Policy stores: CLI upload (binary)
Installation
cerbosctl binaries are available for multiple operating systems and architectures. See the releases page for all available downloads.
| OS | Arch | Bundle | 
|---|---|---|
| Linux | x86-64 | 
 | 
| Linux | arm64 | 
 | 
| MacOS | universal | 
 | 
| MacOS | x86-64 | 
 | 
| MacOS | arm64 | 
 | 
You can download the binaries by running the following command. Substitute <BUNDLE> with the appropriate value from the above table.
curl -L -o cerbosctl.tar.gz "https://github.com/cerbos/cerbos/releases/download/v0.45.1/<BUNDLE>"
tar xvf cerbosctl.tar.gz
chmod +x cerbosctl
mv cerbosctl /usr/local/bin/ # or somewhere on your PATH| Cerbos binaries are signed using sigstore tools during the automated build process and the verification bundle is published along with the binary as  The following example demonstrates how to verify the Linux X86_64 bundle archive. sh | 
Usage
The cerbosctl CLI tool can be used to upload policies to a policy store in Cerbos Hub.
First generate a set of client credentials for the policy store in Cerbos Hub - you can do this in the Client credentials section in the UI. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.
Then export the following environment variables with the values from the generated client credentials and the store ID:
export CERBOS_HUB_CLIENT_ID=...
export CERBOS_HUB_CLIENT_SECRET=...
export CERBOS_HUB_STORE_ID=...The following command uploads policy files from the current directory and replaces all the files in the store.
cerbosctl hub store replace-files .Full CLI Reference
Usage: cerbosctl hub store --store-id=STRING --client-id=STRING --client-secret=STRING <command> [flags]
Interact with Cerbos Hub managed stores.
Requires an existing managed store and the API credentials to access it. The store ID and credentials can be provided using either command-line flags or
environment variables.
Flags:
  -h, --help                    Show context-sensitive help.
      --store-id=STRING         ID of the store to operate on ($CERBOS_HUB_STORE_ID)
      --client-id=STRING        Client ID of the access credential ($CERBOS_HUB_CLIENT_ID)
      --client-secret=STRING    Client secret of the access credential ($CERBOS_HUB_CLIENT_SECRET)
Commands:
  hub store list-files --store-id=STRING --client-id=STRING --client-secret=STRING [flags]
    List store files
  hub store get-files --store-id=STRING --client-id=STRING --client-secret=STRING --output-path=STRING <files> ... [flags]
    Download files from the store
  hub store download --store-id=STRING --client-id=STRING --client-secret=STRING <output-path> [flags]
    Download the entire store
  hub store replace-files --store-id=STRING --client-id=STRING --client-secret=STRING <path> [flags]
    Overwrite the store with the given set of files
  hub store add-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
    Add files to the store
  hub store delete-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
    Delete files from the store