Set up the Conjur CLI

This topic describes how to set up the Conjur CLI v8.x.

  • FIPS-enabled machines support Conjur CLI v7.x and v8.x only.

  • Conjur CLI v8.x does not store credentials in a .netrc file by default, which is required by Summon and other tools. If you use Summon, you must include the --force-netrc flag on calls to conjur init.

The Conjur CLI implements the Conjur REST API, providing an alternate interface for managing Conjur resources, including roles, privileges, policy, and secrets.

System requirements

This section describes the system requirements for Conjur CLI v8.x.

Supported platforms

  • Windows 10 or later

  • Red Hat Enterprise Linux 7, 8

  • macOS Catalina or later

Supported Conjur version

Conjur Open Source v1.19.2 and later

Install the Conjur CLI

This section describes how to install the Conjur CLI.

All Conjur artifacts are cryptographically signed archives. We strongly recommend verifying archive signatures before installing them in your environment. For more information, see Verify signed Conjur artifacts.

Conjur CLI v8.x does not support installation from PIP.

Use the installation method appropriate for your environment:

Windows

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Download the latest Conjur CLI archive file. For download links, see Version 12.9.

  3. Recommended: To enable running the Conjur CLI from anywhere on your machine, add the path to the folder containing the conjur executable to your system's PATH environment variable.

    You can set PATH globally using the Windows Environment Variables configuration, which can be accessed by searching for 'path'.

  4. To verify the Conjur CLI version, run conjur --version.

  5. Delete the archive file.

Linux and macOS

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Download the latest Conjur CLI archive file. For download links, see Version 12.9.

  3. Extract the downloaded file.

     
    tar -xvf conjur-cli-go_8.0.1_<version>.tar.gz
  4. Give execute permissions to the conjur executable:

     
    chmod +x conjur
  5. Recommended: To enable running the Conjur CLI from anywhere on your machine, do one of the following:

    • Move the conjur executable to your machine's /usr/local/bin directory:

       
      sudo mv conjur /usr/local/bin
    • Update your system's PATH variable with the path to the folder containing the conjur executable:

      1. Update your system's RC file (for example, .bashrc or .zshrc):

         
        PATH="/path/to/conjur/cli:$PATH"
      2. Force reload:

         
        source ~/<RC file>
  6. To verify the Conjur CLI version, in the Terminal run conjur --version.

    Alternatively, run ./conjur --version from the location of the executable.

  7. Delete the archive file.

 

When you run the Conjur CLI for the first time, the initial setup might take a few moments. After that, all commands should run seamlessly.

Configure Conjur CLI access to Conjur

To start using the Conjur CLI to interface with Conjur:

  1. Initialize the Conjur CLI

    Provide the details of the Conjur server that you are working with (see init). For instructions on using OIDC to authenticate to the Conjur CLI, see OIDC Authenticator for Conjur UI and Conjur CLI authentication.

     
    conjur init --url https://<conjur-server-endpoint> --account <conjur-account>

    • conjur-server-endpoint: The URL of the Conjur server, beginning with https://

    • conjur-account: The organizational account assigned to this Conjur server during configuration

  2. Authenticate to Conjur

    Log in to Conjur using your user credentials or the Conjur admin user. For more login options and information, see login.

     
    conjur login
  3. Enter credentials (username and password) when prompted. Your credentials are saved to the operating system's credential store by default, or to the netrc file if there is no credential store. For more information, see Credential store below.

Credential store

When you log in to the Conjur CLI, your login credentials (username and password) are stored in the system's native credential store by default.

When the supported credential store for your platform is not native on your machine, or is not accessible, the Conjur CLI writes your credentials in plaintext to a config file (netrc) on the machine. In this case, for security purposes we strongly recommend that you log out of the CLI (conjur logout) when you are not using it. Logging out removes the credentials from the netrc file.
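
The plaintext fallback described above can be checked for on a host. The following script is an added example, not part of the Conjur documentation or the CLI: it reports whether a netrc file still holds a password for a given Conjur host and whether that file is readable beyond its owner. The file path, the host name conjur.example.com, and matching on a machine value that contains the host name are assumptions.

```shell
#!/bin/sh
# Added example: audit a netrc file for Conjur credentials left in plaintext.
# Assumptions: the caller supplies the netrc path and the Conjur host; the
# entry's "machine" value contains that host name.

# Succeeds if FILE has a machine entry containing HOST that carries a password.
netrc_has_conjur_creds() {
  awk -v host="$2" '
    { for (i = 1; i <= NF; i++) {
        if (key == "machine") { m = $i; key = "" }
        else if (key == "password") { if (index(m, host)) found = 1; key = "" }
        else if (key == "login" || key == "account") { key = "" }
        else key = $i
      } }
    END { exit !found }' "$1"
}

# Succeeds if group or others hold any permission bit on FILE.
netrc_perms_loose() {
  [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Returns 0 = no Conjur credentials found, 1 = present in an owner-only file,
# 2 = present and the file is accessible beyond its owner.
audit_netrc() {
  file=$1 host=$2
  [ -f "$file" ] || return 0
  netrc_has_conjur_creds "$file" "$host" || return 0
  if netrc_perms_loose "$file"; then
    echo "FAIL: $file holds plaintext credentials for $host and is not owner-only"
    return 2
  fi
  echo "WARN: $file holds plaintext credentials for $host; run 'conjur logout' when idle"
  return 1
}

# Constructed sample (not real credentials) so the script runs offline.
sample=$(mktemp)
printf 'machine https://conjur.example.com/authn\n  login alice\n  password constructed-value\n' > "$sample"
chmod 644 "$sample"
rc=0; audit_netrc "$sample" conjur.example.com || rc=$?
echo "audit status: $rc"
rm -f "$sample"
```

To audit a real account, call audit_netrc with the path of the user's netrc file and the host name passed to conjur init.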

Supported credential stores

Platform    Supported credential store
Windows     Windows Credential Locker/Password Vault
RHEL        Free Desktop Secret Service (see the notes below)
macOS       Apple macOS keychain

Notes for RHEL:

  • We strongly recommend that you install a credential store when working with RHEL.

  • RHEL servers that have only a command-line interface (no GUI) do not come with a native credential store. In this case, you must configure your environment to allow the Conjur CLI to save credentials to the Secret Service keyring backend. Make sure you have the following on the machine:

    • GNOME Keyring with a Secret Service backend

    • A running D-Bus session

    • An unlocked store