From e1e58c736940550ec284366adb24ad4f6e4ef47f Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 13:20:25 -0600 Subject: [PATCH 01/24] docs(DOCS-395): document AI security features --- .github/lychee/.lycheeignore | 5 + .pre-commit-config.yaml | 7 +- docs/{AI => AI Security}/MCP/_order.yaml | 0 ...less-mcp-model-context-protocol-command.md | 0 .../MCP/akeyless-mcp-plugin-jetbrains-ides.md | 0 docs/{AI => AI Security}/MCP/index.md | 0 docs/{AI => AI Security}/_order.yaml | 6 +- docs/AI Security/agentic-runtime-authority.md | 232 ++++++++++++++++++ .../akeyless-ai-insight.md | 24 +- .../identity-and-secrets-intelligence.md | 118 +++++++++ docs/AI Security/index.md | 31 +++ ...ompt-injection-protection-for-ai-agents.md | 0 docs/AI/agentic-runtime-authority.md | 89 ------- .../customer-journeys/_order.yaml | 3 +- .../cli-reference-access-roles.md | 8 + docs/_order.yaml | 2 +- 16 files changed, 416 insertions(+), 109 deletions(-) rename docs/{AI => AI Security}/MCP/_order.yaml (100%) rename docs/{AI => AI Security}/MCP/akeyless-mcp-model-context-protocol-command.md (100%) rename docs/{AI => AI Security}/MCP/akeyless-mcp-plugin-jetbrains-ides.md (100%) rename docs/{AI => AI Security}/MCP/index.md (100%) rename docs/{AI => AI Security}/_order.yaml (69%) create mode 100644 docs/AI Security/agentic-runtime-authority.md rename docs/{AI => AI Security}/akeyless-ai-insight.md (88%) create mode 100644 docs/AI Security/identity-and-secrets-intelligence.md create mode 100644 docs/AI Security/index.md rename docs/{AI => AI Security}/prompt-injection-protection-for-ai-agents.md (100%) delete mode 100644 docs/AI/agentic-runtime-authority.md diff --git a/.github/lychee/.lycheeignore b/.github/lychee/.lycheeignore index 775bb35c8..84dfb242d 100644 --- a/.github/lychee/.lycheeignore +++ b/.github/lychee/.lycheeignore 
@@ -40,3 +40,8 @@ https://platform.openai.com/docs/api-reference/admin-api-keys ^https?://github\.com/akeylesslabs/akeyless-python-cloud-id(/|$) ^https?://github\.com/akeylesslabs/akeyless-grpc-java(/|$) ^https?://github\.com/akeylesslabs/akeyless-grpc-dotnet(/|$) + +# Docs pages not publicly published yet (linked intentionally from current docs) +^https?://docs\.akeyless\.io/docs/identity-and-secrets-intelligence(/|$) +^https?://docs\.akeyless\.io/docs/mcp-server(/|$) +^https?://docs\.akeyless\.io/docs/cli-reference-mcp-server(/|$) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 07b3ef73c..59f2f0070 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,7 +4,6 @@ repos: hooks: - id: gitleaks name: gitleaks (secret scan) - args: ["protect", "--staged", "--redact"] # Local hooks: markdownlint, cspell, lychee # Note: These run sequentially on edited markdown files. Markdownlint uses --fix to auto-correct issues. @@ -21,7 +20,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: cspell name: cspell (edited markdown files) @@ -30,7 +29,7 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] - id: lychee name: lychee (edited markdown files) @@ -39,4 +38,4 @@ repos: files: \.md$ pass_filenames: true require_serial: true - stages: [commit] + stages: [pre-commit] diff --git a/docs/AI/MCP/_order.yaml b/docs/AI Security/MCP/_order.yaml similarity index 100% rename from docs/AI/MCP/_order.yaml rename to docs/AI Security/MCP/_order.yaml diff --git a/docs/AI/MCP/akeyless-mcp-model-context-protocol-command.md b/docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md similarity index 100% rename from docs/AI/MCP/akeyless-mcp-model-context-protocol-command.md rename to docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md 
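Review bot: Dropping `args: ["protect", "--staged", "--redact"]` from the gitleaks hook in the first `.pre-commit-config.yaml` hunk leaves staged-only scanning and redaction of findings dependent on the upstream hook's default `entry`, and the pinned `rev` sits outside the hunk, so neither can be confirmed from here. If the pinned release's default entry does not redact, matched secrets would be printed in cleartext to the terminal and to any log that captures hook output. I would record the assumption next to the hook, for example `# relies on the upstream hook entry for --staged/--redact; re-check when bumping rev`. The `stages: [commit]` to `stages: [pre-commit]` renames in the other three hunks look fine, provided the installed pre-commit is recent enough to know the new stage name.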
diff --git a/docs/AI/MCP/akeyless-mcp-plugin-jetbrains-ides.md b/docs/AI Security/MCP/akeyless-mcp-plugin-jetbrains-ides.md similarity index 100% rename from docs/AI/MCP/akeyless-mcp-plugin-jetbrains-ides.md rename to docs/AI Security/MCP/akeyless-mcp-plugin-jetbrains-ides.md diff --git a/docs/AI/MCP/index.md b/docs/AI Security/MCP/index.md similarity index 100% rename from docs/AI/MCP/index.md rename to docs/AI Security/MCP/index.md diff --git a/docs/AI/_order.yaml b/docs/AI Security/_order.yaml similarity index 69% rename from docs/AI/_order.yaml rename to docs/AI Security/_order.yaml index 24eca2db8..a9c502def 100644 --- a/docs/AI/_order.yaml +++ b/docs/AI Security/_order.yaml @@ -1,4 +1,6 @@ +- index - akeyless-ai-insight -- prompt-injection-protection-for-ai-agents -- MCP +- identity-and-secrets-intelligence - agentic-runtime-authority +- MCP +- prompt-injection-protection-for-ai-agents diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md new file mode 100644 index 000000000..19b0e7388 --- /dev/null +++ b/docs/AI Security/agentic-runtime-authority.md 
@@ -0,0 +1,232 @@
+---
+title: Agentic Runtime Authority
+deprecated: false
+hidden: false
+metadata:
+ robots: index
+---
+
+> ⚠️ **Warning:**
+>
+> Agentic Runtime Authority is currently in early access. Features, behavior, and availability can change between releases.
+
+Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported Dynamic Secrets without exposing long-lived credentials.
+
+**Agentic Runtime Authority** currently supports the following dynamic secret types:
+
+* **DB Dynamic Secrets** for database access.
+* **Cloud Dynamic Secrets** for cloud environment access.
+* **GitHub Dynamic Secrets** for GitHub repository access.
+
+Agentic Runtime Authority extends Akeyless AI security beyond secretless credential retrieval by adding runtime controls and reporting for agent access.
+
+The current implementation exposes Agentic Runtime Authority in these places:
+
+* The **Agentic Runtime Authority** step or details tab on supported Dynamic Secrets in the Akeyless Console
+* The `runtime-authority` CLI command for direct runtime queries through the Gateway
+* The `mcp-runtime-authority` CLI command for MCP-based agent integrations
+* The `ara-reports-access` role rule for dashboard visibility
+* Repeated `--input-rule` and `--output-rule` flags on Dynamic Secret create and update commands
+
+## Prerequisites
+
+* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0`.
+* CLI version `1.144.0`.
+* [AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway when output rules are used.
+* A Dynamic Secret configured with Agentic Runtime Authority enabled.
+* A role with access to the relevant Dynamic Secret and, when required, reporting access to Agentic Runtime Authority.
+* An authentication method associated with that role.
+* A supported desktop client, such as Claude Desktop or Cursor, if you plan to use MCP.
+
+## Control Access With RBAC
+
+Use the `ara-reports-access` administrative rule on a role to control access to the Agentic Runtime Authority dashboard.
+
+Supported values are:
+
+* `none`
+* `scoped`
+* `all`
+
+Use `create-role` when creating a new role:
+
+```shell
+akeyless create-role \
+ --name \
+ --ara-reports-access
+```
+
+Use `update-role` when modifying an existing role:
+
+```shell
+akeyless update-role \
+ --name \
+ --ara-reports-access
+```
+
+This rule controls dashboard visibility. Access to the underlying Dynamic Secret still depends on the relevant secret permissions.
+
+In the current Console role editor, the administrative rules form also exposes **Agentic Runtime Authority** as a selectable administrative rule.
+
+## Configure Agentic Runtime Authority In The Console
+
+1. Open the Dynamic Secret that the AI agent will use.
+2. Open the **Agentic Runtime Authority** step or details tab.
+3. Turn on **Enable Agentic Runtime Authority**.
+4. Review the **Input Rules** table.
+5. Review the **Output Rules** table.
+6. Add, edit, or delete rules as needed.
+7. Save the Dynamic Secret.
+
+For new Dynamic Secrets, the current Console implementation can prepopulate default input rules for these producer types:
+
+* MySQL
+* PostgreSQL
+* Redshift
+* MSSQL
+* Oracle
+* Snowflake
+* HanaDB
+* Cassandra
+* Redis
+* MongoDB
+
+These defaults are producer-specific. For example, SQL producers receive read-only and no-multi-statement input rules by default.
+
+## Configure Agentic Runtime Authority With The CLI
+
+Dynamic Secret create and update commands accept repeated `--input-rule` and `--output-rule` flags in `name=...,rule=...` format.
+
+Example input and output rule values:
+
+```text
+name=read-only-sql,rule=Only allow read-only SQL statements: SELECT, SHOW, DESCRIBE, DESC, EXPLAIN, WITH. Reject any DML or DDL statements such as INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE.
+name=mask-email,rule=Mask email addresses in the returned results.
+```
+
+The current CLI parser requires both `name` and `rule` for each repeated flag.
+
+## Set Up The AI Agent
+
+To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file.
+
+### For Claude
+
+Create the following file: `~/Library/"Application Support"/Claude/claude_desktop_config.json`.
+
+### For Cursor
+
+Create the following file: `~/.cursor/mcp.json`.
+
+Use the following configuration template for both **Claude** and **Cursor**. Replace the placeholder values with your environment details:
+
+```json
+{
+ "mcpServers": {
+ "akeyless-connector": {
+ "command": "akeyless",
+ "args": [
+ "mcp-runtime-authority",
+ "--gateway-url",
+ "https://:8000",
+ "--secret-name",
+ "full/path/to/secret",
+ "--profile",
+ "profile_name"
+ ]
+ }
+ }
+}
+```
+
+Where:
+
+* `gateway-url`: The Gateway URL where the Dynamic Secret exists.
+
+* `secret-name`: The full path of a specific Dynamic Secret to expose to the AI agent. Use this parameter when you want the agent to access only one secret. To allow access to all supported Dynamic Secrets, remove this parameter. Multiple specific secrets are not supported.
+
+* `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority.
+
+## Query Protected Resources With The CLI
+
+Use `runtime-authority` for direct runtime queries through the Gateway:
+
+```shell
+akeyless runtime-authority \
+ --name /demo/apps/analytics/postgres-ro \
+ --payload 'SELECT current_user, current_database();' \
+ --agent-id ai-assistant-01 \
+ -u https://:8000 \
+ --profile
+```
+
+Use `mcp-runtime-authority` when the agent connects through MCP:
+
+```shell
+akeyless mcp-runtime-authority \
+ --gateway-url https://:8000 \
+ --secret-name /demo/apps/analytics/postgres-ro \
+ --profile
+```
+
+## Query Protected Resources
+
+With Agentic Runtime Authority configured, you can now use Claude or Cursor to interact with your protected resources in natural language. The AI agent will authenticate requests and retrieve credentials dynamically without storing long-lived secrets.
+
+## Monitoring Access
+
+Each session and resource query is logged by the runtime services.
+
+In the current Console implementation, the verified UI coverage for Agentic Runtime Authority is on Dynamic Secret configuration surfaces (the **Agentic Runtime Authority** tab and rules tables). A dedicated Agentic Runtime Authority reporting page is not exposed in the frontend-react Console routes.
+
+## Control Agent Behavior With Rules
+
+For additional security, Agentic Runtime Authority supports both input rules and output rules on the Dynamic Secret. Use these rules to limit unsafe requests and reduce accidental exposure of sensitive information.
+
+To restrict certain queries or responses:
+
+1. Open the [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret) object in the Akeyless Console.
+2. Add an **Input Rule** to block disallowed prompts.
+3. Add an **Output Rule** to block disallowed response content.
+4. When a request or response matches a blocked rule, the action is denied and the protected data is not returned.
+
+This approach keeps the AI agent useful for legitimate queries while ensuring access remains controlled and secure.
+
+## Examples
+
+Example CLI role setup for reporting access:
+
+```shell
+akeyless create-role \
+ --name \
+ --ara-reports-access scoped
+```
+
+Example input rule for SQL producers:
+
+```text
+name=read-only-sql,rule=Only allow read-only SQL statements: SELECT, SHOW, DESCRIBE, DESC, EXPLAIN, WITH. Reject any DML or DDL statements such as INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE.
+```
+
+Example input rule for Redis producers:
+
+```text
+name=denied-commands,rule=Deny the following Redis commands: KEYS, FLUSHALL, FLUSHDB, DEBUG, SHUTDOWN, BGSAVE, BGREWRITEAOF, SLAVEOF, REPLICAOF, CLUSTER, MIGRATE, MONITOR, SUBSCRIBE, PSUBSCRIBE, EVAL, EVALSHA, EVALRO, EVALSHA_RO, SCRIPT. Also deny CONFIG subcommands SET, REWRITE, and RESETSTAT.
+```
+
+Example direct runtime query:
+
+```shell
+akeyless runtime-authority \
+ --name /demo/apps/analytics/postgres-ro \
+ --payload 'SELECT count(*) FROM customers;' \
+ --agent-id ai-assistant-01 \
+ -u https://:8000 \
+ --profile
+```
+
+## Related AI Guides
+
+* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence)
+* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight)
+* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents)
diff --git a/docs/AI/akeyless-ai-insight.md b/docs/AI Security/akeyless-ai-insight.md
similarity index 88%
rename from docs/AI/akeyless-ai-insight.md
rename to docs/AI Security/akeyless-ai-insight.md
index 9ede3adf7..1f8ac54dd 100644
--- a/docs/AI/akeyless-ai-insight.md
+++ b/docs/AI Security/akeyless-ai-insight.md
@@ -37,7 +37,7 @@ Before you begin, ensure you have the following: | 1 | Enable AI Insights at the account level | CLI | | 2 | Create an OpenAI / Gemini Target | CLI | | 3 | Configure the Akeyless Gateway for AI Insights | REST API | -| 4 | Validate the configuration and test | CLI or Web UI | +| 4 | Validate the configuration and test | CLI or Console | ### Step 1: Enable AI Insights at the Account Level @@ -47,7 +47,7 @@ To enable AI Insights, run the following command: akeyless update-account-settings --enable-ai-insights true ``` -AI Insights can also be enabled at the account level using the Web UI. +AI Insights can also be enabled at the account level using the Akeyless Console. ![Illustration for: Step 1: Enable AI Insights at the Account Level To enable AI Insights, run the following command: AI Insights can also be enabled at the account level using the Web UI.](https://files.readme.io/df738f5faf06a3befb13f4f8a90ec9445814754171e5f2b2228df221a140103b-AccountLevel.png) @@ -84,7 +84,7 @@ The following example creates an OpenAI target named `my-openai-target` with the ```shell akeyless target create openai \ --name my-openai-target \ - --api-key sk-xxxx \ + --api-key \ --model gpt-4 ``` @@ -125,8 +125,8 @@ curl -X PUT "http://localhost:8000/config/ai-insights" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -d '{ "cluster_identity": { - "account_id": "", - "access_id": "", + "account_id": "", + "access_id": "", "cluster_name": "" }, "ai_insights": { 
@@ -145,7 +145,7 @@ To disable AI Insights on the gateway, set the enable field to `false`: "ai_insights": { "enable": false } ``` -The Gateway can also be configured with the Web UI. +The Gateway can also be configured with the Akeyless Console. ![Illustration for: Disable AI Insights on the Gateway To disable AI Insights on the gateway, set the enable field to false: The Gateway can also be configured with the Web UI.](https://files.readme.io/3a98a777c3c391c38e6dc1818b5f6f242468d45db8ced474176d64f2e6a60076-GatewayLevel.png) @@ -177,11 +177,11 @@ To verify that the gateway is configured for AI Insights, run the following comm curl -X GET http://localhost:8000/config/ai-insights ``` -#### Test in the Web UI +#### Test in the Console -To test AI Insights in the Akeyless Web UI, follow these steps: +To test AI Insights in the Akeyless Console, follow these steps: -1. Open the Akeyless Web UI. +1. Open the Akeyless Console. 2. Navigate to AI Insights. 3. Start a chat session 4. Ask a natural language question. @@ -208,9 +208,11 @@ To test AI Insights in the Akeyless Web UI, follow these steps: * [ ] Store target ID * [ ] Configure gateway * [ ] Verify the Gateway configuration -* [ ] Test in the Web UI +* [ ] Test in the Console ## Related AI Guides -* +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) +* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) * [Beyond .env: Building a "Dynamic-Only" Secretless AI Agent with Google ADK](https://docs.akeyless.io/docs/beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk) diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md new file mode 100644 index 000000000..54ba9b276 --- /dev/null 
+++ b/docs/AI Security/identity-and-secrets-intelligence.md
@@ -0,0 +1,118 @@
+---
+title: Identity & Secrets Intelligence
+excerpt: Review the current Identity & Secrets Intelligence surfaces, access controls, and how the feature fits with other Akeyless AI capabilities.
+deprecated: false
+hidden: false
+metadata:
+ title: ''
+ description: ''
+ robots: index
+---
+
+> ⚠️ **Warning:**
+>
+> Identity and Secrets Intelligence is currently in early access. Features, behavior, and availability can change between releases.
+
+Identity and Secrets Intelligence is an alpha console surface for reviewing AI-related visibility and governance data in Akeyless.
+
+In the current Akeyless Console, Identity and Secrets Intelligence includes these sections:
+
+* Dashboard
+* Inventory
+* Scanners
+* Policies
+
+Identity and Secrets Intelligence complements the broader Akeyless AI security model. Secretless runtime retrieval reduces exposure to static credentials, Identity and Secrets Intelligence adds visibility and governance, and [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) adds runtime control for supported dynamic secrets.
+
+## Access And Availability
+
+Identity and Secrets Intelligence is currently shown as an alpha feature in the Akeyless Console.
+
+In the current Console implementation, the menu is shown only when the account has the feature enabled and the user has admin-level Console access. The backend and CLI also expose a dedicated `isi-access` role rule.
+
+### Use Identity & Secrets Intelligence In The Console
+
+1. Sign in to the Akeyless Console.
+2. In the left navigation, open **Identity & Secrets Intelligence (Alpha)**.
+3. Use **Dashboard** for the high-level overview.
+4. Use **Inventory** to review findings and drill into finding details.
+5. Use **Scanners** to create scanners, start scans, stop running scans, and review scan history.
+6. Use **Policies** to review available policies and change policy status.
+
+The current Inventory implementation exposes finding details for secret, identity, and certificate findings, and supports updating finding status.
+
+The current Scanner implementation supports creating scanners, starting scans, stopping active scans, reviewing scan history, and navigating from a running scan directly to **Inventory**.
+
+### Control Access With RBAC
+
+Use the `isi-access` administrative rule on a role to control access to Identity and Secrets Intelligence.
+
+Supported values are:
+
+* `none`
+* `scoped`
+* `all`
+
+Use `create-role` when creating a new role:
+
+```shell
+akeyless create-role \
+ --name \
+ --isi-access
+```
+
+Use `update-role` when modifying an existing role:
+
+```shell
+akeyless update-role \
+ --name \
+ --isi-access
+```
+
+Use `get-role` to verify the role after the update:
+
+```shell
+akeyless get-role --name
+```
+
+The current CLI validation accepts `none`, `scoped`, and `all`. It does not accept the legacy `own` value for `isi-access`.
+
+## Example Workflow
+
+The following example shows one minimal workflow for granting access and reviewing results:
+
+1. Create or update a role with `--isi-access scoped` or `--isi-access all`.
+2. Associate the role with the authentication method that your operators use.
+3. Sign in to the Akeyless Console.
+4. Open **Identity & Secrets Intelligence (Alpha)**.
+5. Review the **Dashboard**.
+6. Open **Scanners**, start a scan, and then use **Inventory** to review the findings.
+
+### CLI Example
+
+```shell
+akeyless create-role \
+ --name \
+ --isi-access scoped
+```
+
+### Console Example
+
+1. Sign in to the Akeyless Console.
+2. Open **Identity & Secrets Intelligence (Alpha)**.
+3. Open **Scanners**, and start a scan.
+4. Open **Inventory**, and review the generated findings.
+
+## How It Fits With Other AI Features
+
+Use Identity and Secrets Intelligence together with the other Akeyless AI surfaces:
+
+* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) for natural-language interaction with the Akeyless identity security platform
+* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) for controlled runtime access to supported dynamic secrets
+* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) for guidance on reducing credential misuse risk in AI workflows
+
+## Related AI Guides
+
+* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight)
+* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority)
+* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents)
diff --git a/docs/AI Security/index.md b/docs/AI Security/index.md
new file mode 100644
index 000000000..db39ac788
--- /dev/null
+++ b/docs/AI Security/index.md
@@ -0,0 +1,31 @@
+---
+title: AI Security With Akeyless
+excerpt: Overview of Akeyless AI offerings, key features, and documentation.
+deprecated: false
+hidden: false
+metadata:
+ title: AI Security With Akeyless
+ description: Overview of Akeyless AI offerings, key features, and documentation pages.
+ robots: index
+---
+Akeyless provides multiple AI-focused capabilities across the identity security platform. These capabilities help teams secure agent access, reduce credential exposure, control runtime behavior, and integrate AI clients with Akeyless services.
+
+This page summarizes the current AI offerings and links to the detailed guides.
+
+## AI Offerings At A Glance
+
+| Offering | Primary Purpose | Key Capabilities | Documentation |
+| --- | --- | --- | --- |
+| Akeyless AI Insights | Enable natural-language interaction with Akeyless resources | Account-level enablement, Gateway-level model configuration, LLM target setup, and validation flow | [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) |
+| Agentic Runtime Authority | Control and audit runtime agent access to supported Dynamic Secrets | Runtime query execution, input and output rules, role-based reporting access, MCP runtime support, and session reporting | [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) |
+| Identity and Secrets Intelligence | Provide AI-related visibility and governance surfaces in the Console | Dashboard, Inventory, Scanners, Policies, and dedicated RBAC control via `isi-access` | [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) |
+| Prompt Injection Protection Guidance | Reduce credential misuse risk in AI workflows | Secretless architecture guidance, runtime retrieval model, and practical hardening recommendations | [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) |
+| Akeyless MCP Server | Integrate MCP clients and tools with Akeyless services | MCP server setup, authentication methods, profile usage, and Gateway integration | [MCP Server](https://docs.akeyless.io/docs/mcp-server) |
+
+## MCP Documentation Pages
+
+For MCP-specific setup and usage, use these pages:
+
+* [MCP Server](https://docs.akeyless.io/docs/mcp-server)
+* [CLI Reference - MCP Server](https://docs.akeyless.io/docs/cli-reference-mcp-server)
+* [Akeyless MCP Plugin for JetBrains IDEs](https://docs.akeyless.io/docs/akeyless-mcp-plugin-jetbrains-ides)
diff --git a/docs/AI/prompt-injection-protection-for-ai-agents.md b/docs/AI Security/prompt-injection-protection-for-ai-agents.md
similarity index 100%
rename from docs/AI/prompt-injection-protection-for-ai-agents.md
rename to docs/AI Security/prompt-injection-protection-for-ai-agents.md
diff --git a/docs/AI/agentic-runtime-authority.md b/docs/AI/agentic-runtime-authority.md
deleted file mode 100644
index 2b1c6a9d1..000000000
--- a/docs/AI/agentic-runtime-authority.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Agentic Runtime Authority
-deprecated: false
-hidden: true
-metadata:
- robots: index
----
-Agentic Runtime Authority allows AI agents to securely communicate with your resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with protected environments without exposing long-lived credentials.
-
-**Agentic Runtime Authority** currently supports the following dynamic secret types:
-
-* **DB Dynamic Secrets** for database access.
-* **Cloud Dynamic Secrets** for cloud environment access.
-* **GitHub Dynamic Secrets** for GitHub repository access.
-
-# Prerequisites
-
-* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0`.
-
-* CLI version `1.144.0`.
-
-* [AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway to power intelligent resource access.
-
-* A Dynamic Secret configured with Agentic Runtime Authority enabled.
-
-* An authentication method associated with a role that has Agentic Runtime Authority permissions.
-
-* Claude/Cursor Desktop installed.
-
-# Setting up the AI Agent
-
-To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file.
-
-**For Claude**
-
-Create the following file: `~/Library/"Application Support"/Claude/claude_desktop_config.json`.
-
-**For Cursor**
-
-Create the following file: `~/.cursor/mcp.json`.
-
-Use the following configuration template for both **Claude** and **Cursor**. Replace the placeholder values with your environment details:
-
-```json
-{
- "mcpServers": {
- "akeyless-connector": {
- "command": "akeyless",
- "args": [
- "mcp-runtime-authority",
- "--gateway-url",
- "https://:8000",
- "--secret-name",
- "full/path/to/secret",
- "--profile",
- "profile_name"
- ]
- }
- }
-}
-```
-
-Where:
-
-* `gateway-url`: The Gateway URL where the Dynamic Secret exists.
-
-* `secret-name`: The full path of a specific Dynamic Secret to expose to the AI agent. Use this parameter when you want the agent to access only one secret. To allow access to all supported Dynamic Secrets, remove this parameter. Multiple specific secrets are not supported.
-
-* `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority.
-
-# Querying Your Resources
-
-With Agentic Runtime Authority configured, you can now use Claude or Cursor to interact with your protected resources in natural language. The AI agent will authenticate requests and retrieve credentials dynamically without storing long-lived secrets.
-
-## Monitoring Access
-
-Each session and resource query is automatically logged. You can view access activity under the **Agentic Runtime Authority** tab in the **Akeyless Console** to monitor which resources were accessed and when.
-
-## Controlling Access with Input Rules
-
-For additional security, you can control what users are allowed to ask the AI agent to do. This is useful for preventing accidental exposure of sensitive information.
-
-**To restrict certain queries:**
-
-1. Open the [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret) object in the Akeyless Console.
-2. Add an **Input Rule** that matches patterns you want to block (for example: queries requesting **personal information**, **credentials**, or **internal records**).
-3. When a user sends a request matching a blocked rule, the request is denied and restricted information is not returned from the database.
-
-This approach keeps the AI agent useful for legitimate queries while ensuring access remains controlled and secure.
diff --git a/docs/Customer Journeys/customer-journeys/_order.yaml b/docs/Customer Journeys/customer-journeys/_order.yaml
index ca77a780e..705ca2a13 100644
--- a/docs/Customer Journeys/customer-journeys/_order.yaml
+++ b/docs/Customer Journeys/customer-journeys/_order.yaml
@@ -1,4 +1,3 @@ - access-requests-with-sn -- >- - customer-use-case-automating-employee-onboarding-and-role-based-access-control-in-servicenow +- customer-use-case-automating-employee-onboarding-and-role-based-access-control-in-servicenow - beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md index f1cc2b4d4..b6575c13b 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md @@ -58,12 +58,16 @@ akeyless create-role --name `--sra-reports-access`: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. +`--ara-reports-access`: Allow this role to view [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). Currently only `none`, `scoped`, and `all` values are supported. + `--usage-reports-access`: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. `--event-center-access`: Allow this role to view Event Center. Currently only 'none', 'own' and 'all' values are supported. `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. +`--isi-access`: Allow this role to access [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). Currently only `none`, `scoped`, and `all` values are supported. + `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. `description`: Description of the object 
@@ -279,12 +283,16 @@ akeyless update-role -n \ `--sra-reports-access`: Allow this role to view SRA Clusters. Currently only 'none', 'own' and 'all' values are supported. +`--ara-reports-access`: Allow this role to view [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). Currently only `none`, `scoped`, and `all` values are supported. + `--usage-reports-access`: Allow this role to view Usage reports. Currently only 'none' and 'all' values are supported. `--event-center-access`: Allow this role to view Event Center. Currently only 'none', 'own' and 'all' values are supported. `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. +`--isi-access`: Allow this role to access [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). Currently only `none`, `scoped`, and `all` values are supported. + `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. `--description`: Description of the object diff --git a/docs/_order.yaml b/docs/_order.yaml index 298d8aa77..c2111df61 100644 --- a/docs/_order.yaml +++ b/docs/_order.yaml @@ -9,7 +9,7 @@ - Password Manager - Secure Remote Access - Universal Secret Connector -- AI +- AI Security - Integrations & Plugins - Advanced Functionality - Customer Journeys From ce3cda805e72bf3c4c48b483a8c259780ba4412a Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 13:29:14 -0600 Subject: [PATCH 02/24] chore: remove lychee ignore additions from PR --- .github/lychee/.lycheeignore | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/lychee/.lycheeignore b/.github/lychee/.lycheeignore index 84dfb242d..775bb35c8 100644 --- a/.github/lychee/.lycheeignore +++ b/.github/lychee/.lycheeignore 
@@ -40,8 +40,3 @@ https://platform.openai.com/docs/api-reference/admin-api-keys
 ^https?://github\.com/akeylesslabs/akeyless-python-cloud-id(/|$)
 ^https?://github\.com/akeylesslabs/akeyless-grpc-java(/|$)
 ^https?://github\.com/akeylesslabs/akeyless-grpc-dotnet(/|$)
-
-# Docs pages not publicly published yet (linked intentionally from current docs)
-^https?://docs\.akeyless\.io/docs/identity-and-secrets-intelligence(/|$)
-^https?://docs\.akeyless\.io/docs/mcp-server(/|$)
-^https?://docs\.akeyless\.io/docs/cli-reference-mcp-server(/|$)
From 54b1b196e6270cba78b38ff385ce5a42f78d6b58 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 13:52:37 -0600
Subject: [PATCH 03/24] chore: change lychee hook stage from pre-commit to manual
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 59f2f0070..39b8ea669 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -38,4 +38,4 @@ repos:
 files: \.md$
 pass_filenames: true
 require_serial: true
- stages: [pre-commit]
+ stages: [manual]
From cac6fcbdce3c290fcaa1f55ac70d37f227a39e42 Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 13:56:00 -0600
Subject: [PATCH 04/24] docs: update Agentic Runtime Authority documentation for clarity and detail
---
 docs/AI Security/agentic-runtime-authority.md | 70 +++++++++++++------
 1 file changed, 50 insertions(+), 20 deletions(-)
diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md
index 19b0e7388..c94edaa94 100644
--- a/docs/AI Security/agentic-runtime-authority.md
+++ b/docs/AI Security/agentic-runtime-authority.md
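Review bot: With `stages: [manual]` on the lychee hook, link checking no longer runs on commit; it runs only when someone invokes the manual stage explicitly, for example `pre-commit run --hook-stage manual lychee`. The same series removes the `.lycheeignore` entries for docs pages described there as not yet published, so links to those pages now go unchecked unless another job covers them, and no CI configuration is visible here to tell. I would add a comment above the line, `# manual stage: run with "pre-commit run --hook-stage manual lychee"; not enforced on commit`, and confirm before merge that the link check is still enforced somewhere. The hook definition itself starts outside this hunk.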
@@ -10,13 +10,14 @@ metadata: > > Agentic Runtime Authority is currently in early access. Features, behavior, and availability can change between releases. -Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported Dynamic Secrets without exposing long-lived credentials. +Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, runtime control means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. -**Agentic Runtime Authority** currently supports the following dynamic secret types: +**Agentic Runtime Authority** currently supports these target categories for runtime execution: -* **DB Dynamic Secrets** for database access. -* **Cloud Dynamic Secrets** for cloud environment access. -* **GitHub Dynamic Secrets** for GitHub repository access. +* **Database targets**: MySQL, PostgreSQL, MSSQL, Oracle, Snowflake, HanaDB, Redshift, MongoDB, Redis, and Cassandra. +* **Service targets**: AWS, GCP, Azure, Kubernetes, EKS, GKE, and GitHub. + +The `runtime-authority` command and the MCP execution tools operate on supported dynamic or rotated secrets. Agentic Runtime Authority extends Akeyless AI security beyond secretless credential retrieval by adding runtime controls and reporting for agent access. 
@@ -25,13 +26,15 @@ The current implementation exposes Agentic Runtime Authority in these places: * The **Agentic Runtime Authority** step or details tab on supported Dynamic Secrets in the Akeyless Console * The `runtime-authority` CLI command for direct runtime queries through the Gateway * The `mcp-runtime-authority` CLI command for MCP-based agent integrations +* The MCP tools exposed by `mcp-runtime-authority`: `list-secrets`, `query-db`, and `service-execute` * The `ara-reports-access` role rule for dashboard visibility +* The **Agentic Runtime Authority** role-rule type with the **Allow Access** capability in the Console role editor * Repeated `--input-rule` and `--output-rule` flags on Dynamic Secret create and update commands ## Prerequisites -* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0`. -* CLI version `1.144.0`. +* [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0` or later. +* CLI version `1.144.0` or later. * [AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway when output rules are used. * A Dynamic Secret configured with Agentic Runtime Authority enabled. * A role with access to the relevant Dynamic Secret and, when required, reporting access to Agentic Runtime Authority. @@ -40,6 +43,10 @@ The current implementation exposes Agentic Runtime Authority in these places: ## Control Access With RBAC +Agentic Runtime Authority uses separate RBAC controls for dashboard visibility and runtime execution. + +### Control Dashboard Visibility + Use the `ara-reports-access` administrative rule on a role to control access to the Agentic Runtime Authority dashboard. Supported values are: 
@@ -48,7 +55,15 @@ Supported values are: * `scoped` * `all` -Use `create-role` when creating a new role: +Use the Console when you want to configure dashboard visibility on a role without using the CLI: + +1. Open the relevant access role in the Akeyless Console. +2. Open the administrative rules section. +3. Locate **Agentic Runtime Authority**. +4. Set the reporting scope to `None`, `Scoped`, or `All`. +5. Save the role. + +For command syntax, see [CLI Reference - Access Roles](https://docs.akeyless.io/docs/cli-reference-access-roles). Use the create role command when creating a new role: ```shell akeyless create-role \ @@ -56,7 +71,7 @@ akeyless create-role \ --ara-reports-access ``` -Use `update-role` when modifying an existing role: +Use the update role command when modifying an existing role: ```shell akeyless update-role \ @@ -64,9 +79,19 @@ akeyless update-role \ --ara-reports-access ``` -This rule controls dashboard visibility. Access to the underlying Dynamic Secret still depends on the relevant secret permissions. +This rule controls dashboard visibility. Runtime execution also depends on the relevant Agentic Runtime Authority role rule and underlying secret permissions. + +### Grant Runtime Execution Access + +Use the role-rule workflow when you want a role to execute Agentic Runtime Authority operations on a path. + +1. Open the access role that should run Agentic Runtime Authority queries. +2. Add a role rule with the type **Agentic Runtime Authority**. +3. Set the path to the relevant ARA-enabled secret path. +4. Select the **Allow Access** capability. +5. Save the role. -In the current Console role editor, the administrative rules form also exposes **Agentic Runtime Authority** as a selectable administrative rule. +Use the administrative rule separately when you also want reporting visibility. ## Configure Agentic Runtime Authority In The Console 
@@ -95,7 +120,7 @@ These defaults are producer-specific. For example, SQL producers receive read-on ## Configure Agentic Runtime Authority With The CLI -Dynamic Secret create and update commands accept repeated `--input-rule` and `--output-rule` flags in `name=...,rule=...` format. +Dynamic Secret [create](https://docs.akeyless.io/docs/cli-reference-dynamic-secrets#create) and [update](https://docs.akeyless.io/docs/cli-reference-dynamic-secrets#update) commands accept repeated `--input-rule` and `--output-rule` flags in `name=...,rule=...` format. Example input and output rule values: @@ -108,7 +133,7 @@ The current CLI parser requires both `name` and `rule` for each repeated flag. ## Set Up The AI Agent -To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. +To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts and client setup patterns, including Claude Desktop and Cursor, see [MCP Server](https://docs.akeyless.io/docs/mcp-server) and [CLI Reference - MCP Server](https://docs.akeyless.io/docs/cli-reference-mcp-server). The configuration below is specific to the `mcp-runtime-authority` subcommand. ### For Claude 
@@ -143,10 +168,18 @@ Where: * `gateway-url`: The Gateway URL where the Dynamic Secret exists. -* `secret-name`: The full path of a specific Dynamic Secret to expose to the AI agent. Use this parameter when you want the agent to access only one secret. To allow access to all supported Dynamic Secrets, remove this parameter. Multiple specific secrets are not supported. +* `secret-name`: An optional default secret path for the `query-db` MCP tool. This does not replace RBAC scoping for the server. Use role rules and secret permissions to restrict which secrets the profile can access. * `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority. +When the MCP server is running, it exposes these workflows: + +* `list-secrets`: Lists ARA-supported secrets that the current profile can access. +* `query-db`: Runs database queries. `payload` and `agent-id` are required, and `secret-name` is required unless the server was started with a default secret. +* `service-execute`: Runs service actions against supported service targets. `secret-name`, `payload`, and `agent-id` are required. + +For OAuth-backed service flows, `service-execute` can also require `auth-code` and `state` on the follow-up call after the server returns an authorization URL. + ## Query Protected Resources With The CLI Use `runtime-authority` for direct runtime queries through the Gateway: 
@@ -202,15 +235,12 @@ akeyless create-role \ --ara-reports-access scoped ``` -Example input rule for SQL producers: +Example input rules: -```text +```text PostgreSQL name=read-only-sql,rule=Only allow read-only SQL statements: SELECT, SHOW, DESCRIBE, DESC, EXPLAIN, WITH. Reject any DML or DDL statements such as INSERT, UPDATE, DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE. ``` - -Example input rule for Redis producers: - -```text +```text Redis name=denied-commands,rule=Deny the following Redis commands: KEYS, FLUSHALL, FLUSHDB, DEBUG, SHUTDOWN, BGSAVE, BGREWRITEAOF, SLAVEOF, REPLICAOF, CLUSTER, MIGRATE, MONITOR, SUBSCRIBE, PSUBSCRIBE, EVAL, EVALSHA, EVALRO, EVALSHA_RO, SCRIPT. Also deny CONFIG subcommands SET, REWRITE, and RESETSTAT. ``` From 2390ee5a93ed563bea43bd9d1ee5b114e303c1e2 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 14:29:32 -0600
Subject: [PATCH 05/24] Refactor MCP documentation and add integration guides
- Updated the main MCP Server documentation to provide a clearer overview and usage flow.
- Created separate integration pages for Claude Desktop, Cursor, GitHub Copilot, and JetBrains IDEs, detailing configuration and verification steps.
- Removed redundant links from the main AI Security index and consolidated MCP references.
- Enhanced clarity on requirements and command usage across all MCP-related documentation.
---
 docs/AI Security/MCP/_order.yaml | 6 +-
 ...less-mcp-model-context-protocol-command.md | 168 -------
 docs/AI Security/MCP/index.md | 432 ++++--------------
 docs/AI Security/MCP/mcp-claude-desktop.md | 88 ++++
 docs/AI Security/MCP/mcp-cursor.md | 88 ++++
 docs/AI Security/MCP/mcp-github-copilot.md | 101 ++++
 ...etbrains-ides.md => mcp-jetbrains-ides.md} | 1 +
 docs/AI Security/index.md | 6 +-
 docs/Integrations & Plugins/MCPs.md | 20 +-
 9 files changed, 389 insertions(+), 521 deletions(-)
 delete mode 100644 docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md
 create mode 100644 docs/AI Security/MCP/mcp-claude-desktop.md
 create mode 100644 docs/AI Security/MCP/mcp-cursor.md
 create mode 100644 docs/AI Security/MCP/mcp-github-copilot.md
 rename docs/AI Security/MCP/{akeyless-mcp-plugin-jetbrains-ides.md => mcp-jetbrains-ides.md} (99%)
diff --git a/docs/AI Security/MCP/_order.yaml b/docs/AI Security/MCP/_order.yaml
index 21ff8ce78..e90732014 100644
--- a/docs/AI Security/MCP/_order.yaml
+++ b/docs/AI Security/MCP/_order.yaml
@@ -1,3 +1,5 @@
 - index
-- akeyless-mcp-plugin-jetbrains-ides
-- akeyless-mcp-model-context-protocol-command
\ No newline at end of file
+- mcp-claude-desktop
+- mcp-cursor
+- mcp-github-copilot
+- mcp-jetbrains-ides
diff --git a/docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md b/docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md
deleted file mode 100644
index ba94b46f3..000000000
--- a/docs/AI Security/MCP/akeyless-mcp-model-context-protocol-command.md
+++ /dev/null
@@ -1,168 +0,0 @@ ---- -title: CLI Reference - MCP Server -excerpt: '' -deprecated: false -hidden: false -metadata: - title: '' - description: '' - robots: index -next: - description: '' ---- -The `akeyless mcp` command starts an MCP server that enables AI assistants such as Cursor and GitHub Copilot to securely interact with Akeyless services through a standardized interface. - -If you use JetBrains IDEs, see the page for the IDE-specific setup flow. - -## What Is MCP? - -Model Context Protocol (MCP) is an open standard that allows AI assistants to securely access external data sources and tools. - -## With MCP, You Can - -* Safely authenticate AI assistants with Akeyless -* Interact with Akeyless secrets, targets, and other resources -* Leverage existing profiles and authentication methods -* Connect to Akeyless Gateway instances - -## Features - -* Secure Authentication – Uses Akeyless authentication mechanisms -* Tool Integration – Access Akeyless secrets, targets, RBAC, and more -* Profile Support – Uses your existing Akeyless CLI profiles for authentication context -* Gateway Integration – Supports both local and cloud Akeyless Gateways - -## Usage - -> Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). - -### Basic Commands - -```shell -# Start MCP server with access key authentication -akeyless mcp --access-id --access-key --access-type access_key --gateway-url https://:8000/api/v2 - -# Start MCP server with SAML authentication -akeyless mcp --access-id --access-type saml --gateway-url https://:8000/api/v2 -``` - -### Supported Authentication Methods - -```shell ---access-type [=access_key] -(access_key / password / saml / ldap / k8s / azure_ad / oidc / aws_iam / universal_identity / jwt / gcp / cert / oci / kerberos) -``` - -The `mcp` command accepts the same authentication parameters as standard Akeyless CLI auth commands. 
For more details, see [Akeyless Authentication Documentation](https://docs.akeyless.io/docs/access-and-authentication-methods) - -## Common Parameters - -`--access-id`: Your Akeyless Access ID - -`--access-key`: Your Akeyless Access Key (for `access_key` auth) - -`--access-type`: Authentication method (see list above) - -`--gateway-url`: Gateway URL (required for `akeyless mcp`; must be supplied in-line) - -`--profile`: Use an existing CLI profile - -## Setting Up MCP With Cursor - -1. Install Akeyless CLI: - Ensure the Akeyless CLI is installed and configured. - -2. Update Cursor Settings: - Open settings (Cmd/Ctrl + Shift + P → Preferences: Open Settings (JSON)) and add: - - ```json - { - "mcp.servers": { - "akeyless": { - "command": "akeyless", - "args": ["mcp", "--profile", "your-profile-name", "--gateway-url", "https://:8000/api/v2"] - }, - "akeyless-saml": { - "command": "akeyless", - "args": ["mcp", "--access-id", "your-access-id", "--access-type", "saml", "--gateway-url", "https://:8000/api/v2"] - }, - "akeyless-oidc": { - "command": "akeyless", - "args": ["mcp", "--access-id", "your-access-id", "--access-type", "oidc", "--gateway-url", "https://:8000/api/v2"] - } - } - } - ``` - -3. Restart Cursor for the changes to take effect. - -4. Verify that you can now run queries such as: - - * “Show me my Akeyless secrets” - * “Create a new secret called `api-key`” - * “List all my targets” - -## Setting Up MCP With GitHub Copilot - -1. Install Copilot CLI - - ```shell - npm install -g @githubnext/github-copilot-cli - ``` - -2. 
Configure Copilot - - Edit `~/.copilot/mcp-config.json` to include: - - ```json - mcpServers: - akeyless: - command: akeyless - args: ["mcp", "--profile", "your-profile-name", "--gateway-url", "https://:8000/api/v2"] - akeyless-saml: - command: akeyless - args: ["mcp", "--access-id", "your-access-id", "--access-type", "saml", "--gateway-url", "https://:8000/api/v2"] - akeyless-oidc: - command: akeyless - args: ["mcp", "--access-id", "your-access-id", "--access-type", "oidc", "--gateway-url", "https://:8000/api/v2"] - ``` - -3. Start Copilot with MCP - - ```shell - copilot mcp - ``` - -4. Use Copilot - - You can now manage secrets, configure targets, and perform infrastructure tasks through Copilot. - -## Examples - -### Secret Operations - -```shell -# Start MCP server -akeyless mcp --profile production --gateway-url https://:8000/api/v2 - -# In Cursor/Copilot -# "Create a secret called 'database-password' with value 'secure123'" -# "Show me all secrets in the /prod/ path" -``` - -### Target Management - -```shell -# "List all my AWS targets" -# "Update the SSH target with new credentials" -``` - -### Production Setup - -```shell -# Production -akeyless mcp --profile prod --gateway-url https://:8000/api/v2 - -# Development / Testing -akeyless mcp --profile dev --gateway-url https://:8000/api/v2 -``` diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index e507f07c0..ce75e4b2e 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md 
@@ -1,403 +1,145 @@ --- title: MCP Server -excerpt: Use the Akeyless MCP Server with MCP clients and JetBrains IDE integration. +excerpt: Overview of Akeyless MCP content, requirements, and supported integrations. deprecated: false hidden: false link: new_tab: false metadata: title: Akeyless MCP Server - description: Use the Akeyless MCP Server with supported MCP clients and JetBrains IDE integration. + description: Overview of Akeyless MCP content, requirements, and supported integrations. robots: index --- ## Overview -The Akeyless Model Context Protocol (MCP) Server is a robust integration that enables AI systems to securely interact with your Akeyless Identity Security Platform. It provides a standardized interface for AI models to access, manage, and manipulate secrets, keys, certificates, and other sensitive data stored in Akeyless. +The Akeyless Model Context Protocol (MCP) Server lets MCP-enabled tools connect to your Akeyless identity security platform through the Akeyless CLI. This section explains the MCP server, its command syntax, and the supported client integrations documented by Akeyless. -## What Is the MCP? +Model Context Protocol (MCP) is an open protocol that standardizes how an AI client discovers tools and sends tool calls to an external server. In this model, your MCP client (for example, Claude Desktop, Cursor, or GitHub Copilot) launches the Akeyless MCP server locally over `stdio`, then uses it to run authorized operations against Akeyless resources. -The Model Context Protocol is a standardized protocol that allows AI systems to connect to external data sources and services. 
It provides a secure, authenticated method for AI models to: +## What This Section Covers -* Access external APIs and services -* Retrieve and manage sensitive data -* Perform operations on behalf of users -* Maintain security boundaries and access controls +Use the pages in this section for the following goals: -Read more about the [Model Context Protocol](https://modelcontextprotocol.io/). - -## Akeyless MCP Server Features - -The Akeyless MCP Server provides comprehensive access to Akeyless functionality, including: - -### Core Capabilities +* Understand what the Akeyless MCP Server does and when to use it. +* Configure a supported MCP client integration. +* Review the `akeyless mcp` command syntax and authentication options. +* Follow the JetBrains IDE plugin flow when you need an IDE-native integration. -* Secrets Management: Create, read, update, and delete Static Secrets -* Encryption and Key Management: Generate, rotate, and manage encryption keys -* Certificate Lifecycle Management: Issue, renew, and manage PKI and SSH certificates -* Dynamic Secrets: Generate temporary credentials for databases and cloud services -* Access Control: Manage roles, permissions, and authentication methods -* Analytics: Retrieve usage analytics and audit data +## Common Requirements -### Supported Operations +All documented MCP integrations share these requirements: -* List and describe items (such as secrets, keys, certificates) -* Create and update secrets -* Generate Dynamic Secrets -* Manage authentication methods and roles -* Retrieve analytics data -* Handle targets and associations +* Akeyless CLI version `1.130.0` or later. +* An Akeyless account and a configured CLI profile, or explicit authentication flags. +* A Gateway URL passed directly in the client configuration or command arguments. +* A client that can launch the Akeyless MCP server over `stdio`. 
-## Configuration - -### Prerequisites - -* The Akeyless CLI must be successfully installed and **updated to version 1.130.0** or newer. - * Read more about the [Akeyless CLI](https://docs.akeyless.io/docs/cli). - * Learn about [updating the Akeyless CLI](https://docs.akeyless.io/docs/cli-reference#/update). -* An Akeyless account must be created and a corresponding profile configured with the Akeyless CLI. +Read more about the [Model Context Protocol](https://modelcontextprotocol.io/). -### Client Setup +## General MCP Usage Flow -Configure the Akeyless MCP server in your MCP client configuration file. For example, Cursor uses `~/.cursor/mcp.json`. A list of supported MCP clients is available at https://modelcontextprotocol.io/clients. +Use this high-level flow for any supported MCP integration: -If you use JetBrains IDEs, see for the IDE-specific setup and usage flow. +1. Install and configure the Akeyless CLI and authentication profile. +2. Configure your MCP client to run the Akeyless MCP server command. +3. Start or reload the MCP client so it discovers the Akeyless tools. +4. Invoke Akeyless tools from the client prompt and review the response. +5. Use RBAC and scoped secret permissions to control what the client can access. 
-#### Sample Configuration Structure +## MCP-Related CLI Commands -```json -{ - "mcpServers": { - "akeyless": { - "command": "/path/to/akeyless", - "args": [ - "mcp", - "--access-id", "your-access-id", - "--access-key", "your-access-key", - "--access-type", "access_key", - "--gateway-url", "https://:8000/api/v2" - ], - "env": {} - } - } -} -``` +The Akeyless CLI currently exposes two MCP-related commands: -#### Configuration Parameters - -| Configuration | Description | Required | Default Value | -| --- | --- | --- | --- | -| `command` | Path to the Akeyless CLI binary | Yes | (none) | -| `args.--access-id` | The Akeyless access ID to authenticate with | Yes* (if using the `access_key` access type) | (none) | -| `args.--access-key` | The Akeyless access key to authenticate with | Yes* (if using the `access_key` access type) | (none) | -| `args.--access-type` | Authentication method type to use. See [Access type values](#access-type-values). | Yes | `access_key` | -| `args.--account-id` | Used to select which Akeyless account to use if the `--admin-email` is associated with more than one account | No | (none) | -| `args.--admin-password` | The Akeyless account password to authenticate with | Yes* (if using the `password` access type) | (none) | -| `args.--admin-email` | The Akeyless account email address to authenticate with | Yes* (if using the `password` access type) | (none) | -| `args.--cert-challenge` | Certificate challenge encoded in base64 (relevant only for the `cert` access type) | Yes* (if using the `cert` access type and `args.--key-file-name` or `args.--key-data` is not used) | (none) | -| `args.--cert-data` | Certificate data encoded in base64, used if a file was not provided (relevant only for the `cert` access type) | Yes* (if using the `cert` access type and `args.--cert-file-name` is not used) | (none) | -| `args.--cert-file-name` | Path to where the certificate file for certificate authentication is located | Yes* (if using the `cert` access type 
and `args.--cert-data` is not used) | (none) | -| `args.--cloud-id` | The identity for the chosen cloud provider. See [Cloud ID values](#cloud-id-values). | Yes* (if using the `aws_iam`, `azure_id`, `gcp`, or `oci` access types) | (none) | -| `args.--debug` | Enable debug logging | No | `false` | -| `args.--disable-kerberos-fast` | Disable Kerberos FAST negotiation | No | `true` | -| `args.--gateway-spn` | The service principal name of the gateway as registered in LDAP | No | (none) | -| `args.--gateway-url` | Akeyless Gateway URL | Yes (must be passed in-line for `akeyless mcp`) | (none) | -| `args.--gcp.audience` | GCP audience to use with signed JWT (relevant only for the `gcp` access type) | No | `akeyless.io` | -| `args.--jwt` | The JSON Web Token | Yes* (if using the `jwt` or `oidc` access type) | (none) | -| `args.--k8s-auth-config-name` | The Kubernetes Auth config name | Yes* (if using the `k8s` access type) | (none) | -| `args.--k8s-service-account-token` | The Kubernetes ServiceAccount token | Yes* (if using the `k8s` access type) | (none) | -| `args.--kerberos-token` | Kerberos token for the gateway SPN, used by SPNEGO for authentication | No | (none) | -| `args.--kerberos-username` | The username for the entry within the keytab to authenticate by way of Kerberos | No | (none) | -| `args.--key-data` | Private key data encoded in base64 | Yes* (if using the `cert` access type and `args.--key-file-name` or `args.--cert-challenge` is not used) | (none) | -| `args.--key-file-name` | Path to where the key file is located | Yes* (if using the `cert` access type and `args.--key-data` or `args.--cert-challenge` is not used) | (none) | -| `args.--keytab-file-data` | Base64-encoded content of a valid keytab file, containing the service account's entry | Yes* (if using the `kerberos` access type and `args.--keytab-file-path` is not used) | (none) | -| `args.--keytab-file-path` | The path to a valid keytab file, containing the user entry | Yes* (if using the 
`kerberos` access type and `args.--keytab-file-data` is not used) | (none) | -| `args.--krb5conf-file-data` | Base64-encoded content of a valid `krb5.conf` file, specifying the settings and parameters required for Kerberos authentication | Yes* (if using the `kerberos` access type and `args.--krb5conf-file-path` is not used) | (none) | -| `args.--krb5conf-file-path` | Path to a valid `krb5.conf` file, specifying the settings and parameters required for Kerberos authentication | Yes* (if using the `kerberos` access type and `args.--krb5conf-file-data` is not used) | (none) | -| `args.--ldap-proxy-url` | Address URL for LDAP proxy | Yes* (if using the `ldap` access type) | (none) | -| `args.--oci-auth-type` | The type of the OCI configuration to use. See [OCI auth type values](#oci-auth-type-values). | No | `apikey` | -| `args.--oci-group-ocid` | A list of Oracle Cloud IDs groups | Yes* (if using the `oci` access type) | (none) | -| `args.--oidc-sp` | OIDC Service Provider (relevant only for the `oidc` access type). Inferred if empty. Supported SPs: `google`, `github`. 
| No | (inferred) | -| `args.--password` | LDAP password | Yes* (if using the `ldap` access type) | (none) | -| `args.--profile` | The CLI profile name to use for authentication context (the profile `gateway_url` is not used by `akeyless mcp`) | No | `default` | -| `args.--signed-cert-challenge` | Signed certificate challenge encoded in base64 (relevant only for the `cert` access type) | No | (none) | -| `args.--uid-token` | The Universal Identity token | Yes* (if using the `universal_identity` access type) | (none) | -| `args.--use-remote-browser` | Returns a link to complete authentication remotely (relevant only for the `saml` and `oidc` access types) | No | (none) | -| `args.--username` | LDAP username | Yes* (if using the `ldap` access type) | (none) | - -##### Access type values - -Acceptable values for `args.--access-type`: - -* [access_key](https://docs.akeyless.io/docs/auth-with-api-key) -* [aws_iam](https://docs.akeyless.io/docs/auth-with-aws) -* [azure_ad](https://docs.akeyless.io/docs/auth-with-azure) -* [cert](https://docs.akeyless.io/docs/auth-with-certificate) -* [gcp](https://docs.akeyless.io/docs/auth-with-gcp) -* [jwt](https://docs.akeyless.io/docs/auth-with-oauth-jwt) -* [k8s](https://docs.akeyless.io/docs/auth-with-kubernetes) -* [kerberos](https://docs.akeyless.io/docs/auth-with-kerberos) -* [ldap](https://docs.akeyless.io/docs/auth-with-ldap) -* [oci](https://docs.akeyless.io/docs/auth-with-oci) -* [oidc](https://docs.akeyless.io/docs/auth-with-oidc) -* [password](https://docs.akeyless.io/docs/auth-with-email) -* [saml](https://docs.akeyless.io/docs/auth-with-saml) -* [universal_identity](https://docs.akeyless.io/docs/auth-with-universal-identity) - -##### Cloud ID values - -Acceptable values for `args.--cloud-id`: - -* `aws_iam` -* `azure_id` -* `gcp` -* `oci` - -##### OCI auth type values - -Acceptable values for `args.--oci-auth-type`: - -* `apikey` -* `instance` -* `resource` - -#### Example Authentication Method Configurations - -The 
Akeyless MCP server supports multiple [Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods): - -##### Access Key Authentication (Default) - -```json -{ - "args": [ - "mcp", - "--access-id", "p-xxxxxxxxxxxxx", - "--access-key", "your-access-key", - "--access-type", "access_key", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +| Command | Purpose | +| --- | --- | +| `akeyless mcp` | Starts the general Akeyless MCP server for standard Akeyless tools. | +| `akeyless mcp-runtime-authority` | Starts the Agentic Runtime Authority MCP server for runtime query workflows (`list-secrets`, `query-db`, `service-execute`). | -##### Certificate Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "cert", - "--cert-file-name", "/path/to/cert.pem", - "--key-file-name", "/path/to/key.pem", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +## Command: akeyless mcp -##### Cloud Provider Authentication - -```json AWS -{ - "args": [ - "mcp", - "--access-type", "aws_iam", - "--cloud-id", "your-aws-role-arn", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` -```json Azure -{ - "args": [ - "mcp", - "--access-type", "azure_ad", - "--cloud-id", "your-azure-client-id", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` -```json GCP -{ - "args": [ - "mcp", - "--access-type", "gcp", - "--cloud-id", "your-gcp-service-account", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. -##### Kubernetes Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "k8s", - "--k8s-auth-config-name", "your-config-object", - "--k8s-service-account-token", "your-service-account-token", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +> Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. 
You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). -##### LDAP Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "ldap", - "--ldap-proxy-url", "ldap://your-ldap-server", - "--username", "your-username", - "--password", "your-password", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +### Basic Commands -##### OIDC/JWT Authentication - -```json -{ - "args": [ - "mcp", - "--access-type", "oidc", - "--jwt", "your-jwt-token", - "--gateway-url", "https://:8000/api/v2" - ] -} -``` +```shell +# Start MCP server with access key authentication +akeyless mcp --access-id --access-key --access-type access_key --gateway-url https://:8000/api/v2 -##### Password Authentication - -```json -{ - "args": [ - "mcp", - "--admin-email", "user@example.com", - "--admin-password", "your-password", - "--access-type", "password", - "--gateway-url", "https://:8000/api/v2" - ] -} +# Start MCP server with SAML authentication +akeyless mcp --access-id --access-type saml --gateway-url https://:8000/api/v2 ``` -##### SAML Authentication +### Supported Authentication Methods -```json -{ - "args": [ - "mcp", - "--access-type", "saml", - "--gateway-url", "https://:8000/api/v2" - ] -} +```shell +--access-type [=access_key] +(access_key / password / saml / ldap / k8s / azure_ad / oidc / aws_iam / universal_identity / jwt / gcp / cert / oci / kerberos) ``` -### Client Notes - -* Pass `--gateway-url` directly in the MCP client configuration or command line. -* If you use JetBrains IDEs, install the dedicated plugin instead of wiring the server manually. -* Keep the CLI profile name consistent across your MCP clients so authentication behavior stays predictable. 
- -## Best Practices - -### Security Best Practices - -* Use Environment Variables: Store sensitive credentials in environment variables rather than hardcoding them -* Principle of Least Privilege: Create dedicated access keys with minimal required permissions -* Regular Rotation: Rotate access keys regularly -* Secure Storage: Use secure credential storage solutions -* Network Security: Use HTTPS endpoints and consider VPN access - -For prompt injection risk reduction guidance for agent-based workflows, see . - -### Configuration Management +The `mcp` command accepts the same authentication parameters as standard Akeyless CLI auth commands. For details, see [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods). -* Version Control: Keep MCP configuration files in version control (excluding secrets) -* Environment Separation: Use separate configurations for different environments -* Documentation: Document your configuration choices and rationale -* Testing: Test configurations in development before deploying to production +### Common Parameters -### Monitoring and Logging +* `--access-id`: Your Akeyless Access ID. +* `--access-key`: Your Akeyless Access Key (for `access_key` auth). +* `--access-type`: Authentication method. +* `--gateway-url`: Gateway URL (required for `akeyless mcp`; must be supplied in-line). +* `--profile`: Use an existing CLI profile. 
-* Enable Debug Mode: Use the `--debug` flag for troubleshooting -* Monitor Access: Regularly review access logs and analytics -* Set Up Alerts: Configure alerts for unusual access patterns -* Audit Trail: Maintain audit trails for compliance requirements +### Examples -### Performance Optimization - -* Connection Pooling: Reuse connections when possible -* Caching: Implement appropriate caching strategies -* Batch Operations: Use batch operations for multiple items -* Resource Limits: Set appropriate resource limits - -## Troubleshooting: Common Issues and Solutions - -### Authentication Failures +```shell +# Production +akeyless mcp --profile prod --gateway-url https://:8000/api/v2 -#### Akeyless MCP Server Fails to Authenticate +# Development / Testing +akeyless mcp --profile dev --gateway-url https://:8000/api/v2 +``` -1. Verify access ID and access key are correct -2. Check if credentials have expired -3. Ensure proper permissions are assigned -4. Verify gateway URL is accessible +## Command: akeyless mcp-runtime-authority - -```shell -# Test authentication manually -akeyless auth --access-id "your-access-id" --access-key "your-access-key" -``` +The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools. -### Connection Issues +### Runtime Authority Parameters -#### Cannot Connect to the Akeyless Gateway +* `--gateway-url`: Gateway URL (required). +* `--profile`: Use an existing CLI profile. +* `--secret-name`: Optional default secret path for `query-db`. If omitted, the client must provide `secret-name` in tool calls. +* Authentication flags: Same auth model as `akeyless mcp`. 
-* Check network connectivity -* Verify gateway URL format -* Check firewall settings -* Test with curl or wget: +### Runtime Authority Example ```shell -# Test connectivity -curl -I https://:8000/api/v2 -``` -```text Sample Output -HTTP/2 405 -date: Fri, 03 Oct 2025 20:36:32 GMT -content-type: application/json -content-length: 68 -cache-control: no-cache, no-store, must-revalidate, private -content-security-policy: img-src 'self' data:; -cross-origin-opener-policy: same-origin -cross-origin-resource-policy: same-origin -expires: 0 -permissions-policy: geolocation=(self), microphone=(self), camera=(self), payment=(self) -pragma: no-cache -referrer-policy: no-referrer-when-downgrade -vary: Origin -x-content-type-options: nosniff -x-frame-options: SAMEORIGIN +akeyless mcp-runtime-authority \ + --gateway-url https://:8000 \ + --secret-name /demo/apps/analytics/postgres-ro \ + --profile ``` -### Permission Errors +For Runtime Authority behavior, prerequisites, and tool semantics, see [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). -#### Insufficient Permissions for Operations +## Supported Integrations -* Review role assignments -* Check item-level permissions -* Verify authentication method permissions -* Contact administrator for access +| Integration | Primary use case | Configuration surface | +| --- | --- | --- | +| Claude Desktop | Desktop AI assistant workflow with local MCP client configuration | `~/Library/"Application Support"/Claude/claude_desktop_config.json` | +| Cursor | Editor-based MCP workflow in Cursor | `~/.cursor/mcp.json` or Cursor settings JSON | +| GitHub Copilot | MCP workflow with GitHub Copilot CLI | `~/.copilot/mcp-config.json` | +| JetBrains IDEs | IDE-native plugin workflow for JetBrains products | JetBrains plugin settings | -### Configuration Errors +The dedicated integration pages in this section provide client-specific setup details for Claude Desktop, Cursor, GitHub Copilot, and JetBrains IDEs. 
-#### MCP Server Fails to Start +Use these pages for client-specific configuration: -* Validate JSON configuration syntax -* Check file paths are correct -* Verify command arguments -* Review environment variables +* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) +* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) +* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) +* [JetBrains IDEs Integration](https://docs.akeyless.io/docs/mcp-jetbrains-ides) -## Related AI Guides +## How To Use This Section -* +1. Start with this page when you need to understand the MCP content set. +2. Open the integration-specific page for the MCP client you plan to use. +3. Use [Akeyless CLI](https://docs.akeyless.io/docs/cli) and [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods) when you need installation or authentication background. diff --git a/docs/AI Security/MCP/mcp-claude-desktop.md b/docs/AI Security/MCP/mcp-claude-desktop.md new file mode 100644 index 000000000..6eb7c7994 --- /dev/null +++ b/docs/AI Security/MCP/mcp-claude-desktop.md 
@@ -0,0 +1,88 @@
+---
+title: Claude Desktop
+slug: mcp-claude-desktop
+excerpt: Connect Claude Desktop to the Akeyless MCP Server.
+deprecated: false
+hidden: false
+metadata:
+ title: ''
+ description: ''
+ robots: index
+---
+Connect Claude Desktop to the Akeyless MCP Server when you want Claude Desktop to access Akeyless tools through MCP.
+
+For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server).
+
+## Requirements
+
+* Akeyless CLI version `1.130.0` or later.
+* A configured Akeyless profile, or the authentication values required by your chosen access type.
+* A Gateway URL passed directly in the client configuration.
+
+## Configure Claude Desktop
+
+1. Install and configure the Akeyless CLI.
+2. Edit `~/Library/"Application Support"/Claude/claude_desktop_config.json`.
+3. Add the Akeyless MCP server configuration.
+4. Restart Claude Desktop.
+
+Use one of the following examples:
+
+```json Default
+{
+ "mcpServers": {
+ "akeyless": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--profile", "",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json SAML
+{
+ "mcpServers": {
+ "akeyless-saml": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "saml",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json OIDC
+{
+ "mcpServers": {
+ "akeyless-oidc": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "oidc",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+
+## Verify The Integration
+
+After Claude Desktop restarts, verify that Claude can run MCP-backed requests such as:
+
+* "Show me my Akeyless secrets"
+* "List all my targets"
+* "Create a new secret called `api-key`"
+
+## Notes
+
+* The Akeyless CLI serves MCP over `stdio`, so Claude Desktop must invoke the `akeyless mcp` command directly.
+* When `--profile` is used, the saved CLI profile supplies the authentication settings.
+* Pass `--gateway-url` directly in the Claude Desktop configuration even when the profile already has a saved Gateway value.
diff --git a/docs/AI Security/MCP/mcp-cursor.md b/docs/AI Security/MCP/mcp-cursor.md
new file mode 100644
index 000000000..af6fb1f02
--- /dev/null
+++ b/docs/AI Security/MCP/mcp-cursor.md
@@ -0,0 +1,88 @@
+---
+title: Cursor
+slug: mcp-cursor
+excerpt: Connect Cursor to the Akeyless MCP Server.
+deprecated: false
+hidden: false
+metadata:
+ title: ''
+ description: ''
+ robots: index
+---
+Connect Cursor to the Akeyless MCP Server when you want MCP access inside the Cursor editor.
+
+For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server).
+
+## Requirements
+
+* Akeyless CLI version `1.130.0` or later.
+* A configured Akeyless profile, or the authentication values required by your chosen access type.
+* A Gateway URL passed directly in the client configuration.
+
+## Configure Cursor
+
+1. Install and configure the Akeyless CLI.
+2. Open Cursor settings JSON.
+3. Add the Akeyless MCP server configuration.
+4. Restart Cursor.
+
+Use one of the following examples:
+
+```json Default
+{
+ "mcp.servers": {
+ "akeyless": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--profile", "",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json SAML
+{
+ "mcp.servers": {
+ "akeyless-saml": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "saml",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json OIDC
+{
+ "mcp.servers": {
+ "akeyless-oidc": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "oidc",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+
+## Verify The Integration
+
+After Cursor restarts, verify that Cursor can run MCP-backed requests such as:
+
+* "Show me my Akeyless secrets"
+* "Create a new secret called `api-key`"
+* "List all my targets"
+
+## Notes
+
+* The Akeyless CLI serves MCP over `stdio`, so Cursor must invoke the `akeyless mcp` command directly.
+* When `--profile` is used, the saved CLI profile supplies the authentication settings.
+* Pass `--gateway-url` directly in the Cursor configuration even when the profile already has a saved Gateway value.
diff --git a/docs/AI Security/MCP/mcp-github-copilot.md b/docs/AI Security/MCP/mcp-github-copilot.md
new file mode 100644
index 000000000..e6459c3e6
--- /dev/null
+++ b/docs/AI Security/MCP/mcp-github-copilot.md
@@ -0,0 +1,101 @@
+---
+title: GitHub Copilot
+slug: mcp-github-copilot
+excerpt: Connect GitHub Copilot to the Akeyless MCP Server.
+deprecated: false
+hidden: false
+metadata:
+ title: ''
+ description: ''
+ robots: index
+---
+Connect GitHub Copilot to the Akeyless MCP Server when you want Copilot to access Akeyless tools through MCP.
+
+For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server).
+
+## Requirements
+
+* Akeyless CLI version `1.130.0` or later.
+* GitHub Copilot CLI installed.
+* A configured Akeyless profile, or the authentication values required by your chosen access type.
+* A Gateway URL passed directly in the client configuration.
+
+## Install GitHub Copilot CLI
+
+```shell
+npm install -g @githubnext/github-copilot-cli
+```
+
+## Configure GitHub Copilot
+
+1. Install and configure the Akeyless CLI.
+2. Edit `~/.copilot/mcp-config.json`.
+3. Add the Akeyless MCP server configuration.
+4. Start GitHub Copilot with MCP enabled.
+
+Use one of the following examples:
+
+```json Default
+{
+ "mcpServers": {
+ "akeyless": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--profile", "",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json SAML
+{
+ "mcpServers": {
+ "akeyless-saml": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "saml",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+```json OIDC
+{
+ "mcpServers": {
+ "akeyless-oidc": {
+ "command": "akeyless",
+ "args": [
+ "mcp",
+ "--access-id", "",
+ "--access-type", "oidc",
+ "--gateway-url", "https://:8000/api/v2"
+ ]
+ }
+ }
+}
+```
+
+Start Copilot with MCP:
+
+```shell
+copilot mcp
+```
+
+## Verify The Integration
+
+After GitHub Copilot starts with MCP enabled, verify that it can run MCP-backed requests such as:
+
+* "Show me my Akeyless secrets"
+* "List all my targets"
+* "Create a new secret called `api-key`"
+
+## Notes
+
+* The Akeyless CLI serves MCP over `stdio`, so GitHub Copilot must invoke the `akeyless mcp` command directly.
+* When `--profile` is used, the saved CLI profile supplies the authentication settings.
+* Pass `--gateway-url` directly in the Copilot configuration even when the profile already has a saved Gateway value.
diff --git a/docs/AI Security/MCP/akeyless-mcp-plugin-jetbrains-ides.md b/docs/AI Security/MCP/mcp-jetbrains-ides.md
similarity index 99%
rename from docs/AI Security/MCP/akeyless-mcp-plugin-jetbrains-ides.md
rename to docs/AI Security/MCP/mcp-jetbrains-ides.md
index fc69476b8..5dfdf6d02 100644
--- a/docs/AI Security/MCP/akeyless-mcp-plugin-jetbrains-ides.md
+++ b/docs/AI Security/MCP/mcp-jetbrains-ides.md
@@ -1,5 +1,6 @@ --- title: Akeyless MCP Plugin for JetBrains IDEs +slug: mcp-jetbrains-ides excerpt: Integrate Akeyless secrets management directly into JetBrains IDEs with MCP deprecated: false hidden: false
diff --git a/docs/AI Security/index.md b/docs/AI Security/index.md
index db39ac788..69373099f 100644
--- a/docs/AI Security/index.md +++ b/docs/AI Security/index.md @@ -24,8 +24,4 @@ This page summarizes the current AI offerings and links to the detailed guides. ## MCP Documentation Pages -For MCP-specific setup and usage, use these pages: - -* [MCP Server](https://docs.akeyless.io/docs/mcp-server) -* [CLI Reference - MCP Server](https://docs.akeyless.io/docs/cli-reference-mcp-server) -* [Akeyless MCP Plugin for JetBrains IDEs](https://docs.akeyless.io/docs/akeyless-mcp-plugin-jetbrains-ides) +For MCP-specific setup and usage, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). diff --git a/docs/Integrations & Plugins/MCPs.md b/docs/Integrations & Plugins/MCPs.md index 5d91cbbce..9cec4b94f 100644 --- a/docs/Integrations & Plugins/MCPs.md +++ b/docs/Integrations & Plugins/MCPs.md 
@@ -12,6 +12,24 @@ next: --- ## Model Context Protocol (MCP) -See the Akeyless Model Context Protocol (MCP) overview in [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server). +Model Context Protocol (MCP) is an open protocol that lets AI clients connect to external tool servers through a standard interface. With Akeyless MCP, your client starts an Akeyless MCP server process and uses it to run authorized operations against your Akeyless identity security platform. + +General usage flow: + +1. Configure the Akeyless CLI and authentication profile. +2. Configure your MCP client to launch the Akeyless MCP server command. +3. Reload the MCP client and invoke Akeyless tools from your prompt. + +Use MCP documentation in this order: + +1. Start with [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server) for the general model, requirements, and usage flow. +2. Open your integration-specific page for client setup details. + +Integration guides: + +* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) +* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) +* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) +* [JetBrains IDEs Integration](https://docs.akeyless.io/docs/mcp-jetbrains-ides) If you use Cursor, see [Akeyless Secrets Manager for Cursor](https://docs.akeyless.io/docs/cursor-akeyless-secrets-manager) for the separate secret-scanning extension. From 2d46e1557f83b4f837b1b701261dd858d7e8b60b Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:32:31 -0600 Subject: [PATCH 06/24] docs: enhance clarity in Agentic Runtime Authority documentation --- docs/AI Security/agentic-runtime-authority.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index c94edaa94..f5859ffe4 100644 --- a/docs/AI Security/agentic-runtime-authority.md 
+++ b/docs/AI Security/agentic-runtime-authority.md @@ -10,7 +10,7 @@ metadata: > > Agentic Runtime Authority is currently in early access. Features, behavior, and availability can change between releases. -Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, runtime control means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. +Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, **runtime control** means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. **Agentic Runtime Authority** currently supports these target categories for runtime execution: 
@@ -133,7 +133,7 @@ The current CLI parser requires both `name` and `rule` for each repeated flag. ## Set Up The AI Agent -To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts and client setup patterns, including Claude Desktop and Cursor, see [MCP Server](https://docs.akeyless.io/docs/mcp-server) and [CLI Reference - MCP Server](https://docs.akeyless.io/docs/cli-reference-mcp-server). The configuration below is specific to the `mcp-runtime-authority` subcommand. +To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts, command syntax, and client setup patterns, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). The configuration below is specific to the `mcp-runtime-authority` subcommand. ### For Claude From 8a18ea6031cda4c5cff7734c974a26cc061f5666 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:33:24 -0600 Subject: [PATCH 07/24] docs: add additional MCP integration documentation links --- docs/AI Security/index.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/AI Security/index.md b/docs/AI Security/index.md index 69373099f..557e51059 100644 --- a/docs/AI Security/index.md +++ b/docs/AI Security/index.md 
@@ -24,4 +24,10 @@ This page summarizes the current AI offerings and links to the detailed guides. ## MCP Documentation Pages -For MCP-specific setup and usage, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). +For MCP-specific setup and usage, use these pages: + +* [MCP Server](https://docs.akeyless.io/docs/mcp-server) +* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) +* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) +* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) +* [Akeyless MCP Plugin for JetBrains IDEs](https://docs.akeyless.io/docs/mcp-jetbrains-ides) From cbb89d508a0177cff5f9dc56c49f8d262629e803 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:33:43 -0600 Subject: [PATCH 08/24] docs: enhance prompt injection protection documentation with additional links --- .../prompt-injection-protection-for-ai-agents.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/AI Security/prompt-injection-protection-for-ai-agents.md b/docs/AI Security/prompt-injection-protection-for-ai-agents.md index 9aaf88269..3d0d5a27e 100644 --- a/docs/AI Security/prompt-injection-protection-for-ai-agents.md +++ b/docs/AI Security/prompt-injection-protection-for-ai-agents.md 
@@ -86,12 +86,16 @@ Use secretless runtime retrieval together with the following controls: This pattern is relevant anywhere an agent or AI-assisted workflow can reach protected systems: -* Akeyless AI Insights, when natural-language workflows interact with protected resources -* Akeyless MCP Server, when external agent frameworks call Akeyless-managed tools and credentials +* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight), when natural-language workflows interact with protected resources +* [Akeyless MCP Server](https://docs.akeyless.io/docs/mcp-server), when external agent frameworks call Akeyless-managed tools and credentials +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority), when runtime agent access to protected resources needs enforcement and auditing +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence), when teams need AI-related visibility and governance surfaces * custom agent implementations that retrieve secrets or dynamic credentials from Akeyless at runtime ## Related AI Guides * [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) +* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) +* [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) * [MCP Server](https://docs.akeyless.io/docs/mcp-server) * [Beyond .env: Building a "Dynamic-Only" Secretless AI Agent with Google ADK](https://docs.akeyless.io/docs/beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk) From 25cb02fa76bae58b2a33c4e6167041d49200488d Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:35:26 -0600 Subject: [PATCH 09/24] docs: add MCP Server documentation link to AI Insights guide --- docs/AI Security/akeyless-ai-insight.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/AI Security/akeyless-ai-insight.md b/docs/AI Security/akeyless-ai-insight.md index 1f8ac54dd..58e8e2682 100644 --- a/docs/AI Security/akeyless-ai-insight.md +++ b/docs/AI Security/akeyless-ai-insight.md @@ -214,5 +214,6 @@ To test AI Insights in the Akeyless Console, follow these steps: * [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) * [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) +* [MCP Server](https://docs.akeyless.io/docs/mcp-server) * [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) * [Beyond .env: Building a "Dynamic-Only" Secretless AI Agent with Google ADK](https://docs.akeyless.io/docs/beyond-env-building-a-dynamic-only-secretless-ai-agent-with-google-adk) From ed7de3e2e6d0fe5cd94dbdc138341f8a98bb4dfe Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:35:47 -0600 Subject: [PATCH 10/24] docs: add links to CLI commands in Agentic Runtime Authority documentation for clarity --- docs/AI Security/agentic-runtime-authority.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index f5859ffe4..55184a5d7 100644 --- a/docs/AI Security/agentic-runtime-authority.md +++ b/docs/AI Security/agentic-runtime-authority.md 
@@ -24,8 +24,8 @@ Agentic Runtime Authority extends Akeyless AI security beyond secretless credent The current implementation exposes Agentic Runtime Authority in these places: * The **Agentic Runtime Authority** step or details tab on supported Dynamic Secrets in the Akeyless Console -* The `runtime-authority` CLI command for direct runtime queries through the Gateway -* The `mcp-runtime-authority` CLI command for MCP-based agent integrations +* The [runtime-authority CLI command](https://docs.akeyless.io/docs/cli-reference#runtime-authority) for direct runtime queries through the Gateway +* The [mcp-runtime-authority CLI command](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority) for MCP-based agent integrations * The MCP tools exposed by `mcp-runtime-authority`: `list-secrets`, `query-db`, and `service-execute` * The `ara-reports-access` role rule for dashboard visibility * The **Agentic Runtime Authority** role-rule type with the **Allow Access** capability in the Console role editor @@ -133,7 +133,7 @@ The current CLI parser requires both `name` and `rule` for each repeated flag. ## Set Up The AI Agent -To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts, command syntax, and client setup patterns, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). The configuration below is specific to the `mcp-runtime-authority` subcommand. +To integrate Akeyless with your AI agent, add the **Akeyless MCP server** configuration to the agent’s config file. For general MCP concepts, command syntax, and client setup patterns, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). The configuration below is specific to the [mcp-runtime-authority subcommand](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). ### For Claude 
@@ -182,7 +182,7 @@ For OAuth-backed service flows, `service-execute` can also require `auth-code` a ## Query Protected Resources With The CLI -Use `runtime-authority` for direct runtime queries through the Gateway: +Use the [runtime-authority command](https://docs.akeyless.io/docs/cli-reference#runtime-authority) for direct runtime queries through the Gateway: ```shell akeyless runtime-authority \ @@ -193,7 +193,7 @@ akeyless runtime-authority \ --profile ``` -Use `mcp-runtime-authority` when the agent connects through MCP: +Use the [mcp-runtime-authority command](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority) when the agent connects through MCP: ```shell akeyless mcp-runtime-authority \ From de040838c1869b0e323ba5224c0409b679f78a8f Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:36:05 -0600 Subject: [PATCH 11/24] docs: add CLI reference links for MCP commands to enhance usage clarity --- docs/AI Security/MCP/index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index ce75e4b2e..8fb149490 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md 
@@ -55,10 +55,14 @@ The Akeyless CLI currently exposes two MCP-related commands: | `akeyless mcp` | Starts the general Akeyless MCP server for standard Akeyless tools. | | `akeyless mcp-runtime-authority` | Starts the Agentic Runtime Authority MCP server for runtime query workflows (`list-secrets`, `query-db`, `service-execute`). | +For full command flags and usage details, see [CLI Reference](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). + ## Command: akeyless mcp The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. +For complete command usage and flags, see [CLI Reference - mcp](https://docs.akeyless.io/docs/cli-reference#mcp). + > Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). ### Basic Commands @@ -102,6 +106,8 @@ akeyless mcp --profile dev --gateway-url https://:8000/api/v2 The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools. +For complete command usage and flags, see [CLI Reference - mcp-runtime-authority](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). + ### Runtime Authority Parameters * `--gateway-url`: Gateway URL (required). From 5a3dab80cd49f340a643f1009ed634eec07098fd Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:36:22 -0600 Subject: [PATCH 12/24] docs: add MCP and runtime authority command documentation for enhanced CLI reference --- .../cli-reference/index.md | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/docs/Integrations & Plugins/cli-reference/index.md b/docs/Integrations & Plugins/cli-reference/index.md index fe4c6d30e..c27960ed5 100644 --- a/docs/Integrations & Plugins/cli-reference/index.md +++ b/docs/Integrations & Plugins/cli-reference/index.md 
@@ -205,6 +205,61 @@ akeyless move-objects --source \ `-o, --objects-type[=item]`: The objects type to move (item/auth_method/role) +### `mcp` + +Starts the general Akeyless MCP server so MCP-compatible AI clients can interact with Akeyless tools. + +#### Usage + +```shell +akeyless mcp \ + --gateway-url https://:8000/api/v2 \ + --profile +``` + +#### Flags + +`--gateway-url`: Required, Gateway URL + +`--profile`: Use an existing CLI profile + +`--access-type`: Authentication method when not using `--profile`, options: `[access_key/password/saml/ldap/k8s/azure_ad/oidc/aws_iam/universal_identity/jwt/gcp/cert/oci/kerberos]` + +`--access-id`: Access ID for the selected authentication method + +`--access-key`: Access Key (relevant for `access-type=access_key`) + +For MCP concepts and integration setup, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). + +### `mcp-runtime-authority` + +Starts the MCP server for Agentic Runtime Authority runtime-query tools. + +#### Usage + +```shell +akeyless mcp-runtime-authority \ + --gateway-url https://:8000 \ + --secret-name /demo/apps/analytics/postgres-ro \ + --profile +``` + +#### Flags + +`--gateway-url`: Required, Gateway URL + +`--secret-name`: Optional default secret path for database query workflows + +`--profile`: Use an existing CLI profile + +`--access-type`: Authentication method when not using `--profile`, options: `[access_key/password/saml/ldap/k8s/azure_ad/oidc/aws_iam/universal_identity/jwt/gcp/cert/oci/kerberos]` + +`--access-id`: Access ID for the selected authentication method + +`--access-key`: Access Key (relevant for `access-type=access_key`) + +For Runtime Authority behavior and workflow context, see [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). + ### `set-item-state` Set an item's state (Enabled, Disabled) 
@@ -222,6 +277,33 @@ akeyless set-item-state --name \ `-s, --desired-state`: Required, Desired item state +### `runtime-authority` + +Execute a target query or service action through the Gateway runtime authority endpoint. + +#### Usage + +```shell +akeyless runtime-authority \ + --name /demo/apps/analytics/postgres-ro \ + --payload 'SELECT current_user, current_database();' \ + --agent-id ai-assistant-01 \ + --gateway-url https://:8000 \ + --profile +``` + +#### Flags + +`-n, --name`: Required, Full path of the Akeyless secret (dynamic or rotated) + +`--payload`: Required, Query or action to run (for example SQL or `aws s3 ls`) + +`--agent-id`: Required, Agent identifier for auditing + +`-u, --gateway-url`: Required, Gateway URL + +`--profile`: Use an existing CLI profile + ### `unconfigure` Remove configuration of client profile From a6838d2283b1da0e0068613282c9d0d362603d21 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:36:34 -0600 Subject: [PATCH 13/24] docs: update Identity & Secrets Intelligence documentation to remove alpha references and enhance clarity --- .../AI Security/identity-and-secrets-intelligence.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md index 54ba9b276..c6ad5135f 100644 --- a/docs/AI Security/identity-and-secrets-intelligence.md +++ b/docs/AI Security/identity-and-secrets-intelligence.md 
@@ -13,7 +13,7 @@ metadata: > > Identity and Secrets Intelligence is currently in early access. Features, behavior, and availability can change between releases. -Identity and Secrets Intelligence is an alpha console surface for reviewing AI-related visibility and governance data in Akeyless. +Identity and Secrets Intelligence is a console surface for reviewing AI-related visibility and governance data in Akeyless. In the current Akeyless Console, Identity and Secrets Intelligence includes these sections: @@ -26,14 +26,12 @@ Identity and Secrets Intelligence complements the broader Akeyless AI security m ## Access And Availability -Identity and Secrets Intelligence is currently shown as an alpha feature in the Akeyless Console. - In the current Console implementation, the menu is shown only when the account has the feature enabled and the user has admin-level Console access. The backend and CLI also expose a dedicated `isi-access` role rule. ### Use Identity & Secrets Intelligence In The Console 1. Sign in to the Akeyless Console. -2. In the left navigation, open **Identity & Secrets Intelligence (Alpha)**. +2. In the left navigation, open **Identity & Secrets Intelligence**. 3. Use **Dashboard** for the high-level overview. 4. Use **Inventory** to review findings and drill into finding details. 5. Use **Scanners** to create scanners, start scans, stop running scans, and review scan history. @@ -47,6 +45,8 @@ The current Scanner implementation supports creating scanners, starting scans, s Use the `isi-access` administrative rule on a role to control access to Identity and Secrets Intelligence. +For command syntax, see [CLI Reference - Access Roles](https://docs.akeyless.io/docs/cli-reference-access-roles). + Supported values are: * `none` 
@@ -84,7 +84,7 @@ The following example shows one minimal workflow for granting access and reviewi 1. Create or update a role with `--isi-access scoped` or `--isi-access all`. 2. Associate the role with the authentication method that your operators use. 3. Sign in to the Akeyless Console. -4. Open **Identity & Secrets Intelligence (Alpha)**. +4. Open **Identity & Secrets Intelligence**. 5. Review the **Dashboard**. 6. Open **Scanners**, start a scan, and then use **Inventory** to review the findings. @@ -99,7 +99,7 @@ akeyless create-role \ ### Console Example 1. Sign in to the Akeyless Console. -2. Open **Identity & Secrets Intelligence (Alpha)**. +2. Open **Identity & Secrets Intelligence**. 3. Open **Scanners**, and start a scan. 4. Open **Inventory**, and review the generated findings. From 40cbd4ad5e5237452b5d758b64d427a74e793bcb Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:43:25 -0600 Subject: [PATCH 14/24] docs: update authentication examples in MCP documentation for clarity --- docs/AI Security/MCP/mcp-claude-desktop.md | 2 +- docs/AI Security/MCP/mcp-cursor.md | 2 +- docs/AI Security/MCP/mcp-github-copilot.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/AI Security/MCP/mcp-claude-desktop.md b/docs/AI Security/MCP/mcp-claude-desktop.md index 6eb7c7994..f089539e1 100644 --- a/docs/AI Security/MCP/mcp-claude-desktop.md +++ b/docs/AI Security/MCP/mcp-claude-desktop.md @@ -26,7 +26,7 @@ For general MCP background and command syntax, see [MCP Server](https://docs.ake 3. Add the Akeyless MCP server configuration. 4. Restart Claude Desktop. -Use one of the following examples: +The following examples show common authentication configurations: ```json Default { diff --git a/docs/AI Security/MCP/mcp-cursor.md b/docs/AI Security/MCP/mcp-cursor.md index af6fb1f02..30041eb17 100644 --- a/docs/AI Security/MCP/mcp-cursor.md +++ b/docs/AI Security/MCP/mcp-cursor.md 
@@ -26,7 +26,7 @@ For general MCP background and command syntax, see [MCP Server](https://docs.ake 3. Add the Akeyless MCP server configuration. 4. Restart Cursor. -Use one of the following examples: +The following examples show common authentication configurations: ```json Default { diff --git a/docs/AI Security/MCP/mcp-github-copilot.md b/docs/AI Security/MCP/mcp-github-copilot.md index e6459c3e6..66a0360f7 100644 --- a/docs/AI Security/MCP/mcp-github-copilot.md +++ b/docs/AI Security/MCP/mcp-github-copilot.md @@ -33,7 +33,7 @@ npm install -g @githubnext/github-copilot-cli 3. Add the Akeyless MCP server configuration. 4. Start GitHub Copilot with MCP enabled. -Use one of the following examples: +The following examples show common authentication configurations: ```json Default { From f3fff9b4fa1c8cd87c080607d75533ea00e7b8d0 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:43:34 -0600 Subject: [PATCH 15/24] docs: streamline MCP documentation by removing redundant sections and enhancing command clarity --- docs/AI Security/MCP/index.md | 74 +++-------------------------------- 1 file changed, 5 insertions(+), 69 deletions(-) diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index 8fb149490..249231269 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md 
@@ -10,21 +10,10 @@ metadata: description: Overview of Akeyless MCP content, requirements, and supported integrations. robots: index --- -## Overview - The Akeyless Model Context Protocol (MCP) Server lets MCP-enabled tools connect to your Akeyless identity security platform through the Akeyless CLI. This section explains the MCP server, its command syntax, and the supported client integrations documented by Akeyless. Model Context Protocol (MCP) is an open protocol that standardizes how an AI client discovers tools and sends tool calls to an external server. In this model, your MCP client (for example, Claude Desktop, Cursor, or GitHub Copilot) launches the Akeyless MCP server locally over `stdio`, then uses it to run authorized operations against Akeyless resources. -## What This Section Covers - -Use the pages in this section for the following goals: - -* Understand what the Akeyless MCP Server does and when to use it. -* Configure a supported MCP client integration. -* Review the `akeyless mcp` command syntax and authentication options. -* Follow the JetBrains IDE plugin flow when you need an IDE-native integration. - ## Common Requirements All documented MCP integrations share these requirements: 
@@ -55,74 +44,21 @@ The Akeyless CLI currently exposes two MCP-related commands: | `akeyless mcp` | Starts the general Akeyless MCP server for standard Akeyless tools. | | `akeyless mcp-runtime-authority` | Starts the Agentic Runtime Authority MCP server for runtime query workflows (`list-secrets`, `query-db`, `service-execute`). | -For full command flags and usage details, see [CLI Reference](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). +For full command flags and usage details, see [CLI Reference](https://docs.akeyless.io/docs/cli-reference#mcp). ## Command: akeyless mcp -The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. - -For complete command usage and flags, see [CLI Reference - mcp](https://docs.akeyless.io/docs/cli-reference#mcp). +The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. It accepts the same authentication flags as other Akeyless CLI commands. For details, see [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods). > Important: `akeyless mcp` does not use the `gateway_url` value configured in a CLI profile. You must pass `--gateway-url` directly in every `akeyless mcp` command (or MCP client args). 
-### Basic Commands - -```shell -# Start MCP server with access key authentication -akeyless mcp --access-id --access-key --access-type access_key --gateway-url https://:8000/api/v2 - -# Start MCP server with SAML authentication -akeyless mcp --access-id --access-type saml --gateway-url https://:8000/api/v2 -``` - -### Supported Authentication Methods - -```shell ---access-type [=access_key] -(access_key / password / saml / ldap / k8s / azure_ad / oidc / aws_iam / universal_identity / jwt / gcp / cert / oci / kerberos) -``` - -The `mcp` command accepts the same authentication parameters as standard Akeyless CLI auth commands. For details, see [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods). - -### Common Parameters - -* `--access-id`: Your Akeyless Access ID. -* `--access-key`: Your Akeyless Access Key (for `access_key` auth). -* `--access-type`: Authentication method. -* `--gateway-url`: Gateway URL (required for `akeyless mcp`; must be supplied in-line). -* `--profile`: Use an existing CLI profile. - -### Examples - -```shell -# Production -akeyless mcp --profile prod --gateway-url https://:8000/api/v2 - -# Development / Testing -akeyless mcp --profile dev --gateway-url https://:8000/api/v2 -``` +For full command syntax and flags, see [CLI Reference - mcp](https://docs.akeyless.io/docs/cli-reference#mcp). ## Command: akeyless mcp-runtime-authority -The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools. - -For complete command usage and flags, see [CLI Reference - mcp-runtime-authority](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). - -### Runtime Authority Parameters - -* `--gateway-url`: Gateway URL (required). -* `--profile`: Use an existing CLI profile. -* `--secret-name`: Optional default secret path for `query-db`. If omitted, the client must provide `secret-name` in tool calls. 
-* Authentication flags: Same auth model as `akeyless mcp`. - -### Runtime Authority Example +The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools (`list-secrets`, `query-db`, `service-execute`). It uses the same authentication model as `akeyless mcp`, and accepts an optional `--secret-name` flag to set a default secret path for `query-db`. -```shell -akeyless mcp-runtime-authority \ - --gateway-url https://:8000 \ - --secret-name /demo/apps/analytics/postgres-ro \ - --profile -``` +For full command syntax and flags, see [CLI Reference - mcp-runtime-authority](https://docs.akeyless.io/docs/cli-reference#mcp-runtime-authority). For Runtime Authority behavior, prerequisites, and tool semantics, see [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority). From c9bad8bf138ce8541f7d17d444ed4a921afb9bcf Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:45:44 -0600 Subject: [PATCH 16/24] docs: enhance MCP command documentation with clearer headings and integration details --- docs/AI Security/MCP/index.md | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index 249231269..dda77e35d 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md @@ -46,7 +46,7 @@ The Akeyless CLI currently exposes two MCP-related commands: For full command flags and usage details, see [CLI Reference](https://docs.akeyless.io/docs/cli-reference#mcp). -## Command: akeyless mcp +### Command: akeyless mcp The `akeyless mcp` command starts an MCP server so AI assistants can securely interact with Akeyless services through a standardized interface. It accepts the same authentication flags as other Akeyless CLI commands. For details, see [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods). 
@@ -54,7 +54,7 @@ The `akeyless mcp` command starts an MCP server so AI assistants can securely in For full command syntax and flags, see [CLI Reference - mcp](https://docs.akeyless.io/docs/cli-reference#mcp). -## Command: akeyless mcp-runtime-authority +### Command: akeyless mcp-runtime-authority The `akeyless mcp-runtime-authority` command starts the MCP server for Agentic Runtime Authority runtime-query tools (`list-secrets`, `query-db`, `service-execute`). It uses the same authentication model as `akeyless mcp`, and accepts an optional `--secret-name` flag to set a default secret path for `query-db`. 
@@ -66,22 +66,7 @@ For Runtime Authority behavior, prerequisites, and tool semantics, see [Agentic | Integration | Primary use case | Configuration surface | | --- | --- | --- | -| Claude Desktop | Desktop AI assistant workflow with local MCP client configuration | `~/Library/"Application Support"/Claude/claude_desktop_config.json` | -| Cursor | Editor-based MCP workflow in Cursor | `~/.cursor/mcp.json` or Cursor settings JSON | -| GitHub Copilot | MCP workflow with GitHub Copilot CLI | `~/.copilot/mcp-config.json` | -| JetBrains IDEs | IDE-native plugin workflow for JetBrains products | JetBrains plugin settings | - -The dedicated integration pages in this section provide client-specific setup details for Claude Desktop, Cursor, GitHub Copilot, and JetBrains IDEs. - -Use these pages for client-specific configuration: - -* [Claude Desktop Integration](https://docs.akeyless.io/docs/mcp-claude-desktop) -* [Cursor Integration](https://docs.akeyless.io/docs/mcp-cursor) -* [GitHub Copilot Integration](https://docs.akeyless.io/docs/mcp-github-copilot) -* [JetBrains IDEs Integration](https://docs.akeyless.io/docs/mcp-jetbrains-ides) - -## How To Use This Section - -1. Start with this page when you need to understand the MCP content set. -2. Open the integration-specific page for the MCP client you plan to use. -3. Use [Akeyless CLI](https://docs.akeyless.io/docs/cli) and [Access and Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods) when you need installation or authentication background. 
+| [Claude Desktop](https://docs.akeyless.io/docs/mcp-claude-desktop) | Desktop AI assistant workflow with local MCP client configuration | `~/Library/"Application Support"/Claude/claude_desktop_config.json` | +| [Cursor](https://docs.akeyless.io/docs/mcp-cursor) | Editor-based MCP workflow in Cursor | `~/.cursor/mcp.json` or Cursor settings JSON | +| [GitHub Copilot](https://docs.akeyless.io/docs/mcp-github-copilot) | MCP workflow with GitHub Copilot CLI | `~/.copilot/mcp-config.json` | +| [JetBrains IDEs](https://docs.akeyless.io/docs/mcp-jetbrains-ides) | IDE-native plugin workflow for JetBrains products | JetBrains plugin settings | From f50edcffa3cbf2fc2da974da154e569396011884 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 14:52:31 -0600 Subject: [PATCH 17/24] docs: correct file paths and enhance section headings for clarity in MCP and AI documentation --- docs/AI Security/MCP/index.md | 2 +- docs/AI Security/MCP/mcp-claude-desktop.md | 2 +- docs/AI Security/MCP/mcp-cursor.md | 6 +++--- docs/AI Security/MCP/mcp-jetbrains-ides.md | 6 +++--- docs/AI Security/agentic-runtime-authority.md | 10 ++-------- docs/AI Security/akeyless-ai-insight.md | 4 ++-- docs/AI Security/identity-and-secrets-intelligence.md | 6 ------ 7 files changed, 12 insertions(+), 24 deletions(-) diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index dda77e35d..703aca27a 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md 
@@ -66,7 +66,7 @@ For Runtime Authority behavior, prerequisites, and tool semantics, see [Agentic | Integration | Primary use case | Configuration surface | | --- | --- | --- | -| [Claude Desktop](https://docs.akeyless.io/docs/mcp-claude-desktop) | Desktop AI assistant workflow with local MCP client configuration | `~/Library/"Application Support"/Claude/claude_desktop_config.json` | +| [Claude Desktop](https://docs.akeyless.io/docs/mcp-claude-desktop) | Desktop AI assistant workflow with local MCP client configuration | `~/Library/Application Support/Claude/claude_desktop_config.json` | | [Cursor](https://docs.akeyless.io/docs/mcp-cursor) | Editor-based MCP workflow in Cursor | `~/.cursor/mcp.json` or Cursor settings JSON | | [GitHub Copilot](https://docs.akeyless.io/docs/mcp-github-copilot) | MCP workflow with GitHub Copilot CLI | `~/.copilot/mcp-config.json` | | [JetBrains IDEs](https://docs.akeyless.io/docs/mcp-jetbrains-ides) | IDE-native plugin workflow for JetBrains products | JetBrains plugin settings | diff --git a/docs/AI Security/MCP/mcp-claude-desktop.md b/docs/AI Security/MCP/mcp-claude-desktop.md index f089539e1..afb6ff6d3 100644 --- a/docs/AI Security/MCP/mcp-claude-desktop.md +++ b/docs/AI Security/MCP/mcp-claude-desktop.md @@ -22,7 +22,7 @@ For general MCP background and command syntax, see [MCP Server](https://docs.ake ## Configure Claude Desktop 1. Install and configure the Akeyless CLI. -2. Edit `~/Library/"Application Support"/Claude/claude_desktop_config.json`. +2. Edit `~/Library/Application Support/Claude/claude_desktop_config.json`. 3. Add the Akeyless MCP server configuration. 4. Restart Claude Desktop. diff --git a/docs/AI Security/MCP/mcp-cursor.md b/docs/AI Security/MCP/mcp-cursor.md index 30041eb17..26e57c4f1 100644 --- a/docs/AI Security/MCP/mcp-cursor.md +++ b/docs/AI Security/MCP/mcp-cursor.md 
@@ -30,7 +30,7 @@ The following examples show common authentication configurations: ```json Default { - "mcp.servers": { + "mcpServers": { "akeyless": { "command": "akeyless", "args": [ @@ -44,7 +44,7 @@ The following examples show common authentication configurations: ``` ```json SAML { - "mcp.servers": { + "mcpServers": { "akeyless-saml": { "command": "akeyless", "args": [ @@ -59,7 +59,7 @@ The following examples show common authentication configurations: ``` ```json OIDC { - "mcp.servers": { + "mcpServers": { "akeyless-oidc": { "command": "akeyless", "args": [ diff --git a/docs/AI Security/MCP/mcp-jetbrains-ides.md b/docs/AI Security/MCP/mcp-jetbrains-ides.md index 5dfdf6d02..bdfc22904 100644 --- a/docs/AI Security/MCP/mcp-jetbrains-ides.md +++ b/docs/AI Security/MCP/mcp-jetbrains-ides.md @@ -115,9 +115,9 @@ For profile details and advanced options, see [CLI Profiles](https://docs.akeyle Note that the project uses a JDK 17 compile toolchain. If the Gradle wrapper fails to start because the default Java version is too new, set `org.gradle.java.home` in `gradle.properties` to a JDK 17 or JDK 21 installation. 1. In your JetBrains IDE, go to **Settings → Plugins**. -1. Select the gear icon, and then select **Install Plugin from Disk...**. -1. Select the generated ZIP file from the `build/distributions/` directory. -1. Restart the IDE when prompted. +2. Select the gear icon, and then select **Install Plugin from Disk...**. +3. Select the generated ZIP file from the `build/distributions/` directory. +4. Restart the IDE when prompted. ### Step 4: Configure the Plugin diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index 55184a5d7..6cdb300d6 100644 --- a/docs/AI Security/agentic-runtime-authority.md +++ b/docs/AI Security/agentic-runtime-authority.md 
@@ -137,7 +137,7 @@ To integrate Akeyless with your AI agent, add the **Akeyless MCP server** config ### For Claude -Create the following file: `~/Library/"Application Support"/Claude/claude_desktop_config.json`. +Create the following file: `~/Library/Application Support/Claude/claude_desktop_config.json`. ### For Cursor @@ -202,15 +202,9 @@ akeyless mcp-runtime-authority \ --profile ``` -## Query Protected Resources - -With Agentic Runtime Authority configured, you can now use Claude or Cursor to interact with your protected resources in natural language. The AI agent will authenticate requests and retrieve credentials dynamically without storing long-lived secrets. - ## Monitoring Access -Each session and resource query is logged by the runtime services. - -In the current Console implementation, the verified UI coverage for Agentic Runtime Authority is on Dynamic Secret configuration surfaces (the **Agentic Runtime Authority** tab and rules tables). A dedicated Agentic Runtime Authority reporting page is not exposed in the frontend-react Console routes. +Each session and resource query is logged by the runtime services. Use the `ara-reports-access` role rule to grant access to Agentic Runtime Authority reporting data. See [Control Access With RBAC](#control-access-with-rbac) for role setup details. ## Control Agent Behavior With Rules diff --git a/docs/AI Security/akeyless-ai-insight.md b/docs/AI Security/akeyless-ai-insight.md index 58e8e2682..b612804d8 100644 --- a/docs/AI Security/akeyless-ai-insight.md +++ b/docs/AI Security/akeyless-ai-insight.md @@ -161,7 +161,7 @@ To verify that AI Insights is enabled at the account level, run the following co akeyless get-account-settings ``` -#### Verify the Target +### Verify the Target To verify that the OpenAI target is configured correctly, run the following command: 
@@ -169,7 +169,7 @@ To verify that the OpenAI target is configured correctly, run the following comm akeyless get-target --name my-openai-target ``` -#### Verify the Gateway Configuration +### Verify the Gateway Configuration To verify that the gateway is configured for AI Insights, run the following command: diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md index c6ad5135f..c7a868d7e 100644 --- a/docs/AI Security/identity-and-secrets-intelligence.md +++ b/docs/AI Security/identity-and-secrets-intelligence.md @@ -110,9 +110,3 @@ Use Identity and Secrets Intelligence together with the other Akeyless AI surfac * [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) for natural-language interaction with the Akeyless identity security platform * [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) for controlled runtime access to supported dynamic secrets * [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) for guidance on reducing credential misuse risk in AI workflows - -## Related AI Guides - -* [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) -* [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) -* [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) From 62f03bfe6a308141b97b78c0a69d584ccb294164 Mon Sep 17 00:00:00 2001 
From: Harrison Sherwin - Akeyless
Date: Tue, 12 May 2026 15:01:03 -0600
Subject: [PATCH 18/24] docs: add AI Security and Secure Remote Access documentation with structured content and links
---
 docs/AI Security/_order.yaml | 2 +-
 docs/AI Security/{index.md => ai-security.md} | 0
 docs/Secure Remote Access/_order.yaml | 1 +
 docs/Secure Remote Access/{index.md => secure-remote-access.md} | 0
 4 files changed, 2 insertions(+), 1 deletion(-)
 rename docs/AI Security/{index.md => ai-security.md} (100%)
 rename docs/Secure Remote Access/{index.md => secure-remote-access.md} (100%)
diff --git a/docs/AI Security/_order.yaml b/docs/AI Security/_order.yaml
index a9c502def..b5458eef3 100644
--- a/docs/AI Security/_order.yaml
+++ b/docs/AI Security/_order.yaml
@@ -1,4 +1,4 @@
-- index
+- ai-security
 - akeyless-ai-insight
 - identity-and-secrets-intelligence
 - agentic-runtime-authority
diff --git a/docs/AI Security/index.md b/docs/AI Security/ai-security.md
similarity index 100%
rename from docs/AI Security/index.md
rename to docs/AI Security/ai-security.md
diff --git a/docs/Secure Remote Access/_order.yaml b/docs/Secure Remote Access/_order.yaml
index 4ead415ab..799aaf706 100644
--- a/docs/Secure Remote Access/_order.yaml
+++ b/docs/Secure Remote Access/_order.yaml
@@ -1,3 +1,4 @@
+- secure-remote-access
 - sra-getting-started
 - sra-setup
 - sra-admin-guides
diff --git a/docs/Secure Remote Access/index.md b/docs/Secure Remote Access/secure-remote-access.md
similarity index 100%
rename from docs/Secure Remote Access/index.md
rename to docs/Secure Remote Access/secure-remote-access.md
From 9b277c9687984699177060a51f86cacde8d2432b Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 15:41:36 -0600 Subject: [PATCH 19/24] docs: address AI security review comments and constraints --- docs/AI Security/MCP/mcp-claude-desktop.md | 2 +- docs/AI Security/MCP/mcp-jetbrains-ides.md | 2 ++ docs/AI Security/agentic-runtime-authority.md | 5 ++++- docs/AI Security/ai-security.md | 2 +- docs/AI Security/akeyless-ai-insight.md | 3 +++ docs/AI Security/identity-and-secrets-intelligence.md | 2 +- .../AI Security/prompt-injection-protection-for-ai-agents.md | 3 +++ .../cli-reference/cli-reference-access-roles.md | 4 ++-- 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/docs/AI Security/MCP/mcp-claude-desktop.md b/docs/AI Security/MCP/mcp-claude-desktop.md index afb6ff6d3..097b078d3 100644 --- a/docs/AI Security/MCP/mcp-claude-desktop.md +++ b/docs/AI Security/MCP/mcp-claude-desktop.md @@ -9,7 +9,7 @@ metadata: description: '' robots: index --- -Connect Claude Desktop to the Akeyless MCP Server when you want Claude Desktop to access Akeyless tools through MCP. +Connect Claude Desktop to the Akeyless Model Context Protocol (MCP) Server when you want Claude Desktop to access Akeyless tools through MCP. For general MCP background and command syntax, see [MCP Server](https://docs.akeyless.io/docs/mcp-server). diff --git a/docs/AI Security/MCP/mcp-jetbrains-ides.md b/docs/AI Security/MCP/mcp-jetbrains-ides.md index bdfc22904..060957151 100644 --- a/docs/AI Security/MCP/mcp-jetbrains-ides.md +++ b/docs/AI Security/MCP/mcp-jetbrains-ides.md 
@@ -114,6 +114,8 @@ For profile details and advanced options, see [CLI Profiles](https://docs.akeyle Note that the project uses a JDK 17 compile toolchain. If the Gradle wrapper fails to start because the default Java version is too new, set `org.gradle.java.home` in `gradle.properties` to a JDK 17 or JDK 21 installation. +Install the generated plugin from disk: + 1. In your JetBrains IDE, go to **Settings → Plugins**. 2. Select the gear icon, and then select **Install Plugin from Disk...**. 3. Select the generated ZIP file from the `build/distributions/` directory. diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index 6cdb300d6..f1b44405c 100644 --- a/docs/AI Security/agentic-runtime-authority.md +++ b/docs/AI Security/agentic-runtime-authority.md @@ -1,8 +1,11 @@ --- title: Agentic Runtime Authority +excerpt: Configure Agentic Runtime Authority for controlled AI agent access and runtime query governance. deprecated: false hidden: false metadata: + title: Agentic Runtime Authority + description: Configure Agentic Runtime Authority to apply runtime controls, role-based access, and MCP workflows for AI agent access. robots: index --- @@ -87,7 +90,7 @@ Use the role-rule workflow when you want a role to execute Agentic Runtime Autho 1. Open the access role that should run Agentic Runtime Authority queries. 2. Add a role rule with the type **Agentic Runtime Authority**. -3. Set the path to the relevant ARA-enabled secret path. +3. Set the path to the relevant Agentic Runtime Authority (ARA)-enabled secret path. 4. Select the **Allow Access** capability. 5. Save the role. diff --git a/docs/AI Security/ai-security.md b/docs/AI Security/ai-security.md index 557e51059..ec1ad1844 100644 --- a/docs/AI Security/ai-security.md +++ b/docs/AI Security/ai-security.md 
@@ -16,7 +16,7 @@ This page summarizes the current AI offerings and links to the detailed guides. | Offering | Primary Purpose | Key Capabilities | Documentation | | --- | --- | --- | --- | -| Akeyless AI Insights | Enable natural-language interaction with Akeyless resources | Account-level enablement, Gateway-level model configuration, LLM target setup, and validation flow | [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) | +| Akeyless AI Insights | Enable natural-language interaction with Akeyless resources | Account-level enablement, Gateway-level model configuration, Large Language Model (LLM) target setup, and validation flow | [Akeyless AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) | | Agentic Runtime Authority | Control and audit runtime agent access to supported Dynamic Secrets | Runtime query execution, input and output rules, role-based reporting access, MCP runtime support, and session reporting | [Agentic Runtime Authority](https://docs.akeyless.io/docs/agentic-runtime-authority) | | Identity and Secrets Intelligence | Provide AI-related visibility and governance surfaces in the Console | Dashboard, Inventory, Scanners, Policies, and dedicated RBAC control via `isi-access` | [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence) | | Prompt Injection Protection Guidance | Reduce credential misuse risk in AI workflows | Secretless architecture guidance, runtime retrieval model, and practical hardening recommendations | [Prompt Injection Protection for AI Agents](https://docs.akeyless.io/docs/prompt-injection-protection-for-ai-agents) | diff --git a/docs/AI Security/akeyless-ai-insight.md b/docs/AI Security/akeyless-ai-insight.md index b612804d8..a5413c1e3 100644 --- a/docs/AI Security/akeyless-ai-insight.md +++ b/docs/AI Security/akeyless-ai-insight.md 
@@ -1,8 +1,11 @@ --- title: Akeyless AI Insights +excerpt: Configure Akeyless AI Insights with supported LLM targets and gateway settings. deprecated: false hidden: false metadata: + title: Akeyless AI Insights + description: Configure Akeyless AI Insights at account and gateway levels with supported LLM targets. robots: index --- ## Overview diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md index c7a868d7e..9bad2d247 100644 --- a/docs/AI Security/identity-and-secrets-intelligence.md +++ b/docs/AI Security/identity-and-secrets-intelligence.md @@ -41,7 +41,7 @@ The current Inventory implementation exposes finding details for secret, identit The current Scanner implementation supports creating scanners, starting scans, stopping active scans, reviewing scan history, and navigating from a running scan directly to **Inventory**. -### Control Access With RBAC +### Control Access With Role-Based Access Control (RBAC) Use the `isi-access` administrative rule on a role to control access to Identity and Secrets Intelligence. diff --git a/docs/AI Security/prompt-injection-protection-for-ai-agents.md b/docs/AI Security/prompt-injection-protection-for-ai-agents.md index 3d0d5a27e..424c846f1 100644 --- a/docs/AI Security/prompt-injection-protection-for-ai-agents.md +++ b/docs/AI Security/prompt-injection-protection-for-ai-agents.md @@ -1,8 +1,11 @@ --- title: Prompt Injection Protection for AI Agents +excerpt: Reduce prompt-injection credential risk in AI agents with secretless runtime access patterns. deprecated: false hidden: false metadata: + title: Prompt Injection Protection for AI Agents + description: Learn how secretless runtime access and layered controls reduce prompt-injection risk for AI agent workflows. robots: index --- ## Overview 
diff --git a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md index b6575c13b..c2abbe143 100644 --- a/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md +++ b/docs/Integrations & Plugins/cli-reference/cli-reference-access-roles.md @@ -66,7 +66,7 @@ akeyless create-role --name `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. -`--isi-access`: Allow this role to access [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). Currently only `none`, `scoped`, and `all` values are supported. +`--isi-access`: Allow this role to access **Identity & Secrets Intelligence**. Currently only `none`, `scoped`, and `all` values are supported. For details, see [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. @@ -291,7 +291,7 @@ akeyless update-role -n \ `--event-forwarders-access`: Allow this role to manage Event Forwarders. Currently only 'none' and 'all' values are supported. -`--isi-access`: Allow this role to access [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). Currently only `none`, `scoped`, and `all` values are supported. +`--isi-access`: Allow this role to access **Identity & Secrets Intelligence**. Currently only `none`, `scoped`, and `all` values are supported. For details, see [Identity and Secrets Intelligence](https://docs.akeyless.io/docs/identity-and-secrets-intelligence). `--reverse-rbac-access`: Allow this role to view Reverse RBAC. Supported values: '`own`', '`all`'. From 645cbc908b55397e448d951f84f0fed046b41bb4 Mon Sep 17 00:00:00 2001 
From: harrison-akeyless Date: Thu, 14 May 2026 10:09:45 -0600 Subject: [PATCH 20/24] Update docs/AI Security/MCP/index.md Co-authored-by: EldadH89 <79397481+EldadH89@users.noreply.github.com> --- docs/AI Security/MCP/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/AI Security/MCP/index.md b/docs/AI Security/MCP/index.md index 703aca27a..d7bde3ae0 100644 --- a/docs/AI Security/MCP/index.md +++ b/docs/AI Security/MCP/index.md @@ -10,7 +10,7 @@ metadata: description: Overview of Akeyless MCP content, requirements, and supported integrations. robots: index --- -The Akeyless Model Context Protocol (MCP) Server lets MCP-enabled tools connect to your Akeyless identity security platform through the Akeyless CLI. This section explains the MCP server, its command syntax, and the supported client integrations documented by Akeyless. +The Akeyless Model Context Protocol (MCP) Server lets MCP-enabled tools connect to your Akeyless identity security platform through the Akeyless CLI or Gateway. This section explains the MCP server, its command syntax, and the supported client integrations documented by Akeyless. Model Context Protocol (MCP) is an open protocol that standardizes how an AI client discovers tools and sends tool calls to an external server. In this model, your MCP client (for example, Claude Desktop, Cursor, or GitHub Copilot) launches the Akeyless MCP server locally over `stdio`, then uses it to run authorized operations against Akeyless resources. From 98c77334011500e4c44a1b5f30edcd62ba1dfa12 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 10:16:47 -0600 Subject: [PATCH 21/24] docs: expand ISI operational views and monitoring workflow --- .../identity-and-secrets-intelligence.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/AI Security/identity-and-secrets-intelligence.md b/docs/AI Security/identity-and-secrets-intelligence.md index 15dd495a8..1689ab6cd 100644 
--- a/docs/AI Security/identity-and-secrets-intelligence.md
+++ b/docs/AI Security/identity-and-secrets-intelligence.md
@@ -41,6 +41,25 @@ The current Inventory implementation exposes finding details for secret, identit
 The current Scanner implementation supports creating scanners, starting scans, stopping active scans, reviewing scan history, and navigating from a running scan directly to **Inventory**.
+## Operational Views
+
+Use these views to move from high-level posture checks to specific remediation tasks:
+
+* **Dashboard**: Review high-level counts, trends, and status indicators that show where investigation is needed.
+* **Inventory**: Drill into findings by type, status, and severity, then open finding details for follow-up actions.
+* **Scanners**: Track scanner status, launch or stop scans, and review scan history before validating outcomes in **Inventory**.
+* **Policies**: Review policy scope and status, then enable or adjust policies based on findings from Dashboard and Inventory.
+
+## Example Monitoring Workflow
+
+Use this workflow when you need a repeatable operating pattern for Identity and Secrets Intelligence:
+
+1. Open **Dashboard** to identify the highest-priority signals.
+2. Open **Inventory** to filter and triage findings by type and status.
+3. Open **Scanners** to run targeted scans for affected environments.
+4. Open **Policies** to validate that controls match your risk posture.
+5. Return to **Dashboard** and **Inventory** to verify that remediation changes are reflected.
+
 ### Policy Types And Examples
 Identity and Secrets Intelligence policies are organized by finding type. In the current implementation, common policy categories include:
From d136c00532e85e5f012600f67699415d0ce37b9e Mon Sep 17 00:00:00 2001
From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 10:22:42 -0600 Subject: [PATCH 22/24] docs: make mcp secret-name optional in ARA setup --- docs/AI Security/agentic-runtime-authority.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index 88fff3fc8..07a5b946a 100644 --- a/docs/AI Security/agentic-runtime-authority.md +++ b/docs/AI Security/agentic-runtime-authority.md @@ -159,8 +159,6 @@ Use the following configuration template for both **Claude** and **Cursor**. Rep "mcp-runtime-authority", "--gateway-url", "https://:8000", - "--secret-name", - "full/path/to/secret", "--profile", "profile_name" ] 
@@ -173,14 +171,14 @@ Where: * `gateway-url`: The Gateway URL where the Dynamic Secret exists. -* `secret-name`: An optional default secret path for the `query-db` MCP tool. This does not replace RBAC scoping for the server. Use role rules and secret permissions to restrict which secrets the profile can access. If the profile has access to multiple paths, the agent can resolve the target secret path at runtime. +* `secret-name`: Optional. Use this only when you want to set a default path for the `query-db` MCP tool. This does not replace RBAC scoping for the server. Use role rules and secret permissions to restrict which secrets the profile can access. * `profile`: The CLI profile with the required RBAC permissions for working with Agentic Runtime Authority. When the MCP server is running, it exposes these workflows: * `list-secrets`: Lists ARA-supported secrets that the current profile can access. -* `query-db`: Runs database queries. `payload` and `agent-id` are required, and `secret-name` is required unless the server was started with a default secret. +* `query-db`: Runs database queries. `payload` and `agent-id` are required. `secret-name` is required per request only when no default `--secret-name` was provided at server startup. * `service-execute`: Runs service actions against supported service targets. `secret-name`, `payload`, and `agent-id` are required. For OAuth-backed service flows, `service-execute` can also require `auth-code` and `state` on the follow-up call after the server returns an authorization URL. From 7d831ddf1fb47501d6f0b8d584e983e031b1c1da Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 10:24:03 -0600 Subject: [PATCH 23/24] docs: add explicit ARA policy and traceability summary --- docs/AI Security/agentic-runtime-authority.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md index 07a5b946a..5e767d60f 100644 --- a/docs/AI Security/agentic-runtime-authority.md +++ b/docs/AI Security/agentic-runtime-authority.md @@ -26,6 +26,12 @@ Agentic Runtime Authority extends Akeyless AI security beyond secretless credent Agentic Runtime Authority policy controls are central to secure agent execution. Input and output rules define what the agent can send and what data it can receive, and each runtime session is traceable for monitoring and audit workflows. +## Policy Control And Traceability Summary + +* **What the agent can do**: Input rules constrain allowed requests, and output rules constrain what can be returned. +* **How access is enforced**: Runtime behavior is scoped by role rules and secret permissions. +* **How actions are traced**: Each runtime session and query event is recorded for monitoring and audit use cases. + The current implementation exposes Agentic Runtime Authority in these places: * The **Agentic Runtime Authority** step or details tab on supported Dynamic Secrets in the Akeyless Console From c9e161fe5be48a61455fb0d34025897c4768995a Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Thu, 14 May 2026 10:31:33 -0600 Subject: [PATCH 24/24] DOCS-395: Update Agentic Runtime Authority documentation with policy controls and secret type clarifications - Highlight policy controls and traceability summary with dedicated subsections - Clarify support for dynamic, rotated, and static secrets - Emphasize AI Insights as required prerequisite - Make CLI optional for MCP-based workflows - Add policy context to input/output rules - Mention rotated and static secrets in control descriptions --- docs/AI Security/agentic-runtime-authority.md | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) 
diff --git a/docs/AI Security/agentic-runtime-authority.md b/docs/AI Security/agentic-runtime-authority.md
index 5e767d60f..1a7936a09 100644
--- a/docs/AI Security/agentic-runtime-authority.md
+++ b/docs/AI Security/agentic-runtime-authority.md
@@ -13,24 +13,35 @@ metadata: > > Agentic Runtime Authority is currently in early access. Features, behavior, and availability can change between releases. -Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, **runtime control** means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. +Agentic Runtime Authority allows AI agents to securely communicate with protected resources through the [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview). It provides controlled, authorized access so agents can interact with supported secrets without exposing long-lived credentials. In this context, **runtime control** means the authorization checks and input or output rules that Akeyless enforces when an agent sends a live request to a protected resource. Policies on Dynamic Secrets define what agents can and cannot do—input rules restrict allowed operations, and output rules filter returned data—ensuring secure and compliant runtime execution. **Agentic Runtime Authority** currently supports these target categories for runtime execution: * **Database targets**: MySQL, PostgreSQL, MSSQL, Oracle, Snowflake, HanaDB, Redshift, MongoDB, Redis, and Cassandra. * **Service targets**: AWS, GCP, Azure, and GitHub. -The `runtime-authority` command and the MCP execution tools operate on supported dynamic, rotated, and static secrets. Static secrets are typically used for OAuth 2.1-based MCP workflows and connection-string-based integrations. 
+The `runtime-authority` command and the MCP execution tools operate on supported:
-Agentic Runtime Authority extends Akeyless AI security beyond secretless credential retrieval by adding runtime controls and reporting for agent access.
+* **Dynamic secrets**: For temporary, rotated credentials.
+* **Rotated secrets**: For regularly rotated credentials.
+* **Static secrets**: Typically used for OAuth 2.1-based MCP workflows and connection-string-based integrations.
-Agentic Runtime Authority policy controls are central to secure agent execution. Input and output rules define what the agent can send and what data it can receive, and each runtime session is traceable for monitoring and audit workflows.
+Agentic Runtime Authority extends Akeyless AI security beyond secretless credential retrieval by adding runtime controls and reporting for agent access.
 ## Policy Control And Traceability Summary
-* **What the agent can do**: Input rules constrain allowed requests, and output rules constrain what can be returned.
-* **How access is enforced**: Runtime behavior is scoped by role rules and secret permissions.
-* **How actions are traced**: Each runtime session and query event is recorded for monitoring and audit use cases.
+Agentic Runtime Authority policy controls are central to secure agent execution. **Input and output rules define what the agent can send and what data it can receive**, and each runtime session is traceable for monitoring and audit workflows.
+
+### Control: What the Agent Can and Cannot Do
+
+* **Input rules**: Constrain what the agent is allowed to send (queries, prompts, commands) when accessing dynamic, rotated, or static secrets. Blocked requests are denied before reaching the target.
+* **Output rules**: Constrain what data can be returned to the agent from protected resources. Blocked response content is filtered or redacted.
+
+### Traceability: Full Audit Trail
+
+* **Session recording**: Each runtime session and query event is recorded with full context.
+* **Access scope**: Runtime behavior is scoped by role rules and secret permissions.
+* **Monitoring and audit**: Use the `ara-reports-access` role rule to grant access to Agentic Runtime Authority reporting data for compliance and investigation workflows.
 The current implementation exposes Agentic Runtime Authority in these places:
@@ -45,12 +56,12 @@ The current implementation exposes Agentic Runtime Authority in these places:
 ## Prerequisites
 * [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) version `4.51.0` or later.
-* [AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway.
+* **[AI Insights](https://docs.akeyless.io/docs/akeyless-ai-insight) enabled on the Gateway.** This is required for runtime authority functionality.
 * A Dynamic Secret configured with Agentic Runtime Authority enabled.
 * A role with access to the relevant Dynamic Secret and, when required, reporting access to Agentic Runtime Authority.
 * An authentication method associated with that role.
 * A supported desktop client, such as Claude Desktop or Cursor, if you plan to use MCP.
-* CLI version `1.144.0` or later, only when you plan to use CLI-based setup or execution flows.
+* _(Optional)_ Akeyless CLI version `1.144.0` or later when you plan to use CLI-based setup or execution flows. CLI is not required for MCP-based workflows or direct Gateway queries via API.
 ## Control Access With RBAC