ConductorOne docs

Install Cone, the ConductorOne CLI

ConductorOne's CLI brings key access request workflows to the command line.

What is Cone?

A CLI, or command-line interface, is a text-based user interface that allows users to interact with a computer by typing commands. CLIs are popular with developers, system administrators, and security engineers because of the speed, control, and flexibility they offer.

We created ConductorOne’s CLI, Cone, to bring the power of ConductorOne to the command line.

Why is it called Cone?

For informal use we like to shorten “ConductorOne” to “C1”. If you spell out the number … you get “Cone”!

What can I do with Cone?

Here are just a few of the key ConductorOne tasks you can perform on the command line by using Cone.

Search for available entitlements

The search command displays all entitlements currently available to you from all applicable access profiles:

$ cone search

Get access to an entitlement

The get command retrieves a specific entitlement using its alias:

$ cone get ${entitlement_alias}

For example:

$ cone get aws-prod-admin

This command will find an entitlement in ConductorOne with the alias aws-prod-admin. If you already have access to this entitlement, cone will exit successfully (exit status 0). However, if you don’t currently have access but the entitlement is available to you (in other words, it’s present in one of your access profiles), cone will create an access request in ConductorOne and notify the necessary approvers. Based on the entitlement’s settings, the command may prompt you to enter a justification or length of access.

Once the request is approved, you’ll be able to access the entitlement.

Drop an entitlement

The drop command revokes a specific entitlement using its alias:

$ cone drop ${entitlement_alias}

For example:

$ cone drop aws-prod-admin

If you currently have access to this entitlement, cone will create a revocation request in ConductorOne and, following any required review, deprovision the access. If you don’t have access to the entitlement, cone will exit successfully (exit status 0).

Supported operating systems

ConductorOne provides cone binaries for popular operating systems including macOS, Windows, and Linux on the x86 and ARM platforms. If your platform is not listed, please contact us or build from source.

Install Cone

To install cone, use one of the following two methods:

$ brew install conductorone/cone/cone

Authorize Cone

To authorize cone:

  1. Run cone login <tenant-name or tenant-url>, passing in the name (such as example.conductor.one) or URL (such as https://example.conductor.one) of your ConductorOne instance.

  2. A new browser window opens with an authorization message and code. Review the authorization code against the code shown in your terminal and click Authorize. Once you see the Cone has been authorized message, it’s safe to close this browser tab.

  3. Cone generates an API key for you, and then creates a config file at $HOME/<user name>/.conductorone/config.yaml to store and access your credentials and user-specific data.

That’s it! You’re ready to start using cone. Check out the Cone command reference for an overview of all available commands, subcommands, and flags.

View and manage your API key

If needed, you can view your API key and its client-id. Go to your username in the ConductorOne app and click API keys. You’ll see an API key named “Created by Cone”.

On the API keys page, you can also generate a new API key for yourself, with the option of limiting its duration, source IPs, and scope. Go to Generate a personal API key for instructions.

Working with the configuration file

The configuration file generated by cone during the authorization process is in YAML format and is primarily used for storing profile details. Here’s an example configuration file:

profiles:
  default:
    client-id: <Your-Client-ID-Goes-Here>
    client-secret: <Your-Client-Secret-Goes-Here>

You can add multiple profiles to the configuration file by adding another key to the profiles map. Cone will use that profile when it is selected with the $CONE_PROFILE environment variable or the --profile command line flag.
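
Because this file stores each profile's client-secret in plain text, it is worth checking that only its owner can read it and which profiles it defines. The script below is an added example, not part of the ConductorOne documentation or of cone itself; the function names are hypothetical, the config path is passed as an argument, and the sample file is constructed with placeholder values.

```shell
#!/bin/sh
# Added example: audit a cone config file that stores an API client secret.
# The path is passed as an argument; nothing here calls cone itself.

# Print the profile names defined under the top-level "profiles:" map.
cone_profiles() {
    awk '
        /^profiles:[ \t]*$/ { in_map = 1; next }
        /^[^ \t#]/          { in_map = 0 }
        in_map && /^  [^ \t#][^:]*:[ \t]*$/ {
            sub(/^  /, ""); sub(/:[ \t]*$/, ""); print
        }
    ' "$1"
}

# Return 0 if the file is private to its owner, 1 if group/other have any
# permission bit set, 2 if the file is missing.
cone_config_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Report on one config file; the return status is that of the permission check.
cone_config_audit() {
    rc=0; cone_config_private "$1" || rc=$?
    case $rc in
        0) echo "ok: $1 is accessible to its owner only" ;;
        1) echo "warn: $1 is accessible to group/other; run: chmod 600 $1" ;;
        2) echo "missing: $1"; return 2 ;;
    esac
    for p in $(cone_profiles "$1"); do
        echo "profile: $p"
    done
    return $rc
}

# Demo on a constructed config (placeholder values, not real credentials).
demo_dir=$(mktemp -d)
printf 'profiles:\n  default:\n    client-id: constructed-id\n    client-secret: constructed-secret\n  staging:\n    client-id: constructed-id-2\n    client-secret: constructed-secret-2\n' > "$demo_dir/config.yaml"
chmod 644 "$demo_dir/config.yaml"
cone_config_audit "$demo_dir/config.yaml" || true
chmod 600 "$demo_dir/config.yaml"
cone_config_audit "$demo_dir/config.yaml"
rm -rf "$demo_dir"
```

To audit a real installation, call cone_config_audit with the path of the config.yaml that cone login created.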