cpln policy [SUBCOMMAND]
Commands:
cpln policy access-report <ref> Show the access report for the referenced policy
cpln policy add-binding <ref> Bind one or more permissions to the referenced policy and associate it with one or more users / service accounts / groups / identities
cpln policy audit [ref] Retrieve audit trail events for the referenced policy
cpln policy clone <ref> Clone a policy [aliases: copy]
cpln policy create Create a new policy
cpln policy delete <ref...> Delete one or more referenced policies
cpln policy edit <ref> Edit the referenced policy, as YAML, within an editor
cpln policy eventlog <ref> Show the event log of the referenced policy [aliases: log]
cpln policy get [ref...] Retrieve one or more referenced policies
cpln policy patch <ref> Update the referenced policy's metadata using an input file
cpln policy permissions Show the grantable permissions for a policy object type
cpln policy query Find all the policies based on the given query
cpln policy remove-binding <ref> Remove the bindings of one or more permissions from the referenced policy and disassociate it from one or more users / service accounts / groups / identities
cpln policy tag <ref...> Manage the tags belonging to one or more referenced policies
cpln policy update <ref> Update properties of the referenced policy
Options:
--help Show help [boolean]
policy access-report
Show the access report for the referenced policy Usagecpln policy access-report <ref> [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy access-report demo-policy --org demo-cpln-organization
+-----------+--------------------------------------------------------+--------+
|PERMISSION |PRINCIPAL |GRANTED |
|-----------|--------------------------------------------------------|--------|
|create |/org/demo-cpln-organization/group/superusers |manage |
|create |/org/demo-cpln-organization/serviceaccount/controlplane |manage |
|delete |/org/demo-cpln-organization/group/superusers |manage |
|delete |/org/demo-cpln-organization/serviceaccount/controlplane |manage |
|edit |/org/demo-cpln-organization/group/superusers |manage |
|edit |/org/demo-cpln-organization/serviceaccount/controlplane |manage |
|manage |/org/demo-cpln-organization/group/superusers |manage |
|manage |/org/demo-cpln-organization/serviceaccount/controlplane |manage |
|view |/org/demo-cpln-organization/group/viewers |view |
|view |/org/demo-cpln-organization/group/superusers |manage |
|view |/org/demo-cpln-organization/serviceaccount/controlplane |manage |
+-----------+--------------------------------------------------------+--------+
policy add-binding
Bind one or more permissions to the referenced policy and associate it with one or more users / service accounts / groups / identities Usagecpln policy add-binding <ref> --permission PERMISSION_NAME COMMAND_OPTIONS [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Command options:
--email User email to add permission
--serviceaccount Service account name to add permission
--group Group name to add permission
--identity Identity name OR link to add permission
--permission Permission to add [required]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
--gvc Override the global virtual cloud. The default global virtual cloud can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
- Bind the view permission to the referenced policy named `demo-policy-add-binding` and associate it with the built-in controlplane service account
cpln policy add-binding demo-policy --permission view --serviceaccount controlplane --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
policy audit
Retrieve audit trail events for the referenced policy Usagecpln policy audit [ref] [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource.
