diff --git a/.other/redirects-backup.txt b/.other/redirects-backup.txt index 2410879f6..cad6ead6c 100644 --- a/.other/redirects-backup.txt +++ b/.other/redirects-backup.txt @@ -835,3 +835,7 @@ /v2/docs/remote-access-desktop-application-beta -> /docs/sra-desktop-application-beta /docs/copy-of-remote-access-on-k8s -> /docs/sra-setup-k8s /v2/docs/copy-of-remote-access-on-k8s -> /docs/sra-setup-k8s +/docs/akeyless-mcp-model-context-protocol-command -> /docs/mcp-server +/v2/docs/akeyless-mcp-model-context-protocol-command -> /docs/mcp-server +/docs/akeyless-mcp-plugin-jetbrains-ides -> /docs/mcp-jetbrains-ides +/v2/docs/akeyless-mcp-plugin-jetbrains-ides -> /docs/mcp-jetbrains-ides diff --git a/docs/AI Security/MCP/_order.yaml b/docs/AI Security/MCP/_order.yaml new file mode 100644 index 000000000..e90732014 --- /dev/null +++ b/docs/AI Security/MCP/_order.yaml @@ -0,0 +1,5 @@ +- index +- mcp-claude-desktop +- mcp-cursor +- mcp-github-copilot +- mcp-jetbrains-ides diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md new file mode 100644 index 000000000..d7bde3ae0 --- /dev/null +++ b/docs/AI Security/MCP/index.md @@ -0,0 +1,72 @@ +--- +title: MCP Server +excerpt: Overview of Akeyless MCP content, requirements, and supported integrations. +deprecated: false +hidden: false +link: + new_tab: false +metadata: + title: Akeyless MCP Server + description: Overview of Akeyless MCP content, requirements, and supported integrations. + robots: index +--- +The Akeyless Model Context Protocol (MCP) Server lets MCP-enabled tools connect to your Akeyless identity security platform through the Akeyless CLI or Gateway. This section explains the MCP server, its command syntax, and the supported client integrations documented by Akeyless. + +Model Context Protocol (MCP) is an open protocol that standardizes how an AI client discovers tools and sends tool calls to an external server. In this model, your MCP client (for example, Claude Desktop, Cursor, or GitHub Copilot) launches the Akeyless MCP server locally over `stdio`, then uses it to run authorized operations against Akeyless resources. + +## Common Requirements + +All documented MCP integrations share these requirements: + +* Akeyless CLI version `1.130.0` or later. +* An Akeyless account and a configured CLI profile, or explicit authentication flags. +* A Gateway URL passed directly in the client configuration or command arguments. +* A client that can launch the Akeyless MCP server over `stdio`. + +Read more about the [Model Context Protocol](https://modelcontextprotocol.io/). + +## General MCP Usage Flow + +Use this high-level flow for any supported MCP integration: + +1. Install and configure the Akeyless CLI and authentication profile. +2. Configure your MCP client to run the Akeyless MCP server command. +3. Start or reload the MCP client so it discovers the Akeyless tools. +4. Invoke Akeyless tools from the client prompt and review the response. +5. Use RBAC and scoped secret permissions to control what the client can access. + +## MCP-Related CLI Commands + +The Akeyless CLI currently exposes two MCP-related commands: + +| Command | Purpose | +| --- | --- | +| `akeyless mcp` | Starts the general Akeyless MCP server for standard Akeyless tools. | +| `akeyless mcp-runtime-authority` | Starts the Agentic Runtime Authority MCP server for runtime query workflows (`list-secrets`, `query-db`, `service-execute`). | + +For full command flags and usage details, see [CLI Reference](https://docs.akeyless.io/docs/cli-reference#mcp). + +### Command: akeyless mcp + +The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. It accepts the same authentication flags as other Akeyless CLI commands. For details, see [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods). + +> Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). + +For full command syntax and flags, see [CLI Reference - mcp](https://docs.akeyless.io/docs/cli-reference#mcp). + +### Command: akeyless mcp-runtime-authority + +The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools (`list-secrets`, `query-db`, `service-execute`). It uses the same authentication model as `akeyless mcp`, and accepts an optional `--secret-name` flag to set a default secret path for `query-db`. + +For full command syntax and flags, see [CLI Reference - mcp-runtime-authority](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). + +For Runtime Authority behavior, prerequisites, and tool semantics, see [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). + +## Supported Integrations + +| Integration | Primary use case | Configuration surface | +| --- | --- | --- | +| [Claude Desktop](https://docs.akeyless.io/docs/mcp-claude-desktop) | Desktop AI assistant workflow with local MCP client configuration | `~/Library/Application Support/Claude/claude_desktop_config.json` | +| [Cursor](https://docs.akeyless.io/docs/mcp-cursor) | Editor-based MCP workflow in Cursor | `~/.cursor/mcp.json` or Cursor settings JSON | +| [GitHub Copilot](https://docs.akeyless.io/docs/mcp-github-copilot) | MCP workflow with GitHub Copilot CLI | `~/.copilot/mcp-config.json` | +| [JetBrains IDEs](https://docs.akeyless.io/docs/mcp-jetbrains-ides) | IDE-native plugin workflow for JetBrains products | JetBrains plugin settings | diff --git a/docs/AI Security/MCP/mcp-claude-desktop.md b/docs/AI Security/MCP/mcp-claude-desktop.md new file mode 100644 index 000000000..097b078d3 --- /dev/null +++ b/docs/AI Security/MCP/mcp-claude-desktop.md @@ -0,0 +1,88 @@ +--- +title: Claude Desktop +slug: mcp-claude-desktop +excerpt: Connect Claude Desktop to the Akeyless MCP Server. +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +--- +Connect Claude Desktop to the Akeyless Model Context Protocol (MCP) Server when you want Claude Desktop to access Akeyless tools through MCP. + +For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). + +## Requirements + +* Akeyless CLI version `1.130.0` or later. +* A configured Akeyless profile, or the authentication values required by your chosen access type. +* A Gateway URL passed directly in the client configuration. + +## Configure Claude Desktop + +1. Install and configure the Akeyless CLI. +2. Edit `~/Library/Application Support/Claude/claude_desktop_config.json`. +3. Add the Akeyless MCP server configuration. +4. Restart Claude Desktop. + +The following examples show common authentication configurations: + +```json Default +{ + "mcpServers": { + "akeyless": { + "command": "akeyless", + "args": [ + "mcp", + "--profile", "", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json SAML +{ + "mcpServers": { + "akeyless-saml": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "saml", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json OIDC +{ + "mcpServers": { + "akeyless-oidc": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "oidc", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` + +## Verify The Integration + +After Claude Desktop restarts, verify that Claude can run MCP-backed requests such as: + +* "Show me my Akeyless secrets" +* "List all my targets" +* "Create a new secret called `api-key`" + +## Notes + +* The Akeyless CLI serves MCP over `stdio`, so Claude Desktop must invoke the `akeyless mcp` command directly. +* When `--profile` is used, the saved CLI profile supplies the authentication settings. +* Pass `--gateway-url` directly in the Claude Desktop configuration even when the profile already has a saved Gateway value. diff --git a/docs/AI Security/MCP/mcp-cursor.md b/docs/AI Security/MCP/mcp-cursor.md new file mode 100644 index 000000000..26e57c4f1 --- /dev/null +++ b/docs/AI Security/MCP/mcp-cursor.md @@ -0,0 +1,88 @@ +--- +title: Cursor +slug: mcp-cursor +excerpt: Connect Cursor to the Akeyless MCP Server. +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +--- +Connect Cursor to the Akeyless MCP Server when you want MCP access inside the Cursor editor. + +For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). + +## Requirements + +* Akeyless CLI version `1.130.0` or later. +* A configured Akeyless profile, or the authentication values required by your chosen access type. +* A Gateway URL passed directly in the client configuration. + +## Configure Cursor + +1. Install and configure the Akeyless CLI. +2. Open Cursor settings JSON. +3. Add the Akeyless MCP server configuration. +4. Restart Cursor. + +The following examples show common authentication configurations: + +```json Default +{ + "mcpServers": { + "akeyless": { + "command": "akeyless", + "args": [ + "mcp", + "--profile", "", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json SAML +{ + "mcpServers": { + "akeyless-saml": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "saml", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json OIDC +{ + "mcpServers": { + "akeyless-oidc": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "oidc", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` + +## Verify The Integration + +After Cursor restarts, verify that Cursor can run MCP-backed requests such as: + +* "Show me my Akeyless secrets" +* "Create a new secret called `api-key`" +* "List all my targets" + +## Notes + +* The Akeyless CLI serves MCP over `stdio`, so Cursor must invoke the `akeyless mcp` command directly. +* When `--profile` is used, the saved CLI profile supplies the authentication settings. +* Pass `--gateway-url` directly in the Cursor configuration even when the profile already has a saved Gateway value. diff --git a/docs/AI Security/MCP/mcp-github-copilot.md b/docs/AI Security/MCP/mcp-github-copilot.md new file mode 100644 index 000000000..66a0360f7 --- /dev/null +++ b/docs/AI Security/MCP/mcp-github-copilot.md @@ -0,0 +1,101 @@ +--- +title: GitHub Copilot +slug: mcp-github-copilot +excerpt: Connect GitHub Copilot to the Akeyless MCP Server. +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +--- +Connect GitHub Copilot to the Akeyless MCP Server when you want Copilot to access Akeyless tools through MCP. + +For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). + +## Requirements + +* Akeyless CLI version `1.130.0` or later. +* GitHub Copilot CLI installed. +* A configured Akeyless profile, or the authentication values required by your chosen access type. +* A Gateway URL passed directly in the client configuration. + +## Install GitHub Copilot CLI + +```shell +npm install -g @githubnext/github-copilot-cli +``` + +## Configure GitHub Copilot + +1. Install and configure the Akeyless CLI. +2. Edit `~/.copilot/mcp-config.json`. +3. Add the Akeyless MCP server configuration. +4. Start GitHub Copilot with MCP enabled. + +The following examples show common authentication configurations: + +```json Default +{ + "mcpServers": { + "akeyless": { + "command": "akeyless", + "args": [ + "mcp", + "--profile", "", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json SAML +{ + "mcpServers": { + "akeyless-saml": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "saml", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` +```json OIDC +{ + "mcpServers": { + "akeyless-oidc": { + "command": "akeyless", + "args": [ + "mcp", + "--access-id", "", + "--access-type", "oidc", + "--gateway-url", "https://:8000/api/v2" + ] + } + } +} +``` + +Start Copilot with MCP: + +```shell +copilot mcp +``` + +## Verify The Integration + +After GitHub Copilot starts with MCP enabled, verify that it can run MCP-backed requests such as: + +* "Show me my Akeyless secrets" +* "List all my targets" +* "Create a new secret called `api-key`" + +## Notes + +* The Akeyless CLI serves MCP over `stdio`, so GitHub Copilot must invoke the `akeyless mcp` command directly. +* When `--profile` is used, the saved CLI profile supplies the authentication settings. +* Pass `--gateway-url` directly in the Copilot configuration even when the profile already has a saved Gateway value. diff --git a/docs/AI/MCP/akeyless-mcp-plugin-jetbrains-ides.md b/docs/AI Security/MCP/mcp-jetbrains-ides.md similarity index 96% rename from docs/AI/MCP/akeyless-mcp-plugin-jetbrains-ides.md rename to docs/AI Security/MCP/mcp-jetbrains-ides.md index fc69476b8..060957151 100644 --- a/docs/AI/MCP/akeyless-mcp-plugin-jetbrains-ides.md +++ b/docs/AI Security/MCP/mcp-jetbrains-ides.md @@ -1,5 +1,6 @@ --- title: Akeyless MCP Plugin for JetBrains IDEs +slug: mcp-jetbrains-ides excerpt: Integrate Akeyless secrets management directly into JetBrains IDEs with MCP deprecated: false hidden: false @@ -113,10 +114,12 @@ For profile details and advanced options, see [CLI Profiles](https://docs.akeyle Note that the project uses a JDK 17 compile toolchain. If the Gradle wrapper fails to start because the default Java version is too new, set `org.gradle.java.home` in `gradle.properties` to a JDK 17 or JDK 21 installation. +Install the generated plugin from disk: + 1. In your JetBrains IDE, go to **Settings → Plugins**. -1. Select the gear icon, and then select **Install Plugin from Disk...**. -1. Select the generated ZIP file from the `build/distributions/` directory. -1. Restart the IDE when prompted. +2. Select the gear icon, and then select **Install Plugin from Disk...**. +3. Select the generated ZIP file from the `build/distributions/` directory. +4. Restart the IDE when prompted. ### Step 4: Configure the Plugin diff --git a/docs/AI/_order.yaml b/docs/AI Security/_order.yaml similarity index 66% rename from docs/AI/_order.yaml rename to docs/AI Security/_order.yaml index 24eca2db8..b5458eef3 100644 --- a/docs/AI/_order.yaml +++ b/docs/AI Security/_order.yaml @@ -1,4 +1,6 @@ +- ai-security - akeyless-ai-insight -- prompt-injection-protection-for-ai-agents -- MCP +- identity-and-secrets-intelligence - agentic-runtime-authority +- MCP +- prompt-injection-protection-for-ai-agents diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md new file mode 100644 index 000000000..1a7936a09 --- /dev/null +++ b/docs/AI Security/agentic-runtime-authority.md @@ -0,0 +1,276 @@ +--- +title: Agentic Runtime Authority +excerpt: Configure Agentic Runtime Authority for controlled AI agent access and runtime query governance. +deprecated: false +hidden: false +metadata: + title: Agentic Runtime Authority + description: Configure Agentic Runtime Authority to apply runtime controls, role-based access, and MCP workflows for AI agent access. + robots: index +--- + +> ⚠️ **Warning:** +> +> Agentic Runtime Authority is currently in early access. Features, behavior, and availability can change between releases. + +Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, **runtime control** means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. Policies on Dynamic Secrets define what agents can and cannot do—input rules restrict allowed operations, and output rules filter returned data—ensuring secure and compliant runtime execution. + +**Agentic Runtime Authority** currently supports these target categories for runtime execution: + +* **Database targets**: MySQL, PostgreSQL, MSSQL, Oracle, Snowflake, HanaDB, Redshift, MongoDB, Redis, and Cassandra. +* **Service targets**: AWS, GCP, Azure, and GitHub. + +The `runtime-authority` command and the MCP execution tools operate on supported: + +* **Dynamic secrets**: For temporary, rotated credentials. +* **Rotated secrets**: For regularly rotated credentials. +* **Static secrets**: Typically used for OAuth 2.1-based MCP workflows and connection-string-based integrations. + +Agentic Runtime Authority extends Akeyless AI security beyond secretless credential retrieval by adding runtime controls and reporting for agent access. + +## Policy Control And Traceability Summary + +Agentic Runtime Authority policy controls are central to secure agent execution. **Input and output rules define what the agent can send and what data it can receive**, and each runtime session is traceable for monitoring and audit workflows. + +### Control: What the Agent Can and Cannot Do + +* **Input rules**: Constrain what the agent is allowed to send (queries, prompts, commands) when accessing dynamic, rotated, or static secrets. Blocked requests are denied before reaching the target. +* **Output rules**: Constrain what data can be returned to the agent from protected resources. Blocked response content is filtered or redacted. + +### Traceability: Full Audit Trail + +* **Session recording**: Each runtime session and query event is recorded with full context. +* **Access scope**: Runtime behavior is scoped by role rules and secret permissions. +* **Monitoring and audit**: Use the `ara-reports-access` role rule to grant access to Agentic Runtime Authority reporting data for compliance and investigation workflows. + +The current implementation exposes Agentic Runtime Authority in these places: + +* The **Agentic Runtime Authority** step or details tab on supported Dynamic Secrets in the Akeyless Console +* The [runtime-authority CLI command](https://docs.akeyless.io/docs/cli-reference#runtime-authority) for direct runtime queries through the Gateway +* The [mcp-runtime-authority CLI command](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority) for MCP-based agent integrations +* The MCP tools exposed by `mcp-runtime-authority`: `list-secrets`, `query-db`, and `service-execute` +* The `ara-reports-access` role rule for dashboard visibility +* The **Agentic Runtime Authority** role-rule type with the **Allow Access** capability in the Console role editor +* Repeated `--input-rule` and `--output-rule` flags on Dynamic Secret create and update commands + +## Prerequisites + +* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0` or later. +* **[AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway.