Skip to main content
Manage access policies For a detailed overview, please visit the policy’s reference page.
cpln policy [SUBCOMMAND]
Commands:
  cpln policy access-report <ref>   Show the access report for the referenced policy
  cpln policy add-binding <ref>     Bind one or more permissions to the referenced policy and associate it with one or more users / service accounts / groups / identities
  cpln policy audit [ref]           Retrieve audit trail events for the referenced policy
  cpln policy clone <ref>           Clone a policy  [aliases: copy]
  cpln policy create                Create a new policy
  cpln policy delete <ref...>       Delete one or more referenced policies
  cpln policy edit <ref>            Edit the referenced policy, as YAML, within an editor
  cpln policy eventlog <ref>        Show the event log of the referenced policy  [aliases: log]
  cpln policy get [ref...]          Retrieve one or more referenced policies
  cpln policy patch <ref>           Update the referenced policy's metadata using an input file
  cpln policy permissions           Show the grantable permissions for a policy object type
  cpln policy query                 Find all the policies based on the given query
  cpln policy remove-binding <ref>  Remove the bindings of one or more permissions from the referenced policy and disassociate it from one or more users / service accounts / groups / identities
  cpln policy tag <ref...>          Manage the tags belonging to one or more referenced policies
  cpln policy update <ref>          Update properties of the referenced policy

Options:
  --help  Show help  [boolean]

policy access-report

Show the access report for the referenced policy Usage
cpln policy access-report <ref> [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy access-report demo-policy --org demo-cpln-organization
+-----------+--------------------------------------------------------+--------+
|PERMISSION |PRINCIPAL                                               |GRANTED |
|-----------|--------------------------------------------------------|--------|
|create     |/org/demo-cpln-organization/group/superusers            |manage  |
|create     |/org/demo-cpln-organization/serviceaccount/controlplane |manage  |
|delete     |/org/demo-cpln-organization/group/superusers            |manage  |
|delete     |/org/demo-cpln-organization/serviceaccount/controlplane |manage  |
|edit       |/org/demo-cpln-organization/group/superusers            |manage  |
|edit       |/org/demo-cpln-organization/serviceaccount/controlplane |manage  |
|manage     |/org/demo-cpln-organization/group/superusers            |manage  |
|manage     |/org/demo-cpln-organization/serviceaccount/controlplane |manage  |
|view       |/org/demo-cpln-organization/group/viewers               |view    |
|view       |/org/demo-cpln-organization/group/superusers            |manage  |
|view       |/org/demo-cpln-organization/serviceaccount/controlplane |manage  |
+-----------+--------------------------------------------------------+--------+

policy add-binding

Bind one or more permissions to the referenced policy and associate it with one or more users / service accounts / groups / identities Usage
cpln policy add-binding <ref> --permission PERMISSION_NAME COMMAND_OPTIONS [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Command options:
  --email           User email to add permission
  --serviceaccount  Service account name to add permission
  --group           Group name to add permission
  --identity        Identity name OR link to add permission
  --permission      Permission to add  [required]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
  --gvc      Override the global virtual cloud. The default global virtual cloud can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
  • Bind the view permission to the referenced policy named `demo-policy-add-binding` and associate it with the built-in controlplane service account
cpln policy add-binding demo-policy --permission view --serviceaccount controlplane --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+

policy audit

Retrieve audit trail events for the referenced policy Usage
cpln policy audit [ref] [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.

Command options:
  --subject  Filter by subject (serviceaccount name or user email)  [string]
  --context  Audit context name (the 'cpln' context displays Control Plane actions)  [string] [default: "cpln"]
  --since    Relative lookback window from now (e.g., 1h, 24h, 7d). Mutually exclusive with --from/--to  [string] [default: "7d"]
  --from     Start time for audit events (ISO 8601 format or relative duration, e.g., 2025-10-23T07:00:00Z, 7d, 1h). Cannot be used with --since  [string]
  --to       End time for audit events (ISO 8601 format or relative duration, e.g., 2025-10-23T07:00:00Z, 1d, 30m)  [string]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference

policy clone

Clone a policy Usage
cpln policy clone <ref> --name CLONE_NAME [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Command options:
  --name         Set the name for the clone  [required]
  --description  Optional description, defaults to the name if not set
  --tag          Attach tags (e.g., --tag drink=water)

