Manage Kestra Flows, IAM, and Plugins with kestractl
Use kestractl to manage flows, executions, triggers, namespaces, namespace files, key-value pairs, plugins, IAM resources, dashboards, apps, assets, blueprints, test suites, execution logs, secrets, and server administration. Most commands interact with the Kestra host API; the workers registration-tokens generate command runs entirely offline.
For server components and system maintenance commands (starting standalone servers, server-side plugin installation), see the Kestra Server CLI.
Installation
Source code and releases are available at github.com/kestra-io/kestractl.

    curl -fsSL https://raw.githubusercontent.com/kestra-io/kestractl/main/install-scripts/install.sh | bash

Quick Setup
Open Source (basic auth)

    kestractl config add default http://localhost:8080 main --username YOUR_USERNAME --password YOUR_PASSWORD --default

Enterprise (API token)

    kestractl config add default https://kestra.example.com production --token YOUR_TOKEN --default

Your configuration is saved at ~/.kestractl/config.yaml and the default context is used automatically.

    contexts:
      default:
        host: https://kestra.example.com
        tenant: production
        auth_method: token
        token: YOUR_TOKEN
    default_context: default

For basic auth contexts, auth_method is basicAuth and the file stores username and password instead of a token.
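Because the config file holds the token or password in plain text, it is worth checking who can read it and where each context sends its credentials. The following is an added example, not part of kestractl or its documentation: it assumes the two-level layout shown above, a POSIX file mode, and constructed sample contexts (`local`, `staging` and their hosts are placeholders).

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample in the layout shown above; hosts and values are placeholders.
SAMPLE_CONFIG = """\
contexts:
  default:
    host: https://kestra.example.com
    tenant: production
    auth_method: token
    token: YOUR_TOKEN
  local:
    host: http://localhost:8080
    tenant: main
    auth_method: basicAuth
    username: YOUR_USERNAME
    password: YOUR_PASSWORD
  staging:
    host: http://kestra.staging.example.com
    tenant: main
    auth_method: basicAuth
    username: YOUR_USERNAME
    password: YOUR_PASSWORD
default_context: default
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_contexts(text):
    """Minimal parser for the two-level 'contexts:' mapping shown above.

    Handles only that layout (context names at 2 spaces, key: value pairs
    at 4 spaces); it is not a general YAML parser.
    """
    contexts, current, in_contexts = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:
            in_contexts = key == "contexts"
            current = None
        elif in_contexts and indent == 2 and not value:
            current = contexts.setdefault(key, {})
        elif in_contexts and indent == 4 and current is not None:
            current[key] = value
    return contexts


def audit_config(path):
    """Return findings about file permissions and cleartext transport."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"file mode {mode:04o} lets group/other access stored credentials; use 0600"
        )
    with open(path, encoding="utf-8") as fh:
        contexts = parse_contexts(fh.read())
    for name, ctx in contexts.items():
        url = urlparse(ctx.get("host", ""))
        has_secret = any(ctx.get(k) for k in ("token", "password"))
        # Credentials over plain HTTP are only acceptable on loopback.
        if has_secret and url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(
                f"context '{name}': {ctx.get('auth_method')} credentials "
                f"sent over plain HTTP to {url.hostname}"
            )
    return findings


def demo(mode):
    """Write the constructed sample with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    for finding in demo(0o644):
        print("FINDING:", finding)
```

To audit a real file, call `audit_config(os.path.expanduser("~/.kestractl/config.yaml"))`.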
Usage
Examples

    # Deploy flows, then run one and wait for completion
    kestractl flows deploy ./flows --namespace prod --override --fail-fast
    kestractl executions run prod nightly-refresh --wait --output json

    # Sync namespace files for a release
    kestractl nsfiles upload prod ./assets --path resources --override --fail-fast

    # List flows as JSON
    kestractl flows list my.namespace --output json

Command groups
- config: manage authentication contexts.
- flows: list, get, deploy, validate, enable, disable, delete, export, import, and sync flows.
- executions: run, inspect, control, and bulk-manage executions.
- triggers: list, enable, disable, unlock, delete, manage backfills, and export triggers.
- namespaces: list, get, create, update, delete namespaces and manage their plugin defaults.
- nsfiles: list, get, upload, and delete namespace files.
- kv: list, set (with optional TTL), update, get, and delete key-value pairs. Note: kv list requires token auth and returns 401 with basic auth.
- dashboards: list, get, create, update, and delete dashboards. Requires Kestra EE.
- apps: list, get, deploy, update, and delete apps. Requires Kestra EE.
- assets: list, get, create, and delete assets. Requires Kestra EE.
- blueprints: search and retrieve community blueprints; manage internal flow blueprints (EE).
- test-suites: create, run, validate, and manage test suites and their results. Requires Kestra EE.
- users: list, get, create, update, delete, set group membership, set passwords, and manage API tokens for users. Requires Kestra EE; operates at the instance level (not tenant-scoped).
- groups: list, get, create, update, delete groups and manage their members. Requires Kestra EE; tenant-scoped.
- roles: list, get, create, update, and delete roles with resource-level permissions. Requires Kestra EE; tenant-scoped.
- service-accounts (aliases: service-account, sa): list, get, create, update, delete service accounts and manage their API tokens. Requires Kestra EE; instance-level (not tenant-scoped).
- bindings: list, get, create (including bulk), and delete role bindings. Requires Kestra EE; tenant-scoped.
- invitations: list, get, create, and delete user invitations. Requires Kestra EE; tenant-scoped.
- logs: list, search, download, and delete execution logs.
- secrets: list, set, patch, and delete secrets. Requires Kestra EE.
- server: view license info, list server actions, and generate statistics reports. server license requires Kestra EE.
- plugins: list compatible plugins for a Kestra version and download them to a local directory.
- workers: manage worker registration tokens.

Use kestractl --help or kestractl <command> --help for the full command reference.
Flow management

    # List flows (all namespaces, or filter by namespace)
    kestractl flows list
    kestractl flows list my.namespace --output json

    # List flows in a namespace with pagination
    kestractl flows list-by-namespace my.namespace --page 1 --size 50

    # List deprecated flows
    kestractl flows list-deprecated

    # Search flows across all namespaces (paginated; no query filter)
    kestractl flows search
    kestractl flows search --page 1 --size 50

    # List distinct namespaces that have flows
    kestractl flows namespaces

    # Get a flow's YAML source (aliases: show, describe)
    kestractl flows get my.namespace my-flow

    # Get a specific task definition within a flow
    kestractl flows task my.namespace my-flow my-task-id

    # Deploy flows
    kestractl flows deploy path/to/flow.yaml
    kestractl flows deploy ./flows/ --namespace prod --override --fail-fast

    # Import flows from a ZIP archive
    kestractl flows import flows.zip

    # Validate a flow or directory
    kestractl flows validate path/to/flow.yaml
    kestractl flows validate ./flows/

    # Validate a task or trigger definition from a YAML file
    kestractl flows validate-task --file task.yaml
    kestractl flows validate-trigger --file trigger.yaml

    # Enable / disable / delete a flow
    kestractl flows enable my.namespace my-flow
    kestractl flows disable my.namespace my-flow
    kestractl flows delete my.namespace my-flow

    # Bulk operations by query
    kestractl flows enable-by-query --namespace my.namespace
    kestractl flows disable-by-query --namespace my.namespace
    kestractl flows delete-by-query --namespace my.namespace --query old-

    # Search flows by source content
    kestractl flows search-by-source --query "http.request"

    # Bulk-update flows from a YAML file
    kestractl flows bulk-update --file flows.yaml

    # Export flows
    kestractl flows export --namespace my.namespace --output-file flows.zip
    kestractl flows export-by-ids my.namespace/flow-a my.namespace/flow-b --output-file export.zip
    kestractl flows export-by-query --namespace my.namespace --output-file export.zip

    # Sync an entire namespace from a YAML file (deletes flows absent from the file)
    kestractl flows namespace-sync my.namespace flows.yaml --delete --override

    # Manage flow revisions
    kestractl flows revisions my.namespace my-flow
    kestractl flows delete-revisions my.namespace my-flow --revisions 5

    # Manage concurrency limits
    kestractl flows concurrency-limits
    kestractl flows update-concurrency my.namespace my-flow --running 10

    # Generate a graph topology from a flow source file (without deploying)
    kestractl flows generate-graph-from-source --file flow.yaml

    # Show the graph topology of an existing deployed flow
    kestractl flows graph my.namespace my-flow
    kestractl flows graph my.namespace my-flow --revision 3 --output json
    kestractl flows graph my.namespace my-flow --subflow task-a --subflow task-b

    # List available Pebble expressions for a flow YAML file
    kestractl flows expressions --file my-flow.yaml
    kestractl flows expressions --file my-flow.yaml --task-id my-task

    # Show namespace-level or flow-level dependency trees
    kestractl flows namespace-dependencies my.namespace
    kestractl flows dependencies my.namespace my-flow

Execution management

    # Run a flow and optionally wait for completion
    kestractl executions run my.namespace my-flow
    kestractl executions run my.namespace my-flow --wait --output json

    # List executions
    kestractl executions list --namespace my.namespace --flow my-flow

    # Get execution details (aliases: show, describe)
    kestractl executions get 2TLGqHrXC9k8BczKJe5djX

    # Get the latest execution per flow
    kestractl executions latest --flow my.namespace:my-flow --flow my.namespace:other-flow

    # Watch an execution in real time (alias: follow) — exits non-zero on FAILED, KILLED, or CANCELLED
    kestractl executions watch 2TLGqHrXC9k8BczKJe5djX

    # Control execution state
    kestractl executions kill 2TLGqHrXC9k8BczKJe5djX
    kestractl executions pause 2TLGqHrXC9k8BczKJe5djX
    kestractl executions resume 2TLGqHrXC9k8BczKJe5djX
    kestractl executions restart 2TLGqHrXC9k8BczKJe5djX
    kestractl executions force-run 2TLGqHrXC9k8BczKJe5djX
    kestractl executions unqueue 2TLGqHrXC9k8BczKJe5djX

    # Replay an execution
    kestractl executions replay 2TLGqHrXC9k8BczKJe5djX

    # Replay from a specific task run (optionally targeting a revision or setting breakpoints)
    kestractl executions replay-with-inputs 2TLGqHrXC9k8BczKJe5djX --task-run-id <taskRunId>
    kestractl executions replay-with-inputs 2TLGqHrXC9k8BczKJe5djX --revision 3

    # Bulk operations by IDs (positional execution IDs)
    kestractl executions kill-bulk id1 id2 id3
    kestractl executions pause-bulk id1 id2 id3
    kestractl executions resume-bulk id1 id2 id3
    kestractl executions restart-bulk id1 id2 id3
    kestractl executions replay-bulk id1 id2 id3
    kestractl executions force-run-bulk id1 id2 id3
    kestractl executions delete-bulk id1 id2 id3
    kestractl executions unqueue-bulk id1 id2 id3
    kestractl executions set-labels-bulk env=prod --ids id1 --ids id2
    kestractl executions change-status-by-ids --status SUCCESS id1 id2

    # Bulk operations by query
    kestractl executions kill-by-query --namespace my.namespace --flow my-flow
    kestractl executions pause-by-query --namespace my.namespace
    kestractl executions resume-by-query --namespace my.namespace
    kestractl executions restart-by-query --namespace my.namespace
    kestractl executions replay-by-query --namespace my.namespace --latest-revision
    kestractl executions force-run-by-query --namespace my.namespace
    kestractl executions delete-by-query --namespace my.namespace --delete-logs --delete-storage
    kestractl executions unqueue-by-query --namespace my.namespace
    kestractl executions set-labels-by-query env=prod --namespace my.namespace

    # Filter bulk operations by field (FIELD:OPERATION:VALUE)
    kestractl executions kill-by-query --filter STATE:EQUALS:RUNNING

    # Labels
    kestractl executions set-labels 2TLGqHrXC9k8BczKJe5djX env=prod team=platform

    # Trigger an execution via webhook (--method GET|POST|PUT; --path appends a URL suffix)
    kestractl executions trigger-webhook my.namespace my-flow my-webhook-key
    kestractl executions trigger-webhook my.namespace my-flow my-webhook-key --method POST
    kestractl executions trigger-webhook my.namespace my-flow my-webhook-key --method PUT --path extra/segment

    # Graph and flow info
    kestractl executions flow-graph 2TLGqHrXC9k8BczKJe5djX
    kestractl executions flow-info my.namespace my-flow
    kestractl executions flow-info-by-id 2TLGqHrXC9k8BczKJe5djX

    # Download output files
    kestractl executions download-file 2TLGqHrXC9k8BczKJe5djX --path outputs/result.csv
    kestractl executions file-metadata 2TLGqHrXC9k8BczKJe5djX --path outputs/result.csv

    # Evaluate a Pebble expression against an execution
    kestractl executions eval-expression 2TLGqHrXC9k8BczKJe5djX "{{ outputs.myTask.value }}"

    # Force-change execution or task run status
    kestractl executions change-status 2TLGqHrXC9k8BczKJe5djX SUCCESS
    kestractl executions update-taskrun 2TLGqHrXC9k8BczKJe5djX <taskRunId> SUCCESS

    # Search executions for a specific flow
    kestractl executions search-by-flow --namespace my.namespace --flow-id my-flow

    # Bulk status change by query
    kestractl executions update-status-by-query --namespace my.namespace --new-status KILLED

    # Delete an execution
    kestractl executions delete 2TLGqHrXC9k8BczKJe5djX

Execution logs

    # List log entries for an execution
    kestractl logs list <execution_id>
    kestractl logs list <execution_id> --min-level WARNING --task-id my-task

    # Search logs across all executions
    kestractl logs search --namespace my.namespace --flow-id my-flow --min-level ERROR
    kestractl logs search --query "timeout" --page 1 --size 50

    # Download logs for an execution to a file
    kestractl logs download <execution_id> --output-file execution.log
    kestractl logs download <execution_id> --task-id my-task --output-file task.log

    # Delete logs for an execution or all logs for a flow
    kestractl logs delete <execution_id>
    kestractl logs delete-flow my.namespace my-flow
    kestractl logs delete-flow my.namespace my-flow --trigger-id my-trigger

Trigger management

    # List all triggers
    kestractl triggers list

    # List triggers for a specific flow
    kestractl triggers search-for-flow my.namespace my-flow

    # Enable / disable / unlock a trigger
    kestractl triggers enable my.namespace my-flow my-trigger
    kestractl triggers disable my.namespace my-flow my-trigger
    kestractl triggers unlock my.namespace my-flow my-trigger

    # Restart or update a trigger
    kestractl triggers restart my.namespace my-flow my-trigger
    kestractl triggers update my.namespace my-flow my-trigger --disabled

    # Delete a trigger
    kestractl triggers delete my.namespace my-flow my-trigger

    # Bulk operations by IDs (format: namespace/flowId/triggerId)
    kestractl triggers delete-by-ids my.ns/my-flow/sched my.ns/my-flow/webhook
    kestractl triggers unlock-by-ids my.ns/my-flow/sched
    kestractl triggers disable-by-ids my.ns/my-flow/sched
    kestractl triggers enable-by-ids my.ns/my-flow/sched

    # Bulk operations by query
    kestractl triggers delete-by-query --namespace my.namespace
    kestractl triggers unlock-by-query --namespace my.namespace
    kestractl triggers disable-by-query --namespace my.namespace
    kestractl triggers enable-by-query --namespace my.namespace

    # Backfill management (single trigger)
    kestractl triggers create-backfill \
      --namespace my.namespace --flow-id my-flow --trigger-id my-trigger \
      --start 2024-01-01T00:00:00Z --end 2024-02-01T00:00:00Z
    kestractl triggers backfill-pause my.namespace my-flow my-trigger
    kestractl triggers backfill-unpause my.namespace my-flow my-trigger
    kestractl triggers backfill-delete my.namespace my-flow my-trigger

    # Backfill management by IDs
    kestractl triggers pause-backfill-by-ids my.ns/my-flow/sched
    kestractl triggers unpause-backfill-by-ids my.ns/my-flow/sched
    kestractl triggers delete-backfill-by-ids my.ns/my-flow/sched

    # Backfill management by query
    kestractl triggers pause-backfill-by-query --namespace my.namespace
    kestractl triggers unpause-backfill-by-query --namespace my.namespace
    kestractl triggers delete-backfill-by-query --namespace my.namespace

    # Export all triggers as CSV
    kestractl triggers export-csv
    kestractl triggers export-csv --output-file triggers.csv

Namespace management

    # List namespaces
    kestractl namespaces list
    kestractl namespaces list --query my.namespace

    # Search namespaces
    kestractl namespaces search --query my.namespace

    # Autocomplete namespace names (useful for scripting)
    kestractl namespaces autocomplete --query my.

    # Get namespace details
    kestractl namespaces get my.namespace

    # Create / update / delete a namespace
    kestractl namespaces create my.namespace
    kestractl namespaces update my.namespace --description "Production namespace"
    kestractl namespaces delete my.namespace

    # View inherited secrets and variables
    kestractl namespaces inherited-secrets my.namespace
    kestractl namespaces inherited-variables my.namespace

    # View plugin defaults for a namespace (includes inherited configuration)
    kestractl namespaces plugin-defaults my.namespace

    # Export / import plugin defaults
    kestractl namespaces export-plugin-defaults my.namespace --output-file defaults.yaml
    kestractl namespaces import-plugin-defaults my.namespace --file defaults.yaml

Key-value pairs

    # List keys in a namespace
    kestractl kv list my.namespace

    # Set a key with an optional TTL (ISO 8601 duration)
    kestractl kv set my.namespace STRING api_key "abc123"
    kestractl kv set my.namespace NUMBER retries 3
    kestractl kv set my.namespace BOOLEAN enabled true
    kestractl kv set my.namespace JSON settings '{"feature":true}'
    kestractl kv set my.namespace STRING session_token "abc" --ttl PT1H
    kestractl kv set my.namespace STRING cache_key "val" --ttl P7D

    # Update an existing key (fails if the key does not exist)
    kestractl kv update my.namespace NUMBER retries 5
    kestractl kv update my.namespace STRING session_token "new" --ttl PT30M

    # Read and delete keys
    kestractl kv get my.namespace api_key
    kestractl kv delete my.namespace api_key

    # Bulk-delete multiple keys
    kestractl kv delete-all my.namespace api_key session_token

    # List KV pairs inherited from parent namespaces
    kestractl kv list-inherited my.namespace

Secrets management (Enterprise Edition)

    # List secret keys in a namespace
    kestractl secrets list my.namespace

    # Create or replace a secret
    kestractl secrets set my.namespace my-secret "the-value"
    kestractl secrets set my.namespace my-secret "the-value" --description "API key for external service"

    # Update secret metadata without changing the value
    kestractl secrets patch my.namespace my-secret --description "Updated description"

    # Delete a secret
    kestractl secrets delete my.namespace my-secret

Dashboards (Enterprise Edition)

    # List dashboards
    kestractl dashboards list
    kestractl dashboards list --query my-dashboard --output json

    # Get dashboard details (aliases: show, describe)
    kestractl dashboards get <id>

    # Create a dashboard from a YAML file
    kestractl dashboards create --file my-dashboard.yaml

    # Update an existing dashboard
    kestractl dashboards update <id> --file my-dashboard.yaml

    # Delete a dashboard
    kestractl dashboards delete <id>

    # Validate a dashboard or chart definition
    kestractl dashboards validate --file my-dashboard.yaml
    kestractl dashboards validate-chart --file my-chart.yaml

    # Preview a chart's data without saving it
    kestractl dashboards preview-chart --file my-chart.yaml --output json

    # Fetch data for a chart of an existing dashboard
    kestractl dashboards chart-data <dashboard-id> <chart-id>
    kestractl dashboards chart-data <dashboard-id> <chart-id> --file filters.yaml --output json

    # Export chart data as CSV
    kestractl dashboards export-chart-csv --file my-chart.yaml --output-file chart.csv
    kestractl dashboards export-chart-data-csv <dashboard-id> <chart-id> --output-file chart.csv
    kestractl dashboards export-chart-data-csv <dashboard-id> <chart-id> --file filters.yaml --output-file chart.csv

Apps (Enterprise Edition)
Apps are low-code interfaces built on top of flows.

    # List apps
    kestractl apps list
    kestractl apps list --output json

    # Get app details (aliases: show, describe)
    kestractl apps get <id>

    # Deploy an app from a YAML file (creates or replaces)
    kestractl apps deploy --file my-app.yaml

    # Update an existing app
    kestractl apps update <id> --file my-app.yaml

    # Enable / disable an app
    kestractl apps enable <uid>
    kestractl apps disable <uid>

    # Export all apps as a ZIP archive
    kestractl apps export --output-file apps.zip

    # Import apps from a ZIP archive
    kestractl apps import --file apps.zip

    # Bulk enable / disable / delete multiple apps
    kestractl apps bulk-enable uid-1 uid-2 uid-3
    kestractl apps bulk-disable uid-1 uid-2 uid-3
    kestractl apps bulk-delete uid-1 uid-2 --yes

    # List all tags used across apps
    kestractl apps tags

    # Search apps from the catalog
    kestractl apps catalog
    kestractl apps catalog --query reporting --output json

    # Inspect files produced by an app execution view
    kestractl apps file-meta <view-id> --path /path/to/file
    kestractl apps file-preview <view-id> --path /path/to/file --max-rows 50
    kestractl apps file-preview <view-id> --path /path/to/file --max-rows 50 --encoding UTF-8

    # Download logs for an app execution
    kestractl apps logs <view-id> --min-level ERROR --output-file app.log
    kestractl apps logs <view-id> --execution-id <exec-id> --task-id my-task --output-file app.log

    # Delete an app
    kestractl apps delete <id>

Assets (Enterprise Edition)

    # List assets
    kestractl assets list
    kestractl assets list --output json

    # Get asset details (aliases: show, describe)
    kestractl assets get <id>

    # Create an asset from a YAML definition file
    kestractl assets create --file my-asset.yaml

    # Delete an asset
    kestractl assets delete <id>

    # Show an asset's dependency graph
    kestractl assets dependencies <id>
    kestractl assets dependencies <id> --expand-all --output json
    kestractl assets dependencies <id> --destination-only --output json

    # Bulk-delete assets by IDs or by query filters
    kestractl assets delete-by-ids id1 id2 id3
    kestractl assets delete-by-query --namespace my.namespace
    kestractl assets delete-by-query --filter NAMESPACE:EQUALS:my.namespace --purge

    # Inspect and manage lineage events
    kestractl assets lineage-events list --output json
    kestractl assets lineage-events delete-by-query --namespace my.namespace

    # Inspect and manage asset usages
    kestractl assets usages list --output json
    kestractl assets usages delete-by-query --namespace my.namespace

Blueprints
Community blueprints are available to all editions. Internal flow blueprints require Kestra EE.

    # Search and retrieve community blueprints
    kestractl blueprints community search --query "kafka"
    kestractl blueprints community search --query "etl" --kind FLOW --output json
    kestractl blueprints community search --tag python --tag sql
    kestractl blueprints community get <id>
    kestractl blueprints community source <id>

    # Show the graph topology of a community blueprint
    kestractl blueprints community graph <id> --output json
    kestractl blueprints community graph <id> --kind FLOW --output json

    # Manage internal flow blueprints (Enterprise Edition)
    kestractl blueprints flow list
    kestractl blueprints flow get <id>
    kestractl blueprints flow get <id> --legacy
    kestractl blueprints flow create --title "My Blueprint" --source-file blueprint.yaml --tag etl
    kestractl blueprints flow update <id> --title "My Blueprint" --source-file blueprint.yaml
    kestractl blueprints flow delete <id>

    # Generate a flow from a flow blueprint template
    kestractl blueprints flow use-template <id> --input env=prod --input region=eu

    # Manage custom (internal) blueprints (Enterprise Edition)
    kestractl blueprints custom get <id>
    kestractl blueprints custom source <id>
    kestractl blueprints custom create --title "My Blueprint" --source-file blueprint.yaml
    kestractl blueprints custom update <id> --title "My Blueprint" --source-file blueprint.yaml
    kestractl blueprints custom delete <id>

Test suites (Enterprise Edition)

    # List test suites
    kestractl test-suites list
    kestractl test-suites list --namespace my.namespace

    # Get a test suite
    kestractl test-suites get my.namespace my-test-suite

    # Create / update / delete a test suite
    kestractl test-suites create --file suite.yaml
    kestractl test-suites update my.namespace my-test-suite --file suite.yaml
    kestractl test-suites delete my.namespace my-test-suite

    # Validate a test suite definition without creating it
    kestractl test-suites validate --file suite.yaml

    # Run a test suite or all suites matching a query
    kestractl test-suites run my.namespace my-test-suite
    kestractl test-suites run-by-query --namespace my.namespace

    # Bulk enable / disable / delete
    kestractl test-suites enable-bulk my.namespace/suite-a my.namespace/suite-b
    kestractl test-suites disable-bulk my.namespace/suite-a
    kestractl test-suites delete-bulk my.namespace/suite-a my.namespace/suite-b

    # Retrieve results
    kestractl test-suites search-results --namespace my.namespace
    kestractl test-suites last-result --ids my.namespace/suite-a --ids my.namespace/suite-b
    kestractl test-suites get-result <result_id>

IAM management (Enterprise Edition)
The users, groups, roles, service-accounts, bindings, and invitations command groups require Kestra Enterprise Edition. users and service-accounts operate at the instance level while groups, roles, bindings, and invitations are tenant-scoped and use the active tenant from your context.
Users
Use --user-password to set a user’s password — not --password. The --password flag authenticates the CLI itself with basic auth. Passing a user’s new password to --password sends it as your own credentials.

    # List / filter users
    kestractl users list
    kestractl users list --query alice --output json

    # Autocomplete user names
    kestractl users autocomplete --query ali

    # Get user details
    kestractl users get <user_id>

    # Create a user (--email is required)
    kestractl users create --email alice@example.com --first-name Alice --last-name Smith --user-password 'S3cret!'
    kestractl users create --email bob@example.com --superadmin
    kestractl users create --email bot@example.com --restricted

    # Grant a user access to specific tenants (--tenant-grant is repeatable)
    kestractl users create --email ops@example.com --tenant-grant main --tenant-grant staging

    # Update a user — only the flags you pass change; other attributes are preserved
    kestractl users update <user_id> --first-name Alicia --last-name Jones
    kestractl users update <user_id> --superadmin=false
    kestractl users update <user_id> --tenant-grant main

    # Set a user's password
    kestractl users set-password <user_id> --user-password 'N3wPass!'

    # Change your own password
    kestractl users change-my-password --old-password 'OldPass!' --new-password 'N3wPass!'

    # Grant or revoke super-admin status
    kestractl users set-super-admin <user_id> --super-admin
    kestractl users set-super-admin <user_id> --super-admin=false

    # Mark a user as restricted, or lift the restriction
    kestractl users set-restricted <user_id> --restricted=true
    kestractl users set-restricted <user_id> --restricted=false

    # Delete an auth method for a user
    kestractl users delete-auth-method <user_id> BASIC_AUTH

    # Assign a user to groups in the active tenant
    # Passing no --group clears all group memberships for that tenant
    kestractl users set-groups <user_id> --group <group_id>

    # Impersonate a user (returns an impersonation token)
    kestractl users impersonate <user_id>

    # Revoke all refresh tokens for a user
    kestractl users revoke-refresh-token <user_id>

    # Delete a user — prompts for confirmation; skip with --yes
    kestractl users delete <user_id>
    kestractl users delete <user_id> --yes

    # Manage a user's API tokens (the full token value is shown only once, at creation)
    kestractl users tokens create <user_id> --name ci-token --description "CI pipeline token"
    kestractl users tokens list <user_id>
    kestractl users tokens delete <user_id> <token_id>

Groups

    # List / filter groups
    kestractl groups list
    kestractl groups list --query admins --output json

    # Autocomplete group names
    kestractl groups autocomplete --query adm

    # Look up multiple groups by IDs
    kestractl groups list-by-ids <id1> <id2>

    # Get group details
    kestractl groups get <group_id>

    # Create a group (--name is required; --member is repeatable for initial members)
    kestractl groups create --name admins --description 'Platform admins'
    kestractl groups create --name admins --member <user_id> --member <user_id>

    # Update a group — only the flags you pass change; other attributes are preserved
    kestractl groups update <group_id> --name platform-admins
    kestractl groups update <group_id> --description 'Updated description'

    # Set a user's group membership (replaces all current memberships in this group)
    kestractl groups set-membership <group_id> <user_id>

    # Delete a group — prompts for confirmation; skip with --yes
    kestractl groups delete <group_id>
    kestractl groups delete <group_id> --yes

    # Manage group members
    kestractl groups members list <group_id>
    kestractl groups members add <group_id> <user_id>
    kestractl groups members remove <group_id> <user_id>

Roles
A role carries a permissions payload: a map of resource (e.g. FLOW, EXECUTION, NAMESPACE) to a list of actions (e.g. VIEW, LIST, EXECUTE). Provide permissions either inline with the repeatable --permission TYPE:ACTION[,ACTION] flag or from a YAML/JSON file with --permissions-file — not both at once.
For the full list of resources and their valid actions, see the RBAC permissions reference.
Passing --permission or --permissions-file on roles update replaces the entire permissions block — it does not merge with the existing permissions. Omit both flags on update if you only want to change the name or description.
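Since an update replaces the whole permissions block, adding a single action means re-sending everything the role already has. The following added example (not kestractl's own code) builds the full `--permission` flag set from the current map plus a change, and shows what a partial update would silently drop; the `CURRENT` map is constructed sample data in the same resource-to-actions shape as a permissions file, and the helper names are hypothetical.

```python
import shlex

# Constructed sample: the permissions a role holds today, as a map of
# resource -> list of actions (same shape as a permissions file).
CURRENT = {
    "FLOW": ["VIEW", "LIST"],
    "EXECUTION": ["VIEW", "LIST", "ACCESS_LOGS", "FOLLOW"],
}


def merge_permissions(current, grant=None, revoke=None):
    """Return the complete permissions map to send on update.

    The input map is not modified; order of existing actions is kept.
    """
    merged = {res: list(actions) for res, actions in current.items()}
    for res, actions in (grant or {}).items():
        have = merged.setdefault(res, [])
        have.extend(a for a in actions if a not in have)
    for res, actions in (revoke or {}).items():
        if res in merged:
            merged[res] = [a for a in merged[res] if a not in actions]
            if not merged[res]:
                del merged[res]  # no actions left: drop the resource
    return merged


def dropped_by_replace(current, new_block):
    """Permissions that disappear if new_block is sent as the whole block."""
    lost = {}
    for res, actions in current.items():
        gone = [a for a in actions if a not in new_block.get(res, [])]
        if gone:
            lost[res] = gone
    return lost


def to_permission_flags(permissions):
    """Render a map as repeatable --permission TYPE:ACTION[,ACTION] flags."""
    flags = []
    for res, actions in permissions.items():
        flags += ["--permission", f"{res}:{','.join(actions)}"]
    return flags


def build_update_command(role_id, permissions):
    """argv for 'kestractl roles update' carrying the full block."""
    return ["kestractl", "roles", "update", role_id] + to_permission_flags(permissions)


if __name__ == "__main__":
    wanted = {"FLOW": ["EXECUTE"]}
    # Sending only the new action would remove everything listed here.
    print("partial update would drop:", dropped_by_replace(CURRENT, wanted))
    merged = merge_permissions(CURRENT, grant=wanted)
    print(shlex.join(build_update_command("<role_id>", merged)))
```

Running `dropped_by_replace` against the block you are about to send is a cheap pre-flight check before any `roles update` that touches permissions.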

    # List / filter roles
    kestractl roles list
    kestractl roles list --query editor --output json
    kestractl roles list --page 1 --size 50 --sort name:asc

    # Autocomplete role names
    kestractl roles autocomplete --query edi

    # Look up multiple roles by IDs
    kestractl roles list-from-ids <id1> <id2>

    # Get role details, including its permissions
    kestractl roles get <role_id>

    # Create a role (--name required; at least one --permission or --permissions-file required)
    kestractl roles create --name operator \
      --description "Can edit and execute flows, monitor executions" \
      --permission FLOW:VIEW,LIST,CREATE,UPDATE,DELETE,EXECUTE,DISABLE,ENABLE \
      --permission EXECUTION:VIEW,LIST,ACCESS_LOGS,ACCESS_FILES,FOLLOW

    # Create a role from a permissions file (YAML or JSON)
    kestractl roles create --name viewer --permissions-file perms.yaml

    # perms.yaml
    FLOW:
      - VIEW
      - LIST
    EXECUTION:
      - VIEW
      - LIST
      - ACCESS_LOGS
      - FOLLOW

    # Update a role — only the flags you pass change; other attributes are preserved
    # Exception: --permission replaces the entire permissions block
    kestractl roles update <role_id> --description "Updated description"
    kestractl roles update <role_id> --permission FLOW:VIEW,LIST,CREATE,UPDATE,DELETE
    kestractl roles update <role_id> --default

    # Delete a role — prompts for confirmation; skip with --yes
    kestractl roles delete <role_id>
    kestractl roles delete <role_id> --yes

Service accounts
Service accounts are instance-level resources. The command can be shortened to service-account or sa.
update is a partial update — only --name and --description are accepted. Super-admin status, tenant grants, and group membership cannot be changed with update. Pass at least one of --name or --description; passing neither returns an error.

    # List service accounts
    kestractl service-accounts list
    kestractl service-accounts list --output json
    kestractl service-accounts list --page 1 --size 50 --sort name:asc

    # Get service account details
    kestractl service-accounts get <service_account_id>

    # Create a service account (--name is required; lowercase alphanumeric and dashes)
    kestractl service-accounts create --name ci-bot --description "CI pipeline"

    # Create a super-admin service account with tenant access (--tenant-grant is repeatable)
    kestractl service-accounts create --name ops-bot --superadmin --tenant-grant main

    # Update name or description only (at least one flag required)
    kestractl service-accounts update <service_account_id> --description "Updated description"
    kestractl service-accounts update <service_account_id> --name new-bot-name

    # Grant or revoke super-admin status
    kestractl service-accounts set-super-admin <service_account_id> --super-admin
    kestractl service-accounts set-super-admin <service_account_id> --super-admin=false

    # Delete a service account — prompts for confirmation; skip with --yes
    kestractl service-accounts delete <service_account_id>
    kestractl service-accounts delete <service_account_id> --yes

    # Manage API tokens (the full token value is shown only once, at creation)
    kestractl service-accounts tokens create <service_account_id> --name deploy-token --description "CD pipeline token"
    kestractl service-accounts tokens create <service_account_id> --name short-lived --max-age P30D --extended
    kestractl service-accounts tokens list <service_account_id>
    kestractl service-accounts tokens delete <service_account_id> <token_id>

Bindings
A binding assigns a role to a user or group, optionally scoped to a namespace. Bindings are tenant-scoped.

    # List all bindings
    kestractl bindings list

    # Filter by subject type or ID
    kestractl bindings list --type USER --external-id <user_id>
    kestractl bindings list --type GROUP --external-id <group_id>

    # Filter by namespace
    kestractl bindings list --namespace company.team

    # Get binding details
    kestractl bindings get <binding_id>

    # Assign a role to a user tenant-wide
    kestractl bindings create --type USER --external-id <user_id> --role <role_id>

    # Assign a role to a group scoped to a namespace
    kestractl bindings create --type GROUP --external-id <group_id> --role <role_id> \
      --namespace company.team

    # Create multiple bindings from a JSON file
    kestractl bindings bulk-create --file bindings.json

    # Delete a binding — prompts for confirmation; skip with --yes
    kestractl bindings delete <binding_id>
    kestractl bindings delete <binding_id> --yes

Invitations
Invitations let you grant users access to a tenant. Pre-assign roles and groups so the invitee receives them upon acceptance.
If the invitee already has a Kestra user account, or