** This is required for runtime authority functionality. +* A Dynamic Secret configured with Agentic Runtime Authority enabled. +* A role with access to the relevant Dynamic Secret and, when required, reporting access to Agentic Runtime Authority. +* An authentication method associated with that role. +* A supported desktop client, such as Claude Desktop or Cursor, if you plan to use MCP. +* _(Optional)_ Akeyless CLI version `1.144.0` or later when you plan to use CLI-based setup or execution flows. CLI is not required for MCP-based workflows or direct Gateway queries via API. + +## Control Access With RBAC + +Agentic Runtime Authority uses separate RBAC controls for dashboard visibility and runtime execution. + +### Control Dashboard Visibility + +Use the `ara-reports-access` administrative rule on a role to control access to the Agentic Runtime Authority dashboard. + +Supported values are: + +* `none` +* `scoped` +* `all` + +Use the Console when you want to configure dashboard visibility on a role without using the CLI: + +1. Open the relevant access role in the Akeyless Console. +2. Open the administrative rules section. +3. Locate **Agentic Runtime Authority**. +4. Set the reporting scope to `None`, `Scoped`, or `All`. +5. Save the role. + +For command syntax, see [CLI Reference - Access Roles](https://docs.akeyless.io/docs/cli-reference-access-roles). Use the create role command when creating a new role: + +```shell +akeyless create-role \ + --name \ + --ara-reports-access +``` + +Use the update role command when modifying an existing role: + +```shell +akeyless update-role \ + --name \ + --ara-reports-access +``` + +This rule controls dashboard visibility. Runtime execution also depends on the relevant Agentic Runtime Authority role rule and underlying secret permissions. + +### Grant Runtime Execution Access + +Use the role-rule workflow when you want a role to execute Agentic Runtime Authority operations on a path. + +1. Open the access role that should run Agentic Runtime Authority queries. +2. Add a role rule with the type **Agentic Runtime Authority**. +3. Set the path to the relevant Agentic Runtime Authority (ARA)-enabled secret path. +4. Select the **Allow Access** capability. +5. Save the role. + +Use the administrative rule separately when you also want reporting visibility. + +## Configure Agentic Runtime Authority In The Console + +1. Open the Dynamic Secret that the AI agent will use. +2. Open the **Agentic Runtime Authority** step or details tab. +3. Turn on **Enable Agentic Runtime Authority**. +4. Review the **Input Rules** table. +5. Review the **Output Rules** table. +6. Add, edit, or delete rules as needed. +7. Save the Dynamic Secret. + +For new Dynamic Secrets, the current Console implementation can prepopulate default input rules for these producer types: + +* MySQL +* PostgreSQL +* Redshift +* MSSQL +* Oracle +* Snowflake +* HanaDB +* Cassandra +* Redis +* MongoDB + +These defaults are producer-specific. For example, SQL producers receive read-only and no-multi-statement input rules by default. + +## Configure Agentic Runtime Authority With The CLI + +Dynamic Secret [create](https://docs.akeyless.io/docs/cli-reference-dynamic-secrets#create) and [update](https://docs.akeyless.io/docs/cli-reference-dynamic-secrets#update) commands accept repeated `--input-rule` and `--output-rule` flags in `name=...,rule=...` format. + +Example input and output rule values: + +```text +name=read-only-sql,rule=Only allow read-only SQL statements: SELECT, SHOW, DESCRIBE, DESC, EXPLAIN, WITH. Reject any DML or DDL statements such as INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE. +name=mask-email,rule=Mask email addresses in the returned results. +``` + +The current CLI parser requires both `name` and `rule` for each repeated flag. + +## Set Up The AI Agent + +To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts, command syntax, and client setup patterns, see [Akeyless MCP Model Context Protocol Command](https://docs.akeyless.io/docs/akeyless-mcp-model-context-protocol-command). The configuration below is specific to the [mcp-runtime-authority subcommand](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). + +### For Claude + +Create the following file: `~/Library/Application Support/Claude/claude_desktop_config.json`. + +### For Cursor + +Create the following file: `~/.cursor/mcp.json`. + +Use the following configuration template for both **Claude** and **Cursor**. Replace the placeholder values with your environment details: + +```json +{ + "mcpServers": { + "akeyless-connector": { + "command": "akeyless", + "args": [ + "mcp-runtime-authority", + "--gateway-url", + "https://:8000", + "--profile", + "profile_name" + ] + } + } +} +``` + +Where: + +* `gateway-url`: The Gateway URL where the Dynamic Secret exists. + +* `secret-name`: Optional. Use this only when you want to set a default path for the `query-db` MCP tool. This does not replace RBAC scoping for the server. Use role rules and secret permissions to restrict which secrets the profile can access. + +* `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority. + +When the MCP server is running, it exposes these workflows: + +* `list-secrets`: Lists ARA-supported secrets that the current profile can access. +* `query-db`: Runs database queries. `payload` and `agent-id` are required. `secret-name` is required per request only when no default `--secret-name` was provided at server startup. +* `service-execute`: Runs service actions against supported service targets. `secret-name`, `payload`, and `agent-id` are required. + +For OAuth-backed service flows, `service-execute` can also require `auth-code` and `state` on the follow-up call after the server returns an authorization URL. + +## Query Protected Resources With The CLI + +Use the [runtime-authority command](https://docs.akeyless.io/docs/cli-reference#runtime-authority) for direct runtime queries through the Gateway: + +```shell +akeyless runtime-authority \ + --name /demo/apps/analytics/postgres-ro \ + --payload 'SELECT current_user, current_database();' \ + --agent-id ai-assistant-01 \ + -u https://:8000 \ + --profile +``` + +Use the [mcp-runtime-authority command](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority) when the agent connects through MCP: + +```shell +akeyless mcp-runtime-authority \ + --gateway-url https://:8000 \ + --secret-name /demo/apps/analytics/postgres-ro \ + --profile +``` + +## Monitoring Access + +Each session and resource query is logged by the runtime services. Use the `ara-reports-access` role rule to grant access to Agentic Runtime Authority reporting data. See [Control Access With RBAC](#control-access-with-rbac) for role setup details. + +## Control Agent Behavior With Rules + +For additional security, Agentic Runtime Authority supports both input rules and output rules on the Dynamic Secret. Use these rules to limit unsafe requests and reduce accidental exposure of sensitive information. + +To restrict certain queries or responses: + +1. Open the [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret) object in the Akeyless Console. +2. Add an **Input Rule** to block disallowed prompts. +3. Add an **Output Rule** to block disallowed response content. +4. When a request or response matches a blocked rule, the action is denied and the protected data is not returned. + +This approach keeps the AI agent useful for legitimate queries while ensuring access remains controlled and secure. + +## Examples + +Example CLI role setup for reporting access: + +```shell +akeyless create-role \ + --name \ + --ara-reports-access scoped +``` + +Example input rules: + +```text PostgreSQL +name=read-only-sql,rule=Only allow read-only SQL statements: SELECT, SHOW, DESCRIBE, DESC, EXPLAIN, WITH. Reject any DML or DDL statements such as INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE. +``` +```text Redis +name=denied-commands,rule=Deny the following Redis commands: KEYS, FLUSHALL, FLUSHDB, DEBUG, SHUTDOWN, BGSAVE, BGREWRITEAOF, SLAVEOF, REPLICAOF, CLUSTER, MIGRATE, MONITOR, SUBSCRIBE, PSUBSCRIBE, EVAL, EVALSHA, EVALRO, EVALSHA_RO, SCRIPT. Also deny CONFIG subcommands SET, REWRITE, and RESETSTAT. +``` + +Example direct runtime query: + +```shell +akeyless runtime-authority \ + --name /demo/apps/analytics/postgres-ro \ + --payload 'SELECT count(*) FROM customers;' \ + --agent-id ai-assistant-01 \ + -u https://:8000 \ + --profile +``` + +## Related AI Guides + +* Identity and Secrets Intelligence +* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) +* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) diff --git a/docs/AI Security/ai-security.md b/docs/AI Security/ai-security.md new file mode 100644 index 000000000..ec1ad1844 --- /dev/null +++ b/docs/AI Security/ai-security.md @@ -0,0 +1,33 @@ +--- +title: AI Security With Akeyless +excerpt: Overview of Akeyless AI offerings, key features, and documentation. +deprecated: false +hidden: false +metadata: + title: AI Security With Akeyless + description: Overview of Akeyless AI offerings, key features, and documentation pages. + robots: index +--- +Akeyless provides multiple AI-focused capabilities across the identity security platform. These capabilities help teams secure agent access, reduce credential exposure, control runtime behavior, and integrate AI clients with Akeyless services. + +This page summarizes the current AI offerings and links to the detailed guides. + +## AI Offerings At A Glance + +| Offering | Primary Purpose | Key Capabilities | Documentation | +| --- | --- | --- | --- | +| Akeyless AI Insights | Enable natural-language interaction with Akeyless resources | Account-level enablement, Gateway-level model configuration, Large Language Model (LLM) target setup, and validation flow | [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) | +| Agentic Runtime Authority | Control and audit runtime agent access to supported Dynamic Secrets | Runtime query execution, input and output rules, role-based reporting access, MCP runtime support, and session reporting | [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) | +| Identity and Secrets Intelligence | Provide AI-related visibility and governance surfaces in the Console | Dashboard, Inventory, Scanners, Policies, and dedicated RBAC control via `isi-access` | [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) | +| Prompt Injection Protection Guidance | Reduce credential misuse risk in AI workflows | Secretless architecture guidance, runtime retrieval model, and practical hardening recommendations | [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) | +| Akeyless MCP Server | Integrate MCP clients and tools with Akeyless services | MCP server setup, authentication methods, profile usage, and Gateway integration | [MCP Server](https://docs.akeyless.io/docs/mcp-server) | + +## MCP Documentation Pages + +For MCP-specific setup and usage, use these pages: + +* [MCP Server](https://docs.akeyless.io/docs/mcp-server) +* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) +* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) +* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) +* [Akeyless MCP Plugin for JetBrains IDEs](https://docs.akeyless.io/docs/mcp-jetbrains-ides) diff --git a/docs/AI/akeyless-ai-insight.md b/docs/AI Security/akeyless-ai-insight.md similarity index 84% rename from docs/AI/akeyless-ai-insight.md rename to docs/AI Security/akeyless-ai-insight.md index 9ede3adf7..a5413c1e3 100644 --- a/docs/AI/akeyless-ai-insight.md +++ b/docs/AI Security/akeyless-ai-insight.md @@ -1,8 +1,11 @@ --- title: Akeyless AI Insights +excerpt: Configure Akeyless AI Insights with supported LLM targets and gateway settings. deprecated: false hidden: false metadata: + title: Akeyless AI Insights + description: Configure Akeyless AI Insights at account and gateway levels with supported LLM targets. robots: index --- ## Overview @@ -37,7 +40,7 @@ Before you begin, ensure you have the following: | 1 | Enable AI Insights at the account level | CLI | | 2 | Create an OpenAI / Gemini Target | CLI | | 3 | Configure the Akeyless Gateway for AI Insights | REST API | -| 4 | Validate the configuration and test | CLI or Web UI | +| 4 | Validate the configuration and test | CLI or Console | ### Step 1: Enable AI Insights at the Account Level @@ -47,7 +50,7 @@ To enable AI Insights, run the following command: akeyless update-account-settings --enable-ai-insights true ``` -AI Insights can also be enabled at the account level using the Web UI. +AI Insights can also be enabled at the account level using the Akeyless Console. ![Illustration for: Step 1: Enable AI Insights at the Account Level To enable AI Insights, run the following command: AI Insights can also be enabled at the account level using the Web UI.](https://files.readme.io/df738f5faf06a3befb13f4f8a90ec9445814754171e5f2b2228df221a140103b-AccountLevel.png) @@ -84,7 +87,7 @@ The following example creates an OpenAI target named `my-openai-target` with the ```shell akeyless target create openai \ --name my-openai-target \ - --api-key sk-xxxx \ + --api-key \ --model gpt-4 ``` @@ -125,8 +128,8 @@ curl -X PUT "http://localhost:8000/config/ai-insights" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -d '{ "cluster_identity": { - "account_id": "", - "access_id": "", + "account_id": "", + "access_id": "", "cluster_name": "" }, "ai_insights": { @@ -145,7 +148,7 @@ To disable AI Insights on the gateway, set the enable field to `false`: "ai_insights": { "enable": false } ``` -The Gateway can also be configured with the Web UI. +The Gateway can also be configured with the Akeyless Console. ![Illustration for: Disable AI Insights on the Gateway To disable AI Insights on the gateway, set the enable field to false: The Gateway can also be configured with the Web UI.](https://files.readme.io/3a98a777c3c391c38e6dc1818b5f6f242468d45db8ced474176d64f2e6a60076-GatewayLevel.png) @@ -161,7 +164,7 @@ To verify that AI Insights is enabled at the account level, run the following co akeyless get-account-settings ``` -#### Verify the Target +### Verify the Target To verify that the OpenAI target is configured correctly, run the following command: @@ -169,7 +172,7 @@ To verify that the OpenAI target is configured correctly, run the following comm akeyless get-target --name my-openai-target ``` -#### Verify the Gateway Configuration +### Verify the Gateway Configuration To verify that the gateway is configured for AI Insights, run the following command: @@ -177,11 +180,11 @@ To verify that the gateway is configured for AI Insights, run the following comm curl -X GET http://localhost:8000/config/ai-insights ``` -#### Test in the Web UI +#### Test in the Console -To test AI Insights in the Akeyless Web UI, follow these steps: +To test AI Insights in the Akeyless Console, follow these steps: -1. Open the Akeyless Web UI. +1. Open the Akeyless Console. 2. Navigate to AI Insights. 3. Start a chat session 4. Ask a natural language question. @@ -208,9 +211,12 @@ To test AI Insights in the Akeyless Web UI, follow these steps: * [ ] Store target ID * [ ] Configure gateway * [ ] Verify the Gateway configuration -* [ ] Test in the Web UI +* [ ] Test in the Console ## Related AI Guides -* +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) +* [MCP Server](https://docs.akeyless.io/docs/mcp-server) +* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) * [Beyond .env: Building a "Dynamic-Only" Secretless AI Agent with Google ADK](https://docs.akeyless.io/docs/beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk) diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md new file mode 100644 index 000000000..1689ab6cd --- /dev/null +++ b/docs/AI Security/identity-and-secrets-intelligence.md @@ -0,0 +1,141 @@ +--- +title: Identity & Secrets Intelligence +excerpt: Review the current Identity & Secrets Intelligence surfaces, access controls, and how the feature fits with other Akeyless AI capabilities. +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +--- + +> ⚠️ **Warning:** +> +> Identity and Secrets Intelligence is currently in early access. Features, behavior, and availability can change between releases. + +Identity and Secrets Intelligence is a console surface for reviewing AI-related visibility and governance data in Akeyless. + +In the current Akeyless Console, Identity and Secrets Intelligence includes these sections: + +* Dashboard +* Inventory +* Scanners +* Policies + +Identity and Secrets Intelligence complements the broader Akeyless AI security model. Secretless runtime retrieval reduces exposure to static credentials, Identity and Secrets Intelligence adds visibility and governance, and [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) adds runtime control for supported dynamic secrets. + +## Access And Availability + +In the current Console implementation, the menu is shown only when the account has the feature enabled and the user has admin-level Console access. The backend and CLI also expose a dedicated `isi-access` role rule. + +### Use Identity & Secrets Intelligence In The Console + +1. Sign in to the Akeyless Console. +2. In the left navigation, open **Identity & Secrets Intelligence**. +3. Use **Dashboard** for the high-level overview. +4. Use **Inventory** to review findings and drill into finding details. +5. Use **Scanners** to create scanners, start scans, stop running scans, and review scan history. +6. Use **Policies** to review available policies and change policy status. + +The current Inventory implementation exposes finding details for secret, identity, and certificate findings, and supports updating finding status. + +The current Scanner implementation supports creating scanners, starting scans, stopping active scans, reviewing scan history, and navigating from a running scan directly to **Inventory**. + +## Operational Views + +Use these views to move from high-level posture checks to specific remediation tasks: + +* **Dashboard**: Review high-level counts, trends, and status indicators that show where investigation is needed. +* **Inventory**: Drill into findings by type, status, and severity, then open finding details for follow-up actions. +* **Scanners**: Track scanner status, launch or stop scans, and review scan history before validating outcomes in **Inventory**. +* **Policies**: Review policy scope and status, then enable or adjust policies based on findings from Dashboard and Inventory. + +## Example Monitoring Workflow + +Use this workflow when you need a repeatable operating pattern for Identity and Secrets Intelligence: + +1. Open **Dashboard** to identify the highest-priority signals. +2. Open **Inventory** to filter and triage findings by type and status. +3. Open **Scanners** to run targeted scans for affected environments. +4. Open **Policies** to validate that controls match your risk posture. +5. Return to **Dashboard** and **Inventory** to verify that remediation changes are reflected. + +### Policy Types And Examples + +Identity and Secrets Intelligence policies are organized by finding type. In the current implementation, common