> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Cone command reference
> This page is a comprehensive reference for all the commands, subcommands, and flags for C1's CLI tool, Cone.
**Key commands:**
Run `cone help` in your terminal to show all available commands.
Run `cone --help` or `cone -h` for help with a specific command.
## Overview
Cone interacts with the C1 API to manage access to entitlements.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone [command]
```
| Command | Subcommand | Description |
| :--------------------- | :---------------------------------------------------- | :--------------------------------------------------------------- |
| `aws` | `setup` `credentials` | AWS SSO integration: configure profiles and get credentials. |
| `completion` | `bash` `fish` `powershell` `zsh` | Generate the autocompletion script for the specified shell. |
| `drop` | | Create a revoke access ticket for an entitlement by alias. |
| `generate-alias` | | Generate aliases for entitlements in C1. |
| `get` | | Create an access request for an entitlement by alias. |
| `get-user` | | Get a user by ID. |
| `has` | | Check if the current user has a specific entitlement for an app. |
| `help` | | Help for any command |
| `login` | | Authenticate to C1, creating config.yaml if it doesn't exist. |
| `search` | | |
| `task` | `approve` `comment` `deny` `escalate` `get` `search` | Interact with tasks directly. |
| `virtual-entitlements` | `create` | Create virtual (manually-managed) entitlements on an app. |
| `whoami` | | Show information about the current user. |
## Global flags
| Flag | Description |
| :------------------------ | :------------------------------------------------------------------------------- |
| `--client-id string` | Client ID. |
| `--client-secret-string` | Client secret. |
| `--debug` | Enable debug logging. |
| `-i`, `--non-interactive` | Disable prompts. |
| `-o`, `--output string` | Output format. Valid values: `table`, `json`, `json-pretty`. (Default: `table`.) |
| `-p`, `--profile string` | The config profile to use. (Default: `default`.) |
To see Cone's current version number, run `cone --version` or `cone -v`.
## AWS
AWS SSO integration commands. Cone can configure AWS CLI profiles backed by C1 access controls and fetch temporary credentials via AWS SSO.
For a full walkthrough, see [Using Cone with AWS SSO](/product/how-to/cone-aws-sso-integration).
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone aws [command]
```
| Subcommand | Description |
| :------------ | :------------------------------------------------------------------- |
| `setup` | Configure AWS SSO and create profiles for available permission sets. |
| `credentials` | Get temporary AWS credentials for a profile. |
### `setup`
Scans C1 for all AWS permission set entitlements available to you and creates corresponding profiles in `~/.aws/config`. Each profile uses `credential_process` to call `cone aws credentials` when the AWS CLI needs credentials.
On first run, provide your SSO start URL and regions. These are saved to `~/.conductorone/config.yaml` for future runs.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone aws setup [flags]
```
| Flag | Description |
| :-------------------- | :-------------------------------------------------------------------------------- |
| `-h`, `--help` | Help for setup. |
| `--region string` | Default AWS region for CLI profiles, such as `us-west-2`. (Default: `us-east-1`.) |
| `--sso-region string` | AWS region where SSO Identity Center is configured. (Default: `us-east-1`.) |
| `--sso-url string` | AWS SSO start URL. (Required on first run.) |
**Example:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# First-time setup
cone aws setup --sso-url https://myorg.awsapps.com/start --sso-region us-east-1 --region us-west-2
# Refresh profiles (reuses saved config)
cone aws setup
```
#### `setup show`
Display current AWS SSO configuration (SSO URL, SSO region, default region).
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone aws setup show
```
### `credentials`
Retrieve temporary AWS credentials for an AWS SSO profile managed by Cone.
This command checks C1 for an active grant. If you don't have access, it automatically submits an access request, polls for up to 90 seconds for auto-approval, and returns credentials if approved. If the request requires manual approval, it tells you the request is pending.
Can be used directly or as an AWS `credential_process`.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone aws credentials [flags]
```
| Flag | Description |
| :------------- | :-------------------- |
| `-h`, `--help` | Help for credentials. |
**Example:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# Use directly
cone aws credentials myaccount-admin
# Or let AWS CLI call it via credential_process (configured by setup)
aws s3 ls --profile myaccount-admin
```
## Completion
Generate the autocompletion script for cone for the specified shell.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone completion [subcommand]
```
| Subcommand | Description |
| :----------- | :------------------------------------------------- |
| `bash` | Generate the autocompletion script for Bash. |
| `fish` | Generate the autocompletion script for Fish. |
| `powershell` | Generate the autocompletion script for PowerShell. |
| `zsh` | Generate the autocompletion script for Zsh. |
### `bash`
Generate the autocompletion script for Bash.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone completion bash [flags]
```
| Flag | Description |
| :------------------ | :------------------------------- |
| `-h`, `--help` | Help for bash. |
| `--no-descriptions` | Disable completion descriptions. |
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your operating system's package manager.
