Key commands:
- Run cone help in your terminal to show all available commands.
- Run cone <command> --help or cone <command> -h for help with a specific command.
Overview
Cone interacts with the C1 API to manage access to entitlements.
Usage:
| Command | Subcommand | Description |
|---|---|---|
| aws | setup, credentials | AWS SSO integration: configure profiles and get credentials. |
| completion | bash, fish, powershell, zsh | Generate the autocompletion script for the specified shell. |
| drop | | Create a revoke access ticket for an entitlement by alias. |
| generate-alias | | Generate aliases for entitlements in C1. |
| get | | Create an access request for an entitlement by alias. |
| get-user | | Get a user by ID. |
| has | | Check if the current user has a specific entitlement for an app. |
| help | | Help for any command. |
| login | | Authenticate to C1, creating config.yaml if it doesn’t exist. |
| search | | |
| task | approve, comment, deny, escalate, get, search | Interact with tasks directly. |
| virtual-entitlements | create | Create virtual (manually-managed) entitlements on an app. |
| whoami | | Show information about the current user. |
Global flags
| Flag | Description |
|---|---|
| --client-id string | Client ID. |
| --client-secret string | Client secret. |
| --debug | Enable debug logging. |
| -i, --non-interactive | Disable prompts. |
| -o, --output string | Output format. Valid values: table, json, json-pretty. (Default: table.) |
| -p, --profile string | The config profile to use. (Default: default.) |
To see Cone’s current version number, run cone --version or cone -v.
AWS
AWS SSO integration commands. Cone can configure AWS CLI profiles backed by C1 access controls and fetch temporary credentials via AWS SSO.
For a full walkthrough, see Using Cone with AWS SSO.
Usage:
| Subcommand | Description |
|---|---|
| setup | Configure AWS SSO and create profiles for available permission sets. |
| credentials | Get temporary AWS credentials for a profile. |
setup
Scans C1 for all AWS permission set entitlements available to you and creates corresponding profiles in ~/.aws/config. Each profile uses credential_process to call cone aws credentials when the AWS CLI needs credentials.
On first run, provide your SSO start URL and regions. These are saved to ~/.conductorone/config.yaml for future runs.
Usage:
| Flag | Description |
|---|---|
| -h, --help | Help for setup. |
| --region string | Default AWS region for CLI profiles, such as us-west-2. (Default: us-east-1.) |
| --sso-region string | AWS region where SSO Identity Center is configured. (Default: us-east-1.) |
| --sso-url string | AWS SSO start URL. (Required on first run.) |
Example:
# First-time setup
cone aws setup --sso-url https://myorg.awsapps.com/start --sso-region us-east-1 --region us-west-2
# Refresh profiles (reuses saved config)
cone aws setup
setup show
Display current AWS SSO configuration (SSO URL, SSO region, default region).
credentials
Retrieve temporary AWS credentials for an AWS SSO profile managed by Cone.
This command checks C1 for an active grant. If you don’t have access, it automatically submits an access request, polls for up to 90 seconds for auto-approval, and returns credentials if approved. If the request requires manual approval, it tells you the request is pending.
Can be used directly or as an AWS credential_process.
Usage:
cone aws credentials <profile-name> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for credentials. |
Example:
# Use directly
cone aws credentials myaccount-admin
# Or let AWS CLI call it via credential_process (configured by setup)
aws s3 ls --profile myaccount-admin
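To confirm that every AWS CLI profile is actually backed by Cone after running setup, the following added example (not part of Cone or of the original page) classifies the profiles in an AWS config file. The sample config is constructed, and the exact credential_process line that setup writes is an assumption.

```python
import configparser
import os
import shlex

# Constructed sample of ~/.aws/config. The credential_process lines are an
# assumption about what setup writes; the key values are placeholders.
SAMPLE_CONFIG = """
[profile myaccount-admin]
region = us-west-2
credential_process = /usr/local/bin/cone aws credentials myaccount-admin

[profile myaccount-readonly]
region = us-west-2
credential_process = cone aws credentials myaccount-readonly

[profile legacy-deploy]
aws_access_key_id = CONSTRUCTED_SAMPLE_KEY_ID
aws_secret_access_key = constructed-sample-not-a-secret
"""


def classify_profiles(config_text):
    """Return {profile name: finding} for each section of an AWS config file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    findings = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        opts = parser[section]
        argv = shlex.split(opts.get("credential_process", ""))
        if "aws_access_key_id" in opts:
            # Long-lived keys in the profile are not gated by a C1 grant.
            findings[name] = "static-keys"
        elif len(argv) >= 3 and os.path.basename(argv[0]) == "cone" \
                and argv[1:3] == ["aws", "credentials"]:
            # A bare "cone" is looked up on PATH every time credentials are needed.
            findings[name] = "cone" if os.path.isabs(argv[0]) else "cone-via-path"
        else:
            findings[name] = "other-process" if argv else "other"
    return findings


if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/config")
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONFIG
    for profile, finding in classify_profiles(text).items():
        print(f"{profile:25} {finding}")
```

Profiles reported as static-keys or other-process obtain credentials without going through a C1 grant check.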
Completion
Generate the autocompletion script for cone for the specified shell.
Usage:
cone completion [subcommand]
| Subcommand | Description |
|---|---|
| bash | Generate the autocompletion script for Bash. |
| fish | Generate the autocompletion script for Fish. |
| powershell | Generate the autocompletion script for PowerShell. |
| zsh | Generate the autocompletion script for Zsh. |
bash
Generate the autocompletion script for Bash.
Usage:
cone completion bash [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for bash. |
| --no-descriptions | Disable completion descriptions. |
This script depends on the ‘bash-completion’ package. If it is not installed already, you can install it via your operating system’s package manager.
To load completions in your current shell session: source <(cone completion bash)
To load completions for every new session, execute once:
For Linux: cone completion bash > /etc/bash_completion.d/cone
For macOS: cone completion bash > $(brew --prefix)/etc/bash_completion.d/cone
You will need to start a new shell for this setup to take effect.
fish
Generate the autocompletion script for Fish.
Usage:
cone completion fish [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for fish. |
| --no-descriptions | Disable completion descriptions. |
To load completions in your current shell session: cone completion fish | source
To load completions for every new session, execute once: cone completion fish > ~/.config/fish/completions/cone.fish
You will need to start a new shell for this setup to take effect.
powershell
Generate the autocompletion script for PowerShell.
Usage:
cone completion powershell [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for powershell. |
| --no-descriptions | Disable completion descriptions. |
To load completions in your current shell session: cone completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command to your PowerShell profile.
zsh
Generate the autocompletion script for Zsh.
Usage:
cone completion zsh [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for zsh. |
| --no-descriptions | Disable completion descriptions. |
If shell completion is not already enabled in your environment you must enable it. You can execute the following once: echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session: source <(cone completion zsh)
To load completions for every new session, execute once:
For Linux: cone completion zsh > "${fpath[1]}/_cone"
For macOS: cone completion zsh > $(brew --prefix)/share/zsh/site-functions/_cone
You will need to start a new shell for this setup to take effect.
Drop
Create a revoke access ticket for an entitlement by alias.
Usage:
cone drop <alias> [flags]
cone drop --query <query> [flags]
cone drop --app-id <app-id> --entitlement-id <entitlement-id> [flags]
| Flag | Description |
|---|---|
| --alias string | The entitlement alias to filter by. |
| -a, --app-id string | The app ID to filter by. |
| --detailed | Show more details about the app and entitlement for this request. |
| -e, --entitlement-id string | The entitlement ID to filter by. |
| --force | Force the creation of a task even if the user already has (or doesn’t have) the entitlement. |
| --form-data string | Form field data as JSON. See Custom form fields for details. |
| -h, --help | Help for drop. |
| -j, --justification string | The justification for the request. (Default: Made with cone.) |
| -q, --query string | The query to filter by. |
| -w, --wait | Wait for the task to be approved and provisioned. |
Generate-alias
Generate aliases for entitlements in C1. This command scans entitlements, generates aliases based on a configurable schema, and updates them via the C1 API.
Usage:
cone generate-alias [flags]
| Flag | Description |
|---|---|
| --dry-run | Preview changes without making them. |
| --entitlement-id strings | Process only these entitlements. |
| --force | Override ALL existing aliases (including AWS permission sets). |
| --force-non-aws | Override existing aliases for non-AWS entitlements. |
| --format string | Custom format string (only used with schema=custom). (Default: %r-%e.) |
| -h, --help | Help for generate-alias. |
| --resource-type strings | Only process entitlements with these resource types. |
| --schema string | Alias schema: resource-entitlement, app-entitlement, app-resource-entitlement, resource-type-entitlement, custom. (Default: resource-entitlement.) |
| --separator string | Separator between components. (Default: -.) |
| --skip-aws | Skip AWS permission sets entirely. |
Schemas:
| Schema | Format | Example |
|---|---|---|
| resource-entitlement | resource + entitlement | my-group-admin |
| app-entitlement | app + entitlement | github-admin |
| app-resource-entitlement | app + resource + entitlement | github-my-group-admin |
| resource-type-entitlement | resource type + entitlement | group-admin |
| custom | Use --format with %a (app), %r (resource), %t (resource type), %e (entitlement) | %a-%r-%e |
Examples:
# Preview aliases without making changes
cone generate-alias --dry-run
# Generate with default schema
cone generate-alias
# Use app-based schema
cone generate-alias --schema app-entitlement
# Custom format
cone generate-alias --schema custom --format "%a-%r-%e"
Get
Create an access request for an entitlement by alias.
Some entitlements may require custom form fields to be filled out when making an access request. If form fields are required, you will be prompted interactively to provide them, or you can provide them via the --form-data flag as JSON. See Custom form fields for more details.
Usage:
cone get <alias> [flags]
cone get --query <query> [flags]
cone get --app-id <app-id> --entitlement-id <entitlement-id> [flags]
| Flag | Description |
|---|---|
| --alias string | The entitlement alias to filter by. |
| -a, --app-id string | The app ID to filter by. |
| --detailed | Show more details about the app and entitlement for this request. |
| -d, --duration string | The length of time the entitlement is requested for, expressed as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “12h”, “1w2d” or “2h45m”. Valid units are (m)inutes, (h)ours, (d)ays, (w)eeks. |
| --emergency-access | Request emergency access to the entitlement. |
| -e, --entitlement-id string | The entitlement ID to filter by. |
| --force | Force the creation of a task even if the user already has (or doesn’t have) the entitlement. |
| --form-data string | Form field data as JSON. See Custom form fields for details. |
| -h, --help | Help for get. |
| -j, --justification string | The justification for the request. (Default: Made with cone.) |
| -q, --query string | The query to filter by. |
| -w, --wait | Wait for the task to be approved and provisioned. |
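Scripts that pass a value to --duration can check it first. This added example (not Cone's own parser, and not from the original page) parses the duration format as the table above describes it and rejects requests above a ceiling; the 12-hour ceiling is a hypothetical local policy, and treating unit letters as lowercase only is an assumption.

```python
import re
from datetime import timedelta

# Units named on this page: (m)inutes, (h)ours, (d)ays, (w)eeks.
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}
# One component: a decimal number with optional fraction, then one unit letter.
TOKEN = re.compile(r"(\d+(?:\.\d+)?)([a-zA-Z])")


def parse_duration(text):
    """Parse a string such as '12h', '1w2d' or '2h45m' into a timedelta."""
    pos, total = 0, 0.0
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"malformed duration at offset {pos}: {text!r}")
        number, unit = match.groups()
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unsupported unit {unit!r} in {text!r}")
        total += float(number) * UNIT_SECONDS[unit]
        pos = match.end()
    if total <= 0:
        # Covers the empty string and values such as '0h'.
        raise ValueError(f"duration must be positive: {text!r}")
    return timedelta(seconds=total)


def check_request(text, ceiling=timedelta(hours=12)):
    """Return the parsed duration, refusing anything above the local ceiling."""
    requested = parse_duration(text)
    if requested > ceiling:
        raise ValueError(f"{text!r} exceeds the ceiling of {ceiling}")
    return requested


if __name__ == "__main__":
    for sample in ["12h", "2h45m", "1.5h", "1w2d", "30s", "12"]:
        try:
            print(sample, "->", check_request(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```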
Custom form fields
Some entitlements are configured with custom form fields that must be filled out when requesting access. These fields allow administrators to collect additional information needed for the access request, such as a reason, project name, or other context-specific data.
Interactive mode: When you run cone get without providing form data and the entitlement requires custom fields, Cone will interactively prompt you to enter values for each field. Fields may have default values that you can accept or override.
Non-interactive mode: When using the -i or --non-interactive flag, you must provide all required form field values using the --form-data flag. Any fields with default values will automatically use those defaults if not explicitly provided.
Providing form data via flag:
Use the --form-data flag to provide form field values as a JSON object:
cone get my-entitlement --form-data '{"field1":"value1","field2":"value2"}'
Supported field types:
- String fields: Text values, may have validation rules for minimum/maximum length
- Boolean fields: true or false values
- Integer fields: Numeric values, may have validation rules for min/max values
- String list fields: Arrays of string values, provided as JSON arrays (e.g., ["value1","value2"])
Example with form data:
cone get github-admin --justification "Need admin access for release" --form-data '{"project":"myproject","reason":"quarterly-release"}'
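When a script builds the --form-data value from variables, generating the JSON and the argument list in code avoids quoting mistakes in the shell. This added example (not part of Cone or of the original page) checks values against the four supported field types and returns the arguments for a non-interactive request; the schema dictionary and its field names are hypothetical.

```python
import json

# The four field types listed on this page, mapped to Python checks.
# bool is a subclass of int in Python, so the integer check excludes it.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "string_list": lambda v: isinstance(v, list) and all(isinstance(i, str) for i in v),
}


def build_get_argv(alias, justification, schema, values):
    """Validate values and return argv for a non-interactive cone get.

    schema maps field name -> (type name, must_supply). It is a hypothetical
    local description of the form; fields with defaults can be must_supply=False.
    """
    if alias.startswith("-"):
        raise ValueError("alias must not look like a flag")
    unknown = set(values) - set(schema)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for name, (type_name, must_supply) in schema.items():
        if name not in values:
            if must_supply:
                raise ValueError(f"missing required field: {name}")
            continue
        if not TYPE_CHECKS[type_name](values[name]):
            raise ValueError(f"field {name!r} must be of type {type_name}")
    # json.dumps does the JSON quoting. Passing this list to subprocess.run()
    # without a shell delivers each element to cone as exactly one argument.
    return ["cone", "get", alias, "--non-interactive",
            "--justification", justification,
            "--form-data", json.dumps(values, sort_keys=True)]


# Hypothetical form definition for the github-admin example above.
SCHEMA = {"project": ("string", True), "reason": ("string", True),
          "ticket_count": ("integer", False), "reviewers": ("string_list", False)}

if __name__ == "__main__":
    print(build_get_argv("github-admin", "Need admin access for release", SCHEMA,
                         {"project": "my'project", "reason": "quarterly-release",
                          "reviewers": ["alice", "bob"]}))
```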
Get-user
Get a user by ID.
Usage:
| Flag | Description |
|---|---|
| -h, --help | Help for get-user. |
Has
Check if the current user has a specific entitlement for an app.
Usage:
cone has <app-id> <app-entitlement-id> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for has. |
Help
Help provides help for any CLI command. Type cone help [path to command] for full details.
Usage:
cone help [command] [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for help. |
Login
Authenticate to C1, creating the config.yaml file if it doesn’t exist.
Usage:
cone login <tenant-name or tenant-url> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for login. |
| --profile string | Config profile to create or update. (Default: default.) |
Search
Usage:
| Flag | Description |
|---|---|
| --alias string | The entitlement alias to filter by. |
| --app string | The display name of the app to filter by. |
| --granted | Only return granted tasks. |
| -h, --help | Help for search. |
| --not-granted | Only return ungranted tasks. |
| -q, --query string | The query to filter by. |
Task
A group of commands related to interacting with tasks directly.
Usage:
cone task [flags]
cone task [command]
| Subcommand | Description |
|---|---|
| approve | Mark a task as approved. |
| comment | Adds the specified comment to a task. |
| deny | Mark a task as denied. |
| escalate | Escalate an access request task to emergency access. |
| get | Gets a task by ID. |
| search | Search for tasks using various filters. |
approve
Mark a task as approved.
Usage:
cone task approve <task-id> [flags]
| Flag | Description |
|---|---|
| --comment string | Comment to add to the task when performing an action. |
| -h, --help | Help for approve. |
| -w, --wait | Wait for the task to be approved and provisioned. |
comment
Adds the specified comment to a task.
Usage:
cone task comment <task-id> <comment> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for comment. |
deny
Mark a task as denied.
Usage:
cone task deny <task-id> [flags]
| Flag | Description |
|---|---|
| --comment string | Comment to add to the task when performing an action. |
| -h, --help | Help for deny. |
| -w, --wait | Wait for the task to be approved and provisioned. |
escalate
Escalate an access request task to emergency access.
Usage:
cone task escalate <task-id> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for escalate. |
get
Gets a task by ID.
Usage:
cone task get <task-id> [flags]
| Flag | Description |
|---|---|
| -h, --help | Help for get. |
search
Search for tasks using various filters.
Usage:
| Flag | Description |
|---|---|
| --access-review-ids strings | Filter tasks by access review ids (access review campaign this task belongs to). |
| --app-entitlement-ids strings | Filter tasks by app entitlement ids (target app entitlement of the ticket). |
| --app-ids strings | Filter tasks by app application ids (target application of the task). |
| --app-resource-ids strings | Filter tasks by app resource ids (target resource of the ticket). |
| --app-resource-type-ids strings | Filter tasks by app resource type ids (target resource type of the task). |
| --app-user-subject-ids strings | Filter tasks by app user subject ids (target of the task). |
| --assignee-ids strings | Filter tasks by who is currently assigned to them. |
| -h, --help | Help for search. |
| --include-deleted | Include deleted tasks in the results. |
| --query string | Query string to filter tasks. |
| --state string | Filter tasks by their state (open, closed). |
| --task-type string | Filter tasks by their task type (grant, revoke, certify). |
| --user-subject-ids strings | Filter tasks by user subject IDs (C1 user target of the task). |
Virtual-entitlements
Create virtual (manually-managed) resource types, resources, and entitlements on a C1 app.
Usage:
cone virtual-entitlements [command]
| Subcommand | Description |
|---|---|
| create | Create virtual resource types, resources, and entitlements on an app. |
create
Create virtual entitlements on an app. You can specify resources and entitlements via CLI flags or a YAML file.
Usage:
cone virtual-entitlements create --app <app-id-or-name> --resource "My Group" --type GROUP --entitlements "Member" --entitlements "Admin"
cone virtual-entitlements create --app <app-id-or-name> --from-file entitlements.yaml
| Flag | Description |
|---|---|
| --app string | App ID or display name. (Required.) |
| --entitlements strings | Entitlement names. (Repeatable.) |
| -f, --from-file string | YAML file with resource/entitlement definitions. |
| -h, --help | Help for create. |
| --resource string | Resource display name. |
| -t, --type string | Resource type: ROLE, GROUP, LICENSE, PROJECT, CATALOG, CUSTOM, VAULT, PROFILE_TYPE. (Default: CUSTOM.) |
YAML file format:
resources:
  - name: "My Group"
    type: GROUP
    description: "optional"
    entitlements:
      - "Member"
      - "Admin"
  - name: "Another Resource"
    type: ROLE
    entitlements:
      - "Viewer"
      - "Editor"
Whoami
Information about the current user.
Usage:
| Flag | Description |
|---|---|
| -h, --help | Help for whoami. |