Inside DigitalOcean’s SOX Compliance Playbook

ConductorOne docs

Cone command reference

This page is a comprehensive reference for all the commands, subcommands, and flags for ConductorOne's CLI tool, Cone.

Key commands:

Run cone help in your terminal to show all available commands.

Run cone <command> --help or cone <command> -h for help with a specific command.

Overview

Cone interacts with the ConductorOne API to manage access to entitlements.

Usage:

cone [command]
CommandSubcommandDescription
completionbash fish powershell zshGenerate the autocompletion script for the specified shell.
dropCreate a revoke access ticket for an entitlement by alias.
getCreate an access request for an entitlement by alias.
get-userGet a user by ID.
hasCheck if the current user has a specific entitlement for an app.
helpHelp for any command
loginAuthenticate to ConductorOne, creating config.yaml if it doesn’t exist.
search
taskapprove  comment deny escalate get searchInteract with tasks directly.
whoamiShow information about the current user.

Global flags

FlagDescription
--client-id stringClient ID.
--client-secret-stringClient secret.
--debugEnable debug logging.
-i, --non-interactiveDisable prompts.
-o, --output stringOutput format. Valid values: table, json, json-pretty. (Default: table.)
-p, --profile stringThe config profile to use. (Default: default.)

To see Cone’s current version number, run cone --version or cone -v.

Completion

Generate the autocompletion script for cone for the specified shell.

Usage:

cone completion [subcommand]
SubcommandDescription
bashGenerate the autocompletion script for Bash.
fishGenerate the autocompletion script for Fish.
powershellGenerate the autocompletion script for PowerShell.
zshGenerate the autocompletion script for Zsh.

bash

Generate the autocompletion script for Bash.

Usage:

cone completion bash [flags]
FlagDescription
-h, --helpHelp for bash.
--no-descriptionsDisable completion descriptions.

This script depends on the ‘bash-completion’ package. If it is not installed already, you can install it via your operating system’s package manager.

To load completions in your current shell session: source <(cone completion bash)

To load completions for every new session, execute once:

For Linux: cone completion bash > /etc/bash_completion.d/cone

For macOS: cone completion bash > $(brew --prefix)/etc/bash_completion.d/cone

You will need to start a new shell for this setup to take effect.

fish

Generate the autocompletion script for Fish.

Usage:

cone completion fish [flags]
FlagDescription
-h, --helpHelp for fish.
--no-descriptionsDisable completion descriptions.

To load completions in your current shell session: cone completion fish | source

To load completions for every new session, execute once: cone completion fish > ~/.config/fish/completions/cone.fish

You will need to start a new shell for this setup to take effect.

powershell

Generate the autocompletion script for PowerShell.

Usage:

cone completion powershell [flags]
FlagDescription
-h, --helpHelp for powershell.
--no-descriptionsDisable completion descriptions.

To load completions in your current shell session: cone completion powershell | Out-String | Invoke-Expression

To load completions for every new session, add the output of the above command to your PowerShell profile.

zsh

Generate the autocompletion script for Zsh.

Usage:

cone completion zsh [flags]
FlagDescription
-h, --helpHelp for zsh.
--no-descriptionsDisable completion descriptions.

If shell completion is not already enabled in your environment you must enable it. You can execute the following once: echo "autoload -U compinit; compinit" >> ~/.zshrc

To load completions in your current shell session: source <(cone completion zsh)

To load completions for every new session, execute once:

For Linux: cone completion zsh > "${fpath[1]}/_cone"

For macOS: cone completion zsh > $(brew --prefix)/share/zsh/site-functions/\_cone

You will need to start a new shell for this setup to take effect.

Drop

Create a revoke access ticket for an entitlement by alias.

Usage:

  cone drop <alias> [flags]
  cone drop --query <query> [flags]
  cone drop --app-id <app-id> --entitlement-id <entitlement-id> [flags]
FlagDescription
--alias stringThe entitlement alias to filter by.
-a, --app-id stringThe app ID to filter by.
detailedShow more details about the app and entitlement for this request.
-e, --entitlement-id stringThe entitlement ID to filter by.
--forceForce the creation of a task even if the user already has (or doesn’t have) the entitlement.
-h, --helpHelp for drop.
-j, --justification stringThe justification for the request. (Default: Made with cone.)
-q, --query stringThe query to filter by.
-w, --waitWait for the task to be approved and provisioned.