Command options:
--subject Filter by subject (serviceaccount name or user email) [string]
--context Audit context name (the 'cpln' context displays Control Plane actions) [string] [default: "cpln"]
--since Relative lookback window from now (e.g., 1h, 24h, 7d). Mutually exclusive with --from/--to [string] [default: "7d"]
--from Start time for audit events (ISO 8601 format or relative duration, e.g., 2025-10-23T07:00:00Z, 7d, 1h). Cannot be used with --since [string]
--to End time for audit events (ISO 8601 format or relative duration, e.g., 2025-10-23T07:00:00Z, 1d, 30m) [string]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
policy clone
Clone a policy Usagecpln policy clone <ref> --name CLONE_NAME [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Command options:
--name Set the name for the clone [required]
--description Optional description, defaults to the name if not set
--tag Attach tags (e.g., --tag drink=water)
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy clone demo-policy --name demo-policy-clone --org demo-cpln-organization
+------------------+---------------------+--------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|---------------------|--------|------------|--------|--------|--------------|
|demo-policy-clone |Clone of demo-policy |Now |org |all |default |drink="water" |
+------------------+---------------------+--------+------------+--------+--------+--------------+
policy create
Create a new policy Usagecpln policy create --name POLICY_NAME --target-kind TARGET [OPTIONS]
Reference
Reference
Command options:
--name Name of the new policy, type - to generate a valid name [required]
--description, --desc Optional description, defaults to the name if not set
--target-kind Select a target kind for this policy [required] [choices: "account", "agent", "auditctx", "cloudaccount", "domain", "dbcluster", "group", "gvc", "identity", "image", "location", "memcachecluster", "org", "policy", "quota", "secret", "serviceaccount", "spicedbcluster", "task", "user", "volumeset", "workload"]
--all Apply policy to all instances of the kind [boolean]
--resource Enumerate resource names to add to the policy
--tag Attach tags (e.g., --tag drink=water)
Query spec options:
--query-match Query filter type [choices: "all", "none", "any"] [default: "all"]
--query-property Property to query
--query-tag Tag to query
--query-rel Relation to query
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy create --name demo-policy --target-kind org --all --desc demo-policy --tag drink=water --org demo-cpln-organization
+------------+------------+--------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------|------------|--------|--------|--------------|
|demo-policy |demo-policy |Now |org |all |default |drink="water" |
+------------+------------+--------+------------+--------+--------+--------------+
policy delete
Delete one or more referenced policies Usagecpln policy delete <ref...> [OPTIONS]
Deleting a policy will remove all associated resources (targets, bindings, etc.)
Reference
Reference
Positionals:
ref One or more resource references. Usually it is the name of the resource. [array] [required] [default: []]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy delete demo-policy --org demo-cpln-organization
If the delete was successful, a new command prompt will be shown.
policy edit
Edit the referenced policy, as YAML, within an editor Usagecpln policy edit <ref> [OPTIONS]
The default editor can be set by using the EDITOR environment variable.
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Command options:
--replace, -r Replace instead of patch/merge [boolean] [default: false]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy edit demo-policy --org demo-cpln-organization
Your default editor will be launched.
Once any modifications are saved, the updates will be sent to the API.
policy eventlog
Show the event log of the referenced policy Usagecpln policy eventlog <ref> [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy eventlog demo-policy --org demo-cpln-organization
The event log for the referenced policy will be shown.
policy get
Retrieve one or more referenced policies Usagecpln policy get [ref...] [OPTIONS]
An empty reference will return all references
Reference
Reference
Positionals:
ref One or more resource references. Usually it is the name of the resource. [array] [default: []]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
- Get all policies
cpln policy get --org demo-cpln-organization
+---------------------------+-----------------------------------------+--------------+----------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|---------------------------|-----------------------------------------|--------------|----------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
|demo-policy-get-1 |demo-policy-get-1 |Now |org |all |default | |
|demo-policy-get-2 |demo-policy-get-2 |Now |org |all |default | |
|superusers-agent |Built-in policy granting full access ... |5 years ago |agent |all |builtin | |
|superusers-auditctx |Built-in policy granting full access ... |5 years ago |auditctx |all |builtin | |
|superusers-cloudaccount |Built-in policy granting full access ... |5 years ago |cloudaccount |all |builtin | |
|superusers-domain |Built-in policy granting full access ... |5 years ago |domain |all |builtin | |
