ZLI Reference Manual

Overview

The BastionZero zli is an exec level command line interface client that provides users the ability to connect, tunnel, and manage their targets' policies.

Open Source & Distribution

The zli is an open-source project licensed under the Apache License, version 2.0. Details on how to download are available here.
Pro tip: For convenience, move your download of the zli into your bin $PATH. (Read more about $PATH)

Command Summary

The following tables list all the zli commands and their functions.
You can run zli help at any time to list all the available commands in the CLI.
Note: all commands are case-insensitive (lowercase and uppercase letters don't matter; e.g., zli login is the same as zli LoGiN)
Command
Description
login
Authenticates a user to the service using your SSO provider
connect
Connect to target
tunnel (Deprecated)
Tunnel to a Kubernetes cluster
Update the default target group used when tunneling to a Kubernetes cluster
policy
List existing policies and their BastionZero users, SSO groups, target users and target groups. Update these fields for a specific policy. Create a new cluster, target connect, session recording, or proxy policy.
Get detailed information about what policies apply to a certain cluster. This command has been refactored into zli policy.
Disconnect the bctl daemon
attach
Attach to an open zli connection
close
Close an open zli connection
List all targets
List all open zli connections
List all daemons running on this machine
user
List all of the organization's BastionZero users. Add or remove a policy's BastionZero users. This command has been refactored into zli policy.
group
List all of the organization's SSO groups. Add or remove a policy's SSO groups. This command has been refactored into zli policy.
List, add, or remove a policy's target users. This command has been refactored into zli policy.
List, add, or remove a policy's target groups. This command has been refactored into zli policy.
ssh-proxy-config (Deprecated)
Generate ssh configuration to be used with the ssh-proxy command
ssh-proxy
Tunnel an SSH connection to a BZero or SSM target
configure
Returns the configuration path for the zli client
generate-bash (Deprecated)
Generate a bash script to autodiscover an SSM target
Start an interactive onboarding session to add your SSH hosts to BastionZero
generate
Generate files for Kubernetes, SSH, SSH proxy or bash scripts
logout
Deauthenticate the client
kube
kubectl wrapper
target
Take administrative actions on BZero targets

Global Flag Options

The zli includes a few global options that can be used with any command.
Flag Option
Description
--version
Show zli version number
--debug
Show debug events
-s, --silent
Silence all zli output messages
--help
Show command help

Command Manual

The following section documents each zli command operation listed in the overview above.
For command specific help: zli help
Command arguments key:
  • <arg> is required
  • [arg] is optional or sometimes required

login

Synopsis

zli login [--mfa <code>]

Description

The login command authenticates a user to the BastionZero service. When executed, a new window is opened in the user's default browser. The user may then select their SSO provider and authenticate by supplying their username and password. This is accomplished using the Open ID Connect (OIDC) specification.

Options

  • -m, --mfa: MFA code to pass to BastionZero if the organization has required MFA.

completion

Synopsis

zli completion

Description

Note: This auto-completion feature is only supported by yargs for bash and zsh shells.
The completion command will generate an auto-completion script for the user to put into their shell configuration. The script will provide the user with installation commands that they may use. For example, if the user is using a zsh shell, the outputted script will look like the following:
#compdef zli
###-begin-zli-completions-###
#
# yargs command completion script
#
# Installation: zli completion >> ~/.zshrc
# or zli completion >> ~/.zprofile on OSX.
#
_zli_yargs_completions()
{
local reply
local si=$IFS
IFS=#x27;
' reply=($(COMP_CWORD="$((CURRENT-1))" COMP_LINE="$BUFFER" COMP_POINT="$CURSOR" zli --get-yargs-completions "${words[@]}"))
IFS=$si
_describe 'values' reply
}
compdef _zli_yargs_completions zli
###-end-zli-completions-###
Then run the following commands:
  • zli completion >> ~/.zshrc
  • source ~/.zshrc
If tab completion does not take effect after running the commands above, try restarting terminal.

What does it do?

