Conjur CLI (Docker-based)

This section describes the Docker-based Conjur CLI.

  • The Docker-based Conjur CLI will be deprecated by the end of 2022.

    We recommend that all customers migrate to our new Conjur CLI which is already supported and available for use.

  • Summon: Currently the new Conjur CLI does not fully support Summon. If you are using Summon we recommend you continue to use the Docker-based Docker-based Conjur CLI.

The Conjur CLI implements the REST API, providing an alternate interface for managing Conjur resources, including roles, privileges, policy, and secrets. You can start a Conjur CLI session as a container local to the Conjur appliance, or remotely on a workstation. For details on how to start the Conjur CLI container, see Set up the Conjur CLI (Docker-based)

Commands

For all the CLI command line options, see the CLI documentation: For all the CLI command line options, see the CLI documentation: Run conjur --help.

Sub-commands

To see a list of sub-commands:

 
# conjur <command> --help

For example, to see the sub commands under the user command:

 
# conjur user --help
NAME
    user - Manage users

SYNOPSIS
    conjur [global options] user rotate_api_key [--user arg|-u arg]
    conjur [global options] user update_password [-p arg|--password arg]

COMMANDS
    rotate_api_key  - Rotate a user's API key
    update_password - Update the password of the logged-in user

To see help on a specific sub-command:

 
# conjur <command> <subcommand> --help

For example, get syntax and options for the user list subcommand:

 
# conjur user update_password --help
NAME
    update_password - Update the password of the logged-in user

SYNOPSIS
    conjur [global options] user update_password [command options] 

COMMAND OPTIONS
    -p, --password=arg - Password to use, otherwise you will be prompted (default: none)

Troubleshooting

Before you run a CLI command, use RESTCLIENT_LOG=stderr conjur <command> to see a list of the API queries used by the CLI.

RestClient is a gem Conjur uses in the CLI to make REST API calls and it supports debug mode with the RESTCLIENT_LOG environment variable.

For example, to see the list of API queries used by authn login:

 
$ RESTCLIENT_LOG=stderr conjur authn login

This syntax sets the environment variable RESTCLIENT_LOG to the value of stderr for the specified command.

You can redirect the output to a file:

 
$ export RESTCLIENT_LOG=conjur.log

 

 
$ conjur show variable:vaultName/lob8/safe_0/obj_832/password
{
  "created_at": "2019-03-07T11:36:11.391+00:00",
  "id": "cucumber:variable:vaultName/lob8/safe_0/obj_832/password",
  "owner": "cucumber:policy:vaultName/lob8/safe_0",
  "policy": "cucumber:policy:vaultName/lob8/safe_0",
  "permissions": [
    {
      "privilege": "execute",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "privilege": "read",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "annotations": [
    {
      "name": "cyberark-vault",
      "value": "true",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "name": "cyberark-vault/accounts",
      "value": "vaultName/safe_0/obj_832",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "secrets": [
    {
      "version": 1,
      "expires_at": null
    },
    {
      "version": 2,
      "expires_at": null
    },
    {
      "version": 3,
      "expires_at": null
    },
    {
      "version": 4,
      "expires_at": null
    },
    {
      "version": 5,
      "expires_at": null
    },
    {
      "version": 6,
      "expires_at": null
    },
    {
      "version": 7,
      "expires_at": null
    }
  ]
}
$ conjur variable value vaultName/lob8/safe_0/obj_832/password
secret123
$ cat conjur.log
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/resources/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"eyJwcm90ZWN0ZWQiOiJleUpoYkdjaU9pSmpiMjVxZFhJdWIzSm5MM05zYjNOcGJHOHZkaklpTENKcmFXUWlPaUkxTldVNVptRTNaVE01TkRrNFl6SXlaV1JsTkRReFpEazJNR05qTVdZNFlpSjkiLCJwYXlsb2FkIjoiZXlKemRXSWlPaUpoWkcxcGJpSXNJbWxoZENJNk1UVTFNak15TVRFME9IMD0iLCJzaWduYXR1cmUiOiJFYTVncVdRSG03aE83aE00SzZKVlA3X1lPWFU0VV9Sd0t1SWE2Y0s2Y2w0VkRVTERPZFEzQlJIM0tKQzRmdW9VMTNfT21wYTEtY190TTJacXJETFFZSFc4MWpvTG55TWpGZGZUX09TU3d3dWlNRnNMeENwMzU0N3l4Vzd2QkpXMUZzS21OU2RyblI2MXc4Yk9MUTVNeVNGa3BzRjVqSU1sWDQxT1pQWmRzNnFhX19lUExpbWFIcl9mbHk2X0M0dkE0WVdVX0JMQlhXUVJsZjdJYTFNYVphd0s1OXY5N2xKbU1nWUtiMFlVSFp1aTU0RGRvTTM4ZVFLdXVaWWJYWkZJUzJjSTBXdWk0OGFkYXBGampUM29VMTloN1VLUGxMZXZoZmxDOTdyS1dlU01lUThaN2kxQ2luMWlGSmlCQk9BUERoVjREamIyQ2lKbEdxeU43UFZPNjBJeUYzRlVGeW80b183amtXVVVIX2s4MlB2WTB4cFBZeDJBcm5sTXN4R3MifQ==\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 961 bytes
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/secrets/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword/", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"eyJwcm90ZWN0ZWQiOiJleUpoYkdjaU9pSmpiMjVxZFhJdWIzSm5MM05zYjNOcGJHOHZkaklpTENKcmFXUWlPaUkxTldVNVptRTNaVE01TkRrNFl6SXlaV1JsTkRReFpEazJNR05qTVdZNFlpSjkiLCJwYXlsb2FkIjoiZXlKemRXSWlPaUpoWkcxcGJpSXNJbWxoZENJNk1UVTFNak15TVRFM00zMD0iLCJzaWduYXR1cmUiOiJlMGNmdkJpWVBxYUt1UVF1V05sU2tqSk9vYXVYMVhld05LbFpaSi1UU1hQdXdrdzZjZmp2Vjg5bXVNeEp6Mzczc3BEZWFrZGZia3dZS3gwdmNEdFJvYlJSOURrR2hTWFVkZ1M1Ny1xelVrYVFTZ0xSd2dqWGp2RWpTeXFvV3VPazdwQzktWGdOUlFMTHBrbEhSQllSUUFacUZTdk1hOHJWMnZWdkhGVDZzYTBHMEZ2VGROZlNKV0lqVkZ2S0NzMnNSOUstVUR4UU5JWTE0MFVpd1FHb3dUUHdKdW90eVRjYjhRNEVMUk5wUnotVnZpZ0R2QzNZcEpDSndiZEJtRmN2SE5xeXBOd3U0alRrbXdWTVYzWjJvZ096UHFmeG5za1FtSFVUa21YeVdfdlg4SzRkWHpfeW8zTDR0d1BxZy1Pcmg5d1RCbjVtNG43NlZNai04S1U5Zk52RXh4eXM4TlpoUWk5RnZCZnVZRUxYYlNfWFdON3M3dUdzTEVMZnBPbjIifQ==\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/octet-stream 9 bytes
 

This is a raw protocol dump and can contain secrets, like the API key above. Use caution when using this DEBUGGING-only feature.