Get

Create an access request for an entitlement by alias.

Usage:

cone get <alias> [flags]
cone get --query <query> [flags]
cone get --app-id <app-id> --entitlement-id <entitlement-id> [flags]
FlagDescription
--alias stringThe entitlement alias to filter.. by.
-a, --app-id stringThe app ID to filter by.
--detailedShow more details about the app and entitlement for this request.
-d, --duration stringThe length of time the entitlement is requested for, expressed as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “12h”, “1w2d” or “2h45m”. Valid units are (m)inutes, (h)ours, (d)ays, (w)eeks.
--emergency-accessRequest emergency access to the entitlement.
-e, --entitlement-id stringThe entitlement ID to filter by.
--forceForce the creation of a task even if the user already has (or doesn’t have) the entitlement.
-h, --helpHelp for get.
-j, --justification stringThe justification for the request. (Default: Made with cone.)
-q, --query stringThe query to filter by.
-w, --waitWait for the task to be approved and provisioned.

Get-user

Get a user by ID.

Usage:

cone get-user [flags]
FlagDescription
-h, --helpHelp for get-user.

Has

Check if the current user has a specific entitlement for an app.

Usage:

cone has <app-id> <app-entitlement-id> [flags]
FlagDescription
-h, --helpHelp for has.

Help

Help provides help for any CLI command. Type cone help [path to command] for full details.

Usage:

cone help [command] [flags]
FlagDescription
-h, --helpHelp for help.

Login

Authenticate to ConductorOne, creating the config.yaml file if it doesn’t exist.

Usage:

cone login <tenant-name or tenant-url> [flags]
FlagDescription
-h, --helpHelp for login.
--profile stringConfig profile to create or update. (Default: default.)

Usage:

cone search [flags]
FlagDescription
--alias stringThe entitlement alias to filter by.
--app stringThe display name of the app to filter by.
--grantedOnly return granted tasks.
-h, --helpHelp for search.
--not-grantedOnly return ungranted tasks.
-q, --query stringThe query to filter by.

Task

A group of commands related to interacting with tasks directly.

Usage:

cone task [flags]
cone task [command]
SubcommandDescription
approveMark a task as approved.
commentAdds the specified comment to a task.
denyMark a task as denied.
escalateEscalate an access request task to emergency access.
getGets a task by ID.
searchSearch for tasks using various filters.

approve

Mark a task as approved.

Usage:

cone task approve <task-id> [flags]
FlagDescription
--comment stringComment to add to the task when performing an action.
-h, --helpHelp for approve.
-w, --waitWait for the task to be approved and provisioned.

comment

Adds the specified comment to a task.

Usage:

cone task comment <task-id> <comment> [flags]
FlagDescription
-h, --helpHelp for comment.

deny

Mark a task as denied.

Usage:

cone task deny <task-id> [flags]
FlagDescription
--comment stringComment to add to the task when performing an action.
-h, --helpHelp for deny.
-w, --waitWait for the task to be approved and provisioned.

escalate

Escalate an access request task to emergency access.

Usage:

cone task escalate <task-id> [flags]
FlagDescription
-h, --helpHelp for escalate.

get

Gets a task by ID.

Usage:

cone task get <task-id> [flags]
FlagDescription
-h, --helpHelp for get.

search

Search for tasks using various filters.

Usage:

cone task search [flags]
FlagDescription
--access-review-ids stringsFilter tasks by access review ids (access review campaign this task belongs to).
--app-entitlement-ids stringsFilter tasks by app entitlement ids (target app entitlement of the ticket).
--app-ids stringsFilter tasks by app application ids (target application of the task).
--app-resource-ids stringsFilter tasks by app resource ids (target resource of the ticket).
--app-resource-type-ids stringsFilter tasks by app resource type ids (target resource type of the task).
--app-user-subject-ids stringsFilter tasks by app user subject ids (target of the task).
--assignee-ids stringsFilter tasks by who is currently assigned to them.
-h, --helpHelp for search.
--include-deletedInclude deleted tasks in the results.
--query stringQuery string to filter tasks.
--state stringFilter tasks by their state (open, closed).
--task-type stringFilter tasks by their task type (grant, revoke, certify).
--user-subject-ids stringsFilter tasks by user subject IDs (C1 user target of the task).

Whoami

Information about the current user.

Usage:

cone whoami [flags]
FlagDescription
-h, --helpHelp for whoami.