  • Pressing tab will attempt to complete the command, subcommand, or optional/required flags
  • If no command or flag exists with the specified prefix, then nothing happens
  • If there is more than one command or flag with the specified prefix, I.e the user enters zli log and hits tab, then all options that start with log will be presented to the user (zli login and zli logout). By continuing to press tab, the user will infinitely rotate through the presented options. Press space to pick one.
  • If the user enters zli li, then it will autocomplete zli list- because both commands have this in common. Then, hitting tab again will list zli list-connections and zli list-targets
  • When just zli[space] is entered, hitting tab will then show the commands alphabetically and rotate through them as the user keeps hitting tab.

connect

Synopsis

zli connect <targetString> [--targetType dynamic]

Description

The connect command spawns an interactive shell to any type of target (SSM, Kubernetes, Web, Db or dynamic access target (DAT)) as indicated by the <targetString>.

When connecting to SSM targets:

The <targetString> is required and must be in the format [targetUser]@targetName:
  • targetUser: The UNIX username to login as. In cases where only a single targetUser can be used to connect to this target via policy then targetUser may be omitted. In cases where there are more than one targetUsers that can be used to connect to this target targetUser is required and otherwise a warning will be printed and the command will fail. Use zli lt -d to see which target users are allowed for targets.
  • targetName: The name or UUID of an SSM target or DAT configuration. In cases where there is a name conflict, i.e., two or more targets with the same name, then the UUID must be supplied.
The logged-in zli user must have a Target Connect policy that covers this targetUser and target combination.

When connecting to non-SSM targets:

In addition to the connect features listed in the following sections for non-SSM targets, the <targetString> can specify the environment of the destination target. This argument is optional and is meant to allow a user to distinguish between two targets with the same name that are in different environments. If this feature is used for SSM targets, then the specified environment will be ignored.
The <targetString> can be in the format targetName.environmentName or targetName.environmentId.
  • targetName: The name of the target. (Name of Bzero target, Kubernetes cluster, Web target, or Db target)
  • environmentId/environmentName: The ID or name of the destination target's environment.
There are two ways to connect to targets that were named before zli v.6.7.3 and contain one or more periods:
  1. 1.
    Use the target id. Find the target id by executing zli lt -i
  2. 2.
    Use the target name as is. As long as the string after the first period is not also an environment name, the intended connection request will succeed. If for example, the target name is example.target.name and target.name is not an environment, then zli connect example.target.name will succeed.
Other options to disambiguate targets: The user can use the --targetType flag to disambiguate targets with the same name of different types. The user can also use the corresponding target ID instead of the target name. To list targets with their target IDs, run the command zli lt -i.
The logged-in zli user must still have the appropriate policies in place in order to connect. For Kubernetes, the user must have a Kubernetes policy that covers this targetUser and target combination. For Web and Db targets, the user must have a Proxy policy that covers this targetName.

When connecting to Kubernetes targets:

The <targetString> must be in the format [email protected]:
  • targetUser: The Kubernetes RBAC user to impersonate as. All Kubernetes API calls forwarded by the bctl daemon will authenticate as this user and assume that user's role and cluster bindings.
  • targetName: The name of the Kubernetes cluster.
The logged-in zli user must have a Kubernetes policy that covers this targetUser and target combination.

When connecting to Web and DB targets:

The <targetString> must be in the format targetName:
  • targetName: The name of the Web or DB target.
The logged-in zli user must have a Proxy policy that covers this targetName.
For Kubernetes, Web and DB targets, this command spawns the bctl daemon on an available port of the user's machine. The daemon interacts with the target specified by the <targetString>. Once executed, users can interact with their target using various tools (e.g. kubectl, psql, Lens, etc.)
Note for Kubernetes targets users will have to point their kubeconfig file to the daemon's localhost HTTP server. You can learn more about using third party tools with BastionZero and Kubernetes here.