|superusers-group |Built-in policy granting full access ... |5 years ago |group |all |builtin | |
|superusers-gvc |Built-in policy granting full access ... |5 years ago |gvc |all |builtin | |
|superusers-identity |Built-in policy granting full access ... |5 years ago |identity |all |builtin | |
|superusers-image |Built-in policy granting full access ... |5 years ago |image |all |builtin | |
|superusers-ipset |Built-in policy granting full access ... |1 year ago |ipset |all |builtin | |
|superusers-location |Built-in policy granting full access ... |5 years ago |location |all |builtin | |
|superusers-memcachecluster |Built-in policy granting full access ... |3 years ago |memcachecluster |all |builtin | |
|superusers-mk8s |Built-in policy granting full access ... |3 years ago |mk8s |all |builtin | |
|superusers-org |Built-in policy granting full access ... |5 years ago |org |all |builtin | |
|superusers-policy |Built-in policy granting full access ... |5 years ago |policy |all |builtin | |
|superusers-quota |Built-in policy granting full access ... |5 years ago |quota |all |builtin | |
|superusers-secret |Built-in policy granting full access ... |5 years ago |secret |all |builtin | |
|superusers-serviceaccount |Built-in policy granting full access ... |5 years ago |serviceaccount |all |builtin | |
|superusers-spicedbcluster |Built-in policy granting full access ... |2 years ago |spicedbcluster |all |builtin | |
|superusers-task |Built-in policy granting full access ... |5 years ago |task |all |builtin | |
|superusers-user |Built-in policy granting full access ... |5 years ago |user |all |builtin | |
|superusers-volumeset |Built-in policy granting full access ... |3 years ago |volumeset |all |builtin | |
|superusers-workload |Built-in policy granting full access ... |5 years ago |workload |all |builtin | |
|viewers-agent |Built-in policy granting read-only ac... |5 years ago |agent |all |builtin | |
|viewers-auditctx |Built-in policy granting read-only ac... |5 years ago |auditctx |all |builtin | |
|viewers-cloudaccount |Built-in policy granting read-only ac... |5 years ago |cloudaccount |all |builtin | |
|viewers-domain |Built-in policy granting read-only ac... |5 years ago |domain |all |builtin | |
|viewers-group |Built-in policy granting read-only ac... |5 years ago |group |all |builtin | |
|viewers-gvc |Built-in policy granting read-only ac... |5 years ago |gvc |all |builtin | |
|viewers-identity |Built-in policy granting read-only ac... |5 years ago |identity |all |builtin | |
|viewers-image |Built-in policy granting read-only ac... |5 years ago |image |all |builtin | |
|viewers-ipset |Built-in policy granting read-only ac... |1 year ago |ipset |all |builtin | |
|viewers-location |Built-in policy granting read-only ac... |5 years ago |location |all |builtin | |
|viewers-memcachecluster |Built-in policy granting read-only ac... |3 years ago |memcachecluster |all |builtin | |
|viewers-mk8s |Built-in policy granting read-only ac... |3 years ago |mk8s |all |builtin | |
|viewers-policy |Built-in policy granting read-only ac... |5 years ago |policy |all |builtin | |
|viewers-quota |Built-in policy granting read-only ac... |5 years ago |quota |all |builtin | |
|viewers-secret |Built-in policy granting read-only ac... |5 years ago |secret |all |builtin | |
|viewers-serviceaccount |Built-in policy granting read-only ac... |5 years ago |serviceaccount |all |builtin | |
|viewers-spicedbcluster |Built-in policy granting read-only ac... |2 years ago |spicedbcluster |all |builtin | |
|viewers-task |Built-in policy granting read-only ac... |5 years ago |task |all |builtin | |
|viewers-user |Built-in policy granting read-only ac... |5 years ago |user |all |builtin | |
|viewers-volumeset |Built-in policy granting read-only ac... |3 years ago |volumeset |all |builtin | |
|viewers-workload |Built-in policy granting read-only ac... |5 years ago |workload |all |builtin | |
+---------------------------+-----------------------------------------+--------------+----------------+--------+--------+--------------+
- Get one policy
cpln policy get demo-policy-get-1 --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-get-1 |demo-policy-get-1 |Now |org |all |default | |
+------------------+------------------+--------+------------+--------+--------+-----+
- Get multiple policies
cpln policy get demo-policy-get-1 demo-policy-get-2 --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-get-1 |demo-policy-get-1 |Now |org |all |default | |
|demo-policy-get-2 |demo-policy-get-2 |Now |org |all |default | |
+------------------+------------------+--------+------------+--------+--------+-----+
policy patch
Update the referenced policy’s metadata using an input file Usagecpln policy patch <ref> --file FILE_NAME [OPTIONS]
Running this command with the option
--file - sets the input to stdin. The input is required to be a valid JSON or YAML string (e.g., {"description": "My new description"} or description: My new description). To complete the update, press Control-D (or Control-Z if you are using Windows).Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Command options:
--file, -f File to load the patch from. Use `--file -` to enable input from stdin. [required]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy patch demo-policy --file update.json --org demo-cpln-organization
The changes within the JSON file will be performed against the referenced policy.
