login

Use the login command to log in a user or host to Conjur Cloud.

For users, the login process triggers authentication against your identity provider (IdP), whether you are using CyberArk Identity or an external IdP.

Usage

conjur [global options] login [options] [args]

You can add the login credentials in the arguments of the login command. If these are not provided, when the login command runs the user/host is prompted to enter required login credentials.

The username/host id and Conjur Cloud access token are saved to the operating system's credential store, or to the conjur_credentials file if there is no credential store. For more information, see Credential store.

Global options

Option	Description
-d, --debug	Enable debugging output.

Options

Option	Description
-i VALUE, --id VALUE	(Optional) A login name to log in to Conjur Cloud. For a host, the login name should be `host/<full host path>`. If the login name contains special characters that might interfere with your terminal, surround it with single quotes, for example, `-i 'alice@example.com'` If you do not provide a login name, Conjur Cloud prompts for one.
-p VALUE, --password VALUE	(Optional) A password or API key for the specified login name. Relevant when logging in to Conjur Cloud using CyberArk Identity. The password is stored in the shell's history together with the rest of the data from the CLI call. It is strongly recommended to clean this sensitive data from the history at the end of the session. If the password/API key contains special characters that might interfere with your terminal, surround it with single quotes, for example, `-p 'Myp@ssw0rd!'` If you do not provide a password/API key, Conjur Cloud prompts for one Password is not relevant for federated users from an external IdP
-h, --help	Display the help screen.

Option

Description

-i VALUE, --id VALUE

(Optional) A login name to log in to Conjur Cloud.

For a host, the login name should be host/<full host path>.

If the login name contains special characters that might interfere with your terminal, surround it with single quotes, for example, -i 'alice@example.com'
If you do not provide a login name, Conjur Cloud prompts for one.

-p VALUE, --password VALUE

(Optional) A password or API key for the specified login name.

Relevant when logging in to Conjur Cloud using CyberArk Identity.

The password is stored in the shell's history together with the rest of the data from the CLI call. It is strongly recommended to clean this sensitive data from the history at the end of the session.

If the password/API key contains special characters that might interfere with your terminal, surround it with single quotes, for example, -p 'Myp@ssw0rd!'
If you do not provide a password/API key, Conjur Cloud prompts for one
Password is not relevant for federated users from an external IdP

-h, --help

Display the help screen.

Examples

The following command prompts for the user/host's credentials for logging in to Conjur Cloud:

conjur login

For users, the username triggers authentication through the ISPSS or through an external IdP, depending on how your tenant is configured.

The following command prompts for the alice@example.com user's password:

conjur login -i alice@example.com

The following command opens a browser for authentication through a configured external IdP:

conjur login -i alice@external-idp.com

The following command prompts for the /data/myhost host's API key:

conjur login -i host/data/myhost

The following command logs the alice@example.com user in without prompting for any credentials:

conjur login -i alice@example.com -p Myp@ssw0rd!

When you log in to the Conjur Cloud CLI, your login credentials (username and Conjur Cloud access token) are stored in the system's native credential store by default.

When the supported credential store for your platform is not native on your machine, or is not accessible, the Conjur Cloud CLI writes your credentials in plaintext to a config file (conjur_credentials) on the machine. In this case, for security purposes we strongly recommend that you log out of the CLI (conjur logout) when you are not using it. Logging out removes the credentials from the conjur_credentials file.

In addition, when the -p ( or --password) option is passed, the password is stored in the shell's history together with the rest of the data from the CLI call. We strongly recommend cleaning this sensitive data from the history at the end of the CLI session.