Options

  • --targetType [ssm, dynamic, cluster, bzero, web, db]: Specifies the type of target the connection is for.
  • --targetGroup system:masters: For Kubernetes connections only, comma separated list of Kubernetes RBAC groups to impersonate as. In addition to authenticating as the specified targetUser, the bctl daemon will authenticate as these groups and assume their role and cluster bindings. The logged-in zli user must have a Kubernetes Access policy that covers this list of groups and cluster target.
  • --customPort: Forces the bctl daemon to run on a specific port.

Examples

  • zli connect [email protected] - Connect as UNIX user ssm-user to the uniquely named SSM target my-target.
  • zli connect my-target - Connects as a default UNIX user if only exactly one is allowed by policy to the uniquely named SSM target my-target
  • zli connect [email protected] - Connect as UNIX user john to an SSM target by referring to its unique UUID.
  • zli connect [email protected] --targetType dynamic - Connect to a DAT backed by the my-dat-config Dynamic Access configuration.
  • zli connect [email protected] - Start the bctl daemon and connect it to my-cluster as Kubernetes RBAC user admin.
  • zli connect [email protected] --targetGroup system:masters - Start the bctl daemon and connect it to my-cluster as Kubernetes RBAC user alice and RBAC group system:masters.
  • zli connect my-db-target - Start the bctl daemon and connect it to my-db-target.
  • zli connect [email protected]- Connects as UNIX user ec2-user to the bzero target bzero-target in the environment environmentName.
  • zli connect bzero-target.1d3a89b0-1c99-46c2-b411-e5e21261e40f - Connects as default UNIX user to the bzero target bzero-target in the environment 1d3a89b0-1c99-46c2-b411-e5e21261e40f.
  • zli connect database-target.environmentName - Connects as default UNIX user to the db target database-target in the environment environmentName.

tunnel

Tunnel has been deprecated in favor of connect in zli version 5.5.0
zli tunnel has been deprecated across all version of zli, to connect to Kubernetes targets please make sure to update zli to version >=5.5.0

default-targetgroup

Synopsis

zli default-targetgroup [--set <groupName>[,...]]

Description

The default-targetgroup command updates a local configuration value that specifies the default target groups to use when executing zli tunnel. If no argument is provided, this command displays what is currently set as the default targetGroup.

Options

  • --set: Comma separated list of Kubernetes RBAC groups. Pass no value in order to remove any default target groups set (i.e. zli default-targetgroup -set). This will reset your default target group and no default will be assigned.

policy

Synopsis

zli policy (list [--type <policyType>])
| (describe-cluster-policy <clusterName>)
| (users [--json])
| (groups <policyName> <groupName> [--json])
| (targetusers <policyName> [--json])
| (targetgroups <policyName> [--json])
| (add-user <policyName> <idpEmail>)
| (add-group <policyName> <groupName>)
| (add-targetuser <policyName> <targetUser>)
| (add-targetgroup <policyName> <targetGroup>)
| (create-cluster [name][users][groups][clusters][environments][targetUsers][targetGroups])
| (create-tconnect [name][users][groups][targets][environments][targetUsers][verbs])
| (create-recording [name][users][groups][recordInput])
| (create-proxy [name][users][groups][targets][environments])
| (delete-user <policyName> <idpEmail>)
| (delete-group <policyName> <groupName>)
| (delete-targetuser <policyName> <targetUser>)
| (delete-targetgroup <policyName> <targetGroup>)