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy clone demo-policy --name demo-policy-clone --org demo-cpln-organization
+------------------+---------------------+--------+------------+--------+--------+--------------+
|NAME              |DESCRIPTION          |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------------|---------------------|--------|------------|--------|--------|--------------|
|demo-policy-clone |Clone of demo-policy |Now     |org         |all     |default |drink="water" |
+------------------+---------------------+--------+------------+--------+--------+--------------+

policy create

Create a new policy Usage
cpln policy create --name POLICY_NAME --target-kind TARGET [OPTIONS]
Command options:
  --name                 Name of the new policy, type - to generate a valid name  [required]
  --description, --desc  Optional description, defaults to the name if not set
  --target-kind          Select a target kind for this policy  [required] [choices: "account", "agent", "auditctx", "cloudaccount", "domain", "dbcluster", "group", "gvc", "identity", "image", "location", "memcachecluster", "org", "policy", "quota", "secret", "serviceaccount", "spicedbcluster", "task", "user", "volumeset", "workload"]
  --all                  Apply policy to all instances of the kind  [boolean]
  --resource             Enumerate resource names to add to the policy
  --tag                  Attach tags (e.g., --tag drink=water)

Query spec options:
  --query-match     Query filter type  [choices: "all", "none", "any"] [default: "all"]
  --query-property  Property to query
  --query-tag       Tag to query
  --query-rel       Relation to query

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy create --name demo-policy --target-kind org --all --desc demo-policy --tag drink=water --org demo-cpln-organization
+------------+------------+--------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------|------------|--------|--------|--------------|
|demo-policy |demo-policy |Now     |org         |all     |default |drink="water" |
+------------+------------+--------+------------+--------+--------+--------------+

policy delete

Delete one or more referenced policies Usage
cpln policy delete <ref...> [OPTIONS]
Deleting a policy will remove all associated resources (targets, bindings, etc.)
Positionals:
  ref  One or more resource references. Usually it is the name of the resource.  [array] [required] [default: []]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy delete demo-policy --org demo-cpln-organization
If the delete was successful, a new command prompt will be shown.

policy edit

Edit the referenced policy, as YAML, within an editor Usage
cpln policy edit <ref> [OPTIONS]
The default editor can be set by using the EDITOR environment variable.
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Command options:
  --replace, -r  Replace instead of patch/merge  [boolean] [default: false]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy edit demo-policy --org demo-cpln-organization
Your default editor will be launched.

Once any modifications are saved, the updates will be sent to the API.

policy eventlog

Show the event log of the referenced policy Usage
cpln policy eventlog <ref> [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy eventlog demo-policy --org demo-cpln-organization
The event log for the referenced policy will be shown.

