From 3926108099f9a359a435c913540aa167270ace66 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 09:44:50 -0600 Subject: [PATCH 01/22] DOCS-691: document 4.51.0 and 1.144.0 release updates --- .../cli-reference-universal-identity.md | 20 +++++++++++++ .../cli-reference/cli-ref-targets.md | 10 +++++-- .../cli-reference-rotated-secrets.md | 12 ++++++++ .../targets/digicert-target.md | 21 ++++++++++++-- .../targets/google-ca-target.md | 21 ++++++++++++-- .../targets/lets-encrypt.md | 28 +++++++++++++------ 6 files changed, 96 insertions(+), 16 deletions(-) diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index 9efe7c3e7..207541490 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md @@ -98,6 +98,26 @@ List the token children ids of Akeyless Universal Identity akeyless uid-list-children --auth-method-name ``` +## `uid-auto-rotate` + +Configure automatic UID token rotation + +### Usage + +```shell +akeyless uid-auto-rotate \ +--auth-method-name \ +--uid-token +``` + +### Flags + +`-n, --auth-method-name`: Universal Identity auth method name + +`-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable + +`--install-cron-d`: Install or update a `cron.d` entry for automatic rotation (Linux) + ## `uid-revoke-token` Revoke token using Akeyless Universal Identity diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index 2965a118c..6e4ad29c4 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md 
@@ -725,6 +725,7 @@ akeyless target create lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ @@ -742,7 +743,9 @@ akeyless target create lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS @@ -2007,6 +2010,7 @@ akeyless target update lets-encrypt \ --acme-challenge[=http] \ --email \ --dns-target-creds \ +--dns-zone \ --hosted-zone \ --resource-group \ --gcp-project \ @@ -2026,7 +2030,9 @@ akeyless target update lets-encrypt \ `-e, --email`: **Required**, Email address for ACME account registration -`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`]). Relevant only when `--acme-challenge=dns` +`--dns-target-creds`: Name of an existing cloud target that holds DNS provider credentials (supported: [`AWS`/`Azure`/`GCP`/`Cloudflare`]). Relevant only when `--acme-challenge=dns` + +`--dns-zone`: **Cloudflare DNS zone** name. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is Cloudflare `--hosted-zone`: **Amazon Route 53** hosted zone identifier. Relevant only when `--acme-challenge`=`dns` and the DNS credentials target is AWS 
diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md index c69e99ccf..50ef9ab48 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md @@ -166,6 +166,10 @@ akeyless rotated-secret create azure \ `--resource-name`: The name of the Storage Account (only relevant when `explicitly-set-sa`=`true`) +`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + `--secure-access-disable-concurrent-connections[=false]`: Enable this flag to prevent simultaneous use of the same secret `-u, --gateway-url[=http://localhost:8000]`: API Gateway URL (Configuration Management port) @@ -384,6 +388,8 @@ akeyless rotated-secret create gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation 
@@ -1320,6 +1326,10 @@ akeyless rotated-secret update azure \ `--storage-account-key-name`: The name of the Storage Account key to rotate [`key1`/`key2`/`kerb1`/`kerb2`] (relevant to `azure-storage-account`) +`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation @@ -1544,6 +1554,8 @@ akeyless rotated-secret update gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) +`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) + `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index afc8caf79..ff7b3f7df 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -52,6 +52,17 @@ akeyless target create digicert \ --dns-target-creds \ --resource-group ``` +```shell +akeyless target create digicert \ +--name \ +--digicert-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: 
@@ -67,7 +78,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. @@ -94,9 +107,9 @@ Where: * **Email**: Email address used to register the ACME account. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). @@ -104,6 +117,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. 
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index fa8dd6ad1..6a8653653 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md @@ -52,6 +52,17 @@ akeyless target create google-trust \ --dns-target-creds \ --resource-group ``` +```shell +akeyless target create google-trust \ +--name \ +--google-trust-url \ +--email \ +--eab-key-id \ +--eab-hmac-key \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` Where: @@ -67,7 +78,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -98,9 +111,9 @@ Where: * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). @@ -108,6 +121,8 @@ Where: * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). 1. Click Finish. diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index e9d7db1b5..498c3857d 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md @@ -59,6 +59,14 @@ akeyless target create lets-encrypt \ akeyless target create lets-encrypt \ --name \ --email \ +--acme-challenge dns \ +--dns-target-creds \ +--dns-zone +``` +```shell +akeyless target create lets-encrypt \ +--name \ +--email \ --acme-challenge http ``` 
@@ -72,7 +80,9 @@ Where: * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. -* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, and GCP. +* `dns-target-creds`: Use this when `--acme-challenge=dns`. This is required for DNS validation. Supported target types are AWS, Azure, GCP, and Cloudflare. + +* `dns-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to a Cloudflare target. * `hosted-zone`: Use this when `--acme-challenge=dns` and `--dns-target-creds` points to an AWS target. This identifies the Route 53 hosted zone. 
@@ -101,18 +111,20 @@ Where: * **Challenge Type**: Either **HTTP** or **DNS**. - * **DNS Provider**: Either **AWS**, **GCP**, or **Azure** (relevant only if **Challenge Type** is **DNS**). +* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + +* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). - * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). +* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). +* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). - * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). - * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). +* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. - * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. +* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. - * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). +* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). -5. Click Finish. +1. Click Finish. ## DNS Provider Permissions for DNS-01 From d41f8c1452ba7a64a3fcffbfce036156e89ebd03 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 09:51:08 -0600 Subject: [PATCH 02/22] docs: update fenced code block labels for Cloudflare DNS and HTTP --- .github/markdownlint/fence-tabs.txt | 2 ++ docs/Secrets Management/targets/digicert-target.md | 2 +- docs/Secrets Management/targets/lets-encrypt.md | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/markdownlint/fence-tabs.txt b/.github/markdownlint/fence-tabs.txt index 97974d684..96974cb86 100644 --- a/.github/markdownlint/fence-tabs.txt +++ b/.github/markdownlint/fence-tabs.txt @@ -67,10 +67,12 @@ dnf DNS with AWS DNS with Azure DNS with GCP +DNS with Cloudflare Docker Docker Hub Target docker-compose.yml Dynamic +HTTP Dynamic Group Dynamic Mode Dynamic Secret diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index ff7b3f7df..c23d40462 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -52,7 +52,7 @@ akeyless target create digicert \ --dns-target-creds \ --resource-group ``` -```shell +```shell DNS with Cloudflare akeyless target create digicert \ --name \ --digicert-url \ diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md index 498c3857d..09262f988 100644 --- a/docs/Secrets Management/targets/lets-encrypt.md +++ b/docs/Secrets Management/targets/lets-encrypt.md @@ -55,7 +55,7 @@ akeyless target create lets-encrypt \ --dns-target-creds \ --resource-group ``` -```shell +```shell DNS with Cloudflare akeyless target create lets-encrypt \ --name \ --email \ @@ -63,7 +63,7 @@ akeyless target create lets-encrypt \ --dns-target-creds \ --dns-zone ``` -```shell +```shell HTTP akeyless target create lets-encrypt \ --name \ --email \ From f91b668514fd2772b1b40c4fe450e82e5506a043 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:14:09 -0600 Subject: [PATCH 03/22] docs: enhance KMIP certificate expiry documentation and add Cloudflare target details --- .../audit-logs/log-actions.md | 9 +++ .../event-center/index.md | 13 ++++- docs/Encryption & KMS/kmip-server/index.md | 13 +++++ docs/Secrets Management/targets/_order.yaml | 1 + .../targets/cloudflare-target.md | 57 +++++++++++++++++++ 5 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 docs/Secrets Management/targets/cloudflare-target.md diff --git a/docs/Advanced Functionality/audit-logs/log-actions.md b/docs/Advanced Functionality/audit-logs/log-actions.md index f26679383..316017589 100644 --- a/docs/Advanced Functionality/audit-logs/log-actions.md +++ b/docs/Advanced Functionality/audit-logs/log-actions.md @@ -165,3 +165,12 @@ This page includes a thorough comb through all of the different options for the * `update_object_version_settings_for_account`: Update account settings for objects * `impersonation`: Impersonate another user in your Akeyless account + +## KMIP Certificate Expiry Observability + +KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically: + +* `certificate-pending-expiration` +* `certificate-expired` + +For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation. diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 68dc49743..08d1dfd9f 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -37,7 +37,7 @@ The following Events are currently supported: For `items-event-source-locations`: -* `certificate-pending-expiration`: When a certificate is about to expire, the users sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. +* `certificate-pending-expiration`: When a certificate is about to expire, the user sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item. * `certificate-expired`: When a certificate is expired. @@ -67,6 +67,17 @@ For `items-event-source-locations`: * `apply-justification`: When the user provides a connection justification as part of the Secure Remote Access session. +### KMIP Certificate Expiry Coverage + +Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. + +Use the following event types to monitor KMIP certificate lifecycle: + +* `certificate-pending-expiration` +* `certificate-expired` + +To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). + For `auth-methods-event-source-locations`: * `uid-rotation-failure`: On [Universal Identity](https://docs.akeyless.io/docs/auth-with-universal-identity) rotation failure, to track the automatic rotation. diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index a03fcc24c..06ebc9d55 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md 
@@ -18,6 +18,19 @@ The [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) built-in Cryptographic objects managed by the Akeyless KMIP server are stored under the `/kmip/default/` path, hence your [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) authentication method must have sufficient privileges, including `create`, `list`, `delete` and `read` rules, under the `/kmip/default/*` path. This path can be changed during the KMIP server setup. +## KMIP Certificate Expiry Events + +KMIP server and KMIP client certificates are time-bound objects. To reduce renewal failures and service interruptions, monitor certificate expiration events in the [Event Center](https://docs.akeyless.io/docs/event-center). + +For KMIP certificate observability, use the following event types: + +* `certificate-pending-expiration`: Triggered before certificate expiration based on configured lead time. +* `certificate-expired`: Triggered when a certificate has expired. + +To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). + +For audit action taxonomy, see [Log Actions](https://docs.akeyless.io/docs/log-actions). + > ℹ️ **Note:** > > Only users from your Gateway admins list can configure the KMIP server. diff --git a/docs/Secrets Management/targets/_order.yaml b/docs/Secrets Management/targets/_order.yaml index f8078376b..ce71c1ece 100644 --- a/docs/Secrets Management/targets/_order.yaml +++ b/docs/Secrets Management/targets/_order.yaml @@ -2,6 +2,7 @@ - aws-targets - azure-targets - chef-infra-targets +- cloudflare-target - database-targets - digicert-target - docker-hub-target diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md new file mode 100644 index 000000000..7b82aa7eb --- /dev/null +++ b/docs/Secrets Management/targets/cloudflare-target.md 
@@ -0,0 +1,57 @@ +--- +title: Cloudflare and Akeyless Targets +excerpt: '' +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +Cloudflare in Akeyless is used as a DNS provider in certificate automation flows that rely on ACME DNS validation. + +Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public CA targets. + +## How Cloudflare Fits in Akeyless + +Cloudflare is part of the certificate lifecycle path, not a standalone Public CA in Akeyless. + +Use Cloudflare with the following target types: + +* [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt) +* [DigiCert Target](https://docs.akeyless.io/docs/digicert-target) +* [Google CA Target](https://docs.akeyless.io/docs/google-ca-target) + +In these flows: + +1. The Public CA target handles ACME issuance. +2. The Cloudflare credentials target handles DNS TXT record updates for DNS-01 validation. +3. The PKI Issuer issues and stores certificates through Akeyless. + +## Cloudflare Parameters in ACME Target Flows + +When using DNS challenge with Cloudflare, configure: + +* `dns-target-creds`: The target that stores Cloudflare credentials. +* `dns-zone`: The Cloudflare DNS zone used for DNS-01 records. + +For parameter-level details, see [CLI Reference - Akeyless Targets](https://docs.akeyless.io/docs/cli-ref-targets). + +## Related Akeyless Capabilities + +Cloudflare-connected certificate automation works together with: + +* [PKI Issuers and Certificate Issuance](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) +* [Certificate Storage](https://docs.akeyless.io/docs/certificate-storage) +* [Event Center](https://docs.akeyless.io/docs/event-center) for pending expiration and expired certificate events +* [Gateway](https://docs.akeyless.io/docs/gateway-overview) when required by target and forwarding architecture + +## Suggested Implementation Flow + +1. 
Create or identify your Cloudflare credentials target. +2. Create a Public CA target (Let's Encrypt, DigiCert, or Google CA) with `acme-challenge=dns`. +3. Set `dns-target-creds` to the Cloudflare target and set `dns-zone`. +4. Create or update your PKI Issuer to use that Public CA target. +5. Configure certificate expiration notifications in Event Center forwarders. From 02bed3d738d4aca2cb8f2550ecc0d83a6955d97d Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:23:31 -0600 Subject: [PATCH 04/22] docs: update KMIP certificate event types in multiple documents for consistency --- .../audit-logs/log-actions.md | 4 ++-- .../event-center/index.md | 4 ++-- docs/Encryption & KMS/kmip-server/index.md | 4 ++-- .../cli-reference-universal-identity.md | 22 ++++++++++++++----- .../cli-reference-rotated-secrets.md | 12 ---------- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/Advanced Functionality/audit-logs/log-actions.md b/docs/Advanced Functionality/audit-logs/log-actions.md index 316017589..663c36900 100644 --- a/docs/Advanced Functionality/audit-logs/log-actions.md +++ b/docs/Advanced Functionality/audit-logs/log-actions.md @@ -170,7 +170,7 @@ This page includes a thorough comb through all of the different options for the KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically: -* `certificate-pending-expiration` -* `certificate-expired` +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation. diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 08d1dfd9f..9f73411e4 100644 --- a/docs/Advanced Functionality/event-center/index.md 
+++ b/docs/Advanced Functionality/event-center/index.md @@ -73,8 +73,8 @@ Certificate expiration events also apply to certificates used by the [KMIP Serve Use the following event types to monitor KMIP certificate lifecycle: -* `certificate-pending-expiration` -* `certificate-expired` +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index 06ebc9d55..292521947 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md @@ -24,8 +24,8 @@ KMIP server and KMIP client certificates are time-bound objects. To reduce renew For KMIP certificate observability, use the following event types: -* `certificate-pending-expiration`: Triggered before certificate expiration based on configured lead time. -* `certificate-expired`: Triggered when a certificate has expired. +* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on configured lead time. +* `kmip-cert-expired`: Triggered when a certificate has expired. To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index 207541490..e296c4fde 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md 
@@ -105,18 +105,30 @@ Configure automatic UID token rotation ### Usage ```shell -akeyless uid-auto-rotate \ ---auth-method-name \ +akeyless uid-auto-rotate +``` + +Initialize automatic UID token rotation: + +```shell +akeyless uid-auto-rotate init \ +--rotation-interval <1|15|60|240|1440> \ --uid-token ``` ### Flags -`-n, --auth-method-name`: Universal Identity auth method name - `-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable -`--install-cron-d`: Install or update a `cron.d` entry for automatic rotation (Linux) +`--rotation-interval`: **Required**, rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440` + +`-i, --token-file-path`: Path to store the rotated UID token file + +`--gateway-api-url`: Gateway URL for rotation requests + +`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task` + +`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system` ## `uid-revoke-token` diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md index 50ef9ab48..c69e99ccf 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-rotated-secrets.md 
@@ -166,10 +166,6 @@ akeyless rotated-secret create azure \ `--resource-name`: The name of the Storage Account (only relevant when `explicitly-set-sa`=`true`) -`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - `--secure-access-disable-concurrent-connections[=false]`: Enable this flag to prevent simultaneous use of the same secret `-u, --gateway-url[=http://localhost:8000]`: API Gateway URL (Configuration Management port) @@ -388,8 +384,6 @@ akeyless rotated-secret create gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation @@ -1326,10 +1320,6 @@ akeyless rotated-secret update azure \ `--storage-account-key-name`: The name of the Storage Account key to rotate [`key1`/`key2`/`kerb1`/`kerb2`] (relevant to `azure-storage-account`) -`--activation-date`: Secret activation date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for Azure rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation 
@@ -1554,8 +1544,6 @@ akeyless rotated-secret update gcp \ `--gcp-service-account-key-id`: The key ID of the **GCP** service account to rotate (relevant only when `rotator-type`=`servcie-account-rotator`) -`--expiration-date`: Secret expiration date in `YYYY`-`MM`-`DD` format (relevant for GCP rotated secrets) - `-k, --key`: The name of a key that is used to encrypt the secret value (if empty, the account default **protection key** will be used) `--auto-rotate`: Whether to automatically rotate every `--rotation-interval` days, or disable existing automatic rotation From 74471fe046313281a44b9f107f2477c9d94320d7 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:30:25 -0600 Subject: [PATCH 05/22] docs: standardize formatting for DNS provider details across multiple target documents --- .../targets/digicert-target.md | 16 ++++++++-------- .../targets/google-ca-target.md | 18 +++++++++--------- .../Secrets Management/targets/lets-encrypt.md | 17 +++++++++-------- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index c23d40462..ff15c0291 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md 
@@ -107,18 +107,18 @@ Where: * **Email**: Email address used to register the ACME account. -* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). -* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). + * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). -* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). + * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). -* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). + * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). -* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. + * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. -* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). -1. Click Finish. +5. Click Finish. 
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md
index 6a8653653..d42c3223f 100644
--- a/docs/Secrets Management/targets/google-ca-target.md
+++ b/docs/Secrets Management/targets/google-ca-target.md
@@ -52,7 +52,7 @@ akeyless target create google-trust \
 --dns-target-creds \
 --resource-group
 ```
-```shell
+```shell DNS with Cloudflare
 akeyless target create google-trust \
 --name \
 --google-trust-url \
@@ -111,18 +111,18 @@ Where: * **EAB HMAC Key**: External Account Binding HMAC Key from Google CA Services. -* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). -* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). + * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). -* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). + * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). -* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). + * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). -* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. + * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. -* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). -1. Click Finish. +5. Click Finish. 
diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md
index 09262f988..80de2ea54 100644
--- a/docs/Secrets Management/targets/lets-encrypt.md
+++ b/docs/Secrets Management/targets/lets-encrypt.md
@@ -111,20 +111,21 @@ Where: * **Challenge Type**: Either **HTTP** or **DNS**. -* **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). + * **DNS Provider**: Either **AWS**, **GCP**, **Azure**, or **Cloudflare** (relevant only if **Challenge Type** is **DNS**). -* **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). + * **Target**: Select a target that contains the DNS provider credentials (relevant only if **Challenge Type** is **DNS**). -* **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). -* **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). + * **Hosted Zone**: [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) hosted zone identifier. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **AWS**). -* **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. + * **Resource Group**: Azure resource group name. (Relevant only if **Challenge Type** is **DNS** and **DNS Provider** is **Azure**). -* **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. + * **GCP Project**: GCP Cloud DNS project ID. Optional when **DNS Provider** is **GCP**. -* **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + * **DNS Zone**: Cloudflare DNS zone name. Relevant only when **DNS Provider** is **Cloudflare**. -1. Click Finish. + * **Timeout**: Challenge validation timeout in seconds. Default is 300 seconds (5 minutes). + +5. Click Finish. ## DNS Provider Permissions for DNS-01 
From b44236abb9c6653e33c255184441a2269c499320 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:32:22 -0600 Subject: [PATCH 06/22] docs: update title for Cloudflare target documentation to improve clarity --- docs/Secrets Management/targets/cloudflare-target.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md index 7b82aa7eb..49f471e4a 100644 --- a/docs/Secrets Management/targets/cloudflare-target.md +++ b/docs/Secrets Management/targets/cloudflare-target.md @@ -1,5 +1,5 @@ --- -title: Cloudflare and Akeyless Targets +title: Cloudflare Usage excerpt: '' deprecated: false hidden: false From 844aa6d6577e032359968862eb0e3f4d5ab54b1d Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:34:42 -0600 Subject: [PATCH 07/22] docs: correct typo in EAB HMAC key description for DigiCert target CLI instructions --- docs/Secrets Management/targets/digicert-target.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index ff15c0291..fa2673d8b 100644 --- a/docs/Secrets Management/targets/digicert-target.md +++ b/docs/Secrets Management/targets/digicert-target.md @@ -58,7 +58,7 @@ akeyless target create digicert \ --digicert-url \ --email \ --eab-key-id \ ---eab-hmac-key \ +--eab-hmac-key \ --acme-challenge dns \ --dns-target-creds \ --dns-zone From df20323b9978bd3e074f3ff4ed70085e5f7c9244 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:35:49 -0600 Subject: [PATCH 08/22] docs: standardize event type naming conventions in Event Center documentation --- docs/Advanced Functionality/event-center/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 9f73411e4..23cbc9c39 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md @@ -59,9 +59,9 @@ For `items-event-source-locations`: * `static-secret-updated`: When a [Static Secret](https://docs.akeyless.io/docs/static-secrets) is set to trigger events on value changes. -* `usage_unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval. +* `usage-unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval. -* `usage_unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval. +* `usage-unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval. * `request-access`: When a user requests access, either for privilege permission or for a Secure Remote Access session. **Note**: Relevant also for `targets-event-source-locations`. @@ -98,9 +98,9 @@ For `gateways-event-source-locations`: * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway. -* `gateway-certificate-about-to-expire`: When a Gateway certificate (Gateway Certificate Store) is about to expire. +* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire. -* `gateway-certificate-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. +* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. ## Event Forwarders From 9e806725a9bc4ff4b6f3490f2d9a00c6fe417cbb Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 10:40:59 -0600 Subject: [PATCH 09/22] docs: relocate KMIP certificate expiry coverage section to improve clarity and context --- .../event-center/index.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 23cbc9c39..8dd54a25e 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md @@ -67,17 +67,6 @@ For `items-event-source-locations`: * `apply-justification`: When the user provides a connection justification as part of the Secure Remote Access session. -### KMIP Certificate Expiry Coverage - -Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. - -Use the following event types to monitor KMIP certificate lifecycle: - -* `kmip-cert-pending-expiration` -* `kmip-cert-expired` - -To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). - For `auth-methods-event-source-locations`: * `uid-rotation-failure`: On [Universal Identity](https://docs.akeyless.io/docs/auth-with-universal-identity) rotation failure, to track the automatic rotation. 
@@ -102,6 +91,17 @@ For `gateways-event-source-locations`: * `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. +### KMIP Certificate Expiry Coverage + +Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. These events are emitted by the Gateway. + +Use the following event types to monitor KMIP certificate lifecycle: + +* `kmip-cert-pending-expiration` +* `kmip-cert-expired` + +To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). + ## Event Forwarders Event forwarders are tools you can configure through the Event Center to get notified on other platforms (For example, email) when a certain event type happens. For example, one might want to be notified every time a certain [Certificate](https://docs.akeyless.io/docs/certificate-storage) is about to expire or when a user requests to access an item you have in your Akeyless Platform. From de324818badb620d06927092823ff9a7a8f454ca Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 11 May 2026 12:26:30 -0600 Subject: [PATCH 10/22] docs: enhance clarity and detail in KMIP certificate event types and UID token rotation instructions --- docs/Encryption & KMS/kmip-server/index.md | 2 +- .../cli-reference-universal-identity.md | 66 ++++++++++++++++--- .../manage-your-secrets-overview.md | 22 ++++--- docs/Secrets Management/targets/index.md | 11 +++- 4 files changed, 83 insertions(+), 18 deletions(-) diff --git a/docs/Encryption & KMS/kmip-server/index.md b/docs/Encryption & KMS/kmip-server/index.md index 292521947..415eefa2d 100644 --- a/docs/Encryption & KMS/kmip-server/index.md +++ b/docs/Encryption & KMS/kmip-server/index.md 
@@ -24,7 +24,7 @@ KMIP server and KMIP client certificates are time-bound objects. To reduce renew For KMIP certificate observability, use the following event types: -* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on configured lead time. +* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on the certificate's configured expiration-notification window. Set that window when you create or update the certificate, then use [Event Forwarders](https://docs.akeyless.io/docs/event-center) to route the alert. * `kmip-cert-expired`: Triggered when a certificate has expired. To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md index e296c4fde..51fd05e71 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md @@ -108,7 +108,13 @@ Configure automatic UID token rotation akeyless uid-auto-rotate ``` -Initialize automatic UID token rotation: +The `init` subcommand initializes rotation and stores the token file. The `rotate`, `status`, and `uninstall` subcommands use the stored token file and the configured gateway URL. + +### `init` + +Initialize automatic UID token rotation. + +#### Usage ```shell akeyless uid-auto-rotate init \ 
@@ -116,19 +122,63 @@ akeyless uid-auto-rotate init \ --uid-token ``` -### Flags +#### Flags + +`-t, --uid-token`: Optional. Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable. + +`--rotation-interval`: **Required** for `init`. Rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440`. + +`-i, --token-file-path`: Optional. Path to store the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + +`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value. -`-t, --uid-token`: Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable +`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task`. + +`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system`. + +### `rotate` + +Rotate the current UID token on demand. + +#### Usage + +```shell +akeyless uid-auto-rotate rotate +``` -`--rotation-interval`: **Required**, rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440` +#### Flags -`-i, --token-file-path`: Path to store the rotated UID token file +`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. -`--gateway-api-url`: Gateway URL for rotation requests +`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value. + +### `status` + +Check the current UID auto-rotate setup. + +#### Usage + +```shell +akeyless uid-auto-rotate status +``` + +#### Flags + +`-i, --token-file-path`: Optional. Path to the rotated UID token file. 
If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. + +### `uninstall` + +Remove the UID auto-rotate setup and scheduled entry. + +#### Usage + +```shell +akeyless uid-auto-rotate uninstall +``` -`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task` +#### Flags -`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system` +`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows. ## `uid-revoke-token` diff --git a/docs/Secrets Management/manage-your-secrets-overview.md b/docs/Secrets Management/manage-your-secrets-overview.md index ab0c4e34f..730216373 100644 --- a/docs/Secrets Management/manage-your-secrets-overview.md +++ b/docs/Secrets Management/manage-your-secrets-overview.md 
@@ -10,18 +10,24 @@ metadata: next: description: '' --- -Akeyless enables you to work with the following secret types: +Akeyless supports several item types for storing, generating, protecting, and distributing sensitive data. -* **Static Secrets**: Key/value pairs that you create and update manually. The values usually remain the same for long periods. Typically, you use Static Secrets to protect passwords, API tokens, and personal identifiers (PII) or credit card numbers. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets). +## Secret Types -* **Dynamic Secrets**: Temporary credentials generated on-demand to provide a client with access to a resource for a limited period of time, with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). +Use these secret types to manage application and user credentials: -* **Rotated Secrets**: Passwords for privileged-user accounts that are periodically updated by resetting a password on a target machine. The Akeyless Platform stores the updated secret value to retrieve it when required. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets). +* **Static Secrets**: Key/value pairs that you create and update manually. Use them for values that change infrequently, such as passwords, API tokens, personal identifiers, or credit card numbers. Akeyless also provides dedicated [Password](https://docs.akeyless.io/docs/passwords) items for username, password, and website credentials. See [Static Secrets](https://docs.akeyless.io/docs/static-secrets). -In addition, Akeyless enables you to work with: +* **Dynamic Secrets**: Temporary credentials generated on demand for a limited time and with a limited set of permissions. See [Dynamic Secrets](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). 
-* **Targets**: Targets act as a connector between credentials and the items that need to use them, both saving time for the user and protecting your flows from credential breakage. For more detail, see [Targets](https://docs.akeyless.io/docs/targets). +* **Rotated Secrets**: Passwords for privileged accounts that Akeyless updates periodically by resetting the password on the target system. The platform stores the latest value so you can retrieve it when needed. See [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets). -* **Encryption Keys**: AES, RSA, or EC keys of various sizes. Use these keys to encrypt secrets or any other kind of data and also to sign binaries or application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview). +## Supporting Objects -* **Certificates**: Akeyless acts as a Certificate Authority for the internal environment. Supporting both types of [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates). +Akeyless also provides supporting objects that help you deliver secrets securely and consistently: + +* **Targets**: Targets connect credentials to the systems that consume them. This helps you reuse endpoint details across secrets and reduces the risk of credential drift. See [Targets](https://docs.akeyless.io/docs/targets). + +* **Encryption Keys**: AES, RSA, or EC keys that you can use to encrypt data or sign binaries and application transactions. See [Encryption Keys](https://docs.akeyless.io/docs/encryption-key-management-overview). + +* **Certificates**: Akeyless can act as a certificate authority for internal environments, supporting both [PKI/TLS Certificates](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) and [SSH certificates](https://docs.akeyless.io/docs/sra-ssh-certificates). 
diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index a3bca0d37..a25eebe02 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md @@ -10,7 +10,7 @@ metadata: next: description: '' --- -A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately. +A target is a reusable endpoint credential item for a database, cloud platform, or server. Targets help admins keep endpoint details organized so you can reuse them across secrets instead of entering the same information for each item. ![Illustration for: A Target is an endpoint for a secret such as a database, cloud platform, or server. Targets help admins keep their secrets and endpoints more organized. Instead of adding an endpoint to each secret separately.](https://files.readme.io/7481a59-Creates_Targets.png) 
@@ -22,6 +22,15 @@ Using targets has three primary advantages: * Don't break the credential chain: Targets can also be used to sync encryption keys with an external KMS, or to define a Target to be used with our [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) to manage and automate your privilege account credentials rotation. This allows every item referencing the target to be up to date on the necessary information and to stay usable even after rotations are done. +## Common Target Families + +If you are looking for a specific target type, start with the family that matches your endpoint: + +* [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. +* Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. +* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public CA. +* [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. + ## Delete protection for targets Targets support delete protection to reduce accidental deletion risk. From 40cf233b143013649aa7d5cae58486d9b75d9a51 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:39:34 -0600 Subject: [PATCH 11/22] docs: enhance security guidance and add HashiCorp Vault metadata preservation details in migration documentation --- .../gateway-automatic-migration.md | 33 +++++++++++++++---- .../cli-reference-automatic-migration.md | 4 +++ 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md index 03adac5c8..65232339e 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md @@ -29,6 +29,12 @@ Before running migration workflows: * Validate network connectivity from Gateway to source systems and Akeyless services. * Prepare destination paths and required encryption settings. +## Security Guidance + +* Use least-privilege credentials for source access. +* Avoid broad admin permissions when migration-specific permissions are sufficient. +* Rotate temporary migration credentials after the migration window closes. + ## Configuration Scope Automatic migration configuration usually includes: 
@@ -36,8 +42,29 @@ Automatic migration configuration usually includes: * Source system connection parameters. * Authentication credentials or identity settings. * Migration mode and target path strategy. +* [HashiCorp Vault metadata preservation mode](#hashicorp-vault-metadata-preservation-mode) (`full`, `minimal`, or `none`) when configuring HashiCorp Vault migrations. * Conflict handling behavior for existing items. +## HashiCorp Vault Metadata Preservation Mode + +When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. + +If the flag is omitted, the mode defaults to `full`. + +| Mode | What is migrated | +| --- | --- | +| `full` | The complete KV v2 metadata block, trimmed to only the secret versions being imported. | +| `minimal` | Only the [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata) field from the KV v2 metadata block. All other metadata fields are discarded. | +| `none` | No metadata. Only the secret values are migrated. | + +### When to choose each mode + +* Use `full` when you need to preserve as much Vault context as possible, for example, when keeping version history alignment or retaining all metadata fields for auditing. +* Use `minimal` when only your own custom key–value annotations (stored in [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata)) are needed in Akeyless and you want to reduce migration payload size. +* Use `none` when metadata is not relevant to your use case and you want the smallest possible migration footprint. + +Set the mode with the `--hashi-metadata-mode` flag on `gateway-create-migration` or `gateway-update-migration`. For full flag reference, see the [Automatic Migration CLI Reference](https://docs.akeyless.io/docs/cli-reference-automatic-migration). 
+ ## Operational Guidance Use a phased rollout: @@ -47,12 +74,6 @@ Use a phased rollout: 3. Expand migration scope after successful validation. 4. Monitor Gateway logs during migration and remediation. -## Security Guidance - -* Use least-privilege credentials for source access. -* Avoid broad admin permissions when migration-specific permissions are sufficient. -* Rotate temporary migration credentials after the migration window closes. - ## CLI Reference For command-level usage and flags, use the Automatic Migration CLI reference: diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md index 63b86e79e..a0309f3b9 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-gateway/cli-reference-automatic-migration.md @@ -52,6 +52,8 @@ akeyless gateway-create-migration \ `--hashi-json=[true]`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration) +`--hashi-metadata-mode[=full]`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details. + `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:AWSregion:AWSAccountId:Secret:/path/to/secrets/*` (relevant only for AWS migration) `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration) 
@@ -275,6 +277,8 @@ akeyless gateway-update-migration \ `--hashi-json='true'`: Import secret key as JSON value or independent secrets (relevant only for HashiCorp Vault migration) +`--hashi-metadata-mode`: Controls how much HashiCorp Vault KV v2 metadata is migrated with each secret value. Supported values: `full`, `minimal`, `none` (relevant only for HashiCorp Vault migration). See [HashiCorp Vault Metadata Preservation Mode](https://docs.akeyless.io/docs/gateway-automatic-migration#hashicorp-vault-metadata-preservation-mode) for details. + `-I, --aws-key-id`: AWS Access Key ID with sufficient permissions to get all secrets, for example, `arn:aws:secretsmanager:[Region]:[AccountId]:secret:[/path/to/secrets/*]` (relevant only for AWS migration) `-K, --aws-key`: AWS Secret Access Key (relevant only for AWS migration) From 2e4eb0079af3f21fe2bf836a9bced32d4e911251 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:39:39 -0600 Subject: [PATCH 12/22] docs: update AWS STS endpoint guidance for China partitions in IAM authentication documentation --- .../access-and-authentication-methods/auth-with-aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md index 26ee9a5f1..048c622a2 100644 --- a/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md +++ b/docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md 
@@ -95,7 +95,7 @@ For optional features that apply across Authentication Methods, see [Common Opti * **Bounded Role Names:** Enter one or more IAM role names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-name` for each value. * **Bounded Role IDs:** Enter one or more IAM role IDs that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-id` for each value. * **Bounded User names:** Enter one or more IAM user names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-user-name` for each value. -* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. +* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. For AWS China partitions, a regional endpoint is required; for example, `https://sts.cn-north-1.amazonaws.com.cn` for `cn-north-1`, or `https://sts.cn-northwest-1.amazonaws.cn` for `cn-northwest-1`. * **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated IAM principals. ## AWS Instance Metadata Service From 3d0ede9ad291d9b6263b1c34a1ea552ad37acc43 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:44:16 -0600 Subject: [PATCH 13/22] docs: add expiration parameter for GCP Secret Manager in USC CLI commands --- .../gcp-universal-secrets-connector.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md index 2e481ad53..d660c8d14 100644 
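Review bot: The two China endpoint examples on the added line use different domain suffixes, `https://sts.cn-north-1.amazonaws.com.cn` versus `https://sts.cn-northwest-1.amazonaws.cn`, and only one form can be right for a regional STS endpoint. As far as I know both China regions publish STS under `.amazonaws.com.cn`, so the second example should read `https://sts.cn-northwest-1.amazonaws.com.cn`; please confirm against the AWS China endpoint list before merging. Because this URL is where the IAM identity check is sent, a mistyped suffix fails authentication at best, so an inconsistent example is worth fixing rather than leaving for the reader to reconcile.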
--- a/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md +++ b/docs/Universal Secret Connector/universal-secrets-connector/gcp-universal-secrets-connector.md @@ -117,6 +117,8 @@ The main parameters are: * `value`: The value of the secret you would like to create, plaintext, or Base64-encoded. +* `--remote-secret-expires`: Optional. Expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Once this time passes, GCP automatically disables access to the secret. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). For GCP USC, you can create a regional secret by adding `--region `. If omitted, the secret is created as global. @@ -129,6 +131,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time for the secret in GCP Secret Manager, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret From 4758503b416a846ac02d522820435e62915b03a1 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:44:28 -0600 Subject: [PATCH 14/22] docs: add optional expiration and activation date parameters for Azure Key Vault secrets in USC CLI commands --- .../azure-universal-secrets-connector.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md index 9040c5b82..b43915765 100644 --- a/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md 
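Review bot: The added sentence says that once `--remote-secret-expires` passes GCP "automatically disables access to the secret", but my understanding of Secret Manager expiration is that the secret and all of its versions are deleted automatically and irreversibly at that time; please verify against the GCP documentation. If that is the case, the wording understates the consequence and should read along the lines of `Once this time passes, GCP Secret Manager automatically deletes the secret and all of its versions; this cannot be undone.` The `usc update` hunk below describes the same flag, so any correction should be carried there as well.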
+++ b/docs/Universal Secret Connector/universal-secrets-connector/azure-universal-secrets-connector.md @@ -243,6 +243,10 @@ The main parameters are: * `--object-type[=secret]`: Either `secret` or `certificate`, when set to `certificate` - Provide a Base64-encoded certificate file that includes the private key. +* `--remote-secret-expires`: Optional. Expiration time for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `Expires` attribute on the secret version. + +* `--remote-secret-activation-date`: Optional. Activation date for the secret in Azure Key Vault, in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. Azure sets the `NotBefore` attribute on the secret version. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#create). ### Updating an Existing USC Secret @@ -253,6 +257,8 @@ To update an existing secret in your USC, use the following command: akeyless usc update --usc-name --secret-id --value ``` +Use `--remote-secret-expires` to set or update the expiration time and `--remote-secret-activation-date` to set or update the activation date (Azure Key Vault `NotBefore`), both in UTC format: `YYYY-MM-DDTHH:MM:SSZ`. The activation date must be earlier than or equal to the expiration date. + Additional parameters can be found in the [CLI Reference](https://docs.akeyless.io/docs/cli-reference-universal-secrets-connector#update). ### Deleting an Existing USC Secret From f174284f10f8385fbb738ae2bd2b75d4f3b2879e Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:46:45 -0600 Subject: [PATCH 15/22] docs: clarify default behavior of --hashi-metadata-mode flag in HashiCorp Vault migration --- .../configure-gateway/gateway-automatic-migration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md index 65232339e..fed8c766c 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md @@ -49,7 +49,7 @@ Automatic migration configuration usually includes: When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless. -If the flag is omitted, the mode defaults to `full`. +If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged. | Mode | What is migrated | | --- | --- | From fd28fc122860809e26614e6973398cbb6313a6ba Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 11:50:24 -0600 Subject: [PATCH 16/22] docs: clarify Gateway certificate expiration event descriptions in Event Center and Targets documentation --- docs/Advanced Functionality/event-center/index.md | 8 ++++---- docs/Secrets Management/targets/index.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 8dd54a25e..71e63d85a 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -87,9 +87,9 @@ For `gateways-event-source-locations`: * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway. -* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire. +* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire, it must be set on the Gateway. -* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired. +* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired, it must be set on the Gateway. ### KMIP Certificate Expiry Coverage @@ -97,8 +97,8 @@ Certificate expiration events also apply to certificates used by the [KMIP Serve Use the following event types to monitor KMIP certificate lifecycle: -* `kmip-cert-pending-expiration` -* `kmip-cert-expired` +* `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway. +* `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway. To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center). diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index a25eebe02..007773849 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md 
@@ -28,7 +28,7 @@ If you are looking for a specific target type, start with the family that matche * [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. * Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. -* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public CA. +* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public Certificate Authority (CA). * [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. ## Delete protection for targets From 88bc435bd79f1e2235f97160d7645318bfce80c7 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:08 -0600 Subject: [PATCH 17/22] docs: update HMAC key descriptions for DigiCert and Google CA targets --- docs/Secrets Management/targets/digicert-target.md | 2 +- docs/Secrets Management/targets/google-ca-target.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md index fa2673d8b..27124e09c 100644 --- a/docs/Secrets Management/targets/digicert-target.md 
+++ b/docs/Secrets Management/targets/digicert-target.md @@ -74,7 +74,7 @@ Where: * `eab-key-id`: External Account Binding Key ID from DigiCert Services. - `eab-hmac-key`: External Account Binding Key ID from DigiCert Services. +* `eab-hmac-key`: External Account Binding HMAC Key from DigiCert Services. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. Supported values are `http` (default) and `dns`. diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md index d42c3223f..965f41445 100644 --- a/docs/Secrets Management/targets/google-ca-target.md +++ b/docs/Secrets Management/targets/google-ca-target.md @@ -33,7 +33,7 @@ akeyless target create google-trust \ ```shell DNS with GCP akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ --eab-key-id \ --eab-hmac-key \ @@ -44,10 +44,10 @@ akeyless target create google-trust \ ```shell DNS with Azure akeyless target create google-trust \ --name \ ---google-trust-url +--google-trust-url \ --email \ ---eab-key-id ---eab-hmac-key +--eab-key-id \ +--eab-hmac-key \ --acme-challenge dns \ --dns-target-creds \ --resource-group @@ -72,9 +72,9 @@ Where: * `eab-key-id`: External Account Binding Key ID from Google CA Services. -* `eab-hmac-key`: External Account Binding Key ID from Google CA Services. +* `eab-hmac-key`: External Account Binding HMAC Key from Google CA Services. -* `--google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. +* `google-trust-url`: Use this when you want to select the ACME environment explicitly. Supported values are `production` (default) and `staging`. * `acme-challenge`: Use this when you need DNS validation or want to set the challenge type explicitly. From d2681b61222527b4b66df45d7de899643738e1f1 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:14 -0600 Subject: [PATCH 18/22] docs: update Cloudflare DNS validation description in certificate automation targets --- docs/Secrets Management/targets/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secrets Management/targets/index.md b/docs/Secrets Management/targets/index.md index 007773849..95b888d6e 100644 --- a/docs/Secrets Management/targets/index.md +++ b/docs/Secrets Management/targets/index.md @@ -28,7 +28,7 @@ If you are looking for a specific target type, start with the family that matche * [Database Targets](https://docs.akeyless.io/docs/database-targets) for database credentials that applications and teams reuse across secrets. * Cloud provider targets: [AWS Targets](https://docs.akeyless.io/docs/aws-targets), [Azure Targets](https://docs.akeyless.io/docs/azure-targets), and [GCP Targets](https://docs.akeyless.io/docs/gcp-targets) for cloud platform credentials and cloud-specific integrations. -* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and Cloudflare DNS validation for certificate issuance with a public Certificate Authority (CA). +* Certificate automation targets: [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt), [DigiCert Target](https://docs.akeyless.io/docs/digicert-target), [Google CA Target](https://docs.akeyless.io/docs/google-ca-target), and [Cloudflare Target](https://docs.akeyless.io/docs/cloudflare-target) for DNS-01 validation with public Certificate Authority (CA) targets. * [SSH Targets](https://docs.akeyless.io/docs/ssh-target) and [Web Targets](https://docs.akeyless.io/docs/web-targets) for server access and web-facing endpoints. ## Delete protection for targets From 5cdccda33df0ca11579db8188e7a89141b4e835b Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:02:48 -0600 Subject: [PATCH 19/22] docs: update Cloudflare target documentation for clarity and completeness --- .../targets/cloudflare-target.md | 67 ++++++++++++++----- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md index 49f471e4a..dee547762 100644 --- a/docs/Secrets Management/targets/cloudflare-target.md +++ b/docs/Secrets Management/targets/cloudflare-target.md @@ -1,5 +1,5 @@ --- -title: Cloudflare Usage +title: Cloudflare Target excerpt: '' deprecated: false hidden: false @@ -10,15 +10,15 @@ metadata: next: description: '' --- -Cloudflare in Akeyless is used as a DNS provider in certificate automation flows that rely on ACME DNS validation. +The Cloudflare Target stores Cloudflare credentials in Akeyless. It is used as a DNS provider in certificate automation flows that rely on ACME DNS-01 validation. -Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public CA targets. +Akeyless uses a Cloudflare credentials target as the DNS provider reference (`dns-target-creds`) when creating or updating Public Certificate Authority (CA) targets. ## How Cloudflare Fits in Akeyless -Cloudflare is part of the certificate lifecycle path, not a standalone Public CA in Akeyless. +Cloudflare is part of the certificate lifecycle path, not a standalone public CA in Akeyless. -Use Cloudflare with the following target types: +Use a Cloudflare target with the following target types: * [Let's Encrypt Target](https://docs.akeyless.io/docs/lets-encrypt) * [DigiCert Target](https://docs.akeyless.io/docs/digicert-target) 
@@ -26,16 +26,53 @@ Use Cloudflare with the following target types: In these flows: -1. The Public CA target handles ACME issuance. +1. The public CA target handles ACME issuance. 2. The Cloudflare credentials target handles DNS TXT record updates for DNS-01 validation. 3. The PKI Issuer issues and stores certificates through Akeyless. -## Cloudflare Parameters in ACME Target Flows +## Create a Cloudflare Target with the CLI -When using DNS challenge with Cloudflare, configure: +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` -* `dns-target-creds`: The target that stores Cloudflare credentials. -* `dns-zone`: The Cloudflare DNS zone used for DNS-01 records. +Where: + +* `name`: A unique name for the target. The name can include a path to a virtual folder by using slash `/` separators. If the folder does not exist, Akeyless creates it with the target. + +* `api-token`: Required. A Cloudflare API token with permission to create and delete DNS TXT records in the relevant zone. + +* `account-id`: Optional. The Cloudflare account ID associated with the token. + +* `key`: Optional. Use this when you want to encrypt target secret values with a specific protection key instead of the account default key. + +[View the complete list of parameters for this command.](https://docs.akeyless.io/docs/cli-ref-targets) + +## Create a Cloudflare Target in the Console + +1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Cloudflare**. + +2. Define the **Name** of the target, and specify the **Location** as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target. + +3. Select a **Protection key** with a Customer Fragment to enable Zero-Knowledge and click **Next**. [Read more about Zero-Knowledge Encryption](https://docs.akeyless.io/docs/gateway-zero-knowledge). + +4. 
Define the following parameters: + + * **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records. + + * **Account ID**: Optional. The Cloudflare account ID associated with the token. + +5. Click **Finish**. + +## Use the Cloudflare Target in ACME Flows + +When using DNS-01 challenge with Cloudflare, configure the Public CA target with: + +* `--dns-target-creds`: The name of the Cloudflare target. +* `--dns-zone`: The Cloudflare DNS zone name used for DNS-01 records. For parameter-level details, see [CLI Reference - Akeyless Targets](https://docs.akeyless.io/docs/cli-ref-targets). @@ -48,10 +85,10 @@ Cloudflare-connected certificate automation works together with: * [Event Center](https://docs.akeyless.io/docs/event-center) for pending expiration and expired certificate events * [Gateway](https://docs.akeyless.io/docs/gateway-overview) when required by target and forwarding architecture -## Suggested Implementation Flow +## Implementation Flow -1. Create or identify your Cloudflare credentials target. -2. Create a Public CA target (Let's Encrypt, DigiCert, or Google CA) with `acme-challenge=dns`. -3. Set `dns-target-creds` to the Cloudflare target and set `dns-zone`. -4. Create or update your PKI Issuer to use that Public CA target. +1. Create a Cloudflare target using the steps above. +2. Create a public CA target (Let's Encrypt, DigiCert, or Google CA) with `--acme-challenge=dns`. +3. Set `--dns-target-creds` to the Cloudflare target name and set `--dns-zone`. +4. Create or update your PKI Issuer to use that public CA target. 5. Configure certificate expiration notifications in Event Center forwarders. From 49f1df8d017ffafa427ac792d3a4f6049ff78cec Mon Sep 17 00:00:00 2001 
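Review bot: The Console step for **API Token** drops the zone qualifier that the CLI parameter list earlier in the hunk carries (`... create and delete DNS TXT records in the relevant zone`), so the two descriptions of the same credential disagree. Suggest aligning the Console bullet: `* **API Token**: Required. A Cloudflare API token with permission to create and delete DNS TXT records in the relevant zone.` It would also help readers to state in the `api-token` bullet that the token should be scoped to DNS edit on only the zone(s) named in `--dns-zone` rather than an account-wide token, since it is stored as target material and used unattended. The bare `--api-token`: `Cloudflare API token` entries added in the CLI reference (patch 20, both the create and update sections) would benefit from the same zone-scope wording.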
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:08:09 -0600 Subject: [PATCH 20/22] docs: add Cloudflare target creation and update instructions to CLI reference --- .../cli-reference/cli-ref-targets.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md index 6e4ad29c4..f0974126d 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md +++ b/docs/Integrations & Plugins/cli-reference/cli-ref-targets.md @@ -26,6 +26,8 @@ Create a new Target `azure` +`cloudflare` + `db` `dockerhub` @@ -181,6 +183,33 @@ akeyless target create azure \ `--description`: Target description `--max-versions`: Set the maximum number of versions, limited by the account settings defaults +### `cloudflare` + +Creates a new Cloudflare target in the current account + +#### Usage + +```shell +akeyless target create cloudflare \ +--name \ +--api-token \ +--account-id +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--api-token`: **Required**, Cloudflare API token + +`--account-id`: Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + ### `db` Creates a new DB target in the current account 
@@ -1430,6 +1459,39 @@ akeyless target update azure \ `--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings +#### `cloudflare` + +Updates an existing Cloudflare target in the current account + +##### Usage + +```shell +akeyless target update cloudflare \ +--name \ +--new-name \ +--api-token \ +--account-id \ +--key +``` + +##### Flags + +`-n, --name`: **Required**, Target name + +`--new-name`: New target name + +`--api-token`: Cloudflare API token + +`--account-id`: Cloudflare account ID + +`-k, --key`: Key name. The key will be used to encrypt the target secret value. If key name is not specified, the account default protection key is used + +`--description`: Description of the object + +`--max-versions`: Set the maximum number of versions, limited by the account settings defaults + +`--keep-prev-version`: Whether to keep previous version, options:[true, false]. If not set, use default according to account settings + #### `db` Update an existing db target in the current account From 7b41396d552f4e8cf8420b6ab052219cfa872d3e Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:13:41 -0600 Subject: [PATCH 21/22] docs: add description for rotated-secret-partial-failure event in Event Center documentation --- docs/Advanced Functionality/event-center/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/Advanced Functionality/event-center/index.md b/docs/Advanced Functionality/event-center/index.md index 71e63d85a..4ac2ea6a2 100644 --- a/docs/Advanced Functionality/event-center/index.md +++ b/docs/Advanced Functionality/event-center/index.md 
@@ -53,6 +53,8 @@ For `items-event-source-locations`: * `rotated-secret-failure`: Upon **automatic** rotation failure, including the error details. +* `rotated-secret-partial-failure`: When an automatic rotation partially succeeds, some targets rotate successfully but at least one fails. + * `secret-sync`: Upon **automatic** sync failure, including the error details. * `dynamic-secret-failure`: On general failure of a [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret). From d62eea3408cf242235e710fe40078ea588fa4293 Mon Sep 17 00:00:00 2001 
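Review bot: The added description is a comma splice and reads as two unrelated clauses; `* \`rotated-secret-partial-failure\`: When an automatic rotation partially succeeds: some targets rotate successfully but at least one fails.` keeps the meaning while making the second clause an explanation of the first. Unlike the `rotated-secret-failure` entry just above, it also does not say whether the error details for the failed target are included in the event; if they are, stating it here would match the neighbouring entries.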
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 12:30:46 -0600 Subject: [PATCH 22/22] docs: replace UI navigation chevrons with words --- .../account-settings/encryption-key-policy.md | 2 +- .../crossaccount-configuration-using-terraform.md | 8 ++++---- .../deploy-a-gateway-using-cloudformation.md | 10 +++++----- .../configure-gateway/gateway-caching/index.md | 2 +- .../gateway-caching/proactive-caching.md | 2 +- .../gateway-caching/runtime-caching.md | 2 +- .../configure-gateway/gateway-certificate-store.md | 2 +- .../gateway-deploy-serverless-aws.md | 2 +- .../certificate-discovery.md | 4 ++-- .../certificate-storage.md | 2 +- .../technical-documentation-style-guide/index.md | 9 +++++++++ .../classic-keys/create-a-classic-key.md | 2 +- docs/Encryption & KMS/classic-keys/index.md | 2 +- docs/Encryption & KMS/encryption-keys/index.md | 2 +- docs/Encryption & KMS/gpg-keys.md | 2 +- .../plugins-overview/circleci-plugin.md | 4 ++-- .../hashicorp-vault-proxy/github-actions-hvp.md | 4 ++-- .../create-an-azure-ad-app-service-account.md | 2 +- .../google-workspace-secret.md | 2 +- .../openai-dynamic-secrets.md | 2 +- docs/Secrets Management/targets/cloudflare-target.md | 2 +- docs/Secrets Management/targets/digicert-target.md | 2 +- docs/Secrets Management/targets/google-ca-target.md | 2 +- docs/Secrets Management/targets/lets-encrypt.md | 2 +- .../universal-secrets-connector/index.md | 2 +- 25 files changed, 43 insertions(+), 34 deletions(-) diff --git a/docs/Advanced Functionality/account-settings/encryption-key-policy.md b/docs/Advanced Functionality/account-settings/encryption-key-policy.md index 4870ea649..91a4995cd 100644 --- a/docs/Advanced Functionality/account-settings/encryption-key-policy.md +++ b/docs/Advanced Functionality/account-settings/encryption-key-policy.md 
@@ -47,7 +47,7 @@ Where: ## Set an Encryption Key Policy with the Console -1. Log in to the Akeyless Console, and go to **Account Settings** > **Key Management**. +1. Log in to the Akeyless Console, and go to **Account Settings**, then **Key Management**. 2. In the **Key Management Policies** section, press **Add**. 3. Define the remaining parameters as follows: * **Object Type**: Choose either **Item** or **Target**. diff --git a/docs/Advanced Functionality/aws-best-practices/crossaccount-configuration-using-terraform.md b/docs/Advanced Functionality/aws-best-practices/crossaccount-configuration-using-terraform.md index 9f2240c9d..ff89f10ac 100644 --- a/docs/Advanced Functionality/aws-best-practices/crossaccount-configuration-using-terraform.md +++ b/docs/Advanced Functionality/aws-best-practices/crossaccount-configuration-using-terraform.md @@ -220,7 +220,7 @@ Once finish, you will have a new role in the source Account that trusts itself a To work with this role from Akeyless, an [AWS Target](https://docs.akeyless.io/docs/aws-targets) is required: -1. Navigate to **Targets** > **New** > **AWS**. Press **Next**. +1. Navigate to **Targets**, then **New**, then **AWS**. Press **Next**. 2. Give the Target a **Name** and optionally, a **Location**. Press **Next**. 3. Choose **Use Gateway's Cloud Identity** and click **Finish** @@ -228,7 +228,7 @@ To work with this role from Akeyless, an [AWS Target](https://docs.akeyless.io/d To have a centralized Gateway that will be able to manage resources in multiple AWS Accounts, A target in Akeyless with an [External ID](https://aws.amazon.com/blogs/apn/securely-using-external-id-for-accessing-aws-accounts-owned-by-others/) is required. -1. Navigate to **Targets** > **New** > **AWS**. Press **Next**. +1. Navigate to **Targets**, then **New**, then **AWS**. Press **Next**. 2. Give the Target a **Name** and optionally, a **Location**. Press **Next**. 3. Choose **Use Gateway's Cloud Identity** and check the **External ID** option. 
@@ -485,7 +485,7 @@ Then, enter the GW console - `https://public-ip>:8000/console` This example will use **IAM\_USER** mode, this will create a new temporary user in the destination account in AWS. -In Akeyless, Navigate to **Items** > **New** > **Dynamic Secret** > **AWS**. +In Akeyless, Navigate to **Items**, then **New**, then **Dynamic Secret**, then **AWS**. 1. Give the Dynamic Secret a name and select **Next**. 2. Choose the **Target** that was created with the **External ID**. @@ -500,7 +500,7 @@ You will get the credentials of the new temporary user that was created in the d Now, we will use an AWS [Rotated Secret](https://docs.akeyless.io/docs/create-an-aws-rotated-secret). -In Akeyless, Navigate to **Items** > **New** > **Rotated Secret** > **AWS**. +In Akeyless, Navigate to **Items**, then **New**, then **Rotated Secret**, then **AWS**. 1. Give the Dynamic Secret a name and select **Next**. 2. Choose the **Target** that was created with the **External ID**. diff --git a/docs/Advanced Functionality/aws-best-practices/deploy-a-gateway-using-cloudformation.md b/docs/Advanced Functionality/aws-best-practices/deploy-a-gateway-using-cloudformation.md index 9301b1054..8cfdab828 100644 --- a/docs/Advanced Functionality/aws-best-practices/deploy-a-gateway-using-cloudformation.md +++ b/docs/Advanced Functionality/aws-best-practices/deploy-a-gateway-using-cloudformation.md 
@@ -28,13 +28,13 @@ In this case, for simplicity, we used [API Key](https://docs.akeyless.io/docs/au In the Akeyless Console, navigate to **Users & Auth Methods**. -1. Click **New** > **AWS IAM**. +1. Click **New**, then **AWS IAM**. 2. Provide a name AWS Account and click **Finish**. More details about the AWS IAM authentication method can be found [here](https://docs.akeyless.io/docs/auth-with-aws) In addition, to create an authentication methods that support user login, for simplicity, we will use [API Key](https://docs.akeyless.io/docs/auth-with-api-key) -1. Click **New** > **API Key** +1. Click **New**, then **API Key** 2. Provide a name and click **Finish** > ℹ️ **Note (API Key Credentials):** @@ -65,7 +65,7 @@ The following steps will be used to set up the Gateway and create the required * To deploy the Akeyless Gateway using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html): -1. Open the **AWS Console**, navigate to **CloudFormation** > **Create Stack** > **With new resources (standard)** +1. Open the **AWS Console**, navigate to **CloudFormation**, then **Create Stack**, then **With new resources (standard)** 2. Select **Upload a template file**, then upload the `yaml` file containing the CloudFormation template. @@ -587,7 +587,7 @@ The following steps will create the required resources in Akeyless to generate a ### Create a Rotated Secret -1. Go to **Items** > **New** > **Rotated Secret**, then select **AWS**. +1. Go to **Items**, then **New**, then **Rotated Secret**, then select **AWS**. 2. Provide a name and location. @@ -605,7 +605,7 @@ Click the **eye** icon to view the current credentials, or select **Rotate Secre ### Create a Universal Secret Connector (USC) -1. Go to **Items** > **New** > **Universal Secret Connector**, and choose **AWS**. +1. Go to **Items**, then **New**, then **Universal Secret Connector**, and choose **AWS**. 2. Provide a name and location. 
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-caching/index.md b/docs/Akeyless Gateway/configure-gateway/gateway-caching/index.md index d83f51816..1c8308902 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-caching/index.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-caching/index.md @@ -41,7 +41,7 @@ For Kubernetes proactive cache sizing guidance, see [Gateway Best Practices: Res To manage cache runtime settings from Gateway Configuration Manager: 1. Open `https://:8000/console`. -2. Go to **Gateways** > **Your Gateway** > **Manage Gateway** > **Caching Configuration**. +2. Go to **Gateways**, then **Your Gateway**, then **Manage Gateway**, then **Caching Configuration**. 3. Configure cache and proactive cache options. 4. Save changes. diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-caching/proactive-caching.md b/docs/Akeyless Gateway/configure-gateway/gateway-caching/proactive-caching.md index 2055210cf..c75cace2c 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-caching/proactive-caching.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-caching/proactive-caching.md 
@@ -72,7 +72,7 @@ Do not use proactive caching when:
 | Deployment option | How to configure |
 | --- | --- |
-| Gateway Console | In the Gateway UI, go to **Manage Gateway** > **Caching** and turn on the **Enable Proactive Caching** toggle. (Requires **Enable Caching** to be on first.) |
+| Gateway Console | In the Gateway UI, go to **Manage Gateway**, then **Caching** and turn on the **Enable Proactive Caching** toggle. (Requires **Enable Caching** to be on first.) |
 | [Kubernetes (Helm)](https://docs.akeyless.io/docs/gateway-deploy-kubernetes-helm) | Set environment variables under `globalConfig.env` in `values.yaml` and [apply a Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). |
 | [Standalone Docker](https://docs.akeyless.io/docs/gateway-deploy-standalone-docker) | Set proactive cache environment variables in container runtime configuration. |
 | [Docker Compose](https://docs.akeyless.io/docs/gateway-deploy-docker-compose) | Set the same environment variables in the compose service definition and redeploy. |
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-caching/runtime-caching.md b/docs/Akeyless Gateway/configure-gateway/gateway-caching/runtime-caching.md
index 2d76c770b..4b0ca0a77 100644
--- a/docs/Akeyless Gateway/configure-gateway/gateway-caching/runtime-caching.md
+++ b/docs/Akeyless Gateway/configure-gateway/gateway-caching/runtime-caching.md
@@ -67,7 +67,7 @@ Use the following deployment-specific options to configure runtime caching:
 | Deployment option | How to configure |
 | --- | --- |
-| Gateway Console | In the Gateway UI, go to **Manage Gateway** > **Caching** and turn on the **Enable Caching** toggle. |
+| Gateway Console | In the Gateway UI, go to **Manage Gateway**, then **Caching** and turn on the **Enable Caching** toggle. |
 | [Kubernetes (Helm)](https://docs.akeyless.io/docs/gateway-deploy-kubernetes-helm) | Set runtime behavior keys under `globalConfig.env` in `values.yaml` (for example `CACHE_ENABLE`, `PREFER_CLUSTER_CACHE_FIRST`) and [apply a Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). Set `IGNORE_REDIS_HEALTH` separately when you want to change health-check behavior. |
 | [Standalone Docker](https://docs.akeyless.io/docs/gateway-deploy-standalone-docker) | Set cache-related environment variables (for example `CACHE_ENABLE`, `PREFER_CLUSTER_CACHE_FIRST`) in container runtime configuration. |
 | [Docker Compose](https://docs.akeyless.io/docs/gateway-deploy-docker-compose) | Set the same cache-related environment variables in the compose service definition and redeploy. |
diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-certificate-store.md b/docs/Akeyless Gateway/configure-gateway/gateway-certificate-store.md
index f4aa07b66..31a06fd32 100644
--- a/docs/Akeyless Gateway/configure-gateway/gateway-certificate-store.md
+++ b/docs/Akeyless Gateway/configure-gateway/gateway-certificate-store.md
@@ -78,4 +78,4 @@ To remove certificates from your gateway using the UI, follow these steps:
 2. Go to **Certificate Store**.
-3. Choose the certificate you wish to remove and select the **Action Menu** > **Delete**.
+3. Choose the certificate you wish to remove and select the **Action Menu**, then **Delete**.
diff --git a/docs/Akeyless Gateway/deploy-gateway/gateway-cloud-serverless-deployments/gateway-deploy-serverless-aws.md b/docs/Akeyless Gateway/deploy-gateway/gateway-cloud-serverless-deployments/gateway-deploy-serverless-aws.md
index 33bcfed63..2c367ffce 100644
--- a/docs/Akeyless Gateway/deploy-gateway/gateway-cloud-serverless-deployments/gateway-deploy-serverless-aws.md
+++ b/docs/Akeyless Gateway/deploy-gateway/gateway-cloud-serverless-deployments/gateway-deploy-serverless-aws.md
@@ -187,7 +187,7 @@ Find more information about the available Terraform [configuration files](https:
 The **Serverless Gateway** version can be updated to different versions based on your preferences, follow these steps to update the Gateway:
 * Enter the [Serverless Gateway](https://github.com/akeyless-community/akeyless-serverless-gateway) repo in **GitHub**
-* Go to **Lambda Docker Image Configuration** > **Selecting a Different Version**
+* Go to **Lambda Docker Image Configuration**, then **Selecting a Different Version**
 * [View available versions](https://gallery.ecr.aws/akeyless/serverless-gateway)
 * In `variables.tf` file, change the field `image-tag` to the version you desire
 * Run `terraform apply`
diff --git a/docs/Certificate Lifecycle Management/certificate-discovery.md b/docs/Certificate Lifecycle Management/certificate-discovery.md
index 79cfa30c3..feca70a74 100644
--- a/docs/Certificate Lifecycle Management/certificate-discovery.md
+++ b/docs/Certificate Lifecycle Management/certificate-discovery.md
@@ -47,7 +47,7 @@ Use the following mapping when translating Console fields to CLI flags:
 ## Setting a Certificate Discovery in the Akeyless Console
-1. Log in to the Akeyless Console, and go to **Discovery & Migration** > **New** > **Certificate Discovery**.
+1. Log in to the Akeyless Console, and go to **Discovery & Migration**, then **New**, then **Certificate Discovery**.
 2. Define a Name for the certificate discovery, and specify the **Target Location** as a path to the virtual folder where you want the scanned certificates to be saved in. If the folder does not exist, it will be created together with the scanned certificates.
 3. Add the **Sources** of the scan, such as: **IPs**, **CIDR ranges**, or **DNS names**
 4. Add the relevant ports, the default value is `443`.
@@ -55,4 +55,4 @@ Use the following mapping when translating Console fields to CLI flags:
 ## Run the Certificate Discovery
-To run the discovery, select the discovery item and choose **Action Menu** > **Start Scan**. If the scan completes successfully, a new folder will appear under **Items** containing all the certificates that were found.
+To run the discovery, select the discovery item and choose **Action Menu**, then **Start Scan**. If the scan completes successfully, a new folder will appear under **Items** containing all the certificates that were found.
diff --git a/docs/Certificate Lifecycle Management/certificate-storage.md b/docs/Certificate Lifecycle Management/certificate-storage.md
index 712e37824..1276a2ae1 100644
--- a/docs/Certificate Lifecycle Management/certificate-storage.md
+++ b/docs/Certificate Lifecycle Management/certificate-storage.md
@@ -75,7 +75,7 @@ All of the parameters from the creation command will also apply here.
 ## Managing a Certificate in the Console
-1. Select **Items** > **New** > **Certificate**.
+1. Select **Items**, then **New**, then **Certificate**.
 2. Basic Configuration (fill in the following parameters):
diff --git a/docs/Contributing Guides/technical-documentation-style-guide/index.md b/docs/Contributing Guides/technical-documentation-style-guide/index.md
index ce8251d70..0ee69fa8d 100644
--- a/docs/Contributing Guides/technical-documentation-style-guide/index.md
+++ b/docs/Contributing Guides/technical-documentation-style-guide/index.md
@@ -163,6 +163,15 @@ With context:
 * `Monospace`: For commands, code, filenames, configuration keys.
 * Avoid underlines (can be confused with hyperlinks).
+### UI Navigation Paths
+
+Write out navigation steps using words. Use bold for UI element names and "then" between steps. Do not use `>` as a navigation separator.
+
+* **Correct**: go to **Account Settings**, then **Key Management**
+* **Incorrect**: go to **Account Settings** > **Key Management**
+
+This applies to all UIs, including third-party consoles such as the AWS Console, Azure Portal, and GitHub.
+
 ## Terminology
 * Capitalize proper nouns and feature names (For example, Akeyless MCP Server).
diff --git a/docs/Encryption & KMS/classic-keys/create-a-classic-key.md b/docs/Encryption & KMS/classic-keys/create-a-classic-key.md
index b1d40b356..b2d3a5906 100644
--- a/docs/Encryption & KMS/classic-keys/create-a-classic-key.md
+++ b/docs/Encryption & KMS/classic-keys/create-a-classic-key.md
@@ -59,7 +59,7 @@ The full list of options for this command is:
 You can create a classic key using the Akeyless Gateway. If you’d prefer, see how to do this from the [Akeyless CLI](https://docs.akeyless.io/docs/create-a-classic-key#create-a-classic-key-from-the-cli) instead.
-1. In the Akeyless Gateway UI, select **Classic Keys** > **New**.
+1. In the Akeyless Gateway UI, select **Classic Keys**, then **New**.
 2. Define the following:
 * **Name:** The name of the classic key.
diff --git a/docs/Encryption & KMS/classic-keys/index.md b/docs/Encryption & KMS/classic-keys/index.md
index 2255c0b3e..6ef578b62 100644
--- a/docs/Encryption & KMS/classic-keys/index.md
+++ b/docs/Encryption & KMS/classic-keys/index.md
@@ -86,7 +86,7 @@ Additional parameters can be found in the [CLI Reference](https://docs.akeyless.
 ### Creating a Classic Key
-1. In the Akeyless Console, select **Items** > **New** > **Encryption Key** > **Classic**.
+1. In the Akeyless Console, select **Items**, then **New**, then **Encryption Key**, then **Classic**.
 2. Define the following:
diff --git a/docs/Encryption & KMS/encryption-keys/index.md b/docs/Encryption & KMS/encryption-keys/index.md
index 494d624c0..c9f221bb4 100644
--- a/docs/Encryption & KMS/encryption-keys/index.md
+++ b/docs/Encryption & KMS/encryption-keys/index.md
@@ -163,7 +163,7 @@ Select a hash function between `sha-256` and `sha-512`. The full parameters for
 ### Creating an Encryption Key
-1. Log in to the Akeyless Console, and go to **Items** > **New** > **Encryption Key** > **DFC™**.
+1. Log in to the Akeyless Console, and go to **Items**, then **New**, then **Encryption Key**, then **DFC™**.
 2. Define a **Name** for the key.
diff --git a/docs/Encryption & KMS/gpg-keys.md b/docs/Encryption & KMS/gpg-keys.md
index 263a8ba3c..70be40069 100644
--- a/docs/Encryption & KMS/gpg-keys.md
+++ b/docs/Encryption & KMS/gpg-keys.md
@@ -94,7 +94,7 @@ While the console can create GPG-type keys, their full usage functionalities are
 ### Key Creation
-1. In the Akeyless Console, select **New**>**Encryption Key** > **Classic**.
+1. In the Akeyless Console, select **New**, then **Encryption Key**, then **Classic**.
 2. Define the following:
diff --git a/docs/Integrations & Plugins/plugins-overview/circleci-plugin.md b/docs/Integrations & Plugins/plugins-overview/circleci-plugin.md
index c45be3058..0aa80ee9f 100644
--- a/docs/Integrations & Plugins/plugins-overview/circleci-plugin.md
+++ b/docs/Integrations & Plugins/plugins-overview/circleci-plugin.md
@@ -75,7 +75,7 @@ akeyless set-role-rule --role-name /Dev/CI/CircleCIRole \
 Instead of checking your Auth Method `access Id`, or your [Gateway](https://docs.akeyless.io/docs/gateway-overview) `URL` into version control, we can store them securely in CircleCI environment variables.
-Go to **Project Settings** > **Environment variables** > **Add Environment Variable**
+Go to **Project Settings**, then **Environment variables**, then **Add Environment Variable**
 Create an environment variable in CircleCI called `ACCESS_ID` and store your Auth Method's `access-id` in it.
@@ -87,7 +87,7 @@ While working with [Zero Knowledge](https://docs.akeyless.io/docs/gateway-zero-k
 In jobs using a context, CircleCI provides OpenID Connect ID (OIDC) tokens in environment variables. A job can use these tokens to access Akeyless without storing long-lived credentials in CircleCI.
-Go to **Organization Settings** > **Contexts** > **Add a context**
+Go to **Organization Settings**, then **Contexts**, then **Add a context**
 Name it `akeyless`, we will later add this context to a job by adding the context key to the workflows section of your `circleci/config.yml` file.
 ## Usage
diff --git a/docs/Integrations & Plugins/plugins-overview/hashicorp-vault-proxy/github-actions-hvp.md b/docs/Integrations & Plugins/plugins-overview/hashicorp-vault-proxy/github-actions-hvp.md
index 8483b98ae..6af05a569 100644
--- a/docs/Integrations & Plugins/plugins-overview/hashicorp-vault-proxy/github-actions-hvp.md
+++ b/docs/Integrations & Plugins/plugins-overview/hashicorp-vault-proxy/github-actions-hvp.md
@@ -54,7 +54,7 @@ To work with the GitHub Actions plugin:
 ## Set Up Akeyless Authentication Credentials for the Repository
-1. On GitHub, navigate to the main page of the repository, and select **Settings** > **Secrets** > **New repository secret**.
+1. On GitHub, navigate to the main page of the repository, and select **Settings**, then **Secrets**, then **New repository secret**.
 2. Name the secret **VAULT\_TOKEN**.
@@ -72,7 +72,7 @@ The GitHub repository is now configured with an access token for Akeyless.
 The GitHub [self-hosted runner](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) enables you to start a runner instance on an instance that you manage. Your workstation can be used if it is supported.
-1. On GitHub, navigate to the main page of the repository, and select **Settings** > **Actions** > **Runners** > **Add runner**.
+1. On GitHub, navigate to the main page of the repository, and select **Settings**, then **Actions**, then **Runners**, then **Add runner**.
 2. Select the operating system and architecture of your self-hosted runner machine.
diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/create-an-azure-ad-app-service-account.md b/docs/Secrets Management/how-to-create-dynamic-secret/create-an-azure-ad-app-service-account.md
index 9fa70c6dd..3b7e8217b 100644
--- a/docs/Secrets Management/how-to-create-dynamic-secret/create-an-azure-ad-app-service-account.md
+++ b/docs/Secrets Management/how-to-create-dynamic-secret/create-an-azure-ad-app-service-account.md
@@ -12,7 +12,7 @@ next:
 ---
 ## Application Registration in Active Directory
-1. In the Azure Portal, go to **Azure Active Directory** > **App registration**:
+1. In the Azure Portal, go to **Azure Active Directory**, then **App registration**:
 ![On Azure Portal -> Azure Active Directory -> App Registration](https://files.readme.io/407e4bf-image-20210204-103119.png)
diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/google-workspace-secret.md b/docs/Secrets Management/how-to-create-dynamic-secret/google-workspace-secret.md
index 59eb9e0c8..fdede72d1 100644
--- a/docs/Secrets Management/how-to-create-dynamic-secret/google-workspace-secret.md
+++ b/docs/Secrets Management/how-to-create-dynamic-secret/google-workspace-secret.md
@@ -39,7 +39,7 @@ Follow these steps to create a **Service Account** in **Google Cloud Platform**:
 3. **Generate and download JSON key**: Click the **Service Account** that was created, go to **Keys**, and click **Add Key > Create new key > JSON**. The key will be downloaded automatically to your computer.
-4. **Delegate Domain-Wide Authority**: In the **Google Workspace Admin Console**, go to **Security** > **Access and data control > API controls**, click **Manage Domain Wide Delegation** > **Add new**, and enter the client **ID** from the **JSON** file downloaded earlier.
+4. **Delegate Domain-Wide Authority**: In the **Google Workspace Admin Console**, go to **Security**, then **Access and data control > API controls**, click **Manage Domain Wide Delegation**, then **Add new**, and enter the client **ID** from the **JSON** file downloaded earlier.
 * In the same location, add the following scopes:
 ```json
diff --git a/docs/Secrets Management/how-to-create-dynamic-secret/openai-dynamic-secrets.md b/docs/Secrets Management/how-to-create-dynamic-secret/openai-dynamic-secrets.md
index c6414bd0c..da2f27912 100644
--- a/docs/Secrets Management/how-to-create-dynamic-secret/openai-dynamic-secrets.md
+++ b/docs/Secrets Management/how-to-create-dynamic-secret/openai-dynamic-secrets.md
@@ -61,7 +61,7 @@ Where:
 > ✅ **Tip:** To start working with Dynamic Secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.
-1. Log in to the Akeyless Console, and go to **Items** > **New** > **Dynamic Secret**.
+1. Log in to the Akeyless Console, and go to **Items**, then **New**, then **Dynamic Secret**.
 2. Select the **OpenAI** secret type and click **Next**.
diff --git a/docs/Secrets Management/targets/cloudflare-target.md b/docs/Secrets Management/targets/cloudflare-target.md
index dee547762..a687d0bf3 100644
--- a/docs/Secrets Management/targets/cloudflare-target.md
+++ b/docs/Secrets Management/targets/cloudflare-target.md
@@ -53,7 +53,7 @@ Where:
 ## Create a Cloudflare Target in the Console
-1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Cloudflare**.
+1. Log in to the Akeyless Console, and go to **Targets**, then **New**, then **Cloudflare**.
 2. Define the **Name** of the target, and specify the **Location** as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
diff --git a/docs/Secrets Management/targets/digicert-target.md b/docs/Secrets Management/targets/digicert-target.md
index 27124e09c..3a5bc7eda 100644
--- a/docs/Secrets Management/targets/digicert-target.md
+++ b/docs/Secrets Management/targets/digicert-target.md
@@ -96,7 +96,7 @@ Where:
 ## Create a Digicert Target in the Console
-1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Certificate Automation (Digicert)**.
+1. Log in to the Akeyless Console, and go to **Targets**, then **New**, then **Certificate Automation (Digicert)**.
 2. Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
diff --git a/docs/Secrets Management/targets/google-ca-target.md b/docs/Secrets Management/targets/google-ca-target.md
index 965f41445..d8812ab40 100644
--- a/docs/Secrets Management/targets/google-ca-target.md
+++ b/docs/Secrets Management/targets/google-ca-target.md
@@ -96,7 +96,7 @@ Where:
 ## Create a Google CA Target in the Console
-1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Certificate Automation (Google CA)**.
+1. Log in to the Akeyless Console, and go to **Targets**, then **New**, then **Certificate Automation (Google CA)**.
 2. Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
diff --git a/docs/Secrets Management/targets/lets-encrypt.md b/docs/Secrets Management/targets/lets-encrypt.md
index 80de2ea54..e8073f6d8 100644
--- a/docs/Secrets Management/targets/lets-encrypt.md
+++ b/docs/Secrets Management/targets/lets-encrypt.md
@@ -98,7 +98,7 @@ Where:
 ## Create a Let's Encrypt Target in the Console
-1. Log in to the Akeyless Console, and go to **Targets** > **New** > **Certificate Automation (Let's Encrypt)**.
+1. Log in to the Akeyless Console, and go to **Targets**, then **New**, then **Certificate Automation (Let's Encrypt)**.
 2. Define the Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash `/` separators. If the folder does not exist, it will be created together with the target.
diff --git a/docs/Universal Secret Connector/universal-secrets-connector/index.md b/docs/Universal Secret Connector/universal-secrets-connector/index.md
index 6cff8ccfc..f872f2bb2 100644
--- a/docs/Universal Secret Connector/universal-secrets-connector/index.md
+++ b/docs/Universal Secret Connector/universal-secrets-connector/index.md
@@ -36,7 +36,7 @@ Akeyless currently supports creating Universal Secrets Connectors for the follow
 * [HashiCorp Vault Universal Secret Connector](https://docs.akeyless.io/docs/hc-vault-universal-secrets-connector)
-To view all your Universal Secret Connectors, log in to the **Console** then navigate to **Items** > **Universal Secrets Connector**.
+To view all your Universal Secret Connectors, log in to the **Console** then navigate to **Items**, then **Universal Secrets Connector**.
 ## Tutorial