Description

The policy commands allow the user to list existing policies and their BastionZero users, SSO groups, target users and target groups, update these fields for a specific policy, and create a new cluster, target connect, session recording, or proxy policy.
zli policy list [--type <policyType>] returns the existing policies in the user's organization. These policies can also be filtered by type using the --type flag.
zli policy describe-cluster-policy <clusterName> returns detailed information about what policies apply to the <clusterName> cluster.
\
zli policy create-cluster [name][users][groups][clusters][environments][targetUsers][targetGroups] creates a new cluster policy.
Note:
When creating a cluster policy, the following flags are required:
<name>: Name of the policy
<users>: SSO emails of users for the policy
<clusters> OR <environments>: Resources for the policy (must exclusively provide one).
The following flags are optional:
<groups>: SSO groups for the policy
<targetUsers>: Allowed target users for the policy
<targetGroups>: Allowed target groups for the policy
<description>: Description of the policy
You can use the resource UUID instead of name for the <clusters> and <environments> options.
\
zli policy create-tconnect [name][users][groups][targets][environments][targetUsers][verbs] creates a new target connect policy.
Note:
When creating a target connect policy, the following flags are required:
<name>: Name of the policy
<users>: SSO emails of users for the policy
<targetUsers>: Allowed target users for the policy
<verbs>: Actions allowed by the policy. Choices: "shell", "tunnel", or "filetransfer"
<targets> OR <environments>: Resources for the policy (must exclusively provide one).
The following flags are optional:
<groups>: SSO groups for the policy
<description>: Description of the policy
You can use the resource UUID instead of name for the <targets> and <environments> options.
\
zli policy create-recording [name][users][groups][recordInput] creates a new session recording policy.
Note:
When creating a session recording, the following flags are required:
<name>: Name of the policy
<users>: SSO emails of users for the policy
The following flags are optional:
<groups>: SSO groups for the policy
<recordInput>: Boolean indicating input should be recorded (any argument that is not "true" will be interpreted as false i.e "tru" equates to false)
<description>: Description of the policy
\
zli policy create-proxy [name][users][groups][targets][environments] creates a new proxy policy.
Note:
When creating a proxy policy, the following flags are required:
<name>: Name of the policy
<users>: SSO emails of users for the policy
<targets> OR <environments>: Resources for the policy (must exclusively provide one).
The following flags are optional:
<groups>: SSO groups for the policy
<description>: Description of the policy
You can use the resource UUID instead of name for the <targets> and <environments> options.
\
zli policy users returns the BastionZero users in the organization. The returned table includes the user's name, the user's <idpEmail>, role in BastionZero (admin or user), and time of last login.
zli policy add-user <policyName> <idpEmail> adds the specified SSO user to the specified policy.
zli policy delete-user <policyName> <idpEmail> deletes the specified SSO user from the specified policy.
Note: When adding or deleting a user from a policy, both <policyName> and <idpEmail> must be provided. <policyName> should refer to a policy that exists in the list of the organization's policies. To list all policies, you can run the zli policy list command and optionally use the --type flag to specify a policy type. <idpEmail> should refer to the email of one of the organization's users.
zli policy groups returns the organization's SSO groups. The returned table includes all of the organization's groups by name.
zli policy add-group <policyName> <groupName> adds the specified SSO group to the specified policy.
zli policy delete-group <policyName> <groupName> deletes the specified SSO group from the specified policy.
Note: When adding or deleting a group from a policy, both <policyName> and <groupName> must be provided. <policyName> should refer to a policy that exists in the list of the organization's policies. To list all policies, you can run the zli policy list command and optionally use the --type flag to specify a policy type. <groupName> should refer to the name of one of the organization's groups. <groupName> is case sensitive.
zli policy targetusers <policyName> returns the target users for a specific policy. Target users determine what UNIX users or Kubernetes RBAC users are permissible to use in the connect and tunnel commands respectively.
zli policy add-targetuser <policyName> <targetUser> adds the specified target user to the specified policy.
zli policy delete-targetuser <policyName> <targetUser> deletes the specified target user from the specified policy.
Note: When adding or deleting a target user from a policy, <targetUser> must be provided. When editing a Target Connect policy, <targetUser> refers to a UNIX username. When editing a Kubernetes Access policy, <targetUser> refers to a Kubernetes RBAC user.
zli policy targetgroups <policyName> returns the target groups for a specific policy. Target groups determine which Kubernetes RBAC groups are permissible to use in the connect command. This command only applies to Kubernetes Access policies.
zli policy add-targetgroup <policyName> <targetGroup> adds the specified target user to the specified policy.
zli policy delete-targetgroup <policyName> <targetGroup> deletes the specified target user from the specified policy.
Note: When adding or deleting a user from a policy, <targetGroup> must be provided. <targetGroup> refers to a Kubernetes RBAC group.