policy categories include: + +* **Secrets policies**: Focus on secret exposure risks and secret hygiene. +* **Identity policies**: Focus on identity posture, privilege scope, and risky identity configurations. +* **Certificate policies**: Focus on certificate posture, lifecycle state, and certificate-related findings. + +Examples of policy-driven findings can include exposed secrets in connected sources, over-permissive identities, and certificates that require lifecycle attention. + +### Control Access With Role-Based Access Control (RBAC) + +Use the `isi-access` administrative rule on a role to control access to Identity and Secrets Intelligence. + +For command syntax, see [CLI Reference - Access Roles](https://docs.akeyless.io/docs/cli-reference-access-roles). + +Supported values are: + +* `none` +* `scoped` +* `all` + +Use `create-role` when creating a new role: + +```shell +akeyless create-role \ + --name \ + --isi-access +``` + +Use `update-role` when modifying an existing role: + +```shell +akeyless update-role \ + --name \ + --isi-access +``` + +Use `get-role` to verify the role after the update: + +```shell +akeyless get-role --name +``` + +The current CLI validation accepts `none`, `scoped`, and `all`. It does not accept the legacy `own` value for `isi-access`. + +## Example Workflow + +The following example shows one minimal workflow for granting access and reviewing results: + +1. Create or update a role with `--isi-access scoped` or `--isi-access all`. +2. Associate the role with the authentication method that your operators use. +3. Sign in to the Akeyless Console. +4. Open **Identity & Secrets Intelligence**. +5. Review the **Dashboard**. +6. Open **Scanners**, start a scan, and then use **Inventory** to review the findings. + +### CLI Example + +```shell +akeyless create-role \ + --name \ + --isi-access scoped +``` + +### Console Example + +1. Sign in to the Akeyless Console. +2. Open **Identity & Secrets Intelligence**. +3. Open **Scanners**, and start a scan. +4. Open **Inventory**, and review the generated findings. + +## How It Fits With Other AI Features + +Use Identity and Secrets Intelligence together with the other Akeyless AI surfaces: + +* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) for natural-language interaction with the Akeyless identity security platform +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) for controlled runtime access to supported dynamic secrets +* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) for guidance on reducing credential misuse risk in AI workflows diff --git a/docs/AI/prompt-injection-protection-for-ai-agents.md b/docs/AI Security/prompt-injection-protection-for-ai-agents.md similarity index 84% rename from docs/AI/prompt-injection-protection-for-ai-agents.md rename to docs/AI Security/prompt-injection-protection-for-ai-agents.md index 9aaf88269..424c846f1 100644 --- a/docs/AI/prompt-injection-protection-for-ai-agents.md +++ b/docs/AI Security/prompt-injection-protection-for-ai-agents.md @@ -1,8 +1,11 @@ --- title: Prompt Injection Protection for AI Agents +excerpt: Reduce prompt-injection credential risk in AI agents with secretless runtime access patterns. deprecated: false hidden: false metadata: + title: Prompt Injection Protection for AI Agents + description: Learn how secretless runtime access and layered controls reduce prompt-injection risk for AI agent workflows. robots: index --- ## Overview @@ -86,12 +89,16 @@ Use secretless runtime retrieval together with the following controls: This pattern is relevant anywhere an agent or AI-assisted workflow can reach protected systems: -* Akeyless AI Insights, when natural-language workflows interact with protected resources -* Akeyless MCP Server, when external agent frameworks call Akeyless-managed tools and credentials +* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight), when natural-language workflows interact with protected resources +* [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server), when external agent frameworks call Akeyless-managed tools and credentials +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority), when runtime agent access to protected resources needs enforcement and auditing +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence), when teams need AI-related visibility and governance surfaces * custom agent implementations that retrieve secrets or dynamic credentials from Akeyless at runtime ## Related AI Guides * [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) * [MCP Server](https://docs.akeyless.io/docs/mcp-server) * [Beyond .env: Building a "Dynamic-Only" Secretless AI Agent with Google ADK](https://docs.akeyless.io/docs/beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk) diff --git a/docs/AI/MCP/_order.yaml b/docs/AI/MCP/_order.yaml deleted file mode 100644 index 21ff8ce78..000000000 --- a/docs/AI/MCP/_order.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- index -- akeyless-mcp-plugin-jetbrains-ides -- akeyless-mcp-model-context-protocol-command \ No newline at end of file diff --git a/docs/AI/MCP/akeyless-mcp-model-context-protocol-command.md b/docs/AI/MCP/akeyless-mcp-model-context-protocol-command.md deleted file mode 100644 index ba94b46f3..000000000 --- a/docs/AI/MCP/akeyless-mcp-model-context-protocol-command.md +++ /dev/null @@ -1,168 +0,0 @@ ---- -title: CLI Reference - MCP Server -excerpt: '' -deprecated: false -hidden: false -metadata: - title: '' - description: '' - robots: index -next: - description: '' ---- -The `akeyless mcp` command starts an MCP server that enables AI assistants such as Cursor and GitHub Copilot to securely interact with Akeyless services through a standardized interface. - -If you use JetBrains IDEs, see the page for the IDE-specific setup flow. - -## What Is MCP? - -Model Context Protocol (MCP) is an open standard that allows AI assistants to securely access external data sources and tools. - -## With MCP, You Can - -* Safely authenticate AI assistants with Akeyless -* Interact with Akeyless secrets, targets, and other resources -* Leverage existing profiles and authentication methods -* Connect to Akeyless Gateway instances - -## Features - -* Secure Authentication – Uses Akeyless authentication mechanisms -* Tool Integration – Access Akeyless secrets, targets, RBAC, and more -* Profile Support – Uses your existing Akeyless CLI profiles for authentication context -* Gateway Integration – Supports both local and cloud Akeyless Gateways - -## Usage - -> Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). - -### Basic Commands - -```shell -# Start MCP server with access key authentication -akeyless mcp --access-id --access-key --access-type access_key --gateway-url https://:8000/api/v2 - -# Start MCP server with SAML authentication -akeyless mcp --access-id --access-type saml --gateway-url https://:8000/api/v2 -``` - -### Supported Authentication Methods - -```shell ---access-type [=access_key] -(access_key / password / saml / ldap / k8s / azure_ad / oidc / aws_iam / universal_identity / jwt / gcp / cert / oci / kerberos) -``` - -The `mcp` command accepts the same authentication parameters as standard Akeyless CLI auth commands. For more details, see [Akeyless Authentication Documentation](https://docs.akeyless.io/docs/access-and-authentication-methods) - -## Common Parameters - -`--access-id`: Your Akeyless Access ID - -`--access-key`: Your Akeyless Access Key (for `access_key` auth) - -`--access-type`: Authentication method (see list above) - -`--gateway-url`: Gateway URL (required for `akeyless mcp`; must be supplied in-line) - -`--profile`: Use an existing CLI profile - -## Setting Up MCP With Cursor - -1. Install Akeyless CLI: - Ensure the Akeyless CLI is installed and configured. - -2. Update Cursor Settings: - Open settings (Cmd/Ctrl + Shift + P → Preferences: Open Settings (JSON)) and add: - - ```json - { - "mcp.servers": { - "akeyless": { - "command": "akeyless", - "args": ["mcp", "--profile", "your-profile-name", "--gateway-url", "https://:8000/api/v2"] - }, - "akeyless-saml": { - "command": "akeyless", - "args": ["mcp", "--access-id", "your-access-id", "--access-type", "saml", "--gateway-url", "https://:8000/api/v2"] - }, - "akeyless-oidc": { - "command": "akeyless", - "args": ["mcp", "--access-id", "your-access-id", "--access-type", "oidc", "--gateway-url", "https://:8000/api/v2"] - } - } - } - ``` - -3. Restart Cursor for the changes to take effect. - -4. Verify that you can now run queries such as: - - * “Show me my Akeyless secrets” - * “Create a new secret called `api-key`” - * “List all my targets” - -## Setting Up MCP With GitHub Copilot - -1. Install Copilot CLI - - ```shell - npm install -g @githubnext/github-copilot-cli - ``` - -2. Configure Copilot - - Edit `~/.copilot/mcp-config.json` to include: - - ```json - mcpServers: - akeyless: - command: akeyless - args: ["mcp", "--profile", "your-profile-name", "--gateway-url", "https://:8000/api/v2"] - akeyless-saml: - command: akeyless - args: ["mcp", "--access-id", "your-access-id", "--access-type", "saml", "--gateway-url", "https://:8000/api/v2"] - akeyless-oidc: - command: akeyless - args: ["mcp", "--access-id", "your-access-id", "--access-type", "oidc", "--gateway-url", "https://:8000/api/v2"] - ``` - -3. Start Copilot with MCP - - ```shell - copilot mcp - ``` - -4. Use Copilot - - You can now manage secrets, configure targets, and perform infrastructure tasks through Copilot. - -## Examples - -### Secret Operations - -```shell -# Start MCP server -akeyless mcp --profile production --gateway-url https://:8000/api/v2 - -# In Cursor/Copilot -# "Create a secret called 'database-password' with value 'secure123'" -# "Show me all secrets in the /prod/ path" -``` - -### Target Management - -```shell -# "List all my AWS targets" -# "Update the SSH target with new credentials" -``` - -### Production Setup - -```shell -# Production -akeyless mcp --profile prod --gateway-url https://:8000/api/v2 - -# Development / Testing -akeyless mcp --profile dev --gateway-url https://:8000/api/v2 -``` diff --git a/docs/AI/MCP/index.md b/docs/AI/MCP/index.md deleted file mode 100644 index e507f07c0..000000000 --- a/docs/AI/MCP/index.md +++ /dev/null @@ -1,403 +0,0 @@ ---- -title: MCP Server -excerpt: Use the Akeyless MCP Server with MCP clients and JetBrains IDE integration. -deprecated: false -hidden: false -link: - new_tab: false -metadata: - title: Akeyless MCP Server - description: Use the Akeyless MCP Server with supported MCP clients and JetBrains IDE integration. - robots: index ---- -## Overview - -The Akeyless Model Context Protocol (MCP) Server is a robust integration that enables AI systems to securely interact with your Akeyless Identity Security Platform. It provides a standardized interface for AI models to access, manage, and manipulate secrets, keys, certificates, and other sensitive data stored in Akeyless. - -## What Is the MCP? - -The Model Context Protocol is a standardized protocol that allows AI systems to connect to external data sources and services. It provides a secure, authenticated method for AI models to: - -* Access external APIs and services -* Retrieve and manage sensitive data -* Perform operations on behalf of users -* Maintain security boundaries and access controls - -Read more about the [Model Context Protocol](https://modelcontextprotocol.io/). - -## Akeyless MCP Server Features - -The Akeyless MCP Server provides comprehensive access to Akeyless functionality, including: - -### Core Capabilities - -* Secrets Management: Create, read, update, and delete Static Secrets -* Encryption and Key Management: Generate, rotate, and manage encryption keys -* Certificate Lifecycle Management: Issue, renew, and manage PKI and SSH certificates -* Dynamic Secrets: Generate temporary credentials for databases and cloud services -* Access Control: Manage roles, permissions, and authentication methods -* Analytics: Retrieve usage analytics and audit data - -### Supported Operations - -* List and describe items (such as secrets, keys, certificates) -* Create and update secrets -* Generate Dynamic Secrets -* Manage authentication methods and roles -* Retrieve analytics data -* Handle targets and associations - -## Configuration - -### Prerequisites - -* The Akeyless CLI must be successfully installed and **updated to version 1.130.0** or newer. - * Read more about the [Akeyless CLI](https://docs.akeyless.io/docs/cli). - * Learn about [updating the Akeyless CLI](https://docs.akeyless.io/docs/cli-reference#/update). -* An Akeyless account must be created and a corresponding profile configured with the Akeyless CLI. - -### Client Setup - -Configure the Akeyless MCP server in your MCP client configuration file. For example, Cursor uses `~/.cursor/mcp.json`. A list of supported MCP clients is available at https://modelcontextprotocol.io/clients. - -If you use JetBrains IDEs, see for the IDE-specific setup and usage flow. - -#### Sample Configuration Structure - -```json -{ - "mcpServers": { - "akeyless": { - "command": "/path/to/akeyless", - "args": [ - "mcp", - "--access-id", "your-access-id", - "--access-key", "your-access-key", - "--access-type", "access_key", - "--gateway-url", "https://:8000/api/v2" - ], - "env": {} - } - } -} -``` - -#### Configuration Parameters - -| Configuration | Description | Required | Default Value | -| --- | --- | --- | --- | -| `command` | Path to the Akeyless CLI binary | Yes | (none) | -| `args.--access-id` | The Akeyless access ID to authenticate with | Yes* (if using the `access_key` access type) | (none) | -| `args.--access-key` | The Akeyless access key to authenticate with | Yes* (if using the `access_key` access type) | (none) | -| `args.--access-type` | Authentication method type to use. See [Access type values](#access-type-values). | Yes | `access_key` | -| `args.--account-id` | Used to select which Akeyless account to use if the `--admin-email` is associated with more than one account | No | (none) | -| `args.--admin-password` | The Akeyless account password to authenticate with | Yes* (if using the `password` access type) | (none) | -| `args.--admin-email` | The Akeyless account email address to authenticate with | Yes* (if using the `password` access type) | (none) | -| `args.--cert-challenge` | Certificate challenge encoded in base64 (relevant only for the `cert` access type) | Yes* (if using the `cert` access type and `args.--key-file-name` or `args.--key-data` is not used) | (none) | -| `args.--cert-data` | Certificate data encoded in base64, used if a file was not provided (relevant only for the `cert` access type) | Yes* (if using the `cert` access type and `args.--cert-file-name` is not used) | (none) | -| `args.--cert-file-name` | Path to where the certificate file for certificate authentication is located | Yes* (if using the `cert` access type and `args.--cert-data` is not used) | (none) | -| `args.--cloud-id` | The identity for the chosen cloud provider. See [Cloud ID values](#cloud-id-values). | Yes* (if using the `aws_iam`, `azure_id`, `gcp`, or `oci` access types) | (none) | -| `args.--debug` | Enable debug logging | No | `false` | -| `args.--disable-kerberos-fast` | Disable Kerberos FAST negotiation | No | `true` | -| `args.--gateway-spn` | The service principal name of the gateway as registered in LDAP | No | (none) | -| `args.--gateway-url` | Akeyless Gateway URL | Yes (must be passed in-line for `akeyless mcp`) | (none) | -| `args.--gcp.audience` | GCP audience to use with signed JWT (relevant only for the `gcp` access type) | No | `akeyless.io` | -| `args.--jwt` | The JSON Web Token | Yes* (if using the `jwt` or `oidc` access type) | (none) | -| `args.--k8s-auth-config-name` | The Kubernetes Auth config name | Yes* (if using the `k8s` access type) | (none) | -| `args.--k8s-service-account-token` | The Kubernetes ServiceAccount token | Yes* (if using the `k8s` access type) | (none) | -| `args.--kerberos-token` | Kerberos token for the gateway SPN, used by SPNEGO for authentication | No | (none) | -| `args.--kerberos-username` | The username for the entry within the keytab to authenticate by way of Kerberos | No | (none) | -| `args.--key-data` | Private key data encoded in base64 | Yes* (if using the `cert` access type and `args.--key-file-name` or `args.--cert-challenge` is not used) | (none) | -| `args.--key-file-name` | Path to where the key file is located | Yes* (if using the `cert` access type and `args.--key-data` or `args.--cert-challenge` is not used) | (none) | -| `args.--keytab-file-data` | Base64-encoded content of a valid keytab file, containing the service account's entry | Yes* (if using the `kerberos` access type and `args.--keytab-file-path` is not used) | (none) | -| `args.--keytab-file-path` | The path to a valid keytab file, containing the user entry | Yes* (if using the `kerberos` access type and `args.--keytab-file-data` is not used) | (none) | -| `args.--krb5conf-file-data` | Base64-encoded content of a valid `krb5.conf` file, specifying the settings and parameters required for Kerberos authentication | Yes* (if using the `kerberos` access type and `args.--krb5conf-file-path` is not used) | (none) | -| `args.--krb5conf-file-path` | Path to a valid `krb5.conf` file, specifying the settings and parameters required for Kerberos authentication | Yes* (if using the `kerberos` access type and `args.--krb5conf-file-data` is not used) | (none) | -| `args.--ldap-proxy-url` | Address URL for LDAP proxy | Yes* (if using the `ldap` access type) | (none) | -| `args.--oci-auth-type` | The type of the OCI configuration to use. See [OCI auth type values](#oci-auth-type-values). | No | `apikey` | -| `args.--oci-group-ocid` | A list of Oracle Cloud IDs groups | Yes* (if using the `oci` access type) | (none) | -| `args.--oidc-sp` | OIDC Service Provider (relevant only for the `oidc` access type). Inferred if empty. Supported SPs: `google`, `github`. | No | (inferred) | -| `args.--password` | LDAP password | Yes* (if using the `ldap` access type) | (none) | -| `args.--profile` | The CLI profile name to use for authentication context (the profile `gateway_url` is not used by `akeyless mcp`) | No | `default` | -| `args.--signed-cert-challenge` | Signed certificate challenge encoded in base64 (relevant only for the `cert` access type) | No | (none) | -| `args.