Set up the Conjur Cloud CLI
This topic describes how to set up the Conjur Cloud CLI v1.0.x.
The Conjur Cloud CLI implements the Conjur Cloud REST API, providing an alternate interface for managing Conjur Cloud resources, including roles, privileges, policy, and secrets.
System requirements
This section describes the system requirements for Conjur Cloud CLI v1.0.x.
Supported platforms
TLS requirements
Conjur Cloud requires TLS v1.2. The client must support the following TLS ciphers:
Install the Conjur Cloud CLI
This section describes how to install the Conjur Cloud CLI.
All Conjur Cloud artifacts are cryptographically signed archives. We strongly recommend verifying archive signatures before installing them in your environment. For more information, see Verify signed artifacts.
Windows
- If you have an earlier version of the Conjur Cloud CLI installed, uninstall it. For details, see Uninstall the Conjur Cloud CLI.
- Download the latest Conjur Cloud CLI archive file (conjurcloudcli-windows-Rls-<latest CLI>.zip) from the CyberArk Marketplace.
- Unzip the downloaded file.
- Recommended: To enable running the Conjur Cloud CLI from anywhere on your machine, add the path to the folder containing the conjur executable to your system's PATH environment variable.
  You can set PATH globally using the Windows Environment Variables configuration, which can be accessed by searching for 'path'.
- To verify the Conjur Cloud CLI version, run:
  conjur --version
- Delete the archive file.
RHEL
- If you have an earlier version of the Conjur Cloud CLI installed, uninstall it. For details, see Uninstall the Conjur Cloud CLI.
- Download the latest Conjur Cloud CLI archive file (conjurcloudcli-rhel<RHEL version>-Rls-<latest CLI>.zip) from the CyberArk Marketplace.
- Extract the downloaded file:
  tar -xvf conjurcloudcli-rhel<RHEL version>-Rls-v1.0.x.zip
- Give execute permissions to the conjur executable:
  chmod +x conjur
- Recommended: To enable running the Conjur Cloud CLI from anywhere on your machine, do one of the following:
  - Move the conjur executable to your machine's /usr/local/bin directory:
    sudo mv conjur /usr/local/bin
  - Update your system's PATH variable with the path to the folder containing the conjur executable:
    - Update your system's RC file (for example, .bashrc):
      PATH="/path/to/conjurcloud/cli:$PATH"
    - Force reload:
      source ~/<RC file>
- To verify the Conjur Cloud CLI version, run:
  conjur --version
  Alternatively, run the following from the location of the executable:
  ./conjur --version
- Delete the archive file.
macOS
- If you have an earlier version of the Conjur Cloud CLI installed, uninstall it. For details, see Uninstall the Conjur Cloud CLI.
- Download the latest Conjur Cloud CLI disk image file (conjurcloudcli-mac-Rls-<latest CLI>.dmg) from the CyberArk Marketplace.
- Double-click the file that you downloaded.
- Drag ConjurCloudCLI.app to your Applications folder.
- Recommended: To enable running the Conjur Cloud CLI from anywhere on your machine, from the Terminal do one of the following:
  - Option 1: Create a symbolic link between the ConjurCLI application and your machine's /usr/local/bin directory:
    ln -s -f /Applications/ConjurCloudCLI.app/Contents/Resources/conjur/conjur /usr/local/bin/conjur
  - Option 2: Update your system's PATH variable with the path to the folder containing the ConjurCLI application:
    - Update your system's RC file (for example, .bashrc):
      export PATH=/Applications/ConjurCloudCLI.app/Contents/Resources/conjur:$PATH
    - Force reload:
      source ~/<RC file>
  Alternatively, you can run the conjur executable by specifying its absolute path:
    /Applications/ConjurCloudCLI.app/Contents/Resources/conjur/conjur --help
- To verify the Conjur Cloud CLI version, in the Terminal run:
  conjur --version
  Alternatively, run the following from the location of the executable:
  ./conjur --version
- Delete the conjurcloudcli-mac-Rls-v1.0.x.dmg file.
When running the Conjur Cloud CLI for the first time, the initial setting up of the CLI might take a few moments. After that, all commands should run seamlessly.
Configure Conjur Cloud CLI access to Conjur Cloud
To use the Conjur Cloud CLI you must be a Conjur Cloud admin or standard user, that is, you must belong to one of the user groups in Conjur Cloud. For more information, contact your tenant admin.
To start using the Conjur Cloud CLI to interface with Conjur Cloud:
- Initialize the Conjur Cloud CLI
  Provide the details of the Conjur Cloud server that you are working with (see init):
  conjur init --url https://<subdomain>.secretsmgr.cyberark.cloud/api
  where subdomain is the tenant subdomain for your organization in the CyberArk Identity Security Platform Shared Services. You can find the subdomain in the URL provided in the Welcome email you received when you were invited to the platform.
- Authenticate to Conjur Cloud
  Log in to Conjur Cloud using your user credentials. For more login options and information, see login.
  conjur login
  Enter credentials (username and password, or host id and API key for non-human identities) when prompted. Your credentials (username/host id and Conjur Cloud access token) are saved to the operating system's credential store by default, or to the conjur_credentials file if there is no credential store. For more information, see Credential store below.
Troubleshooting
Reason: When you use the 'conjur login' command, an SSL certificate error occurs ('unable to get local issuer certificate') if a firewall is used. The firewall has signed the Conjur Cloud certificate; therefore, the certificate provided in the init stage does not match the certificate received from the CLI request.
Solution:
- Connect to Conjur Cloud using the browser with the same URL provided in the init stage, on the same machine that runs the CLI.
- Download the root certificate 'GTS Root R1' from the browser. The file type should be .crt or .cer and the format should be as the image below (it might require you to convert the formats, depending on the operating system in use).
  The file name and format should be cert file.
- Re-run the 'Initialize the Conjur CLI' step, and use the newly created certificate in the 'conjur init' command.
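To confirm the cause described under Troubleshooting, you can inspect the certificate chain that this machine actually receives and check whether it still refers to the 'GTS Root R1' root named above. This is an added example, not CyberArk code; the function names are hypothetical and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: diagnose "unable to get local issuer certificate".
# EXPECTED_ROOT is the root named on this page; function names are hypothetical.
EXPECTED_ROOT="GTS Root R1"

# fetch_chain HOST: print the PEM chain that the server (or a firewall in
# the path) presents to this machine over TLS 1.2. Needs network access.
# Usage: fetch_chain <subdomain>.secretsmgr.cyberark.cloud > chain.pem
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
        -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_names FILE: list subject= and issuer= for every certificate
# in a PEM bundle.
chain_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        grep -E '^(subject|issuer)='
}

# check_chain FILE
#   0 = the expected root is named in the chain
#   1 = it is not; the chain was probably re-signed by an inspection device
#   2 = no certificate could be parsed from FILE
check_chain() {
    names=$(chain_names "$1") || return 2
    [ -n "$names" ] || return 2
    if printf '%s\n' "$names" | grep -q "$EXPECTED_ROOT"; then
        return 0
    fi
    printf 'chain does not mention %s; issuers seen:\n' "$EXPECTED_ROOT" >&2
    printf '%s\n' "$names" | grep '^issuer=' | sort -u >&2
    return 1
}
```

A return value of 1 from check_chain, together with an issuer that belongs to your organization's firewall or proxy, matches the Reason given above.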
Credential store
When you log in to the Conjur Cloud CLI, your login credentials (username and
When the supported credential store for your platform is not native on your machine, or is not accessible, the Conjur Cloud CLI writes your credentials in plaintext to a config file (conjur logout
) when you are not using it. Logging out removes the credentials from the
Supported credential stores
Platform | Supported credential store
---|---
Windows | Windows Credential Locker/Password Vault
RHEL | Free Desktop Secret Service
macOS | Apple macOS keychain
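Because the CLI falls back to a plaintext conjur_credentials file when no credential store is available, it is worth checking whether that fallback has happened on a given RHEL or macOS machine. The following check is an added example, not CyberArk code; the function names are hypothetical, and the file's location is an argument you supply rather than a value taken from this page.

```sh
#!/bin/sh
# Added example (not CyberArk code). The file name conjur_credentials is from
# the page; its location is not assumed and must be passed as an argument.

# file_mode PATH: octal permission bits, using GNU stat or BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_cred_file PATH
#   0 = no file: a credential store is in use, or you are logged out
#   1 = plaintext file present with owner-only permissions
#   2 = plaintext file present and unsafe (symlink, or group/other access)
audit_cred_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "UNSAFE: $f is a symbolic link, which is unexpected"
        return 2
    fi
    if [ ! -e "$f" ]; then
        echo "OK: no plaintext credentials file at $f"
        return 0
    fi
    mode=$(file_mode "$f") || return 2
    case "$mode" in
        0|*00)
            echo "PLAINTEXT: $f (mode $mode); run 'conjur logout' when idle"
            return 1 ;;
        *)
            echo "UNSAFE: $f (mode $mode) is accessible beyond its owner"
            return 2 ;;
    esac
}
```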