Options

  • -j, --json: Output the list of policies, users, groups, target users, or target groups in JSON format. Not applicable to describe-cluster-policy.

Examples

  • zli policy list --json --silent | jq - List all policies. Output as JSON. Pipe into jq for pretty formatting.
  • zli policy list --type kubernetes - List all Kubernetes policies. Regular table output.
  • zli policy describe-cluster-policy test-cluster - List all existing policies for test-cluster. Regular table output.
  • zli policy create-cluster -n policy_name -u [email protected] -c test_cluster --targetUsers ec2-user - Create a new cluster policy with the specified arguments.
  • zli policy create-tconnect -n policy_name -u [email protected] -t bzero-target --targetUsers ec2-user -v shell - Create a new target connect policy with the specified arguments.
  • zli policy create-recording -n policy_name -u [email protected] -g Engineering Legal -r true - Create a new session recording policy with the specified arguments.
  • zli policy create-proxy -n policy_name -u [email protected] -g Engineering Legal -e test-environment - Create a new proxy policy with the specified arguments.
  • zli policy users --json --silent | jq - List all of the organization's users. Output as JSON. Pipe into jq for pretty formatting.
  • zli policy add-user my-policy [email protected] - Adds SSO user with email [email protected] to the my-policy policy.
  • zli policy delete-user my-policy [email protected] - Removes SSO user with email [email protected] from the my-policy policy.
  • zli policy groups --json --silent | jq - List all of the organization's groups. Output as JSON. Pipe into jq for pretty formatting.
  • zli policy add-group my-policy Engineering - Adds SSO group with name Engineering to the my-policy policy.
  • zli policy delete-group my-policy Engineering - Removes SSO group with name Engineering from the my-policy policy.
  • zli policy targetusers my-policy -j - List all of the target users for a specific policy. Output as JSON, pipeable.
  • zli policy add-targetuser my-policy ec2-user - Adds a new target user ec2-user to the my-policy policy.
  • zli policy delete-targetuser my-policy ec2-user - Removes the target user with name ec2-user from the my-policy policy.
  • zli policy targetgroups my-policy -j - List all of the target groups for a specific policy. Output as JSON, pipeable.
  • zli policy add-targetgroup my-policy system:masters - Adds a new target group with name system:masters to the my-policy policy.
  • zli policy delete-targetgroup my-policy system:masters - Removes the target group with name system:masters from the my-policy policy.

describe-cluster-policy

describe-cluster-policy has been refactored into policy in zli version 6.7.15
You can find more information on the policy command here.

disconnect

Synopsis

zli disconnect

Description

The disconnect command stops the tunnel connection to a Kubernetes cluster if there is one currently running. The bctl daemon process is killed.

Options

There are no options for this command besides the global ones.

attach

Synopsis

zli attach <connectionId>

Description

The attach command attaches to an open zli connection. A zli connection is defined as one that exists in the cli-space; all connections created with the connect command exist in this space.

Options

There are no options for this command besides the global ones.

close

Synopsis

zli close (<connectionId>|--all [--type (shell|db)])

Description

The close command closes an open shell or db connection. A connection that has been closed can no longer be attached to.

Options

  • -a, --all: Closes all shell and db connections
  • -t, --type: Filter for specific connection type when using the --all flag

list-targets

Synopsis

zli list-targets [--targetType (ssm|dynamic|cluster)] [--env <environmentName>] [--name <targetName>]
[--status (notactivated|offline|online|terminated|error)] [--user <userEmail>] [--detail] [--showId] [--json]

Description

The list-targets command lists all the organization's targets. Optional result filters can be applied by passing in flags as described below. The returned table of targets includes the type, name, and environment of all targets.
Alias: lt

Options

  • -u, --user: Admin-only option. Filter targets based on targets that a particular user in your organization has access to via policy. A valid user email address must be provided. To help find the email address of any user in your organization you can use zli user to list all users.
  • -t, --targetType: Target type filter. Use zli lt --help to see full list of valid target types.
  • -e, --env: Environment name filter.
  • -n, --name: Target name filter.
  • -u, --status: Target status filter. Use zli lt --help to see full list of valid statuses.
  • -d, --detail: Returns extra detail in the output. The additional information includes the target's agent version, status, and suitable target users to use in the user portion of the <targetString> and <tunnelString> syntax.
  • -i, --showId: Display the target's UUID in the output.
  • -j, --json: Output the list of targets in JSON format.