To load completions in your current shell session: `source <(cone completion bash)`
To load completions for every new session, execute once:
**For Linux:** `cone completion bash > /etc/bash_completion.d/cone`
**For macOS:** `cone completion bash > $(brew --prefix)/etc/bash_completion.d/cone`
You will need to start a new shell for this setup to take effect.
### `fish`
Generate the autocompletion script for Fish.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone completion fish [flags]
```
| Flag | Description |
| :------------------ | :------------------------------- |
| `-h`, `--help` | Help for fish. |
| `--no-descriptions` | Disable completion descriptions. |
To load completions in your current shell session: `cone completion fish | source`
To load completions for every new session, execute once: `cone completion fish > ~/.config/fish/completions/cone.fish`
You will need to start a new shell for this setup to take effect.
### `powershell`
Generate the autocompletion script for PowerShell.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone completion powershell [flags]
```
| Flag | Description |
| :------------------ | :------------------------------- |
| `-h`, `--help` | Help for powershell. |
| `--no-descriptions` | Disable completion descriptions. |
To load completions in your current shell session: `cone completion powershell | Out-String | Invoke-Expression`
To load completions for every new session, add the output of the above command to your PowerShell profile.
### `zsh`
Generate the autocompletion script for Zsh.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone completion zsh [flags]
```
| Flag | Description |
| :------------------ | :------------------------------- |
| `-h`, `--help` | Help for zsh. |
| `--no-descriptions` | Disable completion descriptions. |
If shell completion is not already enabled in your environment you must enable it. You can execute the following once: `echo "autoload -U compinit; compinit" >> ~/.zshrc`
To load completions in your current shell session: `source <(cone completion zsh)`
To load completions for every new session, execute once:
**For Linux:** `cone completion zsh > "${fpath[1]}/_cone"`
**For macOS:** `cone completion zsh > $(brew --prefix)/share/zsh/site-functions/\_cone`
You will need to start a new shell for this setup to take effect.
## Drop
Create a revoke access ticket for an entitlement by alias.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone drop [flags]
cone drop --query [flags]
cone drop --app-id --entitlement-id [flags]
```
| Flag | Description |
| :------------------------------ | :------------------------------------------------------------------------------------------- |
| `--alias string` | The entitlement alias to filter by. |
| `-a`, `--app-id string` | The app ID to filter by. |
| `--detailed` | Show more details about the app and entitlement for this request. |
| `-e`, `--entitlement-id string` | The entitlement ID to filter by. |
| `--force` | Force the creation of a task even if the user already has (or doesn't have) the entitlement. |
| `--form-data string` | Form field data as JSON. See [Custom form fields](#custom-form-fields) for details. |
| `-h`, `--help` | Help for drop. |
| `-j`, `--justification string` | The justification for the request. (Default: `Made with cone`.) |
| `-q`, `--query string` | The query to filter by. |
| `-w`, `--wait` | Wait for the task to be approved and provisioned. |
## Generate-alias
Generate aliases for entitlements in C1. This command scans entitlements, generates aliases based on a configurable schema, and updates them via the C1 API.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone generate-alias [flags]
```
| Flag | Description |
| :------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--dry-run` | Preview changes without making them. |
| `--entitlement-id strings` | Process only these entitlements. |
| `--force` | Override ALL existing aliases (including AWS permission sets). |
| `--force-non-aws` | Override existing aliases for non-AWS entitlements. |
| `--format string` | Custom format string (only used with `schema=custom`). (Default: `%r-%e`.) |
| `-h`, `--help` | Help for generate-alias. |
| `--resource-type strings` | Only process entitlements with these resource types. |
| `--schema string` | Alias schema: `resource-entitlement`, `app-entitlement`, `app-resource-entitlement`, `resource-type-entitlement`, `custom`. (Default: `resource-entitlement`.) |
| `--separator string` | Separator between components. (Default: `-`.) |
| `--skip-aws` | Skip AWS permission sets entirely. |
**Schemas:**
| Schema | Format | Example |
| :-------------------------- | :---------------------------------------------------------------------------------------- | :---------------------- |
| `resource-entitlement` | resource + entitlement | `my-group-admin` |
| `app-entitlement` | app + entitlement | `github-admin` |
| `app-resource-entitlement` | app + resource + entitlement | `github-my-group-admin` |
| `resource-type-entitlement` | resource type + entitlement | `group-admin` |
| `custom` | Use `--format` with `%a` (app), `%r` (resource), `%t` (resource type), `%e` (entitlement) | `%a-%r-%e` |
**Examples:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# Preview aliases without making changes
cone generate-alias --dry-run
# Generate with default schema
cone generate-alias
# Use app-based schema
cone generate-alias --schema app-entitlement
# Custom format
cone generate-alias --schema custom --format "%a-%r-%e"
```
## Get
Create an access request for an entitlement by alias.
