
Universal Identity

The Akeyless Universal Identity authentication method enables you to identify your machines without the need for an initial secret. This authentication method solves the secret zero problem by providing an inherited identity derived from the parent system together with an ephemeral token for continuous authentication.

Generate a Token

  1. Create a new Universal Identity authentication method:
akeyless create-auth-method-universal-identity --name uidAuth --ttl 1000 --profile adminProfile

where:

--access-expires[=0] - The access expiration date as a Unix timestamp. Use 0 for access without an expiry date.
--bound-ips - A CIDR whitelist of the IP addresses to which access is restricted.
--deny-rotate - Denies the root token the ability to rotate.
--deny-inheritance - Denies the root token the ability to create child tokens.
--ttl - The root token time to live, in minutes. The TTL is renewed with every rotation.

📘

To create a new Universal Identity authentication method from the Akeyless Console, select Auth Methods, then select New > Universal Identity, and enter the required information.

  2. Generate a token for the authentication method:
akeyless uid-generate-token --auth-method-name uidAuth --profile adminProfile
Token: u-XXXXXXXX

📘

To generate a token from the Akeyless Console, select the authentication method, then select Generate Universal Identity.

Use a Token

akeyless list-items --uid-token u-XXXXXXXX
...
akeyless get-secret-value -n MyFirstSecret --uid-token u-XXXXXXXX
curl http://<api-gw-url>:8080 -d "cmd=get-secret-value&name=MyFirstSecret&uid-token=u-XXXXX"
curl http://<api-gw-url>:8080 -d "cmd=list-items&uid-token=u-XXXXX"

Create a Child Token

akeyless uid-create-child-token --uid-token u-XXXXXXXX
Child Token: u-XXXXXXXX2

You can pass the following flags to uid-create-child-token:

--comment
--child-ttl - if not provided, the child token inherits the global TTL
--child-deny-rotate - if true, this token will not be able to rotate
--child-deny-inheritance - if true, this token will not be able to create child tokens of its own

📘

Akeyless Console

To create a child token from the Akeyless Console, in the UID tree right-click the node and select Create child token.

Revoke a Token

akeyless uid-revoke-token --uid-token u-XXXX --revoke-token u-XXXX --revoke-type revokeSelf

--uid-token - the token used to authenticate
--revoke-token - the token to revoke (may be the same as uid-token)
--revoke-type - one of:
  1. revokeSelf - delete only this token
  2. revokeAll - delete this token and its children

📘

Akeyless Console

To revoke a token from the Akeyless Console, in the UID tree right-click the node and select Revoke token.

Get the Token Tree

akeyless uid-list-children --uid-token u-XXXXXXXX
Universal Identity Details:
 {
  "number_of_tokens": 2,
  "max_depth": 1,
  "root": {
    "id": "ywzsub3u4tbu",
    "comment": "root token",
    "ttl": 1000,
    "last_rotate": "2020-10-13 13:36:47 UTC",
    "expired_date": "2020-10-14 06:16:47 UTC",
    "children": {
      "ywzsub3u4tbunVCo": {
        "depth": 1,
        "id": "ywzsub3u4tbunVCo",
        "ttl": 1000,
        "last_rotate": "2020-10-13 13:41:00 UTC",
        "expired_date": "2020-10-14 06:21:00 UTC"
      }
    }
  }
}

📘

Akeyless Console

To get the token tree in the Akeyless Console, open the UID tree.
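
The following is an added example, not Akeyless code: it audits the uid-list-children output shown above by walking the tree, checking that each expired_date equals last_rotate plus ttl minutes, and flagging tokens that are expired or close to expiry. The function names, the renew_fraction threshold and the condensed copy of the sample output are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# The uid-list-children output from this page, condensed onto fewer lines.
SAMPLE = """Universal Identity Details:
 {"number_of_tokens": 2, "max_depth": 1, "root": {
  "id": "ywzsub3u4tbu", "comment": "root token", "ttl": 1000,
  "last_rotate": "2020-10-13 13:36:47 UTC", "expired_date": "2020-10-14 06:16:47 UTC",
  "children": {"ywzsub3u4tbunVCo": {"depth": 1, "id": "ywzsub3u4tbunVCo", "ttl": 1000,
   "last_rotate": "2020-10-13 13:41:00 UTC", "expired_date": "2020-10-14 06:21:00 UTC"}}}}"""

TS = "%Y-%m-%d %H:%M:%S UTC"


def parse_time(text):
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)


def walk(node, depth=0):
    """Yield (depth, token) for the root and every descendant."""
    yield depth, node
    for child in node.get("children", {}).values():
        yield from walk(child, depth + 1)


def audit(cli_output, now, renew_fraction=0.5):
    """Audit a token tree; renew_fraction is an assumed policy, not an Akeyless setting."""
    # Skip the "Universal Identity Details:" banner that precedes the JSON body.
    tree = json.loads(cli_output[cli_output.index("{"):])
    findings = []
    for depth, tok in walk(tree["root"]):
        ttl = timedelta(minutes=tok["ttl"])
        expires = parse_time(tok["expired_date"])
        if now >= expires:
            status = "expired"
        elif expires - now <= ttl * renew_fraction:
            status = "rotate-soon"
        else:
            status = "ok"
        findings.append({
            "id": tok["id"], "depth": depth, "status": status,
            # On the page's data, expiry is exactly last_rotate + ttl minutes.
            "ttl_consistent": parse_time(tok["last_rotate"]) + ttl == expires,
        })
    counts_ok = (len(findings) == tree["number_of_tokens"]
                 and max(f["depth"] for f in findings) == tree["max_depth"])
    return {"findings": findings, "counts_ok": counts_ok}


if __name__ == "__main__":
    report = audit(SAMPLE, datetime(2020, 10, 14, 0, 0, tzinfo=timezone.utc))
    print(json.dumps(report, indent=2))
```

A token reported as rotate-soon is a candidate for uid-rotate-token before its expired_date passes.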

Rotate a Token

You can download the rotate script from here.

akeyless uid-rotate-token --uid-token u-XXXXXXXX
ROTATED TOKEN: [u-XXXXXXXX2]
curl http://localhost:8080 -d "cmd=uid-rotate-token&uid-token=u-XXXXX"

To read the token from a file and write the rotated token back to a file:

echo u-XXXXXXXX > /tmp/token
akeyless uid-rotate-token -i /tmp/token -o /tmp/token

To rotate a token with backward compatibility:

akeyless rotate-token --token u-XXXXX
curl http://localhost:8080 -d "cmd=rotate-token&token=u-XXXXX"

Updated 5 months ago