Examples

  • zli lt -i -t cluster - List all Kubernetes cluster targets. Display the target's UUID.
  • zli lt --json --silent | jq - List all targets. Output as JSON. Pipe into jq for pretty formatting.
  • zli lt --user [email protected] - Lists all targets that [email protected] has access to through policy

list-connections

Synopsis

zli list-connections [--type (shell|db)] [--json]

Description

The list-connections command lists open shell and db connections the logged-in zli user has made across all their machines.
Alias: lc

Options

  • -j, --json: Output the list of connections in JSON format.
  • -t, --type: Filter for a specific connection type.

list-daemons

Synopsis

zli list-daemons [kube|db|web]

Description

The list-daemons command lists all daemons running on this machine.
By default, all types of daemons are displayed. Appending the target type after list-daemons filters for a specific daemon type.
Alias: ld

Options

There are no options for this command besides the global ones.

user

user has been refactored into policy users in zli version 6.7.15
You can find more information on the policy command here.

group

group has been refactored into policy groups in zli version 6.7.15
You can find more information on the policy command here.

targetuser

targetuser has been refactored into policy targetusers in zli version 6.7.15
You can find more information on the policy command here.

targetgroup

targetgroup has been refactored into policy targetgroups in zli version 6.7.15
You can find more information on the policy command here.

ssh-proxy-config

ssh-proxy-config has been deprecated in favor of generate ssh-proxy in zli version 6.0.8

Synopsis

zli ssh-proxy-config

Description

The ssh-proxy-config command generates an ssh configuration block to be added to the user's ssh_config file. The generated configuration block allows the ssh command to tunnel SSH connections to SSM targets by calling the zli's ssh-proxy command behind the scenes.
This command only needs to be executed once, with the user taking the actions as specified in the output of the command to modify their ssh_config ($HOME/.ssh/config) file. After doing so, the user may utilize SSH tunneling by using ssh and specifying the correct hostname prefix (i.e., bzero-*).
See the following article for more information.

Options

There are no options for this command besides the global ones.

ssh-proxy

Synopsis

zli ssh-proxy <hostString> <userName> <portNumber> <identityFile>

Description

The ssh-proxy command allows for proxying an SSH connection to an SSM or BZero target. The captured SSH connection can be an interactive shell or a port forwarding tunnel.
Users should typically not use this command directly. Instead, they should let ssh call it via the ProxyCommand directive.
<hostString> includes the target's name or UUID in the case there are two or more targets with the same name. <userName> is the UNIX username to log in as. <portNumber> refers to the port number on the target running the sshd daemon. <identityFile> refers to the private SSH key generated by the zli.
The logged-in zli user must have a Target Connect policy that covers this userName and target combination. The Tunnel action must be enabled in the policy.
See the following article for more information.

Options

There are no options for this command besides the global ones.

configure

Synopsis

zli configure
zli configure default-targetuser [targetUser] [--reset]

Description

The configure command returns the file path of both the zli's configuration and the logs kept as part of normal client operation. These files typically do not need to be configured or modified by a user.
zli configure default-targetuser [targetUser] [--reset] allows the user to set a default target user for shell, SSH, and SCP.
  • For shell connections, if a target user is not set in the target string (i.e bzerotarget.environment), and the user configures a default target user using this command, then the zli will automatically use the set target user.
  • For SSH and SCP, you will need to run this command in conjunction with zli generate sshConfig. If you have a default target user set, then when you run zli generate sshConfig, it will overwrite the User field for all your configurations with the default configuration. To undo this or revert to original configuration, reset the default target user using zli configure default-targetuser --reset and then run zli generate sshConfig.
  • In all cases, if you set a target user in the target string (i.e [email protected]), then you will connect with this target user and not the default.
You must exclusively set the targetUser or use the --reset option. You cannot do both or neither.