policy get

Retrieve one or more referenced policies Usage
cpln policy get [ref...] [OPTIONS]
An empty reference will return all references
Positionals:
  ref  One or more resource references. Usually it is the name of the resource.  [array] [default: []]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
  • Get all policies
cpln policy get --org demo-cpln-organization
+---------------------------+-----------------------------------------+--------------+----------------+--------+--------+--------------+
|NAME                       |DESCRIPTION                              |CREATED       |TARGET KIND     |MATCHES |ORIGIN  |TAGS          |
|---------------------------|-----------------------------------------|--------------|----------------|--------|--------|--------------|
|demo-policy                |demo-policy                              |7 minutes ago |org             |all     |default |drink="water" |
|demo-policy-get-1          |demo-policy-get-1                        |Now           |org             |all     |default |              |
|demo-policy-get-2          |demo-policy-get-2                        |Now           |org             |all     |default |              |
|superusers-agent           |Built-in policy granting full access ... |5 years ago   |agent           |all     |builtin |              |
|superusers-auditctx        |Built-in policy granting full access ... |5 years ago   |auditctx        |all     |builtin |              |
|superusers-cloudaccount    |Built-in policy granting full access ... |5 years ago   |cloudaccount    |all     |builtin |              |
|superusers-domain          |Built-in policy granting full access ... |5 years ago   |domain          |all     |builtin |              |
|superusers-group           |Built-in policy granting full access ... |5 years ago   |group           |all     |builtin |              |
|superusers-gvc             |Built-in policy granting full access ... |5 years ago   |gvc             |all     |builtin |              |
|superusers-identity        |Built-in policy granting full access ... |5 years ago   |identity        |all     |builtin |              |
|superusers-image           |Built-in policy granting full access ... |5 years ago   |image           |all     |builtin |              |
|superusers-ipset           |Built-in policy granting full access ... |1 year ago    |ipset           |all     |builtin |              |
|superusers-location        |Built-in policy granting full access ... |5 years ago   |location        |all     |builtin |              |
|superusers-memcachecluster |Built-in policy granting full access ... |3 years ago   |memcachecluster |all     |builtin |              |
|superusers-mk8s            |Built-in policy granting full access ... |3 years ago   |mk8s            |all     |builtin |              |
|superusers-org             |Built-in policy granting full access ... |5 years ago   |org             |all     |builtin |              |
|superusers-policy          |Built-in policy granting full access ... |5 years ago   |policy          |all     |builtin |              |
|superusers-quota           |Built-in policy granting full access ... |5 years ago   |quota           |all     |builtin |              |
|superusers-secret          |Built-in policy granting full access ... |5 years ago   |secret          |all     |builtin |              |
|superusers-serviceaccount  |Built-in policy granting full access ... |5 years ago   |serviceaccount  |all     |builtin |              |
|superusers-spicedbcluster  |Built-in policy granting full access ... |2 years ago   |spicedbcluster  |all     |builtin |              |
|superusers-task            |Built-in policy granting full access ... |5 years ago   |task            |all     |builtin |              |
|superusers-user            |Built-in policy granting full access ... |5 years ago   |user            |all     |builtin |              |
|superusers-volumeset       |Built-in policy granting full access ... |3 years ago   |volumeset       |all     |builtin |              |
|superusers-workload        |Built-in policy granting full access ... |5 years ago   |workload        |all     |builtin |              |
|viewers-agent              |Built-in policy granting read-only ac... |5 years ago   |agent           |all     |builtin |              |
|viewers-auditctx           |Built-in policy granting read-only ac... |5 years ago   |auditctx        |all     |builtin |              |
|viewers-cloudaccount       |Built-in policy granting read-only ac... |5 years ago   |cloudaccount    |all     |builtin |              |
|viewers-domain             |Built-in policy granting read-only ac... |5 years ago   |domain          |all     |builtin |              |
|viewers-group              |Built-in policy granting read-only ac... |5 years ago   |group           |all     |builtin |              |
|viewers-gvc                |Built-in policy granting read-only ac... |5 years ago   |gvc             |all     |builtin |              |
|viewers-identity           |Built-in policy granting read-only ac... |5 years ago   |identity        |all     |builtin |              |
|viewers-image              |Built-in policy granting read-only ac... |5 years ago   |image           |all     |builtin |              |
|viewers-ipset              |Built-in policy granting read-only ac... |1 year ago    |ipset           |all     |builtin |              |
|viewers-location           |Built-in policy granting read-only ac... |5 years ago   |location        |all     |builtin |              |
|viewers-memcachecluster    |Built-in policy granting read-only ac... |3 years ago   |memcachecluster |all     |builtin |              |
|viewers-mk8s               |Built-in policy granting read-only ac... |3 years ago   |mk8s            |all     |builtin |              |
|viewers-policy             |Built-in policy granting read-only ac... |5 years ago   |policy          |all     |builtin |              |
|viewers-quota              |Built-in policy granting read-only ac... |5 years ago   |quota           |all     |builtin |              |
|viewers-secret             |Built-in policy granting read-only ac... |5 years ago   |secret          |all     |builtin |              |
|viewers-serviceaccount     |Built-in policy granting read-only ac... |5 years ago   |serviceaccount  |all     |builtin |              |
|viewers-spicedbcluster     |Built-in policy granting read-only ac... |2 years ago   |spicedbcluster  |all     |builtin |              |
|viewers-task               |Built-in policy granting read-only ac... |5 years ago   |task            |all     |builtin |              |
|viewers-user               |Built-in policy granting read-only ac... |5 years ago   |user            |all     |builtin |              |
|viewers-volumeset          |Built-in policy granting read-only ac... |3 years ago   |volumeset       |all     |builtin |              |
|viewers-workload           |Built-in policy granting read-only ac... |5 years ago   |workload        |all     |builtin |              |
+---------------------------+-----------------------------------------+--------------+----------------+--------+--------+--------------+
  • Get one policy
cpln policy get demo-policy-get-1 --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-get-1 |demo-policy-get-1 |Now     |org         |all     |default |     |
+------------------+------------------+--------+------------+--------+--------+-----+
  • Get multiple policies
cpln policy get demo-policy-get-1 demo-policy-get-2 --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-get-1 |demo-policy-get-1 |Now     |org         |all     |default |     |
|demo-policy-get-2 |demo-policy-get-2 |Now     |org         |all     |default |     |
+------------------+------------------+--------+------------+--------+--------+-----+