--uid-token` | The Universal Identity token | Yes* (if using the `universal_identity` access type) | (none) | -| `args.--use-remote-browser` | Returns a link to complete authentication remotely (relevant only for the `saml` and `oidc` access types) | No | (none) | -| `args.--username` | LDAP username | Yes* (if using the `ldap` access type) | (none) | - -##### Access type values - -Acceptable values for `args.--access-type`: - -* [access_key](https://docs.akeyless.io/docs/auth-with-api-key) -* [aws_iam](https://docs.akeyless.io/docs/auth-with-aws) -* [azure_ad](https://docs.akeyless.io/docs/auth-with-azure) -* [cert](https://docs.akeyless.io/docs/auth-with-certificate) -* [gcp](https://docs.akeyless.io/docs/auth-with-gcp) -* [jwt](https://docs.akeyless.io/docs/auth-with-oauth-jwt) -* [k8s](https://docs.akeyless.io/docs/auth-with-kubernetes) -* [kerberos](https://docs.akeyless.io/docs/auth-with-kerberos) -* [ldap](https://docs.akeyless.io/docs/auth-with-ldap) -* [oci](https://docs.akeyless.io/docs/auth-with-oci) -* [oidc](https://docs.akeyless.io/docs/auth-with-oidc) -* [password](https://docs.akeyless.io/docs/auth-with-email) -* [saml](https://docs.akeyless.io/docs/auth-with-saml) -* [universal_identity](https://docs.akeyless.io/docs/auth-with-universal-identity) - -##### Cloud ID values - -Acceptable values for `args.--cloud-id`: - -* `aws_iam` -* `azure_id` -* `gcp` -* `oci` - -##### OCI auth type values - -Acceptable values for `args.--oci-auth-type`: - -* `apikey` -* `instance` -* `resource` - -#### Example Authentication Method Configurations - -The Akeyless MCP server supports multiple [Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods): - -##### Access Key Authentication (Default) - -```json -{ - "args": [ - "mcp", - "--access-id", "p-xxxxxxxxxxxxx", - "--access-key", "your-access-key", - "--access-type", "access_key", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### Certificate Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "cert", - "--cert-file-name", "/path/to/cert.pem", - "--key-file-name", "/path/to/key.pem", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### Cloud Provider Authentication - -```json AWS -{ - "args": [ - "mcp", - "--access-type", "aws_iam", - "--cloud-id", "your-aws-role-arn", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` -```json Azure -{ - "args": [ - "mcp", - "--access-type", "azure_ad", - "--cloud-id", "your-azure-client-id", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` -```json GCP -{ - "args": [ - "mcp", - "--access-type", "gcp", - "--cloud-id", "your-gcp-service-account", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### Kubernetes Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "k8s", - "--k8s-auth-config-name", "your-config-object", - "--k8s-service-account-token", "your-service-account-token", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### LDAP Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "ldap", - "--ldap-proxy-url", "ldap://your-ldap-server", - "--username", "your-username", - "--password", "your-password", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### OIDC/JWT Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "oidc", - "--jwt", "your-jwt-token", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### Password Authentication - -```json -{ - "args": [ - "mcp", - "--admin-email", "user@example.com", - "--admin-password", "your-password", - "--access-type", "password", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -##### SAML Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "saml", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` - -### Client Notes - -* Pass `--gateway-url` directly in the MCP client configuration or command line. -* If you use JetBrains IDEs, install the dedicated plugin instead of wiring the server manually. -* Keep the CLI profile name consistent across your MCP clients so authentication behavior stays predictable. - -## Best Practices - -### Security Best Practices - -* Use Environment Variables: Store sensitive credentials in environment variables rather than hardcoding them -* Principle of Least Privilege: Create dedicated access keys with minimal required permissions -* Regular Rotation: Rotate access keys regularly -* Secure Storage: Use secure credential storage solutions -* Network Security: Use HTTPS endpoints and consider VPN access - -For prompt injection risk reduction guidance for agent-based workflows, see . - -### Configuration Management - -* Version Control: Keep MCP configuration files in version control (excluding secrets) -* Environment Separation: Use separate configurations for different environments -* Documentation: Document your configuration choices and rationale -* Testing: Test configurations in development before deploying to production - -### Monitoring and Logging - -* Enable Debug Mode: Use the `--debug` flag for troubleshooting -* Monitor Access: Regularly review access logs and analytics -* Set Up Alerts: Configure alerts for unusual access patterns -* Audit Trail: Maintain audit trails for compliance requirements - -### Performance Optimization - -* Connection Pooling: Reuse connections when possible -* Caching: Implement appropriate caching strategies -* Batch Operations: Use batch operations for multiple items -* Resource Limits: Set appropriate resource limits - -## Troubleshooting: Common Issues and Solutions - -### Authentication Failures - -#### Akeyless MCP Server Fails to Authenticate - -1. Verify access ID and access key are correct -2. Check if credentials have expired -3. Ensure proper permissions are assigned -4. Verify gateway URL is accessible - - -```shell -# Test authentication manually -akeyless auth --access-id "your-access-id" --access-key "your-access-key" -``` - -### Connection Issues - -#### Cannot Connect to the Akeyless Gateway - -* Check network connectivity -* Verify gateway URL format -* Check firewall settings -* Test with curl or wget: - -```shell -# Test connectivity -curl -I https://:8000/api/v2 -``` -```text Sample Output -HTTP/2 405 -date: Fri, 03 Oct 2025 20:36:32 GMT -content-type: application/json -content-length: 68 -cache-control: no-cache, no-store, must-revalidate, private -content-security-policy: img-src 'self' data:; -cross-origin-opener-policy: same-origin -cross-origin-resource-policy: same-origin -expires: 0 -permissions-policy: geolocation=(self), microphone=(self), camera=(self), payment=(self) -pragma: no-cache -referrer-policy: no-referrer-when-downgrade -vary: Origin -x-content-type-options: nosniff -x-frame-options: SAMEORIGIN -``` - -### Permission Errors - -#### Insufficient Permissions for Operations - -* Review role assignments -* Check item-level permissions -* Verify authentication method permissions -* Contact administrator for access - -### Configuration Errors - -#### MCP Server Fails to Start - -* Validate JSON configuration syntax -* Check file paths are correct -* Verify command arguments -* Review environment variables - -## Related AI Guides - -* diff --git a/docs/AI/agentic-runtime-authority.md b/docs/AI/agentic-runtime-authority.md deleted file mode 100644 index 2b1c6a9d1..000000000 --- a/docs/AI/agentic-runtime-authority.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -title: Agentic Runtime Authority -deprecated: false -hidden: true -metadata: - robots: index ---- -Agentic Runtime Authority allows AI agents to securely communicate with your resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with protected environments without exposing long-lived credentials. - -**Agentic Runtime Authority** currently supports the following dynamic secret types: - -* **DB Dynamic Secrets** for database access. -* **Cloud Dynamic Secrets** for cloud environment access. -* **GitHub Dynamic Secrets** for GitHub repository access. - -# Prerequisites - -* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0`. - -* CLI version `1.144.0`. - -* [AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway to power intelligent resource access. - -* A Dynamic Secret configured with Agentic Runtime Authority enabled. - -* An authentication method associated with a role that has Agentic Runtime Authority permissions. - -* Claude/Cursor Desktop installed. - -# Setting up the AI Agent - -To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. - -**For Claude** - -Create the following file: `~/Library/"Application Support"/Claude/claude_desktop_config.json`. - -**For Cursor** - -Create the following file: `~/.cursor/mcp.json`. - -Use the following configuration template for both **Claude** and **Cursor**. Replace the placeholder values with your environment details: - -```json -{ - "mcpServers": { - "akeyless-connector": { - "command": "akeyless", - "args": [ - "mcp-runtime-authority", - "--gateway-url", - "https://:8000", - "--secret-name", - "full/path/to/secret", - "--profile", - "profile_name" - ] - } - } -} -``` - -Where: - -* `gateway-url`: The Gateway URL where the Dynamic Secret exists. - -* `secret-name`: The full path of a specific Dynamic Secret to expose to the AI agent. Use this parameter when you want the agent to access only one secret. To allow access to all supported Dynamic Secrets, remove this parameter. Multiple