Policy stores: CLI upload (binary)
Installation
cerbosctl binaries are available for multiple operating systems and architectures. See the releases page for all available downloads.
OS | Arch | Bundle |
---|---|---|
Linux | x86-64 | |
Linux | arm64 | |
MacOS | universal | |
MacOS | x86-64 | |
MacOS | arm64 | |
You can download the binaries by running the following command. Substitute <BUNDLE> with the appropriate value from the above table.
curl -L -o cerbosctl.tar.gz "https://github.com/cerbos/cerbos/releases/download/v0.45.1/<BUNDLE>"
tar xvf cerbosctl.tar.gz
chmod +x cerbosctl
mv cerbosctl /usr/local/bin/ # or somewhere on your PATH
Cerbos binaries are signed using sigstore tools during the automated build process and the verification bundle is published along with the binary as The following example demonstrates how to verify the Linux X86_64 bundle archive.
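One way to gate installation on the sigstore check, as an added example rather than the Cerbos project's own commands. It assumes cosign is installed; the archive name, verification bundle name, signer identity and OIDC issuer are placeholders to be taken from the release you downloaded, and `verify_and_extract` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: unpack cerbosctl only if its sigstore bundle verifies.
# Placeholders (not from the page): signer identity, OIDC issuer and the
# verification bundle file name must come from the Cerbos release itself.

COSIGN="${COSIGN:-cosign}"   # overridable so the gate can be exercised offline

# verify_and_extract ARCHIVE BUNDLE IDENTITY ISSUER DEST
# Returns 0 and extracts into DEST only when cosign accepts the signature.
# Returns 2 when an input file is missing, 1 when verification fails.
verify_and_extract() {
    archive=$1 bundle=$2 identity=$3 issuer=$4 dest=$5

    # Both the archive and its verification bundle must be present.
    [ -s "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -s "$bundle" ]  || { echo "missing bundle: $bundle" >&2; return 2; }

    # Pin who signed (identity) and which OIDC issuer vouched for them;
    # a valid signature from any other identity must not pass.
    if ! "$COSIGN" verify-blob \
            --bundle "$bundle" \
            --certificate-identity "$identity" \
            --certificate-oidc-issuer "$issuer" \
            "$archive" >&2; then
        echo "signature verification FAILED, not extracting $archive" >&2
        return 1
    fi

    # Extract only the expected binary rather than every archive entry.
    mkdir -p "$dest" &&
    tar -xzf "$archive" -C "$dest" cerbosctl &&
    chmod 0755 "$dest/cerbosctl"
}

# Usage (placeholder values):
#   verify_and_extract "<BUNDLE>" "<BUNDLE_SIGNATURE_FILE>" \
#       "<SIGNER_IDENTITY>" "<OIDC_ISSUER>" "$HOME/.local/bin"
```

Run the verification before `tar` ever touches the archive, and treat a non-zero return as a reason to discard the download.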
Usage
The cerbosctl CLI tool can be used to upload policies to a policy store in Cerbos Hub.
First, generate a set of client credentials for the policy store in Cerbos Hub. You can do this in the Client credentials section in the UI. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.
Then export the following environment variables with the values from the generated client credentials and the store ID:
export CERBOS_HUB_CLIENT_ID=...
export CERBOS_HUB_CLIENT_SECRET=...
export CERBOS_HUB_STORE_ID=...
The following command uploads policy files from the current directory and replaces all the files in the store.
cerbosctl hub store replace-files .
Full CLI Reference
Usage: cerbosctl hub store --store-id=STRING --client-id=STRING --client-secret=STRING <command> [flags]
Interact with Cerbos Hub managed stores.
Requires an existing managed store and the API credentials to access it. The store ID and credentials can be provided using either command-line flags or
environment variables.
Flags:
-h, --help Show context-sensitive help.
--store-id=STRING ID of the store to operate on ($CERBOS_HUB_STORE_ID)
--client-id=STRING Client ID of the access credential ($CERBOS_HUB_CLIENT_ID)
--client-secret=STRING Client secret of the access credential ($CERBOS_HUB_CLIENT_SECRET)
Commands:
hub store list-files --store-id=STRING --client-id=STRING --client-secret=STRING [flags]
List store files
hub store get-files --store-id=STRING --client-id=STRING --client-secret=STRING --output-path=STRING <files> ... [flags]
Download files from the store
hub store download --store-id=STRING --client-id=STRING --client-secret=STRING <output-path> [flags]
Download the entire store
hub store replace-files --store-id=STRING --client-id=STRING --client-secret=STRING <path> [flags]
Overwrite the store with the given set of files
hub store add-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
Add files to the store
hub store delete-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
Delete files from the store