diff --git a/.github/markdownlint/fence-tabs.txt b/.github/markdownlint/fence-tabs.txt index e8cb94d90..387c84fc8 100644 --- a/.github/markdownlint/fence-tabs.txt +++ b/.github/markdownlint/fence-tabs.txt @@ -69,10 +69,12 @@ dnf DNS with AWS DNS with Azure DNS with GCP +DNS with Cloudflare Docker Docker Hub Target docker-compose.yml Dynamic +HTTP Dynamic Group Dynamic Mode Dynamic Secret @@ -160,7 +162,7 @@ MSSQL MSSQL RDS Multi region MyAES256SIVKey -MySQL/MariaDB +MySQL (and MariaDB) MySQLWordPress.yaml Native Kubernetes Oauth2.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 07b3ef73c..7e525a559 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -21,7 +21,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: cspell name: cspell (edited markdown files) @@ -30,7 +30,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: lychee name: lychee (edited markdown files) @@ -39,4 +39,4 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] diff --git a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md index 26ee9a5f1..048c622a2 100644 --- a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md +++ b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md 
@@ -95,7 +95,7 @@ For optional features that apply across Authentication Methods, see [Common Opti * **Bounded Role Names:** Enter one or more IAM role names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-name` for each value. * **Bounded Role IDs:** Enter one or more IAM role IDs that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-id` for each value. * **Bounded User names:** Enter one or more IAM user names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-user-name` for each value. -* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. +* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. For AWS China partitions, a regional endpoint is required; for example, `https://sts.cn-north-1.amazonaws.com.cn` for `cn-north-1`, or `https://sts.cn-northwest-1.amazonaws.cn` for `cn-northwest-1`. * **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated IAM principals. ## AWS Instance Metadata Service diff --git a/docs/Advanced Functionality/audit-logs/log-actions.md b/docs/Advanced Functionality/audit-logs/log-actions.md index f26679383..663c36900 100644 --- a/docs/Advanced Functionality/audit-logs/log-actions.md +++ b/docs/Advanced Functionality/audit-logs/log-actions.md 
@@ -165,3 +165,12 @@ This page includes a thorough comb through all of the different options for the * `update_object_version_settings_for_account`: Update account settings for objects * `impersonation`: Impersonate another user in your Akeyless account + +## KMIP Certificate Expiry Observability + +KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically: + +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` + +For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation. diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 68dc49743..98c826174 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md @@ -37,7 +37,7 @@ The following Events are currently supported: For `items-event-source-locations`: -* `certificate-pending-expiration`: When a certificate is about to expire, the users sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. +* `certificate-pending-expiration`: When a certificate is about to expire, the user sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. * `certificate-expired`: When a certificate is expired. 
@@ -53,15 +53,17 @@ For `items-event-source-locations`: * `rotated-secret-failure`: Upon **automatic** rotation failure, including the error details. +* `rotated-secret-partial-failure`: When an automatic rotation partially succeeds, some targets rotate successfully but at least one fails. + * `secret-sync`: Upon **automatic** sync failure, including the error details. * `dynamic-secret-failure`: On general failure of a [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). * `static-secret-updated`: When a [Static Secret](https://docs.akeyless.io/docs/static-secrets) is set to trigger events on value changes. -* `usage_unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval. +* `usage-unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval. -* `usage_unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval. +* `usage-unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval. * `request-access`: When a user requests access, either for privilege permission or for a Secure Remote Access session. **Note**: Relevant also for `targets-event-source-locations`. 
@@ -87,9 +89,20 @@ For `gateways-event-source-locations`: * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway. -* `gateway-certificate-about-to-expire`: When a Gateway certificate (Gateway Certificate Store) is about to expire. +* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire, it must be set on the Gateway. + +* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired, it must be set on the Gateway. + +### KMIP Certificate Expiry Coverage + +Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. These events are emitted by the Gateway. + +Use the following event types to monitor KMIP certificate lifecycle: + +* `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway. +* `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway. -* `gateway-certificate-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. +To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center#event-forwarders). ## Event Forwarders diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md index 03adac5c8..88e2dc66e 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md 
@@ -29,6 +29,12 @@ Before running migration workflows: * Validate network connectivity from Gateway to source systems and Akeyless services. * Prepare destination paths and required encryption settings. +## Security Guidance + +* Use least-privilege credentials for source access. +* Avoid broad admin permissions when migration-specific permissions are sufficient. +* Rotate temporary migration credentials after the migration window closes. + ## Configuration Scope Automatic migration configuration usually includes: 
@@ -36,8 +42,29 @@ Automatic migration configuration usually includes: * Source system connection parameters. * Authentication credentials or identity settings. * Migration mode and target path strategy. +* [HashiCorp Vault metadata preservation mode](#hashicorp-vault-metadata-preservation-mode) (`full`, `minimal`, or `none`) when configuring HashiCorp Vault migrations. * Conflict handling behavior for existing items. +## HashiCorp Vault Metadata Preservation Mode + +When migrating from HashiCorp Vault, Akeyless supports Key/Value (KV) v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. + +If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged. + +| Mode | What is migrated | +| --- | --- | +| `full` | The complete KV v2 metadata block, trimmed to only the secret versions being imported. | +| `minimal` | Only the [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata) field from the KV v2 metadata block. All other metadata fields are discarded. | +| `none` | No metadata. Only the secret values are migrated. | + +### When to choose each mode + +* Use `full` when you need to preserve as much Vault context as possible, for example, when keeping version history alignment or retaining all metadata fields for auditing. +* Use `minimal` when only your own custom key–value annotations (stored in [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata)) are needed in Akeyless and you want to reduce migration payload size. +* Use `none` when metadata is not relevant to your use case and you want the smallest possible migration footprint. + +Set the mode with the `--hashi-metadata-mode` flag on `gateway-create-migration` or `gateway-update-migration`. 
For full flag reference, see the [Automatic Migration CLI Reference](https://docs.akeyless.io/docs/cli-reference-automatic-migration). + ## Operational Guidance Use a phased rollout: @@ -47,12 +74,6 @@ Use a phased rollout: 3. Expand migration scope after successful validation. 4. Monitor Gateway logs during migration and remediation. -## Security Guidance - -* Use least-privilege credentials for source access. -* Avoid broad admin permissions when migration-specific permissions are sufficient. -* Rotate temporary migration credentials after the migration window closes. - ## CLI Reference For command-level usage and flags, use the Automatic Migration CLI reference: diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index a03fcc24c..415eefa2d 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md 
@@ -18,6 +18,19 @@ The [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) built-in Cryptographic objects managed by the Akeyless KMIP server are stored under the `/kmip/default/` path, hence your [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) authentication method must have sufficient privileges, including `create`, `list`, `delete` and `read` rules, under the `/kmip/default/*` path. This path can be changed during the KMIP server setup. +## KMIP Certificate Expiry Events + +KMIP server and KMIP client certificates are time-bound objects. To reduce renewal failures and service interruptions, monitor certificate expiration events in the [Event Center](https://docs.akeyless.io/docs/event-center). + +For KMIP certificate observability, use the following event types: + +* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on the certificate's configured expiration-notification window. Set that window when you create or update the certificate, then use [Event Forwarders](https://docs.akeyless.io/docs/event-center) to route the alert. +* `kmip-cert-expired`: Triggered when a certificate has expired. + +To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). + +For audit action taxonomy, see [Log Actions](https://docs.akeyless.io/docs/log-actions). + > ℹ️ **Note:** > > Only users from your Gateway admins list can configure the KMIP server. diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index 9efe7c3e7..51fd05e71 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md 
@@ -98,6 +98,88 @@ List the token children ids of Akeyless Universal Identity akeyless uid-list-children --auth-method-name ``` +## `uid-auto-rotate` + +Configure automatic UID token rotation + +### Usage + +```shell +akeyless uid-auto-rotate +``` + +The `init` subcommand initializes rotation and stores the token file. The `rotate`, `status`, and `uninstall` subcommands use the stored token file and the configured gateway URL. + +### `init` + +Initialize automatic UID token rotation. + +#### Usage + +```shell +akeyless uid-auto-rotate init \ +--rotation-interval <1|15|60|240|1440> \ +--uid-token +``` + +#### Flags + +`-t, --uid-token`: Optional. Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable. + +`--rotation-interval`: **Required** for `init`. Rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440`. + +`-i, --token-file-path`: Optional. Path to store the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + +`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value. + +`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task`. + +`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system`. + +### `rotate` + +Rotate the current UID token on demand. + +#### Usage + +```shell +akeyless uid-auto-rotate rotate +``` + +#### Flags + +`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + +`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value. 
+ +### `status` + +Check the current UID auto-rotate setup. + +#### Usage + +```shell +akeyless uid-auto-rotate status +``` + +#### Flags + +`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + +### `uninstall` + +Remove the UID auto-rotate setup and scheduled entry. + +#### Usage + +```shell +akeyless uid-auto-rotate uninstall +``` + +#### Flags + +`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + ## `uid-revoke-token` Revoke token using Akeyless Universal Identity diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index 2965a118c..5ac678ebc 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md @@ -26,6 +26,8 @@ Create a new Target `azure` +`cloudflare` + `db` `dockerhub` 
@@ -181,6 +183,33 @@ akeyless target create azure \ `--description`: Target description `--max-versions`: Set the maximum number of versions, limited by the account settings defaults +### `cloudflare` + +Creates a new Cloudflare target in the current account + +#### Usage + +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--api-token`: **Required**, Cloudflare API token + +`--account-id`: Optional. Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + ### `db` Creates a new DB target in the current account @@ -725,6 +754,7 @@ akeyless target create lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ @@ -742,7 +772,9 @@ akeyless target create lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS 
@@ -1427,6 +1459,39 @@ akeyless target update azure \ `--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings +#### `cloudflare` + +Updates an existing Cloudflare target in the current account + +##### Usage + +```shell +akeyless target update cloudflare \ +--name \ +--new-name \ +--api-token \ +--account-id \ +--key +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--new-name`: New target name + +`--api-token`: Cloudflare API token + +`--account-id`: Optional. Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + +`--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings + #### `db` Update an existing db target in the current account @@ -2007,6 +2072,7 @@ akeyless target update lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ 
@@ -2026,7 +2092,9 @@ akeyless target update lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md index 63b86e79e..58eb05260 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md 
@@ -52,6 +52,8 @@ akeyless gateway-create-migration \ `--hashi-json=[true]`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration) +`--hashi-metadata-mode[=full]`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details. + `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:AWSregion:AWSAccountId:Secret:/path/to/secrets/*` (relevant only for AWS migration) `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration) @@ -275,6 +277,8 @@ akeyless gateway-update-migration \ `--hashi-json='true'`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration) +`--hashi-metadata-mode[=full]`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details. + `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]` (relevant only for AWS migration) `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration) diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md b/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md index 24d59b577..f5e2d46ed 100644 --- a/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md 
+++ b/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md @@ -20,7 +20,7 @@ You can create Dynamic Secrets for a wide range of databases, including: * MongoDB -* MySQL/MariaDB +* MySQL (and MariaDB) * OracleDB @@ -44,7 +44,7 @@ When a client requests a dynamic secret value, the Akeyless Platform connects to To create a dynamic database secret with the CLI using an existing [Target](https://docs.akeyless.io/docs/targets), run the following command: -```shell MySQL/MariaDB +```shell MySQL (and MariaDB) akeyless dynamic-secret create mysql \ --name \ --target-name \ @@ -153,7 +153,7 @@ akeyless dynamic-secret create redis \ Or using an inline connection string: -```shell MySQL/MariaDB +```shell MySQL (and MariaDB) akeyless dynamic-secret create mysql \ --name \ --gateway-url 'https://:8000' \ diff --git a/docs/Secrets Management/manage-your-secrets-overview.md b/docs/Secrets Management/manage-your-secrets-overview.md index ab0c4e34f..730216373 100644 --- a/docs/Secrets Management/manage-your-secrets-overview.md +++ b/docs/Secrets Management/manage-your-secrets-overview.md 
@@ -10,18 +10,24 @@ metadata: next: description: '' --- -Akeyless enables you to work with the following secret types: +Akeyless supports several item types for storing, generating, protecting, and distributing sensitive data. -* **Static Secrets**: Key/value pairs that you create and update manually. The values usually remain the same for long periods. Typically, you use Static Secrets to protect passwords, API tokens, and personal identifiers (PII) or credit card numbers. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets). +## Secret Types -* **Dynamic Secrets**: Temporary credentials generated on-demand to provide a client with access to a resource for a limited period of time, with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). +Use these secret types to manage application and user credentials: -* **Rotated Secrets**: Passwords for privileged-user accounts that are periodically updated by resetting a password on a target machine. The Akeyless Platform stores the updated secret value to retrieve it when required. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets). +* **Static Secrets**: Key/value pairs that you create and update manually. Use them for values that change infrequently, such as passwords, API tokens, personal identifiers, or credit card numbers. Akeyless also provides dedicated [Password](https://docs.akeyless.io/docs/passwords) items for username, password, and website credentials. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets). -In addition, Akeyless enables you to work with: +* **Dynamic Secrets**: Temporary credentials generated on demand for a limited time and with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). 
-* **Targets**: Targets act as a connector between credentials and the items that need to use them, both saving time for the user and protecting your flows from credential breakage. For more detail, see [Targets](https://docs.akeyless.io/docs/targets). +* **Rotated Secrets**: Passwords for privileged accounts that Akeyless updates periodically by resetting the password on the target system. The platform stores the latest value so you can retrieve it when needed. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets). -* **Encryption Keys**: AES, RSA, or EC keys of various sizes. Use these keys to encrypt secrets or any other kind of data and also to sign binaries or application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview). +## Supporting Objects -* **Certificates**: Akeyless acts as a Certificate Authority for the internal environment. Supporting both types of [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates). +Akeyless also provides supporting objects that help you deliver secrets securely and consistently: + +* **Targets**: Targets connect credentials to the systems that consume them. This helps you reuse endpoint details across secrets and reduces the risk of credential drift. See [Targets](https://docs.akeyless.io/docs/targets). + +* **Encryption Keys**: AES, RSA, or EC keys that you can use to encrypt data or sign binaries and application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview). + +* **Certificates**: Akeyless can act as a certificate authority for internal environments, supporting both [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates). 
diff --git a/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md b/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md index f8d9fe1fa..c57c5b890 100644 --- a/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md +++ b/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md @@ -20,7 +20,7 @@ You can create a Rotated Secret for a database user. Currently, Akeyless Rotated * MongoDB -* MySQL/MariaDB +* MySQL (and MariaDB) * Oracle Database diff --git a/docs/Secrets Management/targets/_order.yaml b/docs/Secrets Management/targets/_order.yaml index f8078376b..ce71c1ece 100644 --- a/docs/Secrets Management/targets/_order.yaml +++ b/docs/Secrets Management/targets/_order.yaml @@ -2,6 +2,7 @@ - aws-targets - azure-targets - chef-infra-targets +- cloudflare-target - database-targets - digicert-target - docker-hub-target diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md new file mode 100644 index 000000000..a408355da --- /dev/null +++ b/docs/Secrets Management/targets/cloudflare-target.md 
@@ -0,0 +1,94 @@ +--- +title: Cloudflare Target +excerpt: '' +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +The Cloudflare Target stores Cloudflare credentials in Akeyless. It is used as a DNS provider in certificate automation flows that rely on ACME DNS-01 validation. + +Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public Certificate Authority (CA) targets. + +## How Cloudflare Fits in Akeyless + +Cloudflare is part of the certificate lifecycle path, not a standalone public CA in Akeyless. + +Use a Cloudflare target with the following target types: + +* [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt) +* [DigiCert Target](https://docs.akeyless.io/docs/digicert-target) +* [Google CA Target](https://docs.akeyless.io/docs/google-ca-target) + +In these flows: + +1. The public CA target handles ACME issuance. +2. The Cloudflare credentials target handles DNS TXT record updates for DNS-01 validation. +3. The PKI Issuer issues and stores certificates through Akeyless. + +## Create a Cloudflare Target with the CLI + +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` + +Where: + +* `name`: A unique name for the target. The name can include a path to a virtual folder by using slash `/` separators. If the folder does not exist, Akeyless creates it with the target. + +* `api-token`: Required. A Cloudflare API token with permission to create and delete DNS TXT records in the relevant zone. + +* `account-id`: Optional. The Cloudflare account ID associated with the token. + +* `key`: Optional. Use this when you want to encrypt target secret values with a specific protection key instead of the account default key. + +[View the complete list of parameters for this command.](https://docs.akeyless.io/docs/cli-ref-targets) + +## Create a Cloudflare Target in the Console + +1. 
Log in to the Akeyless Console, and go to **Targets** > **New** > **Cloudflare**. + +2. Define the **Name** of the target, and specify the **Location** as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +4. Define the following parameters: + +* **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records. + +* **Account ID**: Optional. The Cloudflare account ID associated with the token. + +1. Click **Finish**. + +## Use the Cloudflare Target in ACME Flows + +When using DNS-01 challenge with Cloudflare, configure the Public CA target with: + +* `--dns-target-creds`: The name of the Cloudflare target. +* `--dns-zone`: The Cloudflare DNS zone name used for DNS-01 records. + +For parameter-level details, see [CLI Reference - Akeyless Targets](https://docs.akeyless.io/docs/cli-ref-targets). + +## Related Akeyless Capabilities + +Cloudflare-connected certificate automation works together with: + +* [PKI Issuers and Certificate Issuance](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) +* [Certificate Storage](https://docs.akeyless.io/docs/certificate-storage) +* [Event Center](https://docs.akeyless.io/docs/event-center) for pending expiration and expired certificate events +* [Gateway](https://docs.akeyless.io/docs/gateway-overview) when required by target and forwarding architecture + +## Implementation Flow + +1. Create a Cloudflare target using either the CLI command above or the Console flow. +2. Create a public CA target (Let's Encrypt, DigiCert, or Google CA) with `--acme-challenge=dns`. +3. Set `--dns-target-creds` to the Cloudflare target name and set `--dns-zone`. +4. 
Create or update your PKI Issuer to use that public CA target. +5. Configure certificate expiration notifications in Event Center forwarders. diff --git a/docs/Secrets Management/targets/database-targets.md b/docs/Secrets Management/targets/database-targets.md index 51b54e209..0d46c8cc6 100644 --- a/docs/Secrets Management/targets/database-targets.md +++ b/docs/Secrets Management/targets/database-targets.md 
@@ -14,28 +14,28 @@ You can define a database target to be used with [Database Dynamic Secrets](http Available database targets: -* [MySQL/MariaDB](https://docs.akeyless.io/docs/database-targets#mysql) - -* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) - -* [MSSQL](https://docs.akeyless.io/docs/database-targets#mssql) - -* [Redshift](https://docs.akeyless.io/docs/database-targets#redshift) +* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) -* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) +* [Microsoft SQL Server (MSSQL)](https://docs.akeyless.io/docs/database-targets#microsoft-sql-server-mssql) * [MongoDB](https://docs.akeyless.io/docs/database-targets#mongodb) * [MongoDB Atlas](https://docs.akeyless.io/docs/database-targets#mongodb-atlas) -* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) +* [MySQL (and MariaDB)](https://docs.akeyless.io/docs/database-targets#mysql-and-mariadb) -* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) +* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) + +* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) -* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hanadb) +* [Amazon Redshift](https://docs.akeyless.io/docs/database-targets#amazon-redshift) * [Redis](https://docs.akeyless.io/docs/database-targets#redis) +* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) + +* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hana-database) + ## Create a Database Target with the CLI > ℹ️ **Note:** 
@@ -48,53 +48,58 @@ You can find the complete list of parameters for this command in the [CLI Refere To create database targets, you can define the following fields in the [Akeyless CLI](https://docs.akeyless.io/docs/cli): -```shell MySQL/MariaDB +```shell Cassandra akeyless target create db \ --name \ ---db-type mysql \ +--db-type cassandra \ --pwd \ --host \ --port \ ---user-name \ ---db-name \ ---ssl[=true] \ ---enable-mtls[=true] \ ---client-certificate \ ---client-private-key +--user-name ``` -```shell PostgreSQL +```shell MSSQL akeyless target create db \ --name \ ---db-type postgres \ +--db-type mssql \ +--user-name \ --pwd \ --host \ --port \ ---user-name \ ---db-name \ ---ssl[=true] \ ---enable-mtls[=true] \ ---client-certificate \ ---client-private-key +--db-name ``` -```shell MSSQL +```shell MongoDB akeyless target create db \ --name \ ---db-type mssql \ ---user-name \ +--db-type mongodb \ +--db-name \ --pwd \ --host \ --port \ ---db-name +--user-name ``` -```shell Redshift +```shell MongoDB Atlas akeyless target create db \ --name \ ---db-type redshift \ +--db-type mongodb \ +--mongodb-atlas true \ +--db-name \ +--mongodb-atlas-project-id \ +--mongodb-atlas-api-public-key \ +--mongodb-atlas-api-private-key +``` +```shell MySQL (and MariaDB) +akeyless target create db \ +--name \ +--db-type mysql \ --pwd \ --host \ --port \ --user-name \ ---db-name +--db-name \ +--ssl[=true] \ +--enable-mtls[=true] \ +--client-certificate \ +--client-private-key ``` ```shell Oracle akeyless target create db \ 
@@ -106,25 +111,36 @@ akeyless target create db \ --user-name \ --oracle-service-name ``` -```shell MongoDB +```shell PostgreSQL akeyless target create db \ --name \ ---db-type mongodb \ +--db-type postgres \ +--pwd \ +--host \ +--port \ +--user-name \ --db-name \ +--ssl[=true] \ +--enable-mtls[=true] \ +--client-certificate \ +--client-private-key +``` +```shell Redshift +akeyless target create db \ +--name \ +--db-type redshift \ --pwd \ --host \ --port \ ---user-name +--user-name \ +--db-name ``` -```shell MongoDB Atlas +```shell Redis akeyless target create db \ --name \ ---db-type mongodb \ ---mongodb-atlas true \ ---db-name \ ---mongodb-atlas-project-id \ ---mongodb-atlas-api-public-key \ ---mongodb-atlas-api-private-key +--db-type redis \ +--pwd \ +--user-name ``` ```shell Snowflake akeyless target create db \ @@ -137,15 +153,6 @@ akeyless target create db \ --db-name \ --snowflake-account ``` -```shell Cassandra -akeyless target create db \ ---name \ ---db-type cassandra \ ---pwd \ ---host \ ---port \ ---user-name -``` ```shell SAP HANA database akeyless target create db \ --name \ @@ -156,19 +163,12 @@ akeyless target create db \ --user-name \ --db-name ``` -```shell Redis -akeyless target create db \ ---name \ ---db-type redis \ ---pwd \ ---user-name -``` ## Create a Database Target in the Console -### MySQL +### Cassandra -Log in to the Akeyless Console, and go to **Targets > New > Database (MySQL)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (Cassandra)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. 
@@ -177,116 +177,127 @@ For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-kno **DB Username:** Privilege database user name with sufficient rights to create users. -**DB Password:** Password of the database privilege user name. - **DB Hostname:** Target database hostname or IP address. -**DB Port:** Target database port. - -**DB Name:** Target database name. - -**SSL:** Check to enable SSL. - -**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. - -**mTLS:** Enable mTLS to present a client certificate and key during authentication. - -**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. - -**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. +**DB Password:** Password of the database privilege user name. -**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. +**DB Port:** Target database port. -**DB Server Name:** The server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address +**SSL:** Check to enable SSL, requires SSL certificate. Click **Finish**. -### PostgreSQL +### Microsoft SQL Server (MSSQL) -Log in to the Akeyless Console, and go to **Targets > New > Database (PostgreSQL)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (MSSQL)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. 
For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -**DB Username:** Privilege database user name with sufficient rights to create users. +Choose the desired mode of authenticating either **Use Credentials**, **Use Cloud Identity**, or **Target** to use a domain credentials from an existing [LDAP Target](https://docs.akeyless.io/docs/ldap-target) -**DB Hostname:** Target database hostname or IP address. +**DB Username:** Privilege database username with sufficient rights to create users. +(Relevant only when using **Credentials** authenticating) -**DB Password:** Password of the database privilege user name. +**DB Password:** Password of the database privilege username. +(Relevant only when using **Credentials** authenticating) + +**DB Hostname:** Target database hostname or IP address. **DB Port:** Target database port. **DB Name:** Target database name. -**SSL:** Check to enable SSL. - -**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. - -**mTLS:** Enable mTLS to present a client certificate and key during authentication. +**Cluster Mode** Set when working with Cluster. -**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. +**Client ID (Application ID):** Azure Client ID. (Relevant only when using **Cloud Identity** authenticating) -**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. +**Tenant ID:** Azure Tenant ID. (Relevant only when using **Cloud Identity** authenticating) -**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. +**Client Secret:** Azure Client Secret. (Relevant only when using **Cloud Identity** authenticating) Click **Finish**. -### MSSQL +### MongoDB -Log in to the Akeyless Console, and go to **Targets > New > Database (MSSQL)**. 
+Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Choose the desired mode of authenticating either **Use Credentials**, **Use Cloud Identity**, or **Target** to use a domain credentials from an existing [LDAP Target](https://docs.akeyless.io/docs/ldap-target) +Select **MongoDB** radio button. -**DB Username:** Privilege database username with sufficient rights to create users. -(Relevant only when using **Credentials** authenticating) +**DB Name:** Target database name. -**DB Password:** Password of the database privilege username. -(Relevant only when using **Credentials** authenticating) +**Username:** Privilege database user name with sufficient rights to create users. -**DB Hostname:** Target database hostname or IP address. +**Password:** Password of the database privilege user name. -**DB Port:** Target database port. +**Host and Port:** Target database hostname or IP address with port. -**DB Name:** Target database name. +**Default Authentication DB:** MongoDB default authentication database. -**Cluster Mode** Set when working with Cluster. +**Options:** URI options (for example, `replicaSet=mySet&authSource=authDB`) -**Client ID (Application ID):** Azure Client ID. (Relevant only when using **Cloud Identity** authenticating) +Click **Finish**. -**Tenant ID:** Azure Tenant ID. (Relevant only when using **Cloud Identity** authenticating) +### MongoDB Atlas -**Client Secret:** Azure Client Secret. 
(Relevant only when using **Cloud Identity** authenticating) +Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. + +**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. +For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +Select **MongoDB Atlas** radio button. + +**DB Name:** Users DB name, the default should be `admin` + +**Project ID:** MongoDB Atlas project ID. + +**API public key:** MongoDB Atlas public key. + +**API private key:** MongoDB Atlas private key. Click **Finish**. -### Redshift +### MySQL (and MariaDB) -Log in to the Akeyless Console, and go to **Targets > New > Database (Redshift)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (MySQL)**. -**Name:** A unique name for the target. The name can include the path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. +**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). **DB Username:** Privilege database user name with sufficient rights to create users. -**DB Hostname:** Target database hostname or IP address. - **DB Password:** Password of the database privilege user name. +**DB Hostname:** Target database hostname or IP address. 
+ **DB Port:** Target database port. **DB Name:** Target database name. -**SSL:** Check to enable SSL, requires SSL certificate. +**SSL:** Check to enable SSL. + +**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. + +**mTLS:** Enable mTLS to present a client certificate and key during authentication. + +**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. + +**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. + +**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. + +**DB Server Name:** The server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address Click **Finish**. 
@@ -339,49 +350,80 @@ Click **Finish**. > > To use your Wallet with login type of Password ensure to add the relevant username to your wallet using the following format: `mkstore -wrl ~/mywallet2 -createCredential "(HOST=)(PORT=1521)(SERVICE_NAME=)" ` -### MongoDB +### PostgreSQL -Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (PostgreSQL)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Select **MongoDB** radio button. +**DB Username:** Privilege database user name with sufficient rights to create users. + +**DB Hostname:** Target database hostname or IP address. + +**DB Password:** Password of the database privilege user name. + +**DB Port:** Target database port. **DB Name:** Target database name. -**Username:** Privilege database user name with sufficient rights to create users. +**SSL:** Check to enable SSL. -**Password:** Password of the database privilege user name. +**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. -**Host and Port:** Target database hostname or IP address with port. +**mTLS:** Enable mTLS to present a client certificate and key during authentication. -**Default Authentication DB:** MongoDB default authentication database. +**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. -**Options:** URI options (for example, `replicaSet=mySet&authSource=authDB`) +**Client Private Key:** Client private key in Base64 format. 
Relevant only when **mTLS** is enabled. + +**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. Click **Finish**. -### MongoDB Atlas +### Amazon Redshift -Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (Redshift)**. + +**Name:** A unique name for the target. The name can include the path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. +For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +**DB Username:** Privilege database user name with sufficient rights to create users. + +**DB Hostname:** Target database hostname or IP address. + +**DB Password:** Password of the database privilege user name. + +**DB Port:** Target database port. + +**DB Name:** Target database name. + +**SSL:** Check to enable SSL, requires SSL certificate. + +Click **Finish**. + +### Redis + +Log in to the Akeyless Console, and go to **Targets > New > Database (Redis)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Select **MongoDB Atlas** radio button. +**DB Username:** Privilege database user name with sufficient rights to create users. -**DB Name:** Users DB name, the default should be `admin` +**DB Password:** Password of the database privilege user name. 
-**Project ID:** MongoDB Atlas project ID. +**DB Hostname:** Target database hostname or IP address. -**API public key:** MongoDB Atlas public key. +**DB Port:** Target database port. -**API private key:** MongoDB Atlas private key. +**SSL:** To enable SSL, requires an SSL certificate. Click **Finish**. @@ -415,27 +457,6 @@ Note: You can find this string in your Snowflake URL. Click **Finish**. -### Cassandra - -Log in to the Akeyless Console, and go to **Targets > New > Database (Cassandra)**. - -**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. - -Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. -For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). - -**DB Username:** Privilege database user name with sufficient rights to create users. - -**DB Hostname:** Target database hostname or IP address. - -**DB Password:** Password of the database privilege user name. - -**DB Port:** Target database port. - -**SSL:** Check to enable SSL, requires SSL certificate. - -Click **Finish**. - ### SAP HANA database Log in to the Akeyless Console, and go to **Targets > New > Database (SAP HanaDB)**. 
@@ -459,27 +480,6 @@ For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-kno Click **Finish**. -### Redis - -Log in to the Akeyless Console, and go to **Targets > New > Database (Redis)**. - -**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. - -Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. -For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). - -**DB Username:** Privilege database user name with sufficient rights to create users. - -**DB Password:** Password of the database privilege user name. - -**DB Hostname:** Target database hostname or IP address. - -**DB Port:** Target database port. - -**SSL:** To enable SSL, requires an SSL certificate. - -Click **Finish**. - ## Tutorial Check out our tutorial video on [Creating and Configuring MySQL Targets](https://tutorials.akeyless.io/docs/creating-targets). diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index afc8caf79..ebc367644 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -52,6 +52,17 @@ akeyless target create digicert \ --dns-target-creds \ --resource-group ``` +```shell DNS with Cloudflare +akeyless target create digicert \ +--name \ +--digicert-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: 
@@ -63,11 +74,13 @@ Where: * `eab-key-id`: External Account Binding Key ID from DigiCert Services. - `eab-hmac-key`: External Account Binding Key ID from DigiCert Services. +* `eab-hmac-key`: External Account Binding HMAC Key from DigiCert Services. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -90,13 +103,14 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Environment**: The ACME environment, **US Production** / **EU Production** / **US Demo** or **EU Demo** - * **Email**: Email address used to register the ACME account. +* **Environment**: The ACME environment, **US Production** / **EU Production** / **US Demo** or **EU Demo** - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **Email**: Email address used to register the ACME account. - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). @@ -104,6 +118,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index fa8dd6ad1..50e626d26 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md 
@@ -33,7 +33,7 @@ akeyless target create google-trust \ ```shell DNS with GCP akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ --eab-key-id \ --eab-hmac-key \ @@ -44,14 +44,25 @@ akeyless target create google-trust \ ```shell DNS with Azure akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ ---eab-key-id ---eab-hmac-key +--eab-key-id \ +--eab-hmac-key \ --acme-challenge dns \ --dns-target-creds \ --resource-group ``` +```shell DNS with Cloudflare +akeyless target create google-trust \ +--name \ +--google-trust-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: @@ -61,13 +72,15 @@ Where: * `eab-key-id`: External Account Binding Key ID from Google CA Services. -* `eab-hmac-key`: External Account Binding Key ID from Google CA Services. +* `eab-hmac-key`: External Account Binding HMAC Key from Google CA Services. -* `--google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. +* `google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -90,17 +103,18 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Email**: Email address used to register the ACME account. - * **URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). +* **Email**: Email address used to register the ACME account. + +* **URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). - * **EAB KID**: External Account Binding Key ID from Google CA Services. +* **EAB KID**: External Account Binding Key ID from Google CA Services. - * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. +* **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). 
@@ -108,6 +122,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index a3bca0d37..993000311 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md @@ -10,7 +10,7 @@ metadata: next: description: '' --- -A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately. +A target is a reusable endpoint credential item for a database, cloud platform, or server. Targets help admins keep endpoint details organized so you can reuse them across secrets instead of entering the same information for each item. ![Illustration for: A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately.](https://files.readme.io/7481a59-Creates_Targets.png) 
@@ -22,6 +22,75 @@ Using targets has three primary advantages: * Don't break the credential chain: Targets can also be used to sync encryption keys with an external KMS, or to define a Target to be used with our [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) to manage and automate your privilege account credentials rotation. This allows every item referencing the target to be up to date on the necessary information and to stay usable even after rotations are done. +## Target Types + +### Database + +* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) +* [Microsoft SQL Server (MSSQL)](https://docs.akeyless.io/docs/database-targets#microsoft-sql-server-mssql) +* [MongoDB](https://docs.akeyless.io/docs/database-targets#mongodb) +* [MySQL](https://docs.akeyless.io/docs/database-targets#mysql-and-mariadb) +* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) +* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) +* [Redis](https://docs.akeyless.io/docs/database-targets#redis) +* [Redshift](https://docs.akeyless.io/docs/database-targets#amazon-redshift) +* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hana-database) +* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) + +### Cloud + +* [AWS](https://docs.akeyless.io/docs/aws-targets) +* [Azure AD](https://docs.akeyless.io/docs/azure-targets) +* [Cloudflare](https://docs.akeyless.io/docs/cloudflare-target) +* [GCP](https://docs.akeyless.io/docs/gcp-targets) +* [Salesforce](https://docs.akeyless.io/docs/salesforce-target) + +### AI + +* [Gemini](https://docs.akeyless.io/docs/gemini-target) +* [OpenAI](https://docs.akeyless.io/docs/openai-target) + +### Kubernetes + +* [EKS](https://docs.akeyless.io/docs/kubernetes-targets) +* [GKE](https://docs.akeyless.io/docs/kubernetes-targets) +* [Generic](https://docs.akeyless.io/docs/kubernetes-targets) + +### Operating System + +* 
[SSH](https://docs.akeyless.io/docs/ssh-target) +* [Windows](https://docs.akeyless.io/docs/windows-target) + +### Certificate Automation + +* [DigiCert](https://docs.akeyless.io/docs/digicert-target) +* [GlobalSign](https://docs.akeyless.io/docs/globalsign-target) +* [GlobalSign Atlas](https://docs.akeyless.io/docs/globalsign-atlas) +* [GoDaddy](https://docs.akeyless.io/docs/godaddy-target) +* [Google CA](https://docs.akeyless.io/docs/google-ca-target) +* [Let's Encrypt](https://docs.akeyless.io/docs/lets-encrypt) +* [Sectigo](https://docs.akeyless.io/docs/sectigo-target) +* [Venafi](https://docs.akeyless.io/docs/venafi-target) +* [ZeroSSL](https://docs.akeyless.io/docs/zerossl-target) + +### Infrastructure + +* [Artifactory](https://docs.akeyless.io/docs/artifactory-targets) +* [Chef Infra](https://docs.akeyless.io/docs/chef-infra-targets) +* [Docker Hub](https://docs.akeyless.io/docs/docker-hub-target) +* [GitHub](https://docs.akeyless.io/docs/github-target) +* [GitLab](https://docs.akeyless.io/docs/gitlab-target) +* [Splunk](https://docs.akeyless.io/docs/splunk-target) + +### Other + +* [Custom](https://docs.akeyless.io/docs/web-targets) +* [HashiCorp Vault](https://docs.akeyless.io/docs/hashicorp-vault-target) +* [LDAP](https://docs.akeyless.io/docs/ldap-target) +* [Linked](https://docs.akeyless.io/docs/linked-target) +* [Ping](https://docs.akeyless.io/docs/ping-target) +* [RabbitMQ](https://docs.akeyless.io/docs/rabbitmq-targets) + ## Delete protection for targets Targets support delete protection to reduce accidental deletion risk. diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index e9d7db1b5..73a9d9072 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md 
@@ -55,7 +55,15 @@ akeyless target create lets-encrypt \ --dns-target-creds \ --resource-group ``` -```shell +```shell DNS with Cloudflare +akeyless target create lets-encrypt \ +--name \ +--email \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` +```shell HTTP akeyless target create lets-encrypt \ --name \ --email \ @@ -72,7 +80,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -95,24 +105,28 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Server URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). - * **Email**: Email address used to register the ACME account. +* **Server URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). + +* **Email**: Email address used to register the ACME account. + +* **Challenge Type**: Either **HTTP** or **DNS**. + +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Challenge Type**: Either **HTTP** or **DNS**. +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **Resource Group**: Azure resource group name. 
(Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). -5. Click Finish. +1. Click Finish. ## DNS Provider Permissions for DNS-01 diff --git a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md index 9040c5b82..b43915765 100644 --- a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md +++ b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md @@ -243,6 +243,10 @@ The main parameters are: * `--object-type[=secret]`: Either `secret` or `certificate`, when set to `certificate` - Provide a Base64-encoded certificate file that includes the private key. +* `--remote-secret-expires`: Optional. Expiration time for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `Expires` attribute on the secret version. + +* `--remote-secret-activation-date`: Optional. Activation date for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `NotBefore` attribute on the secret version. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). ### Updating an Existing USC Secret 
@@ -253,6 +257,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time and `--remote-secret-activation-date` to set or update the activation date (Azure Key Vault `NotBefore`), both in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret diff --git a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md index 2e481ad53..d660c8d14 100644 --- a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md +++ b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md @@ -117,6 +117,8 @@ The main parameters are: * `value`: The value of the secret you would like to create, plaintext, or Base64-encoded. +* `--remote-secret-expires`: Optional. Expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Once this time passes, GCP automatically disables access to the secret. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). For GCP USC, you can create a regional secret by adding `--region `. If omitted, the secret is created as global. 
@@ -129,6 +131,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret
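Review bot: in the new `### Kubernetes` list of `docs/Secrets Management/targets` (hunk `@@ -22,6 +22,75 @@`), EKS, GKE and Generic all link to the same page, `https://docs.akeyless.io/docs/kubernetes-targets`, with no fragment, whereas the Database list links each type to its own `#` anchor on `database-targets`. Either add per-type anchors (as done for `#mysql-and-mariadb`, `#amazon-redshift`, etc.) or collapse the three into one `Kubernetes` entry so the list does not carry three identical links. The `Custom` entry pointing at `web-targets` deserves the same check: the link text should make the destination recognisable.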
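Review bot: in the `lets-encrypt.md` hunk `@@ -72,7 +80,9 @@`, the new `dns-zone` bullet says when the flag applies but not what value it takes or whether it is required, unlike the neighbouring `hosted-zone` bullet, which says it identifies the Route 53 hosted zone. The Console section of the same patch describes the field as "Cloudflare DNS zone name", and the new `DNS with Cloudflare` CLI block passes `--dns-zone` unconditionally, so suggest: `* `dns-zone`: Required when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. The Cloudflare DNS zone name.`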
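Review bot: in the `lets-encrypt.md` hunk `@@ -95,24 +105,28 @@`, de-indenting the parameter bullets out of step 4 (the removed `   * **Server URL**` form becomes `* **Server URL**` at column 0) ends the ordered list, so the final `1. Click Finish.` will render as a new list starting at 1 rather than as step 5; CommonMark does not continue ordered numbering across an intervening top-level unordered list. Either keep the bullets indented under step 4 or keep the explicit `5. Click Finish.`. Minor: the new `DNS Zone` bullet uses `Relevant only when ...` while the surrounding bullets use `(Relevant only if ...)`; pick one form.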
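Review bot: in the `azure-universal-secrets-connector.md` hunk `@@ -243,6 +243,10 @@`, the constraint "The activation date must be earlier than or equal to the expiration date" does not say who enforces it. State whether `akeyless usc create` rejects an invalid pair before sending, or whether the request fails at Azure Key Vault, since that decides which error the user sees. It would also help to say explicitly that omitting both flags leaves `Expires` and `NotBefore` unset on the new secret version, if that is the behaviour.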
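Review bot: in the `azure-universal-secrets-connector.md` hunk `@@ -253,6 +257,8 @@`, the sentence says the flags "set or update" the dates but not how to clear an expiration or activation date set on an earlier version; if clearing is not supported, say so. Because the create section states these attributes live on the secret version, also note whether `akeyless usc update` writes a new version or modifies the current one, as that changes whether older versions keep their dates.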
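Review bot: in the `gcp-universal-secrets-connector.md` hunk `@@ -117,6 +117,8 @@`, "Once this time passes, GCP automatically disables access to the secret" understates the effect: Secret Manager's expiration deletes the secret when the expire time is reached, which is destructive and not reversible, not a disable that can be undone. Please verify against the current Secret Manager documentation and reword along the lines of "Once this time passes, GCP Secret Manager automatically deletes the secret (and all its versions); this cannot be undone." The Azure bullets in the same patch correctly describe `Expires` as an attribute, so the two providers should not be described as behaving the same way.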