policy patch

Update the referenced policy’s metadata using an input file Usage
cpln policy patch <ref> --file FILE_NAME [OPTIONS]
Running this command with the option --file - sets the input to stdin. The input is required to be a valid JSON or YAML string (e.g., {"description": "My new description"} or description: My new description). To complete the update, press Control-D (or Control-Z if you are using Windows).
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Command options:
  --file, -f  File to load the patch from. Use `--file -` to enable input from stdin.  [required]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy patch demo-policy --file update.json --org demo-cpln-organization
The changes within the JSON file will be performed against the referenced policy.

policy permissions

Show the grantable permissions for a policy object type Usage
cpln policy permissions [OPTIONS]
Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
cpln policy permissions --org demo-cpln-organization
+-------+-------------------------+-----------------------------------+
|NAME   |DESCRIPTION              |IMPLIES                            |
|-------|-------------------------|-----------------------------------|
|create |Create new policies      |                                   |
|delete |Delete existing policies |                                   |
|edit   |Modify existing policies |view                               |
|manage |Full access              |create, delete, edit, manage, view |
|view   |Read-only view           |                                   |
+-------+-------------------------+-----------------------------------+

policy query

Find all the policies based on the given query Usage
cpln policy query QUERY_OPTIONS [OPTIONS]
Query options:
  --match             Query filter type  [choices: "all", "none", "any"] [default: "all"]
  --property, --prop  Property to query
  --tag               Tag to query
  --rel               Relation to query

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
Use the --match option to display all, none, or any of the results based on a given property or tag
  • Search for a policy based on the name property
cpln policy query --match any --prop name=demo-policy --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
  • Search for a policy based on the description property
cpln policy query --match any --prop description="demo-policy" --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
  • Search for a policy based on a tag
cpln policy query --match any --tag drink=water --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
  • Search for a policy based on a property and tag
cpln policy query --match any --prop description="demo-policy" --tag drink=water --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+

policy remove-binding

Remove the bindings of one or more permissions from the referenced policy and disassociate it from one or more users / service accounts / groups / identities Usage
cpln policy remove-binding <ref> --permission PERMISSION_NAME COMMAND_OPTIONS [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Command options:
  --email           User email to remove permission
  --serviceaccount  Service account name to remove permission
  --group           Group name to remove permission
  --identity        Identity name OR link to remove permission
  --permission      Permission to remove  [required]

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
  --gvc      Override the global virtual cloud. The default global virtual cloud can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
  • Remove the binding of the view permission from the policy named demo-policy and disassociate it with the built-in controlplane service account.
cpln policy remove-binding demo-policy --permission manage --serviceaccount controlplane --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org         |all     |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+

policy tag

Manage the tags belonging to one or more referenced policies Usage
cpln policy tag <ref...> --tag KEY=VALUE [OPTIONS]
Built-in tags, which begin with cpln/*, can’t be modified.
Positionals:
  ref  One or more resource references. Usually it is the name of the resource.  [array] [required] [default: []]

Command options:
  --tag         Attach tags (e.g., --tag drink=water)
  --remove-tag  Remove tags (e.g., --remove-tag tagname)

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
  • Add a tag to a policy
cpln policy tag demo-policy-tag-1 --tag drink=water --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+--------------+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------------|------------------|--------|------------|--------|--------|--------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |drink="water" |
+------------------+------------------+--------+------------+--------+--------+--------------+
  • Update same tag (after running the example above)
cpln policy tag demo-policy-tag-1 --tag drink=coffee --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+---------------+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS           |
|------------------|------------------|--------|------------|--------|--------|---------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |drink="coffee" |
+------------------+------------------+--------+------------+--------+--------+---------------+
  • Remove tag (after running the example above)
cpln policy tag demo-policy-tag-1 --remove drink --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |     |
+------------------+------------------+--------+------------+--------+--------+-----+
  • Add same tag to multiple policies
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --tag multiple-policies=true --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-------------------------+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS                     |
|------------------|------------------|--------|------------|--------|--------|-------------------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |multiple-policies="true" |
|demo-policy-tag-2 |demo-policy-tag-2 |Now     |org         |all     |default |multiple-policies="true" |
+------------------+------------------+--------+------------+--------+--------+-------------------------+
  • Update same tag on multiple policies (after running the example above)
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --tag multiple-policies=demo-policy --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+--------------------------------+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS                            |
|------------------|------------------|--------|------------|--------|--------|--------------------------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |multiple-policies="demo-policy" |
|demo-policy-tag-2 |demo-policy-tag-2 |Now     |org         |all     |default |multiple-policies="demo-policy" |
+------------------+------------------+--------+------------+--------+--------+--------------------------------+
  • Remove same tag from multiple policies (after running the example above)
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --remove multiple-policies --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME              |DESCRIPTION       |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-tag-1 |demo-policy-tag-1 |Now     |org         |all     |default |     |
|demo-policy-tag-2 |demo-policy-tag-2 |Now     |org         |all     |default |     |
+------------------+------------------+--------+------------+--------+--------+-----+

