From 3926108099f9a359a435c913540aa167270ace66 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 09:44:50 -0600 Subject: [PATCH 01/24] DOCS-691: document 4.51.0 and 1.144.0 release updates --- .../cli-reference-universal-identity.md | 20 +++++++++++++ .../cli-reference/cli-ref-targets.md | 10 +++++-- .../cli-reference-rotated-secrets.md | 12 ++++++++ .../targets/digicert-target.md | 21 ++++++++++++-- .../targets/google-ca-target.md | 21 ++++++++++++-- .../targets/lets-encrypt.md | 28 +++++++++++++------ 6 files changed, 96 insertions(+), 16 deletions(-) diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index 9efe7c3e7..207541490 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md @@ -98,6 +98,26 @@ List the token children ids of Akeyless Universal Identity akeyless uid-list-children --auth-method-name ``` +## `uid-auto-rotate` + +Configure automatic UID token rotation + +### Usage + +```shell +akeyless uid-auto-rotate \ +--auth-method-name \ +--uid-token +``` + +### Flags + +`-n, --auth-method-name`: Universal Identity auth method name + +`-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable + +`--install-cron-d`: Install or update a `cron.d` entry for automatic rotation (Linux) + ## `uid-revoke-token` Revoke token using Akeyless Universal Identity diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index 2965a118c..6e4ad29c4 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md 
@@ -725,6 +725,7 @@ akeyless target create lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ @@ -742,7 +743,9 @@ akeyless target create lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS @@ -2007,6 +2010,7 @@ akeyless target update lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ @@ -2026,7 +2030,9 @@ akeyless target update lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS 
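Review bot: The two new `--dns-zone` entries (create hunk @@ -742 and update hunk @@ -2026) write the condition as `--acme-challenge`=`dns` with three separate code spans, while the `--dns-target-creds` line directly above them uses the single span `--acme-challenge=dns`; pick one form for both new lines so a reader copying the flag gets one token. The entry also does not say whether `--dns-zone` is mandatory when the DNS credentials target is Cloudflare; if the DNS challenge cannot run without it, say so with `**Required** when the DNS credentials target is Cloudflare`, as the page already does for `--email`. Neither hunk shows the rest of the flag list, so the same wording should be checked on any other Cloudflare-specific flag outside the hunk.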
diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md index c69e99ccf..50ef9ab48 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md @@ -166,6 +166,10 @@ akeyless rotated-secret create azure \ `--resource-name`: The name of the Storage Account (only relevant when `explicitly-set-sa`=`true`) +`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + `--secure-access-disable-concurrent-connections[=false]`: Enable this flag to prevent simultaneous use of the same secret `-u, --gateway-url[=http://localhost:8000]`: API Gateway URL (Configuration Management port) @@ -384,6 +388,8 @@ akeyless rotated-secret create gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation 
@@ -1320,6 +1326,10 @@ akeyless rotated-secret update azure \ `--storage-account-key-name`: The name of the Storage Account key to rotate [`key1`/`key2`/`kerb1`/`kerb2`] (relevant to `azure-storage-account`) +`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation @@ -1544,6 +1554,8 @@ akeyless rotated-secret update gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index afc8caf79..ff7b3f7df 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -52,6 +52,17 @@ akeyless target create digicert \ --dns-target-creds \ --resource-group ``` +```shell +akeyless target create digicert \ +--name \ +--digicert-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: 
@@ -67,7 +78,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. @@ -94,9 +107,9 @@ Where: * **Email**: Email address used to register the ACME account. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). @@ -104,6 +117,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. 
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index fa8dd6ad1..6a8653653 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md @@ -52,6 +52,17 @@ akeyless target create google-trust \ --dns-target-creds \ --resource-group ``` +```shell +akeyless target create google-trust \ +--name \ +--google-trust-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: @@ -67,7 +78,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -98,9 +111,9 @@ Where: * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). @@ -108,6 +121,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index e9d7db1b5..498c3857d 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md @@ -59,6 +59,14 @@ akeyless target create lets-encrypt \ akeyless target create lets-encrypt \ --name \ --email \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` +```shell +akeyless target create lets-encrypt \ +--name \ +--email \ --acme-challenge http ``` 
@@ -72,7 +80,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -101,18 +111,20 @@ Where: * **Challenge Type**: Either **HTTP** or **DNS**. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). -5. Click Finish. +1. Click Finish. ## DNS Provider Permissions for DNS-01 From d41f8c1452ba7a64a3fcffbfce036156e89ebd03 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 09:51:08 -0600 Subject: [PATCH 02/24] docs: update fenced code block labels for Cloudflare DNS and HTTP --- .github/markdownlint/fence-tabs.txt | 2 ++ docs/Secrets Management/targets/digicert-target.md | 2 +- docs/Secrets Management/targets/lets-encrypt.md | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/markdownlint/fence-tabs.txt b/.github/markdownlint/fence-tabs.txt index 97974d684..96974cb86 100644 --- a/.github/markdownlint/fence-tabs.txt +++ b/.github/markdownlint/fence-tabs.txt @@ -67,10 +67,12 @@ dnf DNS with AWS DNS with Azure DNS with GCP +DNS with Cloudflare Docker Docker Hub Target docker-compose.yml Dynamic +HTTP Dynamic Group Dynamic Mode Dynamic Secret diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index ff7b3f7df..c23d40462 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -52,7 +52,7 @@ akeyless target create digicert \ --dns-target-creds \ --resource-group ``` -```shell +```shell DNS with Cloudflare akeyless target create digicert \ --name \ --digicert-url \ diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index 498c3857d..09262f988 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md @@ -55,7 +55,7 @@ akeyless target create lets-encrypt \ --dns-target-creds \ --resource-group ``` -```shell +```shell DNS with Cloudflare akeyless target create lets-encrypt \ --name \ --email \ @@ -63,7 +63,7 @@ akeyless target create lets-encrypt \ --dns-target-creds \ --dns-zone ``` -```shell +```shell HTTP akeyless target create lets-encrypt \ --name \ --email \ From f91b668514fd2772b1b40c4fe450e82e5506a043 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:14:09 -0600 Subject: [PATCH 03/24] docs: enhance KMIP certificate expiry documentation and add Cloudflare target details --- .../audit-logs/log-actions.md | 9 +++ .../event-center/index.md | 13 ++++- docs/Encryption & KMS/kmip-server/index.md | 13 +++++ docs/Secrets Management/targets/_order.yaml | 1 + .../targets/cloudflare-target.md | 57 +++++++++++++++++++ 5 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 docs/Secrets Management/targets/cloudflare-target.md diff --git a/docs/Advanced Functionality/audit-logs/log-actions.md b/docs/Advanced Functionality/audit-logs/log-actions.md index f26679383..316017589 100644 --- a/docs/Advanced Functionality/audit-logs/log-actions.md +++ b/docs/Advanced Functionality/audit-logs/log-actions.md @@ -165,3 +165,12 @@ This page includes a thorough comb through all of the different options for the * `update_object_version_settings_for_account`: Update account settings for objects * `impersonation`: Impersonate another user in your Akeyless account + +## KMIP Certificate Expiry Observability + +KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically: + +* `certificate-pending-expiration` +* `certificate-expired` + +For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation. diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 68dc49743..08d1dfd9f 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
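Review bot: The new "KMIP Certificate Expiry Observability" section on the audit-log actions page lists Event Center event types but never says whether certificate expiry is itself recorded as an audit-log action, which is the question a reader of this page arrives with. If expiry is surfaced only through the Event Center, say so in one sentence, e.g. `Certificate expiry is not recorded as an audit-log action; it is surfaced only as an Event Center event.` The pointer to `list_kmip_servers` presumes that entry exists earlier on this page, which the hunk does not show; confirm the name before publishing.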
@@ -37,7 +37,7 @@ The following Events are currently supported: For `items-event-source-locations`: -* `certificate-pending-expiration`: When a certificate is about to expire, the users sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. +* `certificate-pending-expiration`: When a certificate is about to expire, the user sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. * `certificate-expired`: When a certificate is expired. @@ -67,6 +67,17 @@ For `items-event-source-locations`: * `apply-justification`: When the user provides a connection justification as part of the Secure Remote Access session. +### KMIP Certificate Expiry Coverage + +Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. + +Use the following event types to monitor KMIP certificate lifecycle: + +* `certificate-pending-expiration` +* `certificate-expired` + +To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). + For `auth-methods-event-source-locations`: * `uid-rotation-failure`: On [Universal Identity](https://docs.akeyless.io/docs/auth-with-universal-identity) rotation failure, to track the automatic rotation. diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index a03fcc24c..06ebc9d55 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md 
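Review bot: The "KMIP Certificate Expiry Coverage" subsection in hunk @@ -67 is inserted between the last `items-event-source-locations` bullet (`apply-justification`) and the `For auth-methods-event-source-locations:` group, so a heading now splits the enumeration of event sources, and the subsection does not say which event-source-location the KMIP certificates fall under. Either move it after the last source-location group or state the source inside it, e.g. `KMIP server and client certificates are monitored under items-event-source-locations`, if that is the case — the hunk does not establish it. The `users sets` to `user sets` fix in the first hunk is fine.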
@@ -18,6 +18,19 @@ The [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) built-in Cryptographic objects managed by the Akeyless KMIP server are stored under the `/kmip/default/` path, hence your [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) authentication method must have sufficient privileges, including `create`, `list`, `delete` and `read` rules, under the `/kmip/default/*` path. This path can be changed during the KMIP server setup. +## KMIP Certificate Expiry Events + +KMIP server and KMIP client certificates are time-bound objects. To reduce renewal failures and service interruptions, monitor certificate expiration events in the [Event Center](https://docs.akeyless.io/docs/event-center). + +For KMIP certificate observability, use the following event types: + +* `certificate-pending-expiration`: Triggered before certificate expiration based on configured lead time. +* `certificate-expired`: Triggered when a certificate has expired. + +To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). + +For audit action taxonomy, see [Log Actions](https://docs.akeyless.io/docs/log-actions). + > ℹ️ **Note:** > > Only users from your Gateway admins list can configure the KMIP server. diff --git a/docs/Secrets Management/targets/_order.yaml b/docs/Secrets Management/targets/_order.yaml index f8078376b..ce71c1ece 100644 --- a/docs/Secrets Management/targets/_order.yaml +++ b/docs/Secrets Management/targets/_order.yaml @@ -2,6 +2,7 @@ - aws-targets - azure-targets - chef-infra-targets +- cloudflare-target - database-targets - digicert-target - docker-hub-target diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md new file mode 100644 index 000000000..7b82aa7eb --- /dev/null +++ b/docs/Secrets Management/targets/cloudflare-target.md 
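Review bot: The bullet `certificate-pending-expiration`: Triggered before certificate expiration based on configured lead time refers to a lead time this page never says how to set, and the Event Center page says that setting is controlled from the PKI Issuer or the Certificate item; nothing here states that a KMIP server or client certificate is one of those. Say where the lead time for a KMIP certificate is configured, with a link to that setting, or drop the "based on configured lead time" clause until it can be grounded. The `_order.yaml` entry in the same patch is fine.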
@@ -0,0 +1,57 @@ +--- +title: Cloudflare and Akeyless Targets +excerpt: '' +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +Cloudflare in Akeyless is used as a DNS provider in certificate automation flows that rely on ACME DNS validation. + +Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public CA targets. + +## How Cloudflare Fits in Akeyless + +Cloudflare is part of the certificate lifecycle path, not a standalone Public CA in Akeyless. + +Use Cloudflare with the following target types: + +* [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt) +* [DigiCert Target](https://docs.akeyless.io/docs/digicert-target) +* [Google CA Target](https://docs.akeyless.io/docs/google-ca-target) + +In these flows: + +1. The Public CA target handles ACME issuance. +2. The Cloudflare credentials target handles DNS TXT record updates for DNS-01 validation. +3. The PKI Issuer issues and stores certificates through Akeyless. + +## Cloudflare Parameters in ACME Target Flows + +When using DNS challenge with Cloudflare, configure: + +* `dns-target-creds`: The target that stores Cloudflare credentials. +* `dns-zone`: The Cloudflare DNS zone used for DNS-01 records. + +For parameter-level details, see [CLI Reference - Akeyless Targets](https://docs.akeyless.io/docs/cli-ref-targets). + +## Related Akeyless Capabilities + +Cloudflare-connected certificate automation works together with: + +* [PKI Issuers and Certificate Issuance](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) +* [Certificate Storage](https://docs.akeyless.io/docs/certificate-storage) +* [Event Center](https://docs.akeyless.io/docs/event-center) for pending expiration and expired certificate events +* [Gateway](https://docs.akeyless.io/docs/gateway-overview) when required by target and forwarding architecture + +## Suggested Implementation Flow + +1. 
Create or identify your Cloudflare credentials target. +2. Create a Public CA target (Let's Encrypt, DigiCert, or Google CA) with `acme-challenge=dns`. +3. Set `dns-target-creds` to the Cloudflare target and set `dns-zone`. +4. Create or update your PKI Issuer to use that Public CA target. +5. Configure certificate expiration notifications in Event Center forwarders. From 02bed3d738d4aca2cb8f2550ecc0d83a6955d97d Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:23:31 -0600 Subject: [PATCH 04/24] docs: update KMIP certificate event types in multiple documents for consistency --- .../audit-logs/log-actions.md | 4 ++-- .../event-center/index.md | 4 ++-- docs/Encryption & KMS/kmip-server/index.md | 4 ++-- .../cli-reference-universal-identity.md | 22 ++++++++++++++----- .../cli-reference-rotated-secrets.md | 12 ---------- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/Advanced Functionality/audit-logs/log-actions.md b/docs/Advanced Functionality/audit-logs/log-actions.md index 316017589..663c36900 100644 --- a/docs/Advanced Functionality/audit-logs/log-actions.md +++ b/docs/Advanced Functionality/audit-logs/log-actions.md @@ -170,7 +170,7 @@ This page includes a thorough comb through all of the different options for the KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically: -* `certificate-pending-expiration` -* `certificate-expired` +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation. diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 08d1dfd9f..9f73411e4 100644 --- a/docs/Advanced Functionality/event-center/index.md 
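Review bot: The new page tells the reader to "Create or identify your Cloudflare credentials target" and to point `dns-target-creds` at it, but never shows how that target is created or which Cloudflare API token permissions it needs, whereas lets-encrypt.md already carries a "DNS Provider Permissions for DNS-01" section for the other providers. Add a short permissions paragraph or a link to that section, stating that the token should be limited to editing DNS records in the single zone named by `dns-zone` rather than granted account-wide, since the gateway uses this credential unattended. The frontmatter `metadata.title` and `description` are empty strings, so the rendered page will have no page title or description; fill them in. The create command for the Cloudflare target itself is not shown in the hunk, so it is not quoted here.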
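Review bot: Renaming the events to `kmip-cert-pending-expiration` and `kmip-cert-expired` leaves them absent from the supported-events list in event-center/index.md, which still enumerates only `certificate-pending-expiration` and `certificate-expired` under `items-event-source-locations`; the matching renames in the event-center and kmip-server hunks inherit the same gap. If these are distinct event types, add them as bullets to that list with their event-source-location; if they are the same events under a KMIP-specific label, the earlier wording was the accurate one and the rename should be reverted. The commit subject describes only the event-type rename, but the patch also rewrites `uid-auto-rotate` and removes the rotated-secret date flags, which makes the history harder to bisect.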
+++ b/docs/Advanced Functionality/event-center/index.md @@ -73,8 +73,8 @@ Certificate expiration events also apply to certificates used by the [KMIP Serve Use the following event types to monitor KMIP certificate lifecycle: -* `certificate-pending-expiration` -* `certificate-expired` +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index 06ebc9d55..292521947 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md @@ -24,8 +24,8 @@ KMIP server and KMIP client certificates are time-bound objects. To reduce renew For KMIP certificate observability, use the following event types: -* `certificate-pending-expiration`: Triggered before certificate expiration based on configured lead time. -* `certificate-expired`: Triggered when a certificate has expired. +* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on configured lead time. +* `kmip-cert-expired`: Triggered when a certificate has expired. To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index 207541490..e296c4fde 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md 
@@ -105,18 +105,30 @@ Configure automatic UID token rotation ### Usage ```shell -akeyless uid-auto-rotate \ ---auth-method-name \ +akeyless uid-auto-rotate +``` + +Initialize automatic UID token rotation: + +```shell +akeyless uid-auto-rotate init \ +--rotation-interval <1|15|60|240|1440> \ --uid-token ``` ### Flags -`-n, --auth-method-name`: Universal Identity auth method name - `-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable -`--install-cron-d`: Install or update a `cron.d` entry for automatic rotation (Linux) +`--rotation-interval`: **Required**, rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440` + +`-i, --token-file-path`: Path to store the rotated UID token file + +`--gateway-api-url`: Gateway URL for rotation requests + +`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task` + +`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system` ## `uid-revoke-token` diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md index 50ef9ab48..c69e99ccf 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md 
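Review bot: The `init` flag list never says where the rotated token is written when `-i, --token-file-path` is omitted or with what file mode, yet that file holds a live credential, and `--cron-mode` offers `system` without saying which account the job then runs as or who can read the token file. Document the default path and that the file should be readable only by the account running the scheduler, and add under `--cron-mode` a sentence such as `With system, the job runs from the system crontab; the token file must be owned by and readable only by the account the job runs as` (confirm the actual behaviour, which this hunk does not show). `-t, --uid-token` passes the token on the command line, where it lands in shell history and process listings; the flag text could add `Prefer the AKEYLESS_UID_TOKEN environment variable over passing the token as an argument.` The bare `akeyless uid-auto-rotate` usage block is shown with no description of what the command does without `init`, and `--scheduling-mode` is missing from the `init` example even though `windows-task` implies it matters outside cron.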
@@ -166,10 +166,6 @@ akeyless rotated-secret create azure \ `--resource-name`: The name of the Storage Account (only relevant when `explicitly-set-sa`=`true`) -`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - `--secure-access-disable-concurrent-connections[=false]`: Enable this flag to prevent simultaneous use of the same secret `-u, --gateway-url[=http://localhost:8000]`: API Gateway URL (Configuration Management port) @@ -388,8 +384,6 @@ akeyless rotated-secret create gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation @@ -1326,10 +1320,6 @@ akeyless rotated-secret update azure \ `--storage-account-key-name`: The name of the Storage Account key to rotate [`key1`/`key2`/`kerb1`/`kerb2`] (relevant to `azure-storage-account`) -`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation 
@@ -1554,8 +1544,6 @@ akeyless rotated-secret update gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation From 74471fe046313281a44b9f107f2477c9d94320d7 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:30:25 -0600 Subject: [PATCH 05/24] docs: standardize formatting for DNS provider details across multiple target documents --- .../targets/digicert-target.md | 16 ++++++++-------- .../targets/google-ca-target.md | 18 +++++++++--------- .../Secrets Management/targets/lets-encrypt.md | 17 +++++++++-------- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index c23d40462..ff15c0291 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md 
@@ -107,18 +107,18 @@ Where:
 * **Email**: Email address used to register the ACME account.
-* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
+ * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
-* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
+ * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
-* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
+ * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
-* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
+ * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
-* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
+ * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
-* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
+ * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
-* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+ * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
-1. Click Finish.
+5. Click Finish.
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md
index 6a8653653..d42c3223f 100644
--- a/docs/Secrets Management/targets/google-ca-target.md
+++ b/docs/Secrets Management/targets/google-ca-target.md
@@ -52,7 +52,7 @@ akeyless target create google-trust \
 --dns-target-creds \
 --resource-group
 ```
-```shell
+```shell DNS with Cloudflare
 akeyless target create google-trust \
 --name \
 --google-trust-url \
@@ -111,18 +111,18 @@ Where:
 * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services.
-* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
+ * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
-* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
+ * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
-* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
+ * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
-* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
+ * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
-* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
+ * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
-* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
+ * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
-* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+ * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
-1. Click Finish.
+5. Click Finish.
diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md
index 09262f988..80de2ea54 100644
--- a/docs/Secrets Management/targets/lets-encrypt.md
+++ b/docs/Secrets Management/targets/lets-encrypt.md
@@ -111,20 +111,21 @@ Where:
 * **Challenge Type**: Either **HTTP** or **DNS**.
-* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
+ * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**).
-* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
+ * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**).
-* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
-* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
+ * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**).
-* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
+ * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**).
-* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
+ * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**.
-* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+ * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**.
-1. Click Finish.
+ * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes).
+
+5. Click Finish.
 ## DNS Provider Permissions for DNS-01
From b44236abb9c6653e33c255184441a2269c499320 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Mon, 11 May 2026 10:32:22 -0600
Subject: [PATCH 06/24] docs: update title for Cloudflare target documentation to improve clarity
---
 docs/Secrets Management/targets/cloudflare-target.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md
index 7b82aa7eb..49f471e4a 100644
--- a/docs/Secrets Management/targets/cloudflare-target.md
+++ b/docs/Secrets Management/targets/cloudflare-target.md
@@ -1,5 +1,5 @@
 ---
-title: Cloudflare and Akeyless Targets
+title: Cloudflare Usage
 excerpt: ''
 deprecated: false
 hidden: false
From 844aa6d6577e032359968862eb0e3f4d5ab54b1d Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Mon, 11 May 2026 10:34:42 -0600
Subject: [PATCH 07/24] docs: correct typo in EAB HMAC key description for DigiCert target CLI instructions
---
 docs/Secrets Management/targets/digicert-target.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md
index ff15c0291..fa2673d8b 100644
--- a/docs/Secrets Management/targets/digicert-target.md
+++ b/docs/Secrets Management/targets/digicert-target.md
@@ -58,7 +58,7 @@ akeyless target create digicert \
 --digicert-url \
 --email \
 --eab-key-id \
---eab-hmac-key \
+--eab-hmac-key \
 --acme-challenge dns \
 --dns-target-creds \
 --dns-zone
From df20323b9978bd3e074f3ff4ed70085e5f7c9244 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Mon, 11 May 2026 10:35:49 -0600
Subject: [PATCH 08/24] docs: standardize event type naming conventions in Event Center documentation
---
 docs/Advanced Functionality/event-center/index.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md
index 9f73411e4..23cbc9c39 100644
--- a/docs/Advanced Functionality/event-center/index.md
+++ b/docs/Advanced Functionality/event-center/index.md
@@ -59,9 +59,9 @@ For `items-event-source-locations`:
 * `static-secret-updated`: When a [Static Secret](https://docs.akeyless.io/docs/static-secrets) is set to trigger events on value changes.
-* `usage_unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.
+* `usage-unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.
-* `usage_unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.
+* `usage-unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.
 * `request-access`: When a user requests access, either for privilege permission or for a Secure Remote Access session. **Note**: Relevant also for `targets-event-source-locations`.
@@ -98,9 +98,9 @@ For `gateways-event-source-locations`:
 * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway.
-* `gateway-certificate-about-to-expire`: When a Gateway certificate (Gateway Certificate Store) is about to expire.
+* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire.
-* `gateway-certificate-expired`: When a Gateway certificate (Gateway Certificate Store) is expired.
+* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired.
 ## Event Forwarders
From 9e806725a9bc4ff4b6f3490f2d9a00c6fe417cbb Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Mon, 11 May 2026 10:40:59 -0600
Subject: [PATCH 09/24] docs: relocate KMIP certificate expiry coverage section to improve clarity and context
---
 .../event-center/index.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md
index 23cbc9c39..8dd54a25e 100644
--- a/docs/Advanced Functionality/event-center/index.md
+++ b/docs/Advanced Functionality/event-center/index.md
@@ -67,17 +67,6 @@ For `items-event-source-locations`:
 * `apply-justification`: When the user provides a connection justification as part of the Secure Remote Access session.
-### KMIP Certificate Expiry Coverage
-
-Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates.
-
-Use the following event types to monitor KMIP certificate lifecycle:
-
-* `kmip-cert-pending-expiration`
-* `kmip-cert-expired`
-
-To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center).
-
 For `auth-methods-event-source-locations`:
 * `uid-rotation-failure`: On [Universal Identity](https://docs.akeyless.io/docs/auth-with-universal-identity) rotation failure, to track the automatic rotation.
@@ -102,6 +91,17 @@ For `gateways-event-source-locations`:
 * `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired.
+### KMIP Certificate Expiry Coverage
+
+Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. These events are emitted by the Gateway.
+
+Use the following event types to monitor KMIP certificate lifecycle:
+
+* `kmip-cert-pending-expiration`
+* `kmip-cert-expired`
+
+To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center).
+
 ## Event Forwarders
 Event forwarders are tools you can configure through the Event Center to get notified on other platforms (For example, email) when a certain event type happens. For example, one might want to be notified every time a certain [Certificate](https://docs.akeyless.io/docs/certificate-storage) is about to expire or when a user requests to access an item you have in your Akeyless Platform.
From de324818badb620d06927092823ff9a7a8f454ca Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Mon, 11 May 2026 12:26:30 -0600
Subject: [PATCH 10/24] docs: enhance clarity and detail in KMIP certificate event types and UID token rotation instructions
---
 docs/Encryption & KMS/kmip-server/index.md | 2 +-
 .../cli-reference-universal-identity.md | 66 ++++++++++++++++---
 .../manage-your-secrets-overview.md | 22 ++++---
 docs/Secrets Management/targets/index.md | 11 +++-
 4 files changed, 83 insertions(+), 18 deletions(-)
diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md
index 292521947..415eefa2d 100644
--- a/docs/Encryption & KMS/kmip-server/index.md
+++ b/docs/Encryption & KMS/kmip-server/index.md
@@ -24,7 +24,7 @@ KMIP server and KMIP client certificates are time-bound objects. To reduce renew
 For KMIP certificate observability, use the following event types:
-* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on configured lead time.
+* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on the certificate's configured expiration-notification window. Set that window when you create or update the certificate, then use [Event Forwarders](https://docs.akeyless.io/docs/event-center) to route the alert.
 * `kmip-cert-expired`: Triggered when a certificate has expired.
 To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center).
diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md
index e296c4fde..51fd05e71 100644
--- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md
+++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md
@@ -108,7 +108,13 @@ Configure automatic UID token rotation
 akeyless uid-auto-rotate
 ```
-Initialize automatic UID token rotation:
+The `init` subcommand initializes rotation and stores the token file. The `rotate`, `status`, and `uninstall` subcommands use the stored token file and the configured gateway URL.
+
+### `init`
+
+Initialize automatic UID token rotation.
+
+#### Usage
 ```shell
 akeyless uid-auto-rotate init \
@@ -116,19 +122,63 @@ akeyless uid-auto-rotate init \
 --uid-token
 ```
-### Flags
+#### Flags
+
+`-t, --uid-token`: Optional. Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable.
+
+`--rotation-interval`: **Required** for `init`. Rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440`.
+
+`-i, --token-file-path`: Optional. Path to store the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
+`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value.
-`-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable
+`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task`.
+
+`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system`.
+
+### `rotate`
+
+Rotate the current UID token on demand.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate rotate
+```
-`--rotation-interval`: **Required**, rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440`
+#### Flags
-`-i, --token-file-path`: Path to store the rotated UID token file
+`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
-`--gateway-api-url`: Gateway URL for rotation requests
+`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value.
+
+### `status`
+
+Check the current UID auto-rotate setup.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate status
+```
+
+#### Flags
+
+`-i, --token-file-path`: Optional. Path to the rotated UID token file.
If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
+### `uninstall`
+
+Remove the UID auto-rotate setup and scheduled entry.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate uninstall
+```
-`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task`
+#### Flags
-`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system`
+`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
 ## `uid-revoke-token`
diff --git a/docs/Secrets Management/manage-your-secrets-overview.md b/docs/Secrets Management/manage-your-secrets-overview.md
index ab0c4e34f..730216373 100644
--- a/docs/Secrets Management/manage-your-secrets-overview.md
+++ b/docs/Secrets Management/manage-your-secrets-overview.md
@@ -10,18 +10,24 @@ metadata:
 next:
 description: ''
 ---
-Akeyless enables you to work with the following secret types:
+Akeyless supports several item types for storing, generating, protecting, and distributing sensitive data.
-* **Static Secrets**: Key/value pairs that you create and update manually. The values usually remain the same for long periods. Typically, you use Static Secrets to protect passwords, API tokens, and personal identifiers (PII) or credit card numbers. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets).
+## Secret Types
-* **Dynamic Secrets**: Temporary credentials generated on-demand to provide a client with access to a resource for a limited period of time, with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret).
+Use these secret types to manage application and user credentials:
-* **Rotated Secrets**: Passwords for privileged-user accounts that are periodically updated by resetting a password on a target machine. The Akeyless Platform stores the updated secret value to retrieve it when required. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets).
+* **Static Secrets**: Key/value pairs that you create and update manually. Use them for values that change infrequently, such as passwords, API tokens, personal identifiers, or credit card numbers. Akeyless also provides dedicated [Password](https://docs.akeyless.io/docs/passwords) items for username, password, and website credentials. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets).
-In addition, Akeyless enables you to work with:
+* **Dynamic Secrets**: Temporary credentials generated on demand for a limited time and with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret).
-* **Targets**: Targets act as a connector between credentials and the items that need to use them, both saving time for the user and protecting your flows from credential breakage. For more detail, see [Targets](https://docs.akeyless.io/docs/targets).
+* **Rotated Secrets**: Passwords for privileged accounts that Akeyless updates periodically by resetting the password on the target system. The platform stores the latest value so you can retrieve it when needed. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets).
-* **Encryption Keys**: AES, RSA, or EC keys of various sizes. Use these keys to encrypt secrets or any other kind of data and also to sign binaries or application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview).
+## Supporting Objects
-* **Certificates**: Akeyless acts as a Certificate Authority for the internal environment. Supporting both types of [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates).
+Akeyless also provides supporting objects that help you deliver secrets securely and consistently:
+
+* **Targets**: Targets connect credentials to the systems that consume them. This helps you reuse endpoint details across secrets and reduces the risk of credential drift. See [Targets](https://docs.akeyless.io/docs/targets).
+
+* **Encryption Keys**: AES, RSA, or EC keys that you can use to encrypt data or sign binaries and application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview).
+
+* **Certificates**: Akeyless can act as a certificate authority for internal environments, supporting both [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates).
diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md
index a3bca0d37..a25eebe02 100644
--- a/docs/Secrets Management/targets/index.md
+++ b/docs/Secrets Management/targets/index.md
@@ -10,7 +10,7 @@ metadata:
 next:
 description: ''
 ---
-A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately.
+A target is a reusable endpoint credential item for a database, cloud platform, or server. Targets help admins keep endpoint details organized so you can reuse them across secrets instead of entering the same information for each item.
 ![Illustration for: A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately.](https://files.readme.io/7481a59-Creates_Targets.png)
@@ -22,6 +22,15 @@ Using targets has three primary advantages:
 * Don't break the credential chain: Targets can also be used to sync encryption keys with an external KMS, or to define a Target to be used with our [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) to manage and automate your privilege account credentials rotation. This allows every item referencing the target to be up to date on the necessary information and to stay usable even after rotations are done.
+## Common Target Families
+
+If you are looking for a specific target type, start with the family that matches your endpoint:
+
+* [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets.
+* Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations.
+* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public CA.
+* [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints.
+
 ## Delete protection for targets
 Targets support delete protection to reduce accidental deletion risk.
From 40cf233b143013649aa7d5cae58486d9b75d9a51 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 11:39:34 -0600
Subject: [PATCH 11/24] docs: enhance security guidance and add HashiCorp Vault metadata preservation details in migration documentation
---
 .../gateway-automatic-migration.md | 33 +++++++++++++++----
 .../cli-reference-automatic-migration.md | 4 +++
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md
index 03adac5c8..65232339e 100644
--- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md
+++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md
@@ -29,6 +29,12 @@ Before running migration workflows:
 * Validate network connectivity from Gateway to source systems and Akeyless services.
 * Prepare destination paths and required encryption settings.
+## Security Guidance
+
+* Use least-privilege credentials for source access.
+* Avoid broad admin permissions when migration-specific permissions are sufficient.
+* Rotate temporary migration credentials after the migration window closes.
+
 ## Configuration Scope
 Automatic migration configuration usually includes:
@@ -36,8 +42,29 @@ Automatic migration configuration usually includes:
 * Source system connection parameters.
 * Authentication credentials or identity settings.
 * Migration mode and target path strategy.
+* [HashiCorp Vault metadata preservation mode](#hashicorp-vault-metadata-preservation-mode) (`full`, `minimal`, or `none`) when configuring HashiCorp Vault migrations.
 * Conflict handling behavior for existing items.
+## HashiCorp Vault Metadata Preservation Mode
+
+When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless.
+
+If the flag is omitted, the mode defaults to `full`.
+
+| Mode | What is migrated |
+| --- | --- |
+| `full` | The complete KV v2 metadata block, trimmed to only the secret versions being imported. |
+| `minimal` | Only the [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata) field from the KV v2 metadata block. All other metadata fields are discarded. |
+| `none` | No metadata. Only the secret values are migrated. |
+
+### When to choose each mode
+
+* Use `full` when you need to preserve as much Vault context as possible, for example, when keeping version history alignment or retaining all metadata fields for auditing.
+* Use `minimal` when only your own custom key–value annotations (stored in [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata)) are needed in Akeyless and you want to reduce migration payload size.
+* Use `none` when metadata is not relevant to your use case and you want the smallest possible migration footprint.
+
+Set the mode with the `--hashi-metadata-mode` flag on `gateway-create-migration` or `gateway-update-migration`. For full flag reference, see the [Automatic Migration CLI Reference](https://docs.akeyless.io/docs/cli-reference-automatic-migration).
+
 ## Operational Guidance
 Use a phased rollout:
@@ -47,12 +74,6 @@ Use a phased rollout:
 3. Expand migration scope after successful validation.
 4. Monitor Gateway logs during migration and remediation.
-## Security Guidance
-
-* Use least-privilege credentials for source access.
-* Avoid broad admin permissions when migration-specific permissions are sufficient.
-* Rotate temporary migration credentials after the migration window closes.
-
 ## CLI Reference
 For command-level usage and flags, use the Automatic Migration CLI reference:
diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
index 63b86e79e..a0309f3b9 100644
--- a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
+++ b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
@@ -52,6 +52,8 @@ akeyless gateway-create-migration \
 `--hashi-json=[true]`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration)
+`--hashi-metadata-mode[=full]`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details.
+
 `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:AWSregion:AWSAccountId:Secret:/path/to/secrets/*` (relevant only for AWS migration)
 `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration)
@@ -275,6 +277,8 @@ akeyless gateway-update-migration \
 `--hashi-json='true'`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration)
+`--hashi-metadata-mode`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details.
+
 `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]` (relevant only for AWS migration)
 `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration)
From 2e4eb0079af3f21fe2bf836a9bced32d4e911251 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 11:39:39 -0600
Subject: [PATCH 12/24] docs: update AWS STS endpoint guidance for China partitions in IAM authentication documentation
---
 .../access-and-authentication-methods/auth-with-aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md
index 26ee9a5f1..048c622a2 100644
--- a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md
+++ b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md
@@ -95,7 +95,7 @@ For optional features that apply across Authentication Methods, see [Common Opti
 * **Bounded Role Names:** Enter one or more IAM role names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-name` for each value.
 * **Bounded Role IDs:** Enter one or more IAM role IDs that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-id` for each value.
 * **Bounded User names:** Enter one or more IAM user names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-user-name` for each value.
-* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`.
+* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. For AWS China partitions, a regional endpoint is required; for example, `https://sts.cn-north-1.amazonaws.com.cn` for `cn-north-1`, or `https://sts.cn-northwest-1.amazonaws.cn` for `cn-northwest-1`.
 * **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated IAM principals.
 
 ## AWS Instance Metadata Service

From 3d0ede9ad291d9b6263b1c34a1ea552ad37acc43 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 11:44:16 -0600
Subject: [PATCH 13/24] docs: add expiration parameter for GCP Secret Manager in USC CLI commands

---
 .../gcp-universal-secrets-connector.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md
index 2e481ad53..d660c8d14 100644
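Review bot: The two China examples on the added `**Custom STS Endpoint:**` line use different domain suffixes, `https://sts.cn-north-1.amazonaws.com.cn` versus `https://sts.cn-northwest-1.amazonaws.cn`; both China regions share the `amazonaws.com.cn` suffix, so the second looks like a typo and should read `https://sts.cn-northwest-1.amazonaws.com.cn`. Since this endpoint decides which STS service validates the caller's identity, a wrong host fails closed at best and, at worst, sends the signed identity request to an unintended party, so it is worth adding `The endpoint must use https:// and belong to the same AWS partition as the bound roles or users.`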
--- a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md +++ b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md @@ -117,6 +117,8 @@ The main parameters are: * `value`: The value of the secret you would like to create, plaintext, or Base64-encoded. +* `--remote-secret-expires`: Optional. Expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Once this time passes, GCP automatically disables access to the secret. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). For GCP USC, you can create a regional secret by adding `--region `. If omitted, the secret is created as global. @@ -129,6 +131,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret From 4758503b416a846ac02d522820435e62915b03a1 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:44:28 -0600 Subject: [PATCH 14/24] docs: add optional expiration and activation date parameters for Azure Key Vault secrets in USC CLI commands --- .../azure-universal-secrets-connector.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md index 9040c5b82..b43915765 100644 --- a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md 
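Review bot: The added `--remote-secret-expires` bullet says that once the time passes "GCP automatically disables access to the secret"; as far as I recall, Secret Manager deletes an expired secret and all its versions, which is irreversible and a materially different outcome for an operator choosing a date. Please verify against GCP's documentation and, if so, change the sentence to `Once this time passes, GCP automatically deletes the secret; this cannot be undone.` and add the same caveat to the new sentence in the update section, which currently states only the format.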
+++ b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md @@ -243,6 +243,10 @@ The main parameters are: * `--object-type[=secret]`: Either `secret` or `certificate`, when set to `certificate` - Provide a Base64-encoded certificate file that includes the private key. +* `--remote-secret-expires`: Optional. Expiration time for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `Expires` attribute on the secret version. + +* `--remote-secret-activation-date`: Optional. Activation date for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `NotBefore` attribute on the secret version. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). ### Updating an Existing USC Secret @@ -253,6 +257,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time and `--remote-secret-activation-date` to set or update the activation date (Azure Key Vault `NotBefore`), both in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret From f174284f10f8385fbb738ae2bd2b75d4f3b2879e Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:46:45 -0600 Subject: [PATCH 15/24] docs: clarify default behavior of --hashi-metadata-mode flag in HashiCorp Vault migration --- .../configure-gateway/gateway-automatic-migration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md index 65232339e..fed8c766c 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md @@ -49,7 +49,7 @@ Automatic migration configuration usually includes: When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. -If the flag is omitted, the mode defaults to `full`. +If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged. | Mode | What is migrated | | --- | --- | From fd28fc122860809e26614e6973398cbb6313a6ba Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:50:24 -0600 Subject: [PATCH 16/24] docs: clarify Gateway certificate expiration event descriptions in Event Center and Targets documentation --- docs/Advanced Functionality/event-center/index.md | 8 ++++---- docs/Secrets Management/targets/index.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 8dd54a25e..71e63d85a 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -87,9 +87,9 @@ For `gateways-event-source-locations`: * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway. -* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire. +* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire, it must be set on the Gateway. -* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. +* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired, it must be set on the Gateway. ### KMIP Certificate Expiry Coverage @@ -97,8 +97,8 @@ Certificate expiration events also apply to certificates used by the [KMIP Serve Use the following event types to monitor KMIP certificate lifecycle: -* `kmip-cert-pending-expiration` -* `kmip-cert-expired` +* `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway. +* `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway. To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index a25eebe02..007773849 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md 
@@ -28,7 +28,7 @@ If you are looking for a specific target type, start with the family that matche * [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. * Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. -* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public CA. +* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public Certificate Authority (CA). * [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. ## Delete protection for targets From 88bc435bd79f1e2235f97160d7645318bfce80c7 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:08 -0600 Subject: [PATCH 17/24] docs: update HMAC key descriptions for DigiCert and Google CA targets --- docs/Secrets Management/targets/digicert-target.md | 2 +- docs/Secrets Management/targets/google-ca-target.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index fa2673d8b..27124e09c 100644 --- a/docs/Secrets Management/targets/digicert-target.md 
+++ b/docs/Secrets Management/targets/digicert-target.md @@ -74,7 +74,7 @@ Where: * `eab-key-id`: External Account Binding Key ID from DigiCert Services. - `eab-hmac-key`: External Account Binding Key ID from DigiCert Services. +* `eab-hmac-key`: External Account Binding HMAC Key from DigiCert Services. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index d42c3223f..965f41445 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md @@ -33,7 +33,7 @@ akeyless target create google-trust \ ```shell DNS with GCP akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ --eab-key-id \ --eab-hmac-key \ @@ -44,10 +44,10 @@ akeyless target create google-trust \ ```shell DNS with Azure akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ ---eab-key-id ---eab-hmac-key +--eab-key-id \ +--eab-hmac-key \ --acme-challenge dns \ --dns-target-creds \ --resource-group @@ -72,9 +72,9 @@ Where: * `eab-key-id`: External Account Binding Key ID from Google CA Services. -* `eab-hmac-key`: External Account Binding Key ID from Google CA Services. +* `eab-hmac-key`: External Account Binding HMAC Key from Google CA Services. -* `--google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. +* `google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. From d2681b61222527b4b66df45d7de899643738e1f1 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:14 -0600 Subject: [PATCH 18/24] docs: update Cloudflare DNS validation description in certificate automation targets --- docs/Secrets Management/targets/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index 007773849..95b888d6e 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md @@ -28,7 +28,7 @@ If you are looking for a specific target type, start with the family that matche * [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. * Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. -* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public Certificate Authority (CA). +* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and [Cloudflare Target](https://docs.akeyless.io/docs/cloudflare-target) for DNS-01 validation with public Certificate Authority (CA) targets. * [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. ## Delete protection for targets From 5cdccda33df0ca11579db8188e7a89141b4e835b Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:48 -0600 Subject: [PATCH 19/24] docs: update Cloudflare target documentation for clarity and completeness --- .../targets/cloudflare-target.md | 67 ++++++++++++++----- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md index 49f471e4a..dee547762 100644 --- a/docs/Secrets Management/targets/cloudflare-target.md +++ b/docs/Secrets Management/targets/cloudflare-target.md @@ -1,5 +1,5 @@ --- -title: Cloudflare Usage +title: Cloudflare Target excerpt: '' deprecated: false hidden: false @@ -10,15 +10,15 @@ metadata: next: description: '' --- -Cloudflare in Akeyless is used as a DNS provider in certificate automation flows that rely on ACME DNS validation. +The Cloudflare Target stores Cloudflare credentials in Akeyless. It is used as a DNS provider in certificate automation flows that rely on ACME DNS-01 validation. -Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public CA targets. +Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public Certificate Authority (CA) targets. ## How Cloudflare Fits in Akeyless -Cloudflare is part of the certificate lifecycle path, not a standalone Public CA in Akeyless. +Cloudflare is part of the certificate lifecycle path, not a standalone public CA in Akeyless. -Use Cloudflare with the following target types: +Use a Cloudflare target with the following target types: * [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt) * [DigiCert Target](https://docs.akeyless.io/docs/digicert-target) 
@@ -26,16 +26,53 @@ Use Cloudflare with the following target types: In these flows: -1. The Public CA target handles ACME issuance. +1. The public CA target handles ACME issuance. 2. The Cloudflare credentials target handles DNS TXT record updates for DNS-01 validation. 3. The PKI Issuer issues and stores certificates through Akeyless. -## Cloudflare Parameters in ACME Target Flows +## Create a Cloudflare Target with the CLI -When using DNS challenge with Cloudflare, configure: +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` -* `dns-target-creds`: The target that stores Cloudflare credentials. -* `dns-zone`: The Cloudflare DNS zone used for DNS-01 records. +Where: + +* `name`: A unique name for the target. The name can include a path to a virtual folder by using slash `/` separators. If the folder does not exist, Akeyless creates it with the target. + +* `api-token`: Required. A Cloudflare API token with permission to create and delete DNS TXT records in the relevant zone. + +* `account-id`: Optional. The Cloudflare account ID associated with the token. + +* `key`: Optional. Use this when you want to encrypt target secret values with a specific protection key instead of the account default key. + +[View the complete list of parameters for this command.](https://docs.akeyless.io/docs/cli-ref-targets) + +## Create a Cloudflare Target in the Console + +1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Cloudflare**. + +2. Define the **Name** of the target, and specify the **Location** as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +4. 
Define the following parameters: + + * **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records. + + * **Account ID**: Optional. The Cloudflare account ID associated with the token. + +5. Click **Finish**. + +## Use the Cloudflare Target in ACME Flows + +When using DNS-01 challenge with Cloudflare, configure the Public CA target with: + +* `--dns-target-creds`: The name of the Cloudflare target. +* `--dns-zone`: The Cloudflare DNS zone name used for DNS-01 records. For parameter-level details, see [CLI Reference - Akeyless Targets](https://docs.akeyless.io/docs/cli-ref-targets). @@ -48,10 +85,10 @@ Cloudflare-connected certificate automation works together with: * [Event Center](https://docs.akeyless.io/docs/event-center) for pending expiration and expired certificate events * [Gateway](https://docs.akeyless.io/docs/gateway-overview) when required by target and forwarding architecture -## Suggested Implementation Flow +## Implementation Flow -1. Create or identify your Cloudflare credentials target. -2. Create a Public CA target (Let's Encrypt, DigiCert, or Google CA) with `acme-challenge=dns`. -3. Set `dns-target-creds` to the Cloudflare target and set `dns-zone`. -4. Create or update your PKI Issuer to use that Public CA target. +1. Create a Cloudflare target using the steps above. +2. Create a public CA target (Let's Encrypt, DigiCert, or Google CA) with `--acme-challenge=dns`. +3. Set `--dns-target-creds` to the Cloudflare target name and set `--dns-zone`. +4. Create or update your PKI Issuer to use that public CA target. 5. Configure certificate expiration notifications in Event Center forwarders. From 49f1df8d017ffafa427ac792d3a4f6049ff78cec Mon Sep 17 00:00:00 2001 
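Review bot: The new `api-token` bullet asks for a token "with permission to create and delete DNS TXT records in the relevant zone" but does not say how to scope it, so a reader may paste an account-wide token or the legacy Global API Key, either of which lets a compromised target modify every zone in the account. Suggest extending the bullet with `Create a scoped API token that grants DNS edit permission on the zone named in --dns-zone only; do not use the Global API Key.` and mirroring that sentence in the Console **API Token** bullet. Separately, `key` is described under "Where:" but absent from the usage block, so either add `--key` to the example or drop the bullet so the example and the parameter list agree.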
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:08:09 -0600 Subject: [PATCH 20/24] docs: add Cloudflare target creation and update instructions to CLI reference --- .../cli-reference/cli-ref-targets.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index 6e4ad29c4..f0974126d 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md @@ -26,6 +26,8 @@ Create a new Target `azure` +`cloudflare` + `db` `dockerhub` @@ -181,6 +183,33 @@ akeyless target create azure \ `--description`: Target description `--max-versions`: Set the maximum number of versions, limited by the account settings defaults +### `cloudflare` + +Creates a new Cloudflare target in the current account + +#### Usage + +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--api-token`: **Required**, Cloudflare API token + +`--account-id`: Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + ### `db` Creates a new DB target in the current account 
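Review bot: In the `@@ -181,6 +183,33 @@` hunk the `--api-token` flag is described only as "Cloudflare API token", while the target page this reference backs says the token needs create/delete permission on DNS TXT records in the relevant zone; the CLI reference is where operators copy commands from, so the scope belongs here too. Suggest `--api-token`: **Required**, Cloudflare API token scoped to DNS edit on the zone used for DNS-01 validation. The same description is reused in the `target update cloudflare` hunk of the next patch section, which should carry the same wording.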
@@ -1430,6 +1459,39 @@ akeyless target update azure \ `--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings +#### `cloudflare` + +Updates an existing Cloudflare target in the current account + +##### Usage + +```shell +akeyless target update cloudflare \ +--name \ +--new-name \ +--api-token \ +--account-id \ +--key +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--new-name`: New target name + +`--api-token`: Cloudflare API token + +`--account-id`: Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + +`--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings + #### `db` Update an existing db target in the current account From 7b41396d552f4e8cf8420b6ab052219cfa872d3e Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:13:41 -0600 Subject: [PATCH 21/24] docs: add description for rotated-secret-partial-failure event in Event Center documentation --- docs/Advanced Functionality/event-center/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 71e63d85a..4ac2ea6a2 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -53,6 +53,8 @@ For `items-event-source-locations`: * `rotated-secret-failure`: Upon **automatic** rotation failure, including the error details. +* `rotated-secret-partial-failure`: When an automatic rotation partially succeeds, some targets rotate successfully but at least one fails. + * `secret-sync`: Upon **automatic** sync failure, including the error details. * `dynamic-secret-failure`: On general failure of a [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). From 0b154fcd693c37ae343b1011ab61c4a72db82a47 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 08:20:02 -0600 Subject: [PATCH 22/24] docs: restore Cloudflare console target docs --- .pre-commit-config.yaml | 6 ++--- .../targets/cloudflare-target.md | 8 +++--- .../targets/digicert-target.md | 21 ++++++++-------- .../targets/google-ca-target.md | 25 ++++++++++--------- .../targets/lets-encrypt.md | 23 +++++++++-------- 5 files changed, 43 insertions(+), 40 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 07b3ef73c..7e525a559 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -21,7 +21,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: cspell name: cspell (edited markdown files) @@ -30,7 +30,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: lychee name: lychee (edited markdown files) @@ -39,4 +39,4 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md index dee547762..a408355da 100644 --- a/docs/Secrets Management/targets/cloudflare-target.md +++ b/docs/Secrets Management/targets/cloudflare-target.md 
@@ -61,11 +61,11 @@ Where: 4. Define the following parameters: - * **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records. +* **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records. - * **Account ID**: Optional. The Cloudflare account ID associated with the token. +* **Account ID**: Optional. The Cloudflare account ID associated with the token. -5. Click **Finish**. +1. Click **Finish**. ## Use the Cloudflare Target in ACME Flows @@ -87,7 +87,7 @@ Cloudflare-connected certificate automation works together with: ## Implementation Flow -1. Create a Cloudflare target using the steps above. +1. Create a Cloudflare target using either the CLI command above or the Console flow. 2. Create a public CA target (Let's Encrypt, DigiCert, or Google CA) with `--acme-challenge=dns`. 3. Set `--dns-target-creds` to the Cloudflare target name and set `--dns-zone`. 4. Create or update your PKI Issuer to use that public CA target. diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index 27124e09c..ebc367644 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md 
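Review bot: Moving the bullets under step 4 to column 0 and changing `-5. Click **Finish**.` to `+1. Click **Finish**.` changes the rendered page, not just the source: an unindented bullet list ends the ordered list, so the final step renders as a new list starting at 1 rather than as step 5 (unless the site's renderer is unusually lenient, which is worth checking in a preview). Keeping the bullets indented under step 4 preserves the nesting and lets `5.` continue the numbering. The same pattern is repeated in the digicert-target.md, google-ca-target.md and lets-encrypt.md hunks of this patch.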
@@ -103,22 +103,23 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Environment**: The ACME environment, **US Production** / **EU Production** / **US Demo** or **EU Demo** - * **Email**: Email address used to register the ACME account. +* **Environment**: The ACME environment, **US Production** / **EU Production** / **US Demo** or **EU Demo** - * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). +* **Email**: Email address used to register the ACME account. - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). +* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **DNS Zone**: Cloudflare DNS zone name. 
Relevant only when **DNS Provider** is **Cloudflare**. +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -5. Click Finish. +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + +1. Click Finish. diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index 965f41445..50e626d26 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md 
@@ -103,26 +103,27 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Email**: Email address used to register the ACME account. - * **URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). +* **Email**: Email address used to register the ACME account. - * **EAB KID**: External Account Binding Key ID from Google CA Services. +* **URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). - * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. +* **EAB KID**: External Account Binding Key ID from Google CA Services. - * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). +* **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). 
+* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -5. Click Finish. +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + +1. Click Finish. diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index 80de2ea54..73a9d9072 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md 
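Review bot: On the new side of google-ca-target.md the **URL** bullet still links **Production** and **Staging** to the Let's Encrypt ACME directory (`https://acme-v02.api.letsencrypt.org/directory` and `https://acme-staging-v02.api.letsencrypt.org/directory`), which cannot be right for a Google CA target; a reader who copies these registers the EAB credentials with the wrong CA. Replace them with the Google Trust Services ACME directory endpoints (`<production directory URL>` / `<staging directory URL>`), or drop the links and describe the field as accepting `production` or `staging`, which is how the CLI reference in patch 17 documents `google-trust-url`. This hunk only re-indents the bullets, so the wrong links predate it, but this is the new text under review.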
@@ -105,27 +105,28 @@ Where: 3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). 4. Define the remaining parameters as follows: - * **Server URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). - * **Email**: Email address used to register the ACME account. +* **Server URL**: Either [Production](https://acme-v02.api.letsencrypt.org/directory) or [Staging](https://acme-staging-v02.api.letsencrypt.org/directory). - * **Challenge Type**: Either **HTTP** or **DNS**. +* **Email**: Email address used to register the ACME account. - * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). +* **Challenge Type**: Either **HTTP** or **DNS**. - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). +* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **GCP Project**: GCP Cloud DNS project ID. 
Optional when **DNS Provider** is **GCP**. +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -5. Click Finish. +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + +1. Click Finish. ## DNS Provider Permissions for DNS-01 From 719bc637b4dcee1c8b8c14a22aff46b067609b9a Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 08:31:14 -0600 Subject: [PATCH 23/24] docs: align target docs with console naming and order --- .github/markdownlint/fence-tabs.txt | 2 +- .../create-dynamic-secret-to-sql-db.md | 6 +- .../create-a-database-rotated-secret.md | 2 +- .../targets/database-targets.md | 338 +++++++++--------- docs/Secrets Management/targets/index.md | 72 +++- 5 files changed, 240 insertions(+), 180 deletions(-) diff --git a/.github/markdownlint/fence-tabs.txt b/.github/markdownlint/fence-tabs.txt index 9294fce4f..387c84fc8 100644 --- a/.github/markdownlint/fence-tabs.txt +++ b/.github/markdownlint/fence-tabs.txt @@ -162,7 +162,7 @@ MSSQL MSSQL RDS Multi region MyAES256SIVKey -MySQL/MariaDB +MySQL (and MariaDB) MySQLWordPress.yaml Native Kubernetes Oauth2.0 diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md b/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md index 24d59b577..f5e2d46ed 100644 --- a/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md 
+++ b/docs/Secrets Management/how-to-create-dynamic-secret/create-dynamic-secret-to-sql-db.md @@ -20,7 +20,7 @@ You can create Dynamic Secrets for a wide range of databases, including: * MongoDB -* MySQL/MariaDB +* MySQL (and MariaDB) * OracleDB @@ -44,7 +44,7 @@ When a client requests a dynamic secret value, the Akeyless Platform connects to To create a dynamic database secret with the CLI using an existing [Target](https://docs.akeyless.io/docs/targets), run the following command: -```shell MySQL/MariaDB +```shell MySQL (and MariaDB) akeyless dynamic-secret create mysql \ --name \ --target-name \ @@ -153,7 +153,7 @@ akeyless dynamic-secret create redis \ Or using an inline connection string: -```shell MySQL/MariaDB +```shell MySQL (and MariaDB) akeyless dynamic-secret create mysql \ --name \ --gateway-url 'https://:8000' \ diff --git a/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md b/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md index f8d9fe1fa..c57c5b890 100644 --- a/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md +++ b/docs/Secrets Management/rotated-secrets/create-a-database-rotated-secret.md @@ -20,7 +20,7 @@ You can create a Rotated Secret for a database user. Currently, Akeyless Rotated * MongoDB -* MySQL/MariaDB +* MySQL (and MariaDB) * Oracle Database diff --git a/docs/Secrets Management/targets/database-targets.md b/docs/Secrets Management/targets/database-targets.md index 51b54e209..0d46c8cc6 100644 --- a/docs/Secrets Management/targets/database-targets.md +++ b/docs/Secrets Management/targets/database-targets.md 
@@ -14,28 +14,28 @@ You can define a database target to be used with [Database Dynamic Secrets](http Available database targets: -* [MySQL/MariaDB](https://docs.akeyless.io/docs/database-targets#mysql) - -* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) - -* [MSSQL](https://docs.akeyless.io/docs/database-targets#mssql) - -* [Redshift](https://docs.akeyless.io/docs/database-targets#redshift) +* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) -* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) +* [Microsoft SQL Server (MSSQL)](https://docs.akeyless.io/docs/database-targets#microsoft-sql-server-mssql) * [MongoDB](https://docs.akeyless.io/docs/database-targets#mongodb) * [MongoDB Atlas](https://docs.akeyless.io/docs/database-targets#mongodb-atlas) -* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) +* [MySQL (and MariaDB)](https://docs.akeyless.io/docs/database-targets#mysql-and-mariadb) -* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) +* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) + +* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) -* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hanadb) +* [Amazon Redshift](https://docs.akeyless.io/docs/database-targets#amazon-redshift) * [Redis](https://docs.akeyless.io/docs/database-targets#redis) +* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) + +* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hana-database) + ## Create a Database Target with the CLI > ℹ️ **Note:** 
@@ -48,53 +48,58 @@ You can find the complete list of parameters for this command in the [CLI Refere To create database targets, you can define the following fields in the [Akeyless CLI](https://docs.akeyless.io/docs/cli): -```shell MySQL/MariaDB +```shell Cassandra akeyless target create db \ --name \ ---db-type mysql \ +--db-type cassandra \ --pwd \ --host \ --port \ ---user-name \ ---db-name \ ---ssl[=true] \ ---enable-mtls[=true] \ ---client-certificate \ ---client-private-key +--user-name ``` -```shell PostgreSQL +```shell MSSQL akeyless target create db \ --name \ ---db-type postgres \ +--db-type mssql \ +--user-name \ --pwd \ --host \ --port \ ---user-name \ ---db-name \ ---ssl[=true] \ ---enable-mtls[=true] \ ---client-certificate \ ---client-private-key +--db-name ``` -```shell MSSQL +```shell MongoDB akeyless target create db \ --name \ ---db-type mssql \ ---user-name \ +--db-type mongodb \ +--db-name \ --pwd \ --host \ --port \ ---db-name +--user-name ``` -```shell Redshift +```shell MongoDB Atlas akeyless target create db \ --name \ ---db-type redshift \ +--db-type mongodb \ +--mongodb-atlas true \ +--db-name \ +--mongodb-atlas-project-id \ +--mongodb-atlas-api-public-key \ +--mongodb-atlas-api-private-key +``` +```shell MySQL (and MariaDB) +akeyless target create db \ +--name \ +--db-type mysql \ --pwd \ --host \ --port \ --user-name \ ---db-name +--db-name \ +--ssl[=true] \ +--enable-mtls[=true] \ +--client-certificate \ +--client-private-key ``` ```shell Oracle akeyless target create db \ 
@@ -106,25 +111,36 @@ akeyless target create db \ --user-name \ --oracle-service-name ``` -```shell MongoDB +```shell PostgreSQL akeyless target create db \ --name \ ---db-type mongodb \ +--db-type postgres \ +--pwd \ +--host \ +--port \ +--user-name \ --db-name \ +--ssl[=true] \ +--enable-mtls[=true] \ +--client-certificate \ +--client-private-key +``` +```shell Redshift +akeyless target create db \ +--name \ +--db-type redshift \ --pwd \ --host \ --port \ ---user-name +--user-name \ +--db-name ``` -```shell MongoDB Atlas +```shell Redis akeyless target create db \ --name \ ---db-type mongodb \ ---mongodb-atlas true \ ---db-name \ ---mongodb-atlas-project-id \ ---mongodb-atlas-api-public-key \ ---mongodb-atlas-api-private-key +--db-type redis \ +--pwd \ +--user-name ``` ```shell Snowflake akeyless target create db \ @@ -137,15 +153,6 @@ akeyless target create db \ --db-name \ --snowflake-account ``` -```shell Cassandra -akeyless target create db \ ---name \ ---db-type cassandra \ ---pwd \ ---host \ ---port \ ---user-name -``` ```shell SAP HANA database akeyless target create db \ --name \ @@ -156,19 +163,12 @@ akeyless target create db \ --user-name \ --db-name ``` -```shell Redis -akeyless target create db \ ---name \ ---db-type redis \ ---pwd \ ---user-name -``` ## Create a Database Target in the Console -### MySQL +### Cassandra -Log in to the Akeyless Console, and go to **Targets > New > Database (MySQL)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (Cassandra)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. 
@@ -177,116 +177,127 @@ For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-kno **DB Username:** Privilege database user name with sufficient rights to create users. -**DB Password:** Password of the database privilege user name. - **DB Hostname:** Target database hostname or IP address. -**DB Port:** Target database port. - -**DB Name:** Target database name. - -**SSL:** Check to enable SSL. - -**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. - -**mTLS:** Enable mTLS to present a client certificate and key during authentication. - -**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. - -**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. +**DB Password:** Password of the database privilege user name. -**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. +**DB Port:** Target database port. -**DB Server Name:** The server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address +**SSL:** Check to enable SSL, requires SSL certificate. Click **Finish**. -### PostgreSQL +### Microsoft SQL Server (MSSQL) -Log in to the Akeyless Console, and go to **Targets > New > Database (PostgreSQL)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (MSSQL)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. 
For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -**DB Username:** Privilege database user name with sufficient rights to create users. +Choose the desired mode of authenticating either **Use Credentials**, **Use Cloud Identity**, or **Target** to use a domain credentials from an existing [LDAP Target](https://docs.akeyless.io/docs/ldap-target) -**DB Hostname:** Target database hostname or IP address. +**DB Username:** Privilege database username with sufficient rights to create users. +(Relevant only when using **Credentials** authenticating) -**DB Password:** Password of the database privilege user name. +**DB Password:** Password of the database privilege username. +(Relevant only when using **Credentials** authenticating) + +**DB Hostname:** Target database hostname or IP address. **DB Port:** Target database port. **DB Name:** Target database name. -**SSL:** Check to enable SSL. - -**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. - -**mTLS:** Enable mTLS to present a client certificate and key during authentication. +**Cluster Mode** Set when working with Cluster. -**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. +**Client ID (Application ID):** Azure Client ID. (Relevant only when using **Cloud Identity** authenticating) -**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. +**Tenant ID:** Azure Tenant ID. (Relevant only when using **Cloud Identity** authenticating) -**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. +**Client Secret:** Azure Client Secret. (Relevant only when using **Cloud Identity** authenticating) Click **Finish**. -### MSSQL +### MongoDB -Log in to the Akeyless Console, and go to **Targets > New > Database (MSSQL)**. 
+Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Choose the desired mode of authenticating either **Use Credentials**, **Use Cloud Identity**, or **Target** to use a domain credentials from an existing [LDAP Target](https://docs.akeyless.io/docs/ldap-target) +Select **MongoDB** radio button. -**DB Username:** Privilege database username with sufficient rights to create users. -(Relevant only when using **Credentials** authenticating) +**DB Name:** Target database name. -**DB Password:** Password of the database privilege username. -(Relevant only when using **Credentials** authenticating) +**Username:** Privilege database user name with sufficient rights to create users. -**DB Hostname:** Target database hostname or IP address. +**Password:** Password of the database privilege user name. -**DB Port:** Target database port. +**Host and Port:** Target database hostname or IP address with port. -**DB Name:** Target database name. +**Default Authentication DB:** MongoDB default authentication database. -**Cluster Mode** Set when working with Cluster. +**Options:** URI options (for example, `replicaSet=mySet&authSource=authDB`) -**Client ID (Application ID):** Azure Client ID. (Relevant only when using **Cloud Identity** authenticating) +Click **Finish**. -**Tenant ID:** Azure Tenant ID. (Relevant only when using **Cloud Identity** authenticating) +### MongoDB Atlas -**Client Secret:** Azure Client Secret. 
(Relevant only when using **Cloud Identity** authenticating) +Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. + +**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. +For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +Select **MongoDB Atlas** radio button. + +**DB Name:** Users DB name, the default should be `admin` + +**Project ID:** MongoDB Atlas project ID. + +**API public key:** MongoDB Atlas public key. + +**API private key:** MongoDB Atlas private key. Click **Finish**. -### Redshift +### MySQL (and MariaDB) -Log in to the Akeyless Console, and go to **Targets > New > Database (Redshift)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (MySQL)**. -**Name:** A unique name for the target. The name can include the path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. +**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). **DB Username:** Privilege database user name with sufficient rights to create users. -**DB Hostname:** Target database hostname or IP address. - **DB Password:** Password of the database privilege user name. +**DB Hostname:** Target database hostname or IP address. 
+ **DB Port:** Target database port. **DB Name:** Target database name. -**SSL:** Check to enable SSL, requires SSL certificate. +**SSL:** Check to enable SSL. + +**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. + +**mTLS:** Enable mTLS to present a client certificate and key during authentication. + +**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. + +**Client Private Key:** Client private key in Base64 format. Relevant only when **mTLS** is enabled. + +**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. + +**DB Server Name:** The server name is used to verify the hostname on the returned certificates unless InsecureSkipVerify is provided. It is also included in the client's handshake to support virtual hosting unless it is an IP address Click **Finish**. 
@@ -339,49 +350,80 @@ Click **Finish**. > > To use your Wallet with login type of Password ensure to add the relevant username to your wallet using the following format: `mkstore -wrl ~/mywallet2 -createCredential "(HOST=)(PORT=1521)(SERVICE_NAME=)" ` -### MongoDB +### PostgreSQL -Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (PostgreSQL)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Select **MongoDB** radio button. +**DB Username:** Privilege database user name with sufficient rights to create users. + +**DB Hostname:** Target database hostname or IP address. + +**DB Password:** Password of the database privilege user name. + +**DB Port:** Target database port. **DB Name:** Target database name. -**Username:** Privilege database user name with sufficient rights to create users. +**SSL:** Check to enable SSL. -**Password:** Password of the database privilege user name. +**DB Server Certificate:** Optional. Set of root certificate authorities in Base64 encoding used by clients to verify server certificates. -**Host and Port:** Target database hostname or IP address with port. +**mTLS:** Enable mTLS to present a client certificate and key during authentication. -**Default Authentication DB:** MongoDB default authentication database. +**Client Certificate:** Client certificate in Base64 format. Relevant only when **mTLS** is enabled. -**Options:** URI options (for example, `replicaSet=mySet&authSource=authDB`) +**Client Private Key:** Client private key in Base64 format. 
Relevant only when **mTLS** is enabled. + +**Client Private Key Passphrase:** Optional passphrase for the client private key. Relevant only when **mTLS** is enabled. Click **Finish**. -### MongoDB Atlas +### Amazon Redshift -Log in to the Akeyless Console, and go to **Targets > New > Database (MongoDB)**. +Log in to the Akeyless Console, and go to **Targets > New > Database (Redshift)**. + +**Name:** A unique name for the target. The name can include the path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. +For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +**DB Username:** Privilege database user name with sufficient rights to create users. + +**DB Hostname:** Target database hostname or IP address. + +**DB Password:** Password of the database privilege user name. + +**DB Port:** Target database port. + +**DB Name:** Target database name. + +**SSL:** Check to enable SSL, requires SSL certificate. + +Click **Finish**. + +### Redis + +Log in to the Akeyless Console, and go to **Targets > New > Database (Redis)**. **Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). -Select **MongoDB Atlas** radio button. +**DB Username:** Privilege database user name with sufficient rights to create users. -**DB Name:** Users DB name, the default should be `admin` +**DB Password:** Password of the database privilege user name. 
-**Project ID:** MongoDB Atlas project ID. +**DB Hostname:** Target database hostname or IP address. -**API public key:** MongoDB Atlas public key. +**DB Port:** Target database port. -**API private key:** MongoDB Atlas private key. +**SSL:** To enable SSL, requires an SSL certificate. Click **Finish**. @@ -415,27 +457,6 @@ Note: You can find this string in your Snowflake URL. Click **Finish**. -### Cassandra - -Log in to the Akeyless Console, and go to **Targets > New > Database (Cassandra)**. - -**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. - -Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. -For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). - -**DB Username:** Privilege database user name with sufficient rights to create users. - -**DB Hostname:** Target database hostname or IP address. - -**DB Password:** Password of the database privilege user name. - -**DB Port:** Target database port. - -**SSL:** Check to enable SSL, requires SSL certificate. - -Click **Finish**. - ### SAP HANA database Log in to the Akeyless Console, and go to **Targets > New > Database (SAP HanaDB)**. 
@@ -459,27 +480,6 @@ For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-kno Click **Finish**. -### Redis - -Log in to the Akeyless Console, and go to **Targets > New > Database (Redis)**. - -**Name:** A unique name for the target. The name can include the path to the virtual folder in which you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. - -Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. -For more information, [read here](https://docs.akeyless.io/docs/gateway-zero-knowledge). - -**DB Username:** Privilege database user name with sufficient rights to create users. - -**DB Password:** Password of the database privilege user name. - -**DB Hostname:** Target database hostname or IP address. - -**DB Port:** Target database port. - -**SSL:** To enable SSL, requires an SSL certificate. - -Click **Finish**. - ## Tutorial Check out our tutorial video on [Creating and Configuring MySQL Targets](https://tutorials.akeyless.io/docs/creating-targets). diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index 95b888d6e..993000311 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md 
@@ -22,14 +22,74 @@ Using targets has three primary advantages: * Don't break the credential chain: Targets can also be used to sync encryption keys with an external KMS, or to define a Target to be used with our [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) to manage and automate your privilege account credentials rotation. This allows every item referencing the target to be up to date on the necessary information and to stay usable even after rotations are done. -## Common Target Families +## Target Types -If you are looking for a specific target type, start with the family that matches your endpoint: +### Database -* [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. -* Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. -* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and [Cloudflare Target](https://docs.akeyless.io/docs/cloudflare-target) for DNS-01 validation with public Certificate Authority (CA) targets. -* [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. 
+* [Cassandra](https://docs.akeyless.io/docs/database-targets#cassandra) +* [Microsoft SQL Server (MSSQL)](https://docs.akeyless.io/docs/database-targets#microsoft-sql-server-mssql) +* [MongoDB](https://docs.akeyless.io/docs/database-targets#mongodb) +* [MySQL](https://docs.akeyless.io/docs/database-targets#mysql-and-mariadb) +* [Oracle](https://docs.akeyless.io/docs/database-targets#oracle) +* [PostgreSQL](https://docs.akeyless.io/docs/database-targets#postgresql) +* [Redis](https://docs.akeyless.io/docs/database-targets#redis) +* [Redshift](https://docs.akeyless.io/docs/database-targets#amazon-redshift) +* [SAP HANA database](https://docs.akeyless.io/docs/database-targets#sap-hana-database) +* [Snowflake](https://docs.akeyless.io/docs/database-targets#snowflake) + +### Cloud + +* [AWS](https://docs.akeyless.io/docs/aws-targets) +* [Azure AD](https://docs.akeyless.io/docs/azure-targets) +* [Cloudflare](https://docs.akeyless.io/docs/cloudflare-target) +* [GCP](https://docs.akeyless.io/docs/gcp-targets) +* [Salesforce](https://docs.akeyless.io/docs/salesforce-target) + +### AI + +* [Gemini](https://docs.akeyless.io/docs/gemini-target) +* [OpenAI](https://docs.akeyless.io/docs/openai-target) + +### Kubernetes + +* [EKS](https://docs.akeyless.io/docs/kubernetes-targets) +* [GKE](https://docs.akeyless.io/docs/kubernetes-targets) +* [Generic](https://docs.akeyless.io/docs/kubernetes-targets) + +### Operating System + +* [SSH](https://docs.akeyless.io/docs/ssh-target) +* [Windows](https://docs.akeyless.io/docs/windows-target) + +### Certificate Automation + +* [DigiCert](https://docs.akeyless.io/docs/digicert-target) +* [GlobalSign](https://docs.akeyless.io/docs/globalsign-target) +* [GlobalSign Atlas](https://docs.akeyless.io/docs/globalsign-atlas) +* [GoDaddy](https://docs.akeyless.io/docs/godaddy-target) +* [Google CA](https://docs.akeyless.io/docs/google-ca-target) +* [Let's Encrypt](https://docs.akeyless.io/docs/lets-encrypt) +* 
[Sectigo](https://docs.akeyless.io/docs/sectigo-target) +* [Venafi](https://docs.akeyless.io/docs/venafi-target) +* [ZeroSSL](https://docs.akeyless.io/docs/zerossl-target) + +### Infrastructure + +* [Artifactory](https://docs.akeyless.io/docs/artifactory-targets) +* [Chef Infra](https://docs.akeyless.io/docs/chef-infra-targets) +* [Docker Hub](https://docs.akeyless.io/docs/docker-hub-target) +* [GitHub](https://docs.akeyless.io/docs/github-target) +* [GitLab](https://docs.akeyless.io/docs/gitlab-target) +* [Splunk](https://docs.akeyless.io/docs/splunk-target) + +### Other + +* [Custom](https://docs.akeyless.io/docs/web-targets) +* [HashiCorp Vault](https://docs.akeyless.io/docs/hashicorp-vault-target) +* [LDAP](https://docs.akeyless.io/docs/ldap-target) +* [Linked](https://docs.akeyless.io/docs/linked-target) +* [Ping](https://docs.akeyless.io/docs/ping-target) +* [RabbitMQ](https://docs.akeyless.io/docs/rabbitmq-targets) ## Delete protection for targets From bb8133caf6939e32b70c827b47639cb86ce4ea03 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 08:34:31 -0600 Subject: [PATCH 24/24] docs: address CodeRabbit review nits --- docs/Advanced Functionality/event-center/index.md | 2 +- .../configure-gateway/gateway-automatic-migration.md | 2 +- docs/Integrations & Plugins/cli-reference/cli-ref-targets.md | 4 ++-- .../cli-reference-automatic-migration.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 4ac2ea6a2..98c826174 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -102,7 +102,7 @@ Use the following event types to monitor KMIP certificate lifecycle: * `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway. * `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway. -To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). +To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center#event-forwarders). ## Event Forwarders diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md index fed8c766c..88e2dc66e 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md @@ -47,7 +47,7 @@ Automatic migration configuration usually includes: ## HashiCorp Vault Metadata Preservation Mode -When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. +When migrating from HashiCorp Vault, Akeyless supports Key/Value (KV) v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged. diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index f0974126d..5ac678ebc 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md 
@@ -202,7 +202,7 @@ akeyless target create cloudflare \
 `--api-token`: **Required**, Cloudflare API token
-`--account-id`: Cloudflare account ID
+`--account-id`: Optional. Cloudflare account ID
 `-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used
@@ -1482,7 +1482,7 @@ akeyless target update cloudflare \
 `--api-token`: Cloudflare API token
-`--account-id`: Cloudflare account ID
+`--account-id`: Optional. Cloudflare account ID
 `-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used
diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
index a0309f3b9..58eb05260 100644
--- a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
+++ b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md
@@ -277,7 +277,7 @@ akeyless gateway-update-migration \
 `--hashi-json='true'`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration)
-`--hashi-metadata-mode`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details.
+`--hashi-metadata-mode[=full]`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details.
 `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]` (relevant only for AWS migration)