Some entitlements may require custom form fields to be filled out when making an access request. If form fields are required, you will be prompted interactively to provide them, or you can provide them via the `--form-data` flag as JSON. See [Custom form fields](#custom-form-fields) for more details.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone get [flags]
cone get --query [flags]
cone get --app-id --entitlement-id [flags]
```
| Flag | Description |
| :------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--alias string` | The entitlement alias to filter.. by. |
| `-a`, `--app-id string` | The app ID to filter by. |
| `--detailed` | Show more details about the app and entitlement for this request. |
| `-d`, `--duration string` | The length of time the entitlement is requested for, expressed as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "12h", "1w2d" or "2h45m". Valid units are (m)inutes, (h)ours, (d)ays, (w)eeks. |
| `--emergency-access` | Request emergency access to the entitlement. |
| `-e`, `--entitlement-id string` | The entitlement ID to filter by. |
| `--force` | Force the creation of a task even if the user already has (or doesn't have) the entitlement. |
| `--form-data string` | Form field data as JSON. See [Custom form fields](#custom-form-fields) for details. |
| `-h`, `--help` | Help for get. |
| `-j`, `--justification string` | The justification for the request. (Default: `Made with cone`.) |
| `-q`, `--query string` | The query to filter by. |
| `-w`, `--wait` | Wait for the task to be approved and provisioned. |
### Custom form fields
Some entitlements are configured with custom form fields that must be filled out when requesting access. These fields allow administrators to collect additional information needed for the access request, such as a reason, project name, or other context-specific data.
**Interactive mode:** When you run `cone get` without providing form data and the entitlement requires custom fields, Cone will interactively prompt you to enter values for each field. Fields may have default values that you can accept or override.
**Non-interactive mode:** When using the `-i` or `--non-interactive` flag, you must provide all required form field values using the `--form-data` flag. Any fields with default values will automatically use those defaults if not explicitly provided.
**Providing form data via flag:**
Use the `--form-data` flag to provide form field values as a JSON object:
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone get my-entitlement --form-data '{"field1":"value1","field2":"value2"}'
```
**Supported field types:**
* **String fields:** Text values, may have validation rules for minimum/maximum length
* **Boolean fields:** `true` or `false` values
* **Integer fields:** Numeric values, may have validation rules for min/max values
* **String list fields:** Arrays of string values, provided as JSON arrays (e.g., `["value1","value2"]`)
**Example with form data:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone get github-admin --justification "Need admin access for release" --form-data '{"project":"myproject","reason":"quarterly-release"}'
```
## Get-user
Get a user by ID.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone get-user [flags]
```
| Flag | Description |
| :------------- | :----------------- |
| `-h`, `--help` | Help for get-user. |
## Has
Check if the current user has a specific entitlement for an app.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone has [flags]
```
| Flag | Description |
| :------------- | :------------ |
| `-h`, `--help` | Help for has. |
## Help
Help provides help for any CLI command. Type `cone help [path to command]` for full details.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone help [command] [flags]
```
| Flag | Description |
| :------------- | :------------- |
| `-h`, `--help` | Help for help. |
## Login
Authenticate to C1, creating the config.yaml file if it doesn't exist.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone login [flags]
```
| Flag | Description |
| :----------------- | :-------------------------------------------------------- |
| `-h`, `--help` | Help for login. |
| `--profile string` | Config profile to create or update. (Default: `default`.) |
## Search
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone search [flags]
```
| Flag | Description |
| :--------------------- | :---------------------------------------- |
| `--alias string` | The entitlement alias to filter by. |
| `--app string` | The display name of the app to filter by. |
| `--granted` | Only return granted tasks. |
| `-h`, `--help` | Help for search. |
| `--not-granted` | Only return ungranted tasks. |
| `-q`, `--query string` | The query to filter by. |
## Task
A group of commands related to interacting with tasks directly.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task [flags]
cone task [command]
```
| Subcommand | Description |
| :--------- | :--------------------------------------------------- |
