Skip to content
Rune

rune login / context

The CLI keeps named contexts in ~/.rune/config.yaml. Each context is a (server, token, namespace, tls) tuple. Switch between them with rune use-context.

rune login

Section titled “rune login”

Shortcut for “create or update a context, optionally make it the current one.”

Terminal window
rune login dev \
  --server localhost:7863 \
  --token-file ~/.rune/dev.token \
  --default-namespace default

If you omit <context-name>, it defaults to default.

FlagNotes
--servergRPC address (host:port).
--tokenInline token value.
--token-filePath to a file containing the token.
--token-stdinRead the token from stdin. Designed for CI — see below.
--default-namespaceDefault namespace for this context (used when commands omit --namespace).
--no-verifySkip server verification — just set the context.
--set-currentMake this the active context (default: yes).

rune login verifies the server is reachable and the token works (unless --no-verify).

The legacy --namespace flag on rune login is a deprecated alias for --default-namespace; it still works for one release but emits a warning. The rename disambiguates it from the per-operation --namespace flag used everywhere else (cast, get, delete).

--token-stdin for CI

Section titled “--token-stdin for CI”

For automation (GitHub Actions, GitLab CI, etc.) prefer piping the token over stdin so it never lands on the process argv — invisible to /proc, ps, shell history, or naive log capture:

Terminal window
printf '%s' "$RUNE_TOKEN" | rune login ci \
  --server runed.example.com:443 \
  --token-stdin

This is what runestack/rune-cast-action uses internally. See the CI deployments guide.

About the rune_ token prefix

Section titled “About the rune_ token prefix”

All bearer tokens issued from v0.0.1-dev.25 onward look like rune_<uuid>.<uuid>. The prefix is mandatory — tokens without it are rejected by the server. It exists so secret scanners (Gitleaks, GitHub secret scanning, TruffleHog) can match Rune tokens by a stable distinctive marker, the same way ghp_ or glpat- work.

rune context

Section titled “rune context”

Sub-commands:

Terminal window
rune context view                      # show current config
rune context list             # list all
rune context use <name>        # switch active context
rune context set <name> [...]  # create or update a context
rune context delete <name>     # remove

context set

Section titled “context set”
Terminal window
rune context set prod \
  --server runed.example.com:7863 \
  --token-file /etc/rune/prod.token \
  --namespace prod \
  --tls-ca /etc/rune/ca.crt \
  --tls-cert /etc/rune/client.crt \
  --tls-key /etc/rune/client.key

Update one field on an existing context:

Terminal window
rune context set dev --namespace=staging

Aliases

Section titled “Aliases”

rune use-context is a top-level alias for rune context use:

Terminal window
rune use-context prod

Config file layout

Section titled “Config file layout”

~/.rune/config.yaml:

current-context: dev
contexts:
  dev:
    server: localhost:7863
    namespace: default
    token: <bearer>
  prod:
    server: runed.example.com:7863
    namespace: prod
    token-file: /etc/rune/prod.token
    tls:
      ca: /etc/rune/ca.crt
      cert: /etc/rune/client.crt
      key: /etc/rune/client.key

The file is created with mode 0600.

Tips

Section titled “Tips”
  • Prefer token-file over inline token for shared machines.
  • Use one context per environment, not one per cluster — same context, different namespace works fine for many “envs” inside a single Rune.
  • rune whoami will tell you which context you’re in and whether the token works.

See also

Section titled “See also”