Skip to main content

What is Cone?

A CLI, or command-line interface, is a text-based user interface that allows users to interact with a computer by typing commands. CLIs are popular with developers, system administrators, and security engineers because of the speed, control, and flexibility they offer. We created the C1’s CLI, Cone, to bring the power of C1 to the command line.

Why is it called Cone?

Our product name is C1 — spell out the “1” and you get “C-one”. Cone!

What can I do with Cone?

Here are just a few of key C1 tasks you can perform on the command line by using Cone.

Search for available entitlements

The search command displays all entitlements currently available to you from all applicable access profiles: 
cone search

Get access to an entitlement

The get command retrieves a specific entitlement using its alias: 
cone get ${entitlement_alias}
For example: 
cone get aws-prod-admin
This command will find an entitlement in C1 with the alias aws-prod-admin. If you already have access to this entitlement, cone will exit successfully (exit status 0). However, if you don’t currently have access but the entitlement is available to you (in other words, it’s present in one of your access profiles), cone will create an access request in C1 and notify the necessary approvers. Based on the entitlement’s settings, the command may prompt you to enter a justification or length of access. Once the request is approved, you’ll be able to access the entitlement.

Drop an entitlement

The drop command revokes a specific entitlement using its alias: 
cone drop ${entitlement_alias}
For example: 
cone drop aws-prod-admin
If you currently have access to this entitlement, cone will create a revocation request in the C1 and, following any required review, deprovision the access. If you don’t have acccess to the entitlement, cone will exit successfully (exit status 0).

Use Cone with AWS SSO

If your organization uses AWS IAM Identity Center, Cone can request and retrieve AWS credentials directly from the AWS CLI. See Use Cone with AWS SSO for setup instructions.

Supported operating systems

C1 provides cone binaries for popular operating systems including macOS, Windows, and Linux on the x86 and ARM platforms. If your platform is not listed, please contact us or build from source.

Install Cone

To install cone, use one of the following two methods: 
brew install conductorone/cone/cone

Authorize Cone

To authorize cone:
1
Run cone login <tenant-name or tenant-url>, passing in the name (such as example.conductor.one) or URL (such as https://example.conductor.one) of your C1 instance.
2
A new browser window opens with an authorization message and code. Review the authorization code against the code shown in your terminal and click Authorize. Once you see the Cone has been authorized message, it’s safe to close this browser tab.
3
Cone generates an API key for you, and then creates a config file at $HOME/<user name>/.conductorone/config.yaml to store and access your credentials and user-specific data.
That’s it! You’re ready to start using cone. Check out the Cone command reference for an overview of all available commands, subcommands, and flags.

View and manage your API key

If needed, you can view your API key and its client-id. Go to your username in the C1 app and click API keys. You’ll see an API key named “Created by Cone”. On the API keys page, you can also generate a new API key for yourself, with the option of limiting its duration, source IPs, and scope. Go to Create a personal API key for instructions.

Working with the configuration file

The configuration file generated by cone during the authorization process file is in YAML format and is primarily used for storing profile details. Here’s an example configuration file: 
profiles:
  default:
    client-id: <Your-Client-ID-Goes-Here>
    client-secret: <Your-Client-Secret-Goes-Here>
You can add multiple profiles to the configuration file by adding another key to the profiles map, and cone will use this profile when the $CONE_PROFILE environment variable or --profile command line flag are passed to the tool.