Set up the Conjur CLI

This topic describes how to set up the Conjur CLI v7.1.0.

The Conjur CLI implements the Conjur REST API, providing an alternate interface for managing Conjur resources, including roles, privileges, policy, and secrets.

System requirements

This section describes the system requirements for Conjur CLI v7.1.0.

Supported platforms

  • Windows 10 or later

  • Red Hat Enterprise Linux 7, 8

  • macOS Catalina or later

Supported Conjur version

Conjur Enterprise v11.2.1 (5.6.3) and later

Install the Conjur CLI

This section describes how to install the Conjur CLI.

 

All Conjur artifacts are cryptographically signed archives. We strongly recommend verifying archive signatures before installing them in your environment. For more information, see Verify signed Conjur artifacts.

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Download latest Conjur CLI, archive file (conjur-cli-windows.zip) from the Conjur CLI Releases page in GitHub.

  3. Unzip the downloaded file.

  4. Recommended: To enable running the Conjur CLI from anywhere on your machine, add the path to the folder containing the conjur executable to your system's PATH environment variable.

    You can set PATH globally using the Windows Environment Variables configuration, which can be accessed by searching for 'path'

  5. To verify the Conjur CLI version, run conjur --version.

  6. Delete the archive file.

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Download the latest Conjur CLI archive file (conjur-cli-<RHEL version>.tar.gz) from the Conjur CLI Releases page in GitHub.

  3. Extract the downloaded file.

     
    tar -xvf conjurcloud-cli-<RHEL version>.tar.gz
  4. Give execute permissions to the conjur executable:

     
    chmod +x conjur
  5. Recommended: To enable running the Conjur CLI from anywhere on your machine, do one of the following:

    • Move the conjur executable to your machine's /usr/local/bin directory:

       
      $ sudo mv conjur /usr/local/bin
    • Update your system's PATH variable with the path to the folder containing the conjur executable:

      1. Update your system's RC file (for example, .bashrc):

         
        PATH="/path/to/conjur/cli:$PATH"
      2. Force reload:

         
        source ~/<RC file>
  6. To verify the Conjur CLI version, run conjur --version.

    Alternatively, run ./conjur --version from the location of the executable.

  7. Delete the archive file.

This installation method supports macOS Big Sur and later. For macOS Catalina, use the PIP installation (see the PIP tab).

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Download the latest Conjur CLI disk image file (conjurcli.dmg) from the Conjur CLI Releases page in GitHub.

  3. Double-click the file that you downloaded.

  4. Drag ConjurCLI.app to your Applications folder.

  5. Recommended: To enable running the Conjur CLI from anywhere on your machine, from the Terminal do one of the following:

    • Option 1: Create a symbolic link between the ConjurCLI application and your machine's /usr/local/bin directory:

       
      $ ln -s -f /Applications/ConjurCLI.app/Contents/Resources/conjur/conjur /usr/local/bin/conjur
    • Option 2: Update your system's PATH variable with the path to the folder containing the ConjurCLI application:

      1. Update your system's RC file (for example, .bashrc):

         
        $ export PATH=/Applications/ConjurCLI.app/Contents/Resources/conjur:$PATH
      2. Force reload:

         
        source ~/<RC file>

    Alternatively, you can run the conjur executable by detailing its absolute path:

     
    $ ./Applications/ConjurCLI.app/Contents/Resources/conjur/conjur --help
  6. To verify the Conjur CLI version, in the Terminal run conjur --version.

    Alternatively, run ./conjur --version from the location of the executable.

  7. Delete the conjurcli.dmg file.

If you have Python 3.10.1 or later installed on your machine, you can install the Conjur CLI from PyPI (supports all the supported platforms).

 

You must be connected to the Internet to use this installation method.

To install the Conjur CLI from PyPI:

  1. If you have an earlier version of the Conjur CLI installed, uninstall it. For details, see Uninstall the Conjur CLI.

  2. Run:

    pip3 install conjur==7.1.0
  3. To verify that you can use the CLI, run:

    conjur --version
 

When running the Conjur CLI for the first time, the initial setting up of the CLI might take a few moments. After that, all commands should run seamlessly.

Configure Conjur CLI access to Conjur

To start using the Conjur CLI to interface with Conjur:

  1. Initialize the Conjur CLI

    Provide the details of the Conjur server that you are working with (see init):

     
    conjur init --url https://<conjur-server-endpoint>

    where conjur-server-endpoint is the URL of the Conjur server, beginning with https://

  2. Authenticate to Conjur

    Log in to Conjur using your user credentials or the Conjur admin user. For more login options and information see login.

     
    conjur login
  3. Enter credentials (username and password) when prompted. Your credentials are saved to the operating system's credential store by default, or to the netrc file if there is no credential store. For more information, see Credential store below.

Credential store

When you log in to the Conjur CLI, your login credentials (username and password) are stored in the system's native credential store by default.

When the supported credential store for your platform is not native on your machine, or is not accessible, the Conjur CLI writes your credentials in plaintext to a config file (netrc) on the machine. In this case, for security purposes we strongly recommend that you log out of the CLI (conjur logout) when you are not using it. Logging out removes the credentials from the netrc file.

Supported credential stores

Platform

Supported Credentials store

Windows

Windows Credential Locker/Password Vault

RHEL

Free Desktop Secret Service

 
  • We strongly recommend that you install a credential store when working with RHEL.

  • RHEL servers that have only a command-line interface (no GUI) do not come with a native credential store. In this case, you must configure your environment to allow the Conjur CLI to save credentials to the Secret Service keyring backend. Make sure you have the following on the machine:

    • GNOME Keyring with a Secret Service backend

    • A running D-Bus session

    • An unlocked store

macOS

Apple macOS keychain