specific secrets are not supported. - -* `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority. - -# Querying Your Resources - -With Agentic Runtime Authority configured, you can now use Claude or Cursor to interact with your protected resources in natural language. The AI agent will authenticate requests and retrieve credentials dynamically without storing long-lived secrets. - -## Monitoring Access - -Each session and resource query is automatically logged. You can view access activity under the **Agentic Runtime Authority** tab in the **Akeyless Console** to monitor which resources were accessed and when. - -## Controlling Access with Input Rules - -For additional security, you can control what users are allowed to ask the AI agent to do. This is useful for preventing accidental exposure of sensitive information. - -**To restrict certain queries:** - -1. Open the [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret) object in the Akeyless Console. -2. Add an **Input Rule** that matches patterns you want to block (for example: queries requesting **personal information**, **credentials**, or **internal records**). -3. When a user sends a request matching a blocked rule, the request is denied and restricted information is not returned from the database. - -This approach keeps the AI agent useful for legitimate queries while ensuring access remains controlled and secure. diff --git a/docs/Customer Journeys/customer-journeys/_order.yaml b/docs/Customer Journeys/customer-journeys/_order.yaml index ca77a780e..705ca2a13 100644 --- a/docs/Customer Journeys/customer-journeys/_order.yaml +++ b/docs/Customer Journeys/customer-journeys/_order.yaml @@ -1,4 +1,3 @@ - access-requests-with-sn -- >- - customer-use-case-automating-employee-onboarding-and-role-based-access-control-in-servicenow +- customer-use-case-automating-employee-onboarding-and-role-based-access-control-in-servicenow - beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk diff --git a/docs/Integrations & Plugins/MCPs.md b/docs/Integrations & Plugins/MCPs.md index 5d91cbbce..9cec4b94f 100644 --- a/docs/Integrations & Plugins/MCPs.md +++ b/docs/Integrations & Plugins/MCPs.md @@ -12,6 +12,24 @@ next: --- ## Model Context Protocol (MCP) -See the Akeyless Model Context Protocol (MCP) overview in [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server). +Model Context Protocol (MCP) is an open protocol that lets AI clients connect to external tool servers through a standard interface. With Akeyless MCP, your client starts an Akeyless MCP server process and uses it to run authorized operations against your Akeyless identity security platform. + +General usage flow: + +1. Configure the Akeyless CLI and authentication profile. +2. Configure your MCP client to launch the Akeyless MCP server command. +3. Reload the MCP client and invoke Akeyless tools from your prompt. + +Use MCP documentation in this order: + +1. Start with [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server) for the general model, requirements, and usage flow. +2. Open your integration-specific page for client setup details. + +Integration guides: + +* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) +* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) +* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) +* [JetBrains IDEs Integration](https://docs.akeyless.io/docs/mcp-jetbrains-ides) If you use Cursor, see [Akeyless Secrets Manager for Cursor](https://docs.akeyless.io/docs/cursor-akeyless-secrets-manager) for the separate secret-scanning extension. diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md index f1cc2b4d4..c2abbe143 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md @@ -58,12 +58,16 @@ akeyless create-role --name `--sra-reports-access`: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. +`--ara-reports-access`: Allow this role to view [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). Currently only `none`, `scoped`, and `all` values are supported. + `--usage-reports-access`: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. `--event-center-access`: Allow this role to view Event Center. Currently only 'none', 'own' and 'all' values are supported. `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. +`--isi-access`: Allow this role to access **Identity & Secrets Intelligence**. Currently only `none`, `scoped`, and `all` values are supported. For details, see [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). + `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. `description`: Description of the object @@ -279,12 +283,16 @@ akeyless update-role -n \ `--sra-reports-access`: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. +`--ara-reports-access`: Allow this role to view [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). Currently only `none`, `scoped`, and `all` values are supported. + `--usage-reports-access`: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. `--event-center-access`: Allow this role to view Event Center. Currently only 'none', 'own' and 'all' values are supported. `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. +`--isi-access`: Allow this role to access **Identity & Secrets Intelligence**. Currently only `none`, `scoped`, and `all` values are supported. For details, see [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). + `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. `--description`: Description of the object diff --git a/docs/Integrations & Plugins/cli-reference/index.md b/docs/Integrations & Plugins/cli-reference/index.md index fe4c6d30e..c27960ed5 100644 --- a/docs/Integrations & Plugins/cli-reference/index.md +++ b/docs/Integrations & Plugins/cli-reference/index.md @@ -205,6 +205,61 @@ akeyless move-objects --source \ `-o, --objects-type[=item]`: The objects type to move (item/auth_method/role) +### `mcp` + +Starts the general Akeyless MCP server so MCP-compatible AI clients can interact with Akeyless tools. + +#### Usage + +```shell +akeyless mcp \ + --gateway-url https://:8000/api/v2 \ + --profile +``` + +#### Flags + +`--gateway-url`: Required, Gateway URL + +`--profile`: Use an existing CLI profile + +`--access-type`: Authentication method when not using `--profile`, options: `[access_key/password/saml/ldap/k8s/azure_ad/oidc/aws_iam/universal_identity/jwt/gcp/cert/oci/kerberos]` + +`--access-id`: Access ID for the selected authentication method + +`--access-key`: Access Key (relevant for `access-type=access_key`) + +For MCP concepts and integration setup, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). + +### `mcp-runtime-authority` + +Starts the MCP server for Agentic Runtime Authority runtime-query tools. + +#### Usage + +```shell +akeyless mcp-runtime-authority \ + --gateway-url https://:8000 \ + --secret-name /demo/apps/analytics/postgres-ro \ + --profile +``` + +#### Flags + +`--gateway-url`: Required, Gateway URL + +`--secret-name`: Optional default secret path for database query workflows + +`--profile`: Use an existing CLI profile + +`--access-type`: Authentication method when not using `--profile`, options: `[access_key/password/saml/ldap/k8s/azure_ad/oidc/aws_iam/universal_identity/jwt/gcp/cert/oci/kerberos]` + +`--access-id`: Access ID for the selected authentication method + +`--access-key`: Access Key (relevant for `access-type=access_key`) + +For Runtime Authority behavior and workflow context, see [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). + ### `set-item-state` Set an item's state (Enabled, Disabled) @@ -222,6 +277,33 @@ akeyless set-item-state --name \ `-s, --desired-state`: Required, Desired item state +### `runtime-authority` + +Execute a target query or service action through the Gateway runtime authority endpoint. + +#### Usage + +```shell +akeyless runtime-authority \ + --name /demo/apps/analytics/postgres-ro \ + --payload 'SELECT current_user, current_database();' \ + --agent-id ai-assistant-01 \ + --gateway-url https://:8000 \ + --profile +``` + +#### Flags + +`-n, --name`: Required, Full path of the Akeyless secret (dynamic or rotated) + +`--payload`: Required, Query or action to run (for example SQL or `aws s3 ls`) + +`--agent-id`: Required, Agent identifier for auditing + +`-u, --gateway-url`: Required, Gateway URL + +`--profile`: Use an existing CLI profile + ### `unconfigure` Remove configuration of client profile diff --git a/docs/Secure Remote Access/_order.yaml b/docs/Secure Remote Access/_order.yaml index 4ead415ab..799aaf706 100644 --- a/docs/Secure Remote Access/_order.yaml +++ b/docs/Secure Remote Access/_order.yaml @@ -1,3 +1,4 @@ +- secure-remote-access - sra-getting-started - sra-setup - sra-admin-guides diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/secure-remote-access.md similarity index 100% rename from docs/Secure Remote Access/index.md rename to docs/Secure Remote Access/secure-remote-access.md diff --git a/docs/_order.yaml b/docs/_order.yaml index 298d8aa77..c2111df61 100644 --- a/docs/_order.yaml +++ b/docs/_order.yaml @@ -9,7 +9,7 @@ - Password Manager - Secure Remote Access - Universal Secret Connector -- AI +- AI Security - Integrations & Plugins - Advanced Functionality - Customer Journeys