Options

There are no options for the base command besides the global ones.
  • -r, --reset: Reset the local default target user for shell, SSH, and SCP

Examples

  • zli configure - Retrieve paths for config file, zli logs and daemon logs.
  • zli configure defaultTargetUser ec2-user - Set ec2-user as a local default target user for shell, SSH, and SCP.
  • zli configure defaultTargetUser --reset - Removes the local default target user for shell, SSH, and SCP.

generate-bash

generate-bash has been deprecated in favor of generate bash in zli version 6.0.8
You can find more information on the generate command here.

quickstart

Synopsis

zli quickstart [--sshConfigFile <filePath>]

Description

The quickstart command starts an interactive onboarding session that adds the user's SSH hosts, as specified by the the ssh_config file, to BastionZero.
See the following article for more information.

Options

  • -c, --sshConfigFile: Path to ssh_config file. Defaults to $HOME/.ssh/config if this flag is not provided.

generate

Synopsis

zli generate (kubeConfig [--customPort <portNumber>] [--outputFile <filePath>] [--update])
| (kubeYaml <clusterName> [--labels <labelName>[,...]] [--environmentName <environmentName>] [--namespace <namespaceName>] [--outputFile <filePath>])
| (sshConfig) [--mySshPath <path/to/config>] [--bzSshPath <path/to/bz-config>]
| (ssh-proxy)
| (bash [--environment <environmentName>] [--agentVersion <version>] [--os (centos|ubuntu|universal)] [--outputFile <filePath>] [(--targetName <name>|--targetNameScheme (do|aws|time|hostname))] )

Description

The generate command generates files for Kubernetes or SSH
zli generate kubeConfig (Access):
zli generate kubeConfig creates the kubeconfig file that sets up the user's local Kubernetes tools (e.g. kubectl, Lens) to communicate with a registered Kubernetes cluster. The generated kubeconfig configures a new context, bctl-agent-context, which when set as the current-context, allows for local Kubernetes tools to talk with the bctl daemon. The bctl daemon forwards all Kubernetes API calls to the currently connected Kubernetes cluster (see connect command).
zli generate kubeYaml <clusterName> (Registration):
zli generate kubeYaml <clusterName> creates a Kubernetes .yaml file that can be applied via kubectl apply to a cluster the user wishes to register with BastionZero. See the following article for more information on using YAML.
zli generate sshConfig:
zli generate sshConfig creates an SSH config file based on the targets to which you have SSH tunnel and file transfer access, so that your connection to those targets can be proxied through BastionZero. Specifically, it will write to a new file (stored by default in $HOME/.ssh/bzero-bz-config), and link it to your existing configuration (by default in $HOME/.ssh/config) via the Include keyword. After this file is generated, you will not need to provide an identity file or proxy command when SSHing to your BastionZero targets.
Starting in ZLI version 6.8.1, after running zli generate sshConfig, you will now be able to connect to non-SSM targets via ssh using the dot environment feature to disambiguate targets with the same name. For example, if you have bzero target named bzero-target in an environment test-environment. You will now be able to connect to the target via ssh bzero-target.test-environment. You can find more information on the dot environment feature here.
Starting in ZLI version 6.8.5, your /.ssh/config and bzero-bz-config files now provide context for users to quickly understand the contents of the file. To update your configuration files to include these new descriptions, re-run zli generate sshConfig.
zli generate bash:
zli generate bash generates a bash script that is used to autodiscover an SSM target. The script should be executed on the target machine to connect with BastionZero.
zli generate ssh-proxy:
zli generate ssh-proxy generates an ssh configuration block to be added to the user's ssh_config file. The generated configuration block allows the ssh command to tunnel SSH connections to SSM targets by calling the zli's ssh-proxy command behind the scenes.
This command only needs to be executed once, with the user taking the actions as specified in the output of the command to modify their ssh_config ($HOME/.ssh/config) file. After doing so, the user may utilize SSH tunneling by using ssh and specifying the correct hostname prefix (i.e., bzero-*).
See the following article for more information.

