Policy stores: CLI upload (Homebrew)

Installation

cerbosctl binaries are available via Homebrew for simple installation on macOS. To install the cerbosctl CLI tool, run the following command:

brew tap cerbos/tap
brew install cerbos

Usage

The cerbosctl CLI tool can be used to upload policies to a policy store in Cerbos Hub.

First, generate a set of client credentials for the policy store in Cerbos Hub; you can do this in the Client credentials section of the UI. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.

Then export the following environment variables with the values from the generated client credentials and the store ID:

export CERBOS_HUB_CLIENT_ID=...
export CERBOS_HUB_CLIENT_SECRET=...
export CERBOS_HUB_STORE_ID=...

The following command uploads policy files from the current directory and replaces all the files in the store.

cerbosctl hub store replace-files .
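A guarded version of the upload step above, added here as an example (not Cerbos's own code): it checks the three variables, takes a rollback copy with `hub store download`, and only then runs `replace-files`. The function names `check_hub_env` and `safe_replace`, the `store-backups` directory, and passing a directory as the download output path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the Cerbos documentation.
# check_hub_env, safe_replace and ./store-backups are names assumed here.

# Succeed only if the three variables from this page are set and non-empty.
# Reading credentials from the environment keeps the client secret out of
# the argument list that --client-secret would expose to `ps`.
check_hub_env() (
  missing=0
  for name in CERBOS_HUB_CLIENT_ID CERBOS_HUB_CLIENT_SECRET CERBOS_HUB_STORE_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing environment variable: $name" >&2
      missing=1
    fi
  done
  exit "$missing"
)

# Usage: safe_replace <policy-dir> [backup-root]
# replace-files overwrites the whole store, so first download the current
# contents as a rollback copy and stop if that download fails.
safe_replace() (
  policy_dir=$1
  backup_root=${2:-./store-backups}
  [ -d "$policy_dir" ] || { echo "not a directory: $policy_dir" >&2; exit 2; }
  check_hub_env || exit 3
  backup_dir="$backup_root/$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$backup_dir" || exit 4
  chmod 700 "$backup_root" "$backup_dir"   # policies may be sensitive
  # Assumption: <output-path> may be a directory.
  if ! cerbosctl hub store download "$backup_dir"; then
    echo "backup failed; store left unchanged" >&2
    exit 5
  fi
  cerbosctl hub store replace-files "$policy_dir"
)
```

After exporting the three variables, source the file and call `safe_replace .` from the policy directory.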

Full CLI Reference

Usage: cerbosctl hub store --store-id=STRING --client-id=STRING --client-secret=STRING <command> [flags]

Interact with Cerbos Hub managed stores.

Requires an existing managed store and the API credentials to access it. The store ID and credentials can be provided using either command-line flags or
environment variables.

Flags:
  -h, --help                    Show context-sensitive help.

      --store-id=STRING         ID of the store to operate on ($CERBOS_HUB_STORE_ID)
      --client-id=STRING        Client ID of the access credential ($CERBOS_HUB_CLIENT_ID)
      --client-secret=STRING    Client secret of the access credential ($CERBOS_HUB_CLIENT_SECRET)

Commands:
  hub store list-files --store-id=STRING --client-id=STRING --client-secret=STRING [flags]
    List store files

  hub store get-files --store-id=STRING --client-id=STRING --client-secret=STRING --output-path=STRING <files> ... [flags]
    Download files from the store

  hub store download --store-id=STRING --client-id=STRING --client-secret=STRING <output-path> [flags]
    Download the entire store

  hub store replace-files --store-id=STRING --client-id=STRING --client-secret=STRING <path> [flags]
    Overwrite the store with the given set of files

  hub store add-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
    Add files to the store

  hub store delete-files --store-id=STRING --client-id=STRING --client-secret=STRING <paths> ... [flags]
    Delete files from the store