Key commands:Run cone help in your terminal to show all available commands.Run cone <command> --help or cone <command> -h for help with a specific command.
Overview
Cone interacts with the ConductorOne API to manage access to entitlements.
Usage:
| Command | Subcommand | Description |
|---|
completion | bash fish powershell zsh | Generate the autocompletion script for the specified shell. |
drop | | Create a revoke access ticket for an entitlement by alias. |
get | | Create an access request for an entitlement by alias. |
get-user | | Get a user by ID. |
has | | Check if the current user has a specific entitlement for an app. |
help | | Help for any command |
login | | Authenticate to ConductorOne, creating config.yaml if it doesn’t exist. |
search | | |
task | approve comment deny escalate get search | Interact with tasks directly. |
whoami | | Show information about the current user. |
Global flags
| Flag | Description |
|---|
--client-id string | Client ID. |
--client-secret-string | Client secret. |
--debug | Enable debug logging. |
-i, --non-interactive | Disable prompts. |
-o, --output string | Output format. Valid values: table, json, json-pretty. (Default: table.) |
-p, --profile string | The config profile to use. (Default: default.) |
To see Cone’s current version number, run cone --version or cone -v.
Completion
Generate the autocompletion script for cone for the specified shell.
Usage:
cone completion [subcommand]
| Subcommand | Description |
|---|
bash | Generate the autocompletion script for Bash. |
fish | Generate the autocompletion script for Fish. |
powershell | Generate the autocompletion script for PowerShell. |
zsh | Generate the autocompletion script for Zsh. |
bash
Generate the autocompletion script for Bash.
Usage:
cone completion bash [flags]
| Flag | Description |
|---|
-h, --help | Help for bash. |
--no-descriptions | Disable completion descriptions. |
source <(cone completion bash)
To load completions for every new session, execute once:
For Linux: cone completion bash > /etc/bash_completion.d/cone
For macOS: cone completion bash > $(brew --prefix)/etc/bash_completion.d/cone
You will need to start a new shell for this setup to take effect.
fish
Generate the autocompletion script for Fish.
Usage:
cone completion fish [flags]
| Flag | Description |
|---|
-h, --help | Help for fish. |
--no-descriptions | Disable completion descriptions. |
cone completion fish | source
To load completions for every new session, execute once: cone completion fish > ~/.config/fish/completions/cone.fish
You will need to start a new shell for this setup to take effect.
powershell
Generate the autocompletion script for PowerShell.
Usage:
cone completion powershell [flags]
| Flag | Description |
|---|
-h, --help | Help for powershell. |
--no-descriptions | Disable completion descriptions. |
cone completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your PowerShell profile.
zsh
Generate the autocompletion script for Zsh.
Usage:
cone completion zsh [flags]
| Flag | Description |
|---|
-h, --help | Help for zsh. |
--no-descriptions | Disable completion descriptions. |
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session: source <(cone completion zsh)
To load completions for every new session, execute once:
For Linux: cone completion zsh > "${fpath[1]}/_cone"
For macOS: cone completion zsh > $(brew --prefix)/share/zsh/site-functions/\_cone
You will need to start a new shell for this setup to take effect.
Drop
Create a revoke access ticket for an entitlement by alias.
Usage:
cone drop <alias> [flags]
cone drop --query <query> [flags]
cone drop --app-id <app-id> --entitlement-id <entitlement-id> [flags]
| Flag | Description |
|---|
--alias string | The entitlement alias to filter by. |
-a, --app-id string | The app ID to filter by. |
--detailed | Show more details about the app and entitlement for this request. |
-e, --entitlement-id string | The entitlement ID to filter by. |
--force | Force the creation of a task even if the user already has (or doesn’t have) the entitlement. |
--form-data string | Form field data as JSON. See Custom form fields for details. |
-h, --help | Help for drop. |
-j, --justification string | The justification for the request. (Default: Made with cone.) |
-q, --query string | The query to filter by. |
-w, --wait | Wait for the task to be approved and provisioned. |
Get
Create an access request for an entitlement by alias.
Some entitlements may require custom form fields to be filled out when making an access request. If form fields are required, you will be prompted interactively to provide them, or you can provide them via the --form-data flag as JSON. See Custom form fields for more details.
Usage:
cone get <alias> [flags]
cone get --query <query> [flags]
cone get --app-id <app-id> --entitlement-id <entitlement-id> [flags]
| Flag | Description |
|---|
--alias string | The entitlement alias to filter.. by. |
-a, --app-id string | The app ID to filter by. |
--detailed | Show more details about the app and entitlement for this request. |
-d, --duration string | The length of time the entitlement is requested for, expressed as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “12h”, “1w2d” or “2h45m”. Valid units are (m)inutes, (h)ours, (d)ays, (w)eeks. |
--emergency-access | Request emergency access to the entitlement. |
-e, --entitlement-id string | The entitlement ID to filter by. |
--force | Force the creation of a task even if the user already has (or doesn’t have) the entitlement. |
--form-data string | Form field data as JSON. See Custom form fields for details. |
-h, --help | Help for get. |
-j, --justification string | The justification for the request. (Default: Made with cone.) |
-q, --query string | The query to filter by. |
-w, --wait | Wait for the task to be approved and provisioned. |
cone get without providing form data and the entitlement requires custom fields, Cone will interactively prompt you to enter values for each field. Fields may have default values that you can accept or override.