| `approve` | Mark a task as approved. |
| `comment` | Adds the specified comment to a task. |
| `deny` | Mark a task as denied. |
| `escalate` | Escalate an access request task to emergency access. |
| `get` | Gets a task by ID. |
| `search` | Search for tasks using various filters. |
### `approve`
Mark a task as approved.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task approve [flags]
```
| Flag | Description |
| :----------------- | :---------------------------------------------------- |
| `--comment string` | Comment to add to the task when performing an action. |
| `-h`, `--help` | Help for approve. |
| `-w`, `--wait` | Wait for the task to be approved and provisioned. |
### `comment`
Adds the specified comment to a task.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task comment [flags]
```
| Flag | Description |
| :------------- | :---------------- |
| `-h`, `--help` | Help for comment. |
### `deny`
Mark a task as denied.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task deny [flags]
```
| Flag | Description |
| :----------------- | :---------------------------------------------------- |
| `--comment string` | Comment to add to the task when performing an action. |
| `-h`, `--help` | Help for deny. |
| `-w`, `--wait` | Wait for the task to be approved and provisioned. |
### `escalate`
Escalate an access request task to emergency access.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task escalate [flags]
```
| Flag | Description |
| :------------- | :----------------- |
| `-h`, `--help` | Help for escalate. |
### `get`
Gets a task by ID.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task get [flags]
```
| Flag | Description |
| :------------- | :------------ |
| `-h`, `--help` | Help for get. |
### `search`
Search for tasks using various filters.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone task search [flags]
```
| Flag | Description |
| :-------------------------------- | :------------------------------------------------------------------------------- |
| `--access-review-ids strings` | Filter tasks by access review ids (access review campaign this task belongs to). |
| `--app-entitlement-ids strings` | Filter tasks by app entitlement ids (target app entitlement of the ticket). |
| `--app-ids strings` | Filter tasks by app application ids (target application of the task). |
| `--app-resource-ids strings` | Filter tasks by app resource ids (target resource of the ticket). |
| `--app-resource-type-ids strings` | Filter tasks by app resource type ids (target resource type of the task). |
| `--app-user-subject-ids strings` | Filter tasks by app user subject ids (target of the task). |
| `--assignee-ids strings` | Filter tasks by who is currently assigned to them. |
| `-h`, `--help` | Help for search. |
| `--include-deleted` | Include deleted tasks in the results. |
| `--query string` | Query string to filter tasks. |
| `--state string` | Filter tasks by their state (open, closed). |
| `--task-type string` | Filter tasks by their task type (grant, revoke, certify). |
| `--user-subject-ids strings` | Filter tasks by user subject IDs (C1 user target of the task). |
## Virtual-entitlements
Create virtual (manually-managed) resource types, resources, and entitlements on a C1 app.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone virtual-entitlements [command]
```
| Subcommand | Description |
| :--------- | :-------------------------------------------------------------------- |
| `create` | Create virtual resource types, resources, and entitlements on an app. |
### `create`
Create virtual entitlements on an app. You can specify resources and entitlements via CLI flags or a YAML file.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone virtual-entitlements create --app --resource "My Group" --type GROUP --entitlements "Member" --entitlements "Admin"
cone virtual-entitlements create --app --from-file entitlements.yaml
```
| Flag | Description |
| :------------------------- | :----------------------------------------------------------------------------------------------------------------------- |
| `--app string` | App ID or display name. (Required.) |
| `--entitlements strings` | Entitlement names. (Repeatable.) |
| `-f`, `--from-file string` | YAML file with resource/entitlement definitions. |
| `-h`, `--help` | Help for create. |
| `--resource string` | Resource display name. |
| `-t`, `--type string` | Resource type: `ROLE`, `GROUP`, `LICENSE`, `PROJECT`, `CATALOG`, `CUSTOM`, `VAULT`, `PROFILE_TYPE`. (Default: `CUSTOM`.) |
**YAML file format:**
```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}}
resources:
- name: "My Group"
type: GROUP
description: "optional"
entitlements:
- "Member"
- "Admin"
- name: "Another Resource"
type: ROLE
entitlements:
- "Viewer"
- "Editor"
```
## Whoami
Information about the current user.
**Usage:**
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
cone whoami [flags]
```
| Flag | Description |
| :------------- | :--------------- |
| `-h`, `--help` | Help for whoami. |