policy permissions
Show the grantable permissions for a policy object type Usagecpln policy permissions [OPTIONS]
Reference
Reference
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
cpln policy permissions --org demo-cpln-organization
+-------+-------------------------+-----------------------------------+
|NAME |DESCRIPTION |IMPLIES |
|-------|-------------------------|-----------------------------------|
|create |Create new policies | |
|delete |Delete existing policies | |
|edit |Modify existing policies |view |
|manage |Full access |create, delete, edit, manage, view |
|view |Read-only view | |
+-------+-------------------------+-----------------------------------+
policy query
Find all the policies based on the given query Usagecpln policy query QUERY_OPTIONS [OPTIONS]
Reference
Reference
Query options:
--match Query filter type [choices: "all", "none", "any"] [default: "all"]
--property, --prop Property to query
--tag Tag to query
--rel Relation to query
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
Use the
--match option to display all, none, or any of the results based on a given property or tag- Search for a policy based on the name property
cpln policy query --match any --prop name=demo-policy --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
- Search for a policy based on the description property
cpln policy query --match any --prop description="demo-policy" --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
- Search for a policy based on a tag
cpln policy query --match any --tag drink=water --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
- Search for a policy based on a property and tag
cpln policy query --match any --prop description="demo-policy" --tag drink=water --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
policy remove-binding
Remove the bindings of one or more permissions from the referenced policy and disassociate it from one or more users / service accounts / groups / identities Usagecpln policy remove-binding <ref> --permission PERMISSION_NAME COMMAND_OPTIONS [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Command options:
--email User email to remove permission
--serviceaccount Service account name to remove permission
--group Group name to remove permission
--identity Identity name OR link to remove permission
--permission Permission to remove [required]
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
--gvc Override the global virtual cloud. The default global virtual cloud can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
- Remove the binding of the view permission from the policy named
demo-policyand disassociate it with the built-in controlplane service account.
cpln policy remove-binding demo-policy --permission manage --serviceaccount controlplane --org demo-cpln-organization
+------------+------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------------|------------|--------|--------|--------------|
|demo-policy |demo-policy |7 minutes ago |org |all |default |drink="water" |
+------------+------------+--------------+------------+--------+--------+--------------+
policy tag
Manage the tags belonging to one or more referenced policies Usagecpln policy tag <ref...> --tag KEY=VALUE [OPTIONS]
Built-in tags, which begin with cpln/*, can’t be modified.
Reference
Reference
Positionals:
ref One or more resource references. Usually it is the name of the resource. [array] [required] [default: []]
Command options:
--tag Attach tags (e.g., --tag drink=water)
--remove-tag Remove tags (e.g., --remove-tag tagname)
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Example
Example
- Add a tag to a policy
cpln policy tag demo-policy-tag-1 --tag drink=water --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|--------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default |drink="water" |
+------------------+------------------+--------+------------+--------+--------+--------------+
- Update same tag (after running the example above)
cpln policy tag demo-policy-tag-1 --tag drink=coffee --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+---------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|---------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default |drink="coffee" |
+------------------+------------------+--------+------------+--------+--------+---------------+
- Remove tag (after running the example above)
cpln policy tag demo-policy-tag-1 --remove drink --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default | |
+------------------+------------------+--------+------------+--------+--------+-----+
- Add same tag to multiple policies
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --tag multiple-policies=true --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-------------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|-------------------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default |multiple-policies="true" |
|demo-policy-tag-2 |demo-policy-tag-2 |Now |org |all |default |multiple-policies="true" |
+------------------+------------------+--------+------------+--------+--------+-------------------------+
- Update same tag on multiple policies (after running the example above)
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --tag multiple-policies=demo-policy --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+--------------------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|--------------------------------|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default |multiple-policies="demo-policy" |
|demo-policy-tag-2 |demo-policy-tag-2 |Now |org |all |default |multiple-policies="demo-policy" |
+------------------+------------------+--------+------------+--------+--------+--------------------------------+
- Remove same tag from multiple policies (after running the example above)
cpln policy tag demo-policy-tag-1 demo-policy-tag-2 --remove multiple-policies --org demo-cpln-organization
+------------------+------------------+--------+------------+--------+--------+-----+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------------|------------------|--------|------------|--------|--------|-----|
|demo-policy-tag-1 |demo-policy-tag-1 |Now |org |all |default | |
|demo-policy-tag-2 |demo-policy-tag-2 |Now |org |all |default | |
+------------------+------------------+--------+------------+--------+--------+-----+
policy update
Update properties of the referenced policy Usagecpln policy update <ref> --set UPDATE_PROPERTY [OPTIONS]
Reference
Reference
Positionals:
ref The resource reference. Usually it is the name of the resource. [required]
Update Properties:
--set Update the following properties (e.g., --set description="Updated Description"):
description string
tags.<key> string
targetLinks string[]
target { 'all' }
Arrays can be appended to, replaced, or removed using the `+=`, `=`, or `-=` operators, respectively.
