  2. Scroll to the bottom of the page and expand the UID tree section.
  3. Right-click the root node and click Create child token.

Revoke a token in the Akeyless Console

To revoke a token in the Akeyless Console:

  1. Open the corresponding authentication method.
  2. Scroll to the bottom of the page and expand the UID tree section.
  3. Right-click the node and click Revoke token.


What's next?

Make sure to associate your new Authentication Method with an Access Role to grant the relevant permissions within Akeyless.