Bootstrap & first user
The very first call to a fresh `runed` is `rune admin bootstrap`. It mints a root token with full privileges. After that, create scoped users for day-to-day work and never share the root token.
1. Bootstrap the root token

AdminBootstrap is the only RPC that doesn't require auth. It is also gated to localhost on the server side unless `auth.allow_remote_admin` is true, so leave that setting off unless you have a reason to bootstrap over the network. Run it on the server:

```shell
rune admin bootstrap --out-file ~/.rune/token
```

The token is written with mode 0600. It is a one-time mint: calling bootstrap a second time on a server that already has tokens will fail.
2. Configure your CLI to use the root token

```shell
rune login admin \
  --server localhost:7863 \
  --token-file ~/.rune/token \
  --namespace default
rune whoami
```

You're now root with the built-in root policy (`*` verb on `*` resource in `*` namespace).
3. Create a real user

Built-in policies seeded at startup:
| Policy | Verbs | Use for |
|---|---|---|
root | * on * in * | Emergency access only. |
admin | * on * in * | Operators. |
readwrite | get, list, watch, create, update, delete, scale, exec on * | Service developers. |
readonly | get, list, watch on * | Dashboards, on-call. |
Create a developer user and attach readwrite:

```shell
rune admin policy attach readwrite --to-user alice
```

4. Issue a token for that user

```shell
rune admin token create alice-laptop \
  --subject-name alice \
  --policies readwrite \
  --ttl 720h \
  --out-file ./alice.token
```

`--ttl` is optional; omit it for a non-expiring token. Prefer a TTL for anything that lives on a laptop: a non-expiring token stays valid until someone revokes it (step 7). The token secret is printed once and written to the file. Store it like any other credential.
5. Switch contexts

Alice can now log in:

```shell
rune login dev \
  --server runed.example.com:7863 \
  --token-file ./alice.token \
  --namespace default
rune whoami
```

The CLI keeps named contexts in ~/.rune/config.yaml:

```shell
rune context list
rune use-context dev
```

6. Stand up scoped policies (optional)
Built-ins are wide. To restrict alice to a namespace, write a policy whose rules carry a namespace:

```yaml
name: alice-dev
description: Read/write only in 'dev' namespace
rules:
  - resource: "*"
    verbs: ["get", "list", "watch", "create", "update", "delete", "scale", "exec"]
    namespace: "dev"
```

```shell
rune admin policy create -f alice-dev-policy.yaml
rune admin policy detach readwrite --from-user alice
rune admin policy attach alice-dev --to-user alice
```

Now alice can only act inside dev. Don't skip the detach: while readwrite is still attached, alice keeps her cluster-wide access no matter what alice-dev says.
7. Revoke when needed

```shell
rune admin token list
rune admin token revoke <token-id>
```

Revocation is immediate: the next request with that token returns Unauthenticated.
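The effect of steps 4, 6 and 7 is easiest to see in a small model of the server's authorization decision. This is an added example, not runed's own code: it assumes policies are allow-lists whose rules are unioned across every policy attached to a token, that `*` is a glob matching anything, that an expired token is rejected the same way as a revoked one, and it uses made-up resource names (`services`, `pods`) and a made-up `grafana` subject.

```python
"""Toy model of runed's token and policy checks (added illustration, not runed's code).

Assumptions: allow-only rules unioned across attached policies, "*" matches
anything, and an expired token is rejected like a revoked one.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    resource: str
    verbs: tuple[str, ...]
    namespace: str = "*"


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple[Rule, ...]


RW_VERBS = ("get", "list", "watch", "create", "update", "delete", "scale", "exec")

# The four built-ins from the table above (namespace "*" assumed for readwrite/readonly).
BUILTIN = {
    "root": Policy("root", (Rule("*", ("*",), "*"),)),
    "admin": Policy("admin", (Rule("*", ("*",), "*"),)),
    "readwrite": Policy("readwrite", (Rule("*", RW_VERBS, "*"),)),
    "readonly": Policy("readonly", (Rule("*", ("get", "list", "watch"), "*"),)),
}

# The alice-dev policy from step 6.
ALICE_DEV = Policy("alice-dev", (Rule("*", RW_VERBS, "dev"),))


@dataclass
class Token:
    token_id: str
    subject: str
    policies: list[str]                 # names of attached policies
    expires_at: datetime | None = None  # None = non-expiring (no --ttl)
    revoked: bool = False


def rule_allows(rule: Rule, verb: str, resource: str, namespace: str) -> bool:
    """A rule matches only when resource, verb and namespace all match (glob semantics)."""
    return (fnmatchcase(resource, rule.resource)
            and any(fnmatchcase(verb, v) for v in rule.verbs)
            and fnmatchcase(namespace, rule.namespace))


def authorize(token: Token, policies: dict[str, Policy], verb: str, resource: str,
              namespace: str, now: datetime | None = None) -> str:
    """Return the status the request would get: OK, Unauthenticated or PermissionDenied."""
    now = now or datetime.now(timezone.utc)
    if token.revoked or (token.expires_at is not None and now >= token.expires_at):
        return "Unauthenticated"  # identity check fails before any policy is consulted
    for name in token.policies:
        pol = policies.get(name)
        if pol and any(rule_allows(r, verb, resource, namespace) for r in pol.rules):
            return "OK"
    return "PermissionDenied"     # authenticated, but no attached rule grants the action


def walkthrough() -> dict[str, str]:
    """Replay steps 4, 6 and 7 with constructed requests and record each decision."""
    policies = dict(BUILTIN, **{ALICE_DEV.name: ALICE_DEV})
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    # Step 4: alice-laptop, readwrite, --ttl 720h
    alice = Token("alice-laptop", "alice", ["readwrite"], expires_at=issued + timedelta(hours=720))
    out = {}
    out["rw_prod_delete"] = authorize(alice, policies, "delete", "services", "prod", now=issued)
    # Step 6 done wrong: attaching alice-dev without detaching readwrite changes nothing.
    alice.policies.append("alice-dev")
    out["both_prod_delete"] = authorize(alice, policies, "delete", "services", "prod", now=issued)
    # Step 6 done right: only alice-dev remains, so prod is denied and dev still works.
    alice.policies.remove("readwrite")
    out["scoped_prod_delete"] = authorize(alice, policies, "delete", "services", "prod", now=issued)
    out["scoped_dev_delete"] = authorize(alice, policies, "delete", "services", "dev", now=issued)
    # readonly never grants exec, whatever the namespace.
    dashboard = Token("dashboard", "grafana", ["readonly"])
    out["ro_exec"] = authorize(dashboard, policies, "exec", "pods", "dev")
    # 720h later the token has expired; step 7's revocation has the same effect immediately.
    out["expired"] = authorize(alice, policies, "get", "services", "dev",
                               now=issued + timedelta(hours=720))
    alice.revoked = True
    out["revoked"] = authorize(alice, policies, "get", "services", "dev", now=issued)
    return out


if __name__ == "__main__":
    for check, status in walkthrough().items():
        print(f"{check:20s} {status}")
```

The `both_prod_delete` case is the one to remember: because rules only ever add permissions, a narrow policy stacked on top of readwrite restricts nothing, which is why the page detaches readwrite before attaching alice-dev.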
What’s next

- Identity & RBAC — the policy model in detail.
- rune admin — full reference for user, policy, and token commands.
- Security hardening — turning on TLS, rotating the KEK, restricting CORS.