CLI Client Reference

This section describes the CLI Client help documentation.

The CLI Client implements the REST API, providing an alternate interface for managing Conjur resources, including roles, privileges, policy, and secrets. You can start a CLI client session as a container local to the Conjur appliance, or remotely on a workstation.

For details on how to install the CLI Client, see CLI Client Setup

Commands

For CLI documentation, use the command line help options:

To see a list of CLI commands, enter conjur --help .

 
# conjur --help
NAME
    conjur - Command-line toolkit for managing roles, resources and privileges

SYNOPSIS
    conjur [global options] command [command options] [arguments...]

VERSION
    6.2.0

GLOBAL OPTIONS
    --help    - Show this message
    --version - Display the program version

COMMANDS
    authn       - Login and logout
    check       - Check for a privilege on a resource
    env         - Use values of Conjur variables in local context
    help        - Shows a list of commands or help for one command
    host        - Manage hosts
    hostfactory - Manage host factories
    init        - Initialize the Conjur configuration
    ldap-sync   - LDAP sync management commands
    list        - List objects
    plugin      - Manage plugins
    policy      - Manage policies
    pubkeys     - Public keys service operations
    resource    - Manage resources
    role        - Manage roles
    show        - Show an object
    user        - Manage users
    variable    - Manage variables

Sub-commands

To see a list of sub-commands:

 
# conjur <command> --help

For example, to see the sub commands under the user command:

 
# conjur user --help
NAME
    user - Manage users

SYNOPSIS
    conjur [global options] user rotate_api_key [--user arg|-u arg]
    conjur [global options] user update_password [-p arg|--password arg]

COMMANDS
    rotate_api_key  - Rotate a user's API key
    update_password - Update the password of the logged-in user

To see help on a specific sub-command:

 
# conjur <command> <subcommand> --help

For example, get syntax and options for the user list subcommand:

 
# conjur user update_password --help
NAME
    update_password - Update the password of the logged-in user

SYNOPSIS
    conjur [global options] user update_password [command options] 

COMMAND OPTIONS
    -p, --password=arg - Password to use, otherwise you will be prompted (default: none)

Troubleshooting

Before you run a CLI command, use RESTCLIENT_LOG=stderr conjur <command> to see a list of the API queries used by the CLI.

RestClient is a gem Conjur uses in the CLI to make REST API calls and it supports debug mode with the RESTCLIENT_LOG environment variable.

For example, to see the list of API queries used by authn login:

 
$ RESTCLIENT_LOG=stderr conjur authn login

This syntax sets the environment variable RESTCLIENT_LOG to the value of stderr for the specified command.

You can redirect the output to a file:

 
$ export RESTCLIENT_LOG=conjur.log

 