Options

  • --customPort: Configures the bctl-agent-context to connect to the bctl daemon server on a different port than the one currently listed in the user's local configuration.
  • -o, --outputFile: Writes the generated configuration to a file on the user's machine.
  • --update: Updates the user's existing kubeconfig file (defaults to $HOME/.kube/config unless KUBECONFIG is set). Requires kubectl to be installed on the user's machine and exist in their $PATH.
  • --labels: Comma separated list of Kubernetes labels to add to the bctl-agent deployment that is installed when registering a cluster with BastionZero.
  • --environmentName: Sets the BastionZero environment this cluster should be added to once registered.
  • --namespace: Sets the namespace for all bctl-agent-related Kubernetes objects that are created during registration and used during the lifetime of the agent.
  • --mySshPath: (only used with generate sshConfig) specify an alternate location for your personal SSH config file
  • --bzSshPath: (only used with generate sshConfig) specify an alternate location for the BastionZero config file to be written
  • -e, --environment: (only used with generate bash) Specifies the environment the target will belong to once registered. Defaults to the Default environment if this flag is not provided.
  • --agentVersion: (only used with generate bash) Use a specific version of the agent when installing the agent on the target. Defaults to the latest version if this flag is not provided.
  • -o, --outputFile: (only used with generate bash) Writes the bash script to a file on the user's machine.
  • --targetNameScheme: (only used with generate bash) Configures the target name from a specific source. Defaults to the hostname source if this flag is not provided.
    • do: If the target machine is a DigitalOcean droplet, the target name will be set to the droplet's name.
    • aws: If the target machine is an AWS EC2 machine, the target name will be set to the instance's ID.
    • time: The target name will be set to target-%m%d-%H%M%S, where the variables are date formats. The formatted timestamp is the time the script is executed on the target machine.
    • hostname: The target name will be set to the machine's hostname.

Examples

  • zli generate kubeYaml testcluster
  • zli generate kubeYaml --labels testkey:testvalue
  • zli generate kubeConfig
  • zli generate kubeConfig --update kube config - Defaults KUBECONFIG to $HOME/.kube/config
  • zli generate sshConfig - Create and link an ssh config file based on your organization's policies
  • zli generate sshConfig --mySshPath path/to/config --bzSshPath path/to/bz-config - Optionally specify filepaths (defaults to $HOME/.ssh/config and $HOME/.ssh/bz-config respectively)
  • zli generate bash --targetNameScheme time
  • zli generate bash -o script.sh - Writes the script to a file "script.sh" in the current directory
  • zli generate ssh-proxy

logout

Synopsis

zli logout

Description

The logout command de-authenticates the client. The user must run login again to be able to run other zli commands.

Options

There are no options for this command besides the global ones.

kube

Synopsis

zli kube -- <kubeCtlArg> ...

Description

The kube command passes all the supplied <kubeCtlArg> arguments to the kubectl CLI tool.
The user should not run this command unless the following requirements have been met:

Options

There are no options for this command besides the global ones.

target

Synopsis

zli target restart <targetNameOrId>

Description

The target command is used by administrators to manage their organization's BZero targets by communicating directly with the BZero agent running on those targets. Currently, the only supported action is restart, which causes the BZero agent to gracefully shut down and restart itself. This can be used as a failsafe measure in case the target is still communicating with BastionZero but is not accepting user connections.

Options

There are no options for this command besides the global ones.
Copy link
On this page
Overview
Open Source & Distribution
Command Summary
Global Flag Options
Command Manual
login
completion
connect
tunnel
default-targetgroup
policy
describe-cluster-policy
disconnect
attach
close
list-targets
list-connections
list-daemons
user
group
targetuser
targetgroup
ssh-proxy-config
ssh-proxy
configure
generate-bash
quickstart
generate
logout
kube
target