login command to log in a user or host to Conjur Cloud.
For users, the login process triggers authentication against your identity provider (IdP), whether you are using CyberArk Identity or an external IdP.
You can add the login credentials in the arguments of the
login command. If these are not provided, when the
login command runs the user/host is prompted to enter required login credentials.
The username/host id and Conjur Cloud access token are saved to the operating system's credential store, or to the conjur_credentials file if there is no credential store. For more information, see Credential store.
Enable debugging output.
-i VALUE, --id VALUE
(Optional) A login name to log in to Conjur Cloud.
For a host, the login name should be
-p VALUE, --password VALUE
(Optional) A password or API key for the specified login name.
Relevant when logging in to Conjur Cloud using CyberArk Identity.
The password is stored in the shell's history together with the rest of the data from the CLI call. It is strongly recommended to clean this sensitive data from the history at the end of the session.
Display the help screen.
The following command prompts for the user/host's credentials for logging in to Conjur Cloud:
For users, the username triggers authentication through the ISPSS or through an external IdP, depending on how your tenant is configured.
The following command prompts for the firstname.lastname@example.org user's password:
conjur login -i email@example.com
The following command opens a browser for authentication through a configured external IdP:
conjur login -i firstname.lastname@example.org
The following command prompts for the /data/myhost host's API key:
conjur login -i host/data/myhost
The following command logs the email@example.com user in without prompting for any credentials:
conjur login -i firstname.lastname@example.org -p Myp@ssw0rd!
When you log in to the Conjur Cloud CLI, your login credentials (username and
When the supported credential store for your platform is not native on your machine, or is not accessible, the Conjur Cloud CLI writes your credentials in plaintext to a config file (
conjur logout) when you are not using it. Logging out removes the credentials from the
In addition, when the -p ( or --password) option is passed, the password is stored in the shell's history together with the rest of the data from the CLI call. We strongly recommend cleaning this sensitive data from the history at the end of the CLI session.