--unset Unset a property (same paths as --set, e.g., --unset description)
Context options:
--profile Override the profile. The default profile can be set using the `cpln profile set-default` command or by setting the CPLN_PROFILE environment variable
--org Override the organization. The default organization can be set in your profile by using the `cpln profile update` command
Format options:
--output, -o Set the output format [choices: "text", "json", "yaml", "json-slim", "yaml-slim", "tf", "crd", "names"]
--color Colorize the output [boolean] [default: true]
--ts Timestamp format if the output format is text (e.g., --output=text) [choices: "iso", "local", "age"]
--max Maximum number of records to show. A value less than 1 will return all records. [number] [default: 50]
Request options:
--token Override the authorization token
--endpoint Override the API URL
--insecure, -k Ignore TLS errors [boolean]
Debug options:
--verbose, -v Enable verbose output to stderr [boolean] [default: false]
--debug, -d Show all HTTP communications [boolean] [default: false]
Options:
--help Show help [boolean]
Options
Options
- The
--setoption allows the modification of the following policy properties:description- Description of the policy
- Type: string
tags- Tags (key=value) associated with the policy
- Type: string
targetLinks- Array of target links belonging to the policy
- Type: string
target- The target of the policy
- Type: string
- Allowed values: ‘all’
Example
Example
- For the examples below, the initial policy is configured as:
+------------+------------+--------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|------------|--------|------------|--------|--------|--------------|
|demo-policy |demo-policy |Now |org |all |default |drink="water" |
+------------+------------+--------+------------+--------+--------+--------------+
- Update a policy’s description
cpln policy update demo-policy --set description="new description" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+--------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|----------------|--------------|------------|--------|--------|--------------|
|demo-policy |new description |8 minutes ago |org |all |default |drink="water" |
+------------+----------------+--------------+------------+--------+--------+--------------+
- Update a policy’s tags
cpln policy update demo-policy --set tags.demo-key=demo-value --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org |all |default |demo-key="demo-value" |
| | | | | | |drink="water" |
+------------+----------------+--------------+------------+--------+--------+----------------------+
- Add to a policy’s target links.
cpln policy update demo-policy --set targetLinks+="/org/demo-cpln-organization/gvc/demo-gvc-policy" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org |all |default |demo-key="demo-value" |
| | | | | | |drink="water" |
+------------+----------------+--------------+------------+--------+--------+----------------------+
- Remove from a policy’s target links.
cpln policy update demo-policy --set targetLinks-="/org/demo-cpln-organization/gvc/demo-gvc-policy" --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org |all |default |demo-key="demo-value" |
| | | | | | |drink="water" |
+------------+----------------+--------------+------------+--------+--------+----------------------+
- Update a policy’s target to all
cpln policy update demo-policy --set target=all --org demo-cpln-organization
+------------+----------------+--------------+------------+--------+--------+----------------------+
|NAME |DESCRIPTION |CREATED |TARGET KIND |MATCHES |ORIGIN |TAGS |
|------------|----------------|--------------|------------|--------|--------|----------------------|
|demo-policy |new description |8 minutes ago |org |all |default |demo-key="demo-value" |
| | | | | | |drink="water" |
+------------+----------------+--------------+------------+--------+--------+----------------------+