 
$ conjur show variable:vaultName/lob8/safe_0/obj_832/password
{
  "created_at": "2019-03-07T11:36:11.391+00:00",
  "id": "cucumber:variable:vaultName/lob8/safe_0/obj_832/password",
  "owner": "cucumber:policy:vaultName/lob8/safe_0",
  "policy": "cucumber:policy:vaultName/lob8/safe_0",
  "permissions": [
    {
      "privilege": "execute",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "privilege": "read",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "annotations": [
    {
      "name": "cyberark-vault",
      "value": "true",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "name": "cyberark-vault/accounts",
      "value": "vaultName/safe_0/obj_832",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "secrets": [
    {
      "version": 1,
      "expires_at": null
    },
    {
      "version": 2,
      "expires_at": null
    },
    {
      "version": 3,
      "expires_at": null
    },
    {
      "version": 4,
      "expires_at": null
    },
    {
      "version": 5,
      "expires_at": null
    },
    {
      "version": 6,
      "expires_at": null
    },
    {
      "version": 7,
      "expires_at": null
    }
  ]
}
$ conjur variable value vaultName/lob8/safe_0/obj_832/password
secret123
$ cat conjur.log
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/resources/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"eyJwcm90ZWN0ZWQiOiJleUpoYkdjaU9pSmpiMjVxZFhJdWIzSm5MM05zYjNOcGJHOHZkaklpTENKcmFXUWlPaUkxTldVNVptRTNaVE01TkRrNFl6SXlaV1JsTkRReFpEazJNR05qTVdZNFlpSjkiLCJwYXlsb2FkIjoiZXlKemRXSWlPaUpoWkcxcGJpSXNJbWxoZENJNk1UVTFNak15TVRFME9IMD0iLCJzaWduYXR1cmUiOiJFYTVncVdRSG03aE83aE00SzZKVlA3X1lPWFU0VV9Sd0t1SWE2Y0s2Y2w0VkRVTERPZFEzQlJIM0tKQzRmdW9VMTNfT21wYTEtY190TTJacXJETFFZSFc4MWpvTG55TWpGZGZUX09TU3d3dWlNRnNMeENwMzU0N3l4Vzd2QkpXMUZzS21OU2RyblI2MXc4Yk9MUTVNeVNGa3BzRjVqSU1sWDQxT1pQWmRzNnFhX19lUExpbWFIcl9mbHk2X0M0dkE0WVdVX0JMQlhXUVJsZjdJYTFNYVphd0s1OXY5N2xKbU1nWUtiMFlVSFp1aTU0RGRvTTM4ZVFLdXVaWWJYWkZJUzJjSTBXdWk0OGFkYXBGampUM29VMTloN1VLUGxMZXZoZmxDOTdyS1dlU01lUThaN2kxQ2luMWlGSmlCQk9BUERoVjREamIyQ2lKbEdxeU43UFZPNjBJeUYzRlVGeW80b183amtXVVVIX2s4MlB2WTB4cFBZeDJBcm5sTXN4R3MifQ==\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 961 bytes
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/secrets/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword/", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"eyJwcm90ZWN0ZWQiOiJleUpoYkdjaU9pSmpiMjVxZFhJdWIzSm5MM05zYjNOcGJHOHZkaklpTENKcmFXUWlPaUkxTldVNVptRTNaVE01TkRrNFl6SXlaV1JsTkRReFpEazJNR05qTVdZNFlpSjkiLCJwYXlsb2FkIjoiZXlKemRXSWlPaUpoWkcxcGJpSXNJbWxoZENJNk1UVTFNak15TVRFM00zMD0iLCJzaWduYXR1cmUiOiJlMGNmdkJpWVBxYUt1UVF1V05sU2tqSk9vYXVYMVhld05LbFpaSi1UU1hQdXdrdzZjZmp2Vjg5bXVNeEp6Mzczc3BEZWFrZGZia3dZS3gwdmNEdFJvYlJSOURrR2hTWFVkZ1M1Ny1xelVrYVFTZ0xSd2dqWGp2RWpTeXFvV3VPazdwQzktWGdOUlFMTHBrbEhSQllSUUFacUZTdk1hOHJWMnZWdkhGVDZzYTBHMEZ2VGROZlNKV0lqVkZ2S0NzMnNSOUstVUR4UU5JWTE0MFVpd1FHb3dUUHdKdW90eVRjYjhRNEVMUk5wUnotVnZpZ0R2QzNZcEpDSndiZEJtRmN2SE5xeXBOd3U0alRrbXdWTVYzWjJvZ096UHFmeG5za1FtSFVUa21YeVdfdlg4SzRkWHpfeW8zTDR0d1BxZy1Pcmg5d1RCbjVtNG43NlZNai04S1U5Zk52RXh4eXM4TlpoUWk5RnZCZnVZRUxYYlNfWFdON3M3dUdzTEVMZnBPbjIifQ==\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/octet-stream 9 bytes
 

This is raw protocol dump and can contain secrets, like the API key above. Use caution when using this DEBUGGING-only feature.

 
True