Non-interactive mode: When using the -i or --non-interactive flag, you must provide all required form field values using the --form-data flag. Any fields with default values will automatically use those defaults if not explicitly provided.
Providing form data via flag:
Use the --form-data flag to provide form field values as a JSON object:
cone get my-entitlement --form-data '{"field1":"value1","field2":"value2"}'
- String fields: Text values, may have validation rules for minimum/maximum length
- Boolean fields:
true or false values
- Integer fields: Numeric values, may have validation rules for min/max values
- String list fields: Arrays of string values, provided as JSON arrays (e.g.,
["value1","value2"])
Example with form data:
cone get github-admin --justification "Need admin access for release" --form-data '{"project":"myproject","reason":"quarterly-release"}'
Get-user
Get a user by ID.
Usage:
| Flag | Description |
|---|
-h, --help | Help for get-user. |
Has
Check if the current user has a specific entitlement for an app.
Usage:
cone has <app-id> <app-entitlement-id> [flags]
| Flag | Description |
|---|
-h, --help | Help for has. |
Help
Help provides help for any CLI command. Type cone help [path to command] for full details.
Usage:
cone help [command] [flags]
| Flag | Description |
|---|
-h, --help | Help for help. |
Login
Authenticate to ConductorOne, creating the config.yaml file if it doesn’t exist.
Usage:
cone login <tenant-name or tenant-url> [flags]
| Flag | Description |
|---|
-h, --help | Help for login. |
--profile string | Config profile to create or update. (Default: default.) |
Search
Usage:
| Flag | Description |
|---|
--alias string | The entitlement alias to filter by. |
--app string | The display name of the app to filter by. |
--granted | Only return granted tasks. |
-h, --help | Help for search. |
--not-granted | Only return ungranted tasks. |
-q, --query string | The query to filter by. |
Task
A group of commands related to interacting with tasks directly.
Usage:
cone task [flags]
cone task [command]
| Subcommand | Description |
|---|
approve | Mark a task as approved. |
comment | Adds the specified comment to a task. |
deny | Mark a task as denied. |
escalate | Escalate an access request task to emergency access. |
get | Gets a task by ID. |
search | Search for tasks using various filters. |
approve
Mark a task as approved.
Usage:
cone task approve <task-id> [flags]
| Flag | Description |
|---|
--comment string | Comment to add to the task when performing an action. |
-h, --help | Help for approve. |
-w, --wait | Wait for the task to be approved and provisioned. |
cone task comment <task-id> <comment> [flags]
| Flag | Description |
|---|
-h, --help | Help for comment. |
deny
Mark a task as denied.
Usage:
cone task deny <task-id> [flags]
| Flag | Description |
|---|
--comment string | Comment to add to the task when performing an action. |
-h, --help | Help for deny. |
-w, --wait | Wait for the task to be approved and provisioned. |
escalate
Escalate an access request task to emergency access.
Usage:
cone task escalate <task-id> [flags]
| Flag | Description |
|---|
-h, --help | Help for escalate. |
get
Gets a task by ID.
Usage:
cone task get <task-id> [flags]
| Flag | Description |
|---|
-h, --help | Help for get. |
search
Search for tasks using various filters.
Usage:
| Flag | Description |
|---|
--access-review-ids strings | Filter tasks by access review ids (access review campaign this task belongs to). |
--app-entitlement-ids strings | Filter tasks by app entitlement ids (target app entitlement of the ticket). |
--app-ids strings | Filter tasks by app application ids (target application of the task). |
--app-resource-ids strings | Filter tasks by app resource ids (target resource of the ticket). |
--app-resource-type-ids strings | Filter tasks by app resource type ids (target resource type of the task). |
--app-user-subject-ids strings | Filter tasks by app user subject ids (target of the task). |
--assignee-ids strings | Filter tasks by who is currently assigned to them. |
-h, --help | Help for search. |
--include-deleted | Include deleted tasks in the results. |
--query string | Query string to filter tasks. |
--state string | Filter tasks by their state (open, closed). |
--task-type string | Filter tasks by their task type (grant, revoke, certify). |
--user-subject-ids strings | Filter tasks by user subject IDs (C1 user target of the task). |
Whoami
Information about the current user.
Usage:
| Flag | Description |
|---|
-h, --help | Help for whoami. |
