Conjur CLI (Docker-based)

This section describes the Docker-based Conjur CLI.

The Conjur CLI implements the REST API, providing an alternate interface for managing Conjur resources, including roles, privileges, policy, and secrets. You can start a Conjur CLI session as a container local to the Conjur appliance, or remotely on a workstation. For details on how to start the Conjur CLI container, see Set up the Conjur CLI (Docker-based).

Commands

For all the CLI command line options, see the CLI documentation: run conjur --help.

Sub-commands

To see a list of sub-commands:

 
# conjur <command> --help

For example, to see the sub-commands under the user command:

 
# conjur user --help
NAME
    user - Manage users

SYNOPSIS
    conjur [global options] user rotate_api_key [--user arg|-u arg]
    conjur [global options] user update_password [-p arg|--password arg]

COMMANDS
    rotate_api_key  - Rotate a user's API key
    update_password - Update the password of the logged-in user

To see help on a specific sub-command:

 
# conjur <command> <subcommand> --help

For example, to get the syntax and options for the user update_password sub-command:

 
# conjur user update_password --help
NAME
    update_password - Update the password of the logged-in user

SYNOPSIS
    conjur [global options] user update_password [command options] 

COMMAND OPTIONS
    -p, --password=arg - Password to use, otherwise you will be prompted (default: none)

Troubleshooting

To see a list of the API queries that a CLI command makes, run it as RESTCLIENT_LOG=stderr conjur <command>.

RestClient is the gem that the Conjur CLI uses to make REST API calls. It supports a debug mode that is controlled by the RESTCLIENT_LOG environment variable.

For example, to see the list of API queries used by authn login:

 
$ RESTCLIENT_LOG=stderr conjur authn login

This syntax sets the environment variable RESTCLIENT_LOG to the value of stderr for the specified command.

You can also write the log to a file by setting RESTCLIENT_LOG to a file name:

 
$ export RESTCLIENT_LOG=conjur.log

 

 
$ conjur show variable:vaultName/lob8/safe_0/obj_832/password
{
  "created_at": "2019-03-07T11:36:11.391+00:00",
  "id": "cucumber:variable:vaultName/lob8/safe_0/obj_832/password",
  "owner": "cucumber:policy:vaultName/lob8/safe_0",
  "policy": "cucumber:policy:vaultName/lob8/safe_0",
  "permissions": [
    {
      "privilege": "execute",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "privilege": "read",
      "role": "cucumber:group:vaultName/lob8/safe_0/delegation/consumers",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "annotations": [
    {
      "name": "cyberark-vault",
      "value": "true",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    },
    {
      "name": "cyberark-vault/accounts",
      "value": "vaultName/safe_0/obj_832",
      "policy": "cucumber:policy:vaultName/lob8/safe_0"
    }
  ],
  "secrets": [
    {
      "version": 1,
      "expires_at": null
    },
    {
      "version": 2,
      "expires_at": null
    },
    {
      "version": 3,
      "expires_at": null
    },
    {
      "version": 4,
      "expires_at": null
    },
    {
      "version": 5,
      "expires_at": null
    },
    {
      "version": 6,
      "expires_at": null
    },
    {
      "version": 7,
      "expires_at": null
    }
  ]
}
$ conjur variable value vaultName/lob8/safe_0/obj_832/password
secret123
$ cat conjur.log
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/resources/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"<access token removed>\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 961 bytes
RestClient.post "https://cuke-master/authn/cucumber/admin/authenticate", "3j1aqpew0f2m02njp46c1pg0rft1j23r8a2zx878p3q5nb251njvkqh", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"55", "Content-Type"=>"text/plain", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/json 568 bytes
RestClient.get "https://cuke-master/secrets/cucumber/variable/vaultName%2Flob8%2Fsafe_0%2Fobj_832%2Fpassword/", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"<access token removed>\"", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
# => 200 OK | application/octet-stream 9 bytes
 

This is a raw protocol dump and can contain secrets, like the API key sent in the body of the authenticate requests and the access token in the Authorization header above. Use caution when using this DEBUGGING-only feature.
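Because the raw dump carries the API key and the access token, a log that has to be attached to a ticket should be scrubbed first. The following is an added example, not part of the Conjur documentation: a POSIX shell filter for the log layout shown above, plus a wrapper that keeps only the redacted copy. The function names, the conjur.example host and the sample values are constructed for illustration, and the filter assumes that request bodies appear as the second quoted argument of post/put/patch lines, as in the log above.

```shell
# Added example (not from the Conjur docs). Patterns follow the log layout above.

# Filter: read a RestClient debug log on stdin, write a shareable copy to stdout.
#  1st rule: blank the request body (API key, password) of post/put/patch lines.
#  2nd rule: blank the whole Authorization header value (Token, Basic, ...).
redact_restclient_log() {
  sed -E \
    -e 's#^(RestClient\.(post|put|patch) "[^"]*", )"([^"\\]|\\.)*",#\1"[REDACTED]",#' \
    -e 's#("Authorization"=>)"([^"\\]|\\.)*"#\1"[REDACTED]"#g'
}

# Wrapper: run a command with RESTCLIENT_LOG pointed at a private temp file,
# keep only the redacted copy in OUTFILE, and delete the raw dump.
# Usage: trace_redacted OUTFILE conjur variable value <id>
trace_redacted() {
  out=$1; shift
  raw=$(mktemp) || return 1          # mktemp creates the file with mode 0600
  RESTCLIENT_LOG="$raw" "$@"
  status=$?
  (umask 077; redact_restclient_log <"$raw" >"$out")
  rm -f "$raw"
  return "$status"
}

# Constructed sample in the same layout as the log above (all values made up).
sample_log() {
  cat <<'EOF'
RestClient.post "https://conjur.example/authn/demo/admin/authenticate", "constructed-api-key-0001", "Accept"=>"*/*", "Content-Type"=>"text/plain"
# => 200 OK | application/json 568 bytes
RestClient.get "https://conjur.example/secrets/demo/variable/app%2Fdb%2Fpassword", "Accept"=>"*/*", "Authorization"=>"Token token=\"Y29uc3RydWN0ZWQtdG9rZW4=\"", "User-Agent"=>"rest-client/2.0.2"
# => 200 OK | application/octet-stream 9 bytes
EOF
}
```

The redacted copy keeps the URLs, so resource identifiers such as variable paths are still visible to whoever receives the log.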