policy update

Update properties of the referenced policy Usage
cpln policy update <ref> --set UPDATE_PROPERTY [OPTIONS]
Positionals:
  ref  The resource reference. Usually it is the name of the resource.  [required]

Update Properties:
  --set    Update the following properties (e.g., --set description="Updated Description"):

           description    string
           tags.<key>     string
           targetLinks    string[]
           target         { 'all' }

           Arrays can be appended to, replaced, or removed using the `+=`, `=`, or `-=` operators, respectively.
  --unset  Unset a property (same paths as --set, e.g., --unset description)

Context options:
  --profile  Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
  --org      Override the organization. The default organization can be set in your profile by using the `cpln profile update` command

Format options:
  --output, -o  Set the output format  [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
  --color       Colorize the output  [boolean] [default: true]
  --ts          Timestamp format if the output format is text (e.g., --output=text)  [choices: "iso", "local", "age"]
  --max         Maximum number of records to show. A value less than 1 will return all records.  [number] [default: 50]

Request options:
  --token         Override the authorization token
  --endpoint      Override the API URL
  --insecure, -k  Ignore TLS errors  [boolean]

Debug options:
  --verbose, -v  Enable verbose output to stderr  [boolean] [default: false]
  --debug, -d    Show all HTTP communications  [boolean] [default: false]

Options:
  --help  Show help  [boolean]
Common Options Reference
  • The --set option allows the modification of the following policy properties:
    • description
      • Description of the policy
      • Type: string
    • tags
      • Tags (key=value) associated with the policy
      • Type: string
    • targetLinks
      • Array of target links belonging to the policy
      • Type: string
    • target
      • The target of the policy
      • Type: string
      • Allowed values: ‘all’
  • For the examples below, the initial policy is configured as:
+------------+------------+--------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|------------|--------|------------|--------|--------|--------------|
|demo-policy |demo-policy |Now     |org         |all     |default |drink="water" |
+------------+------------+--------+------------+--------+--------+--------------+
  • Update a policy’s description
cpln policy update demo-policy --set description="new description" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+--------------+
|NAME        |DESCRIPTION     |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS          |
|------------|----------------|--------------|------------|--------|--------|--------------|
|demo-policy |new description |8 minutes ago |org         |all     |default |drink="water" |
+------------+----------------+--------------+------------+--------+--------+--------------+
  • Update a policy’s tags
cpln policy update demo-policy --set tags.demo-key=demo-value --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME        |DESCRIPTION     |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS                  |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org         |all     |default |demo-key="demo-value" |
|            |                |              |            |        |        |drink="water"         |
+------------+----------------+--------------+------------+--------+--------+----------------------+
  • Add to a policy’s target links.
cpln policy update demo-policy --set targetLinks+="/org/demo-cpln-organization/gvc/demo-gvc-policy" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME        |DESCRIPTION     |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS                  |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org         |all     |default |demo-key="demo-value" |
|            |                |              |            |        |        |drink="water"         |
+------------+----------------+--------------+------------+--------+--------+----------------------+
  • Remove from a policy’s target links.
cpln policy update demo-policy --set targetLinks-="/org/demo-cpln-organization/gvc/demo-gvc-policy" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME        |DESCRIPTION     |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS                  |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org         |all     |default |demo-key="demo-value" |
|            |                |              |            |        |        |drink="water"         |
+------------+----------------+--------------+------------+--------+--------+----------------------+
  • Update a policy’s target to all
cpln policy update demo-policy --set target=all --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME        |DESCRIPTION     |CREATED       |TARGET KIND |MATCHES |ORIGIN  |TAGS                  |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org         |all     |default |demo-key="demo-value" |
|            |                |              |            |        |        |drink="water"         |
+------------+----------------+--------------+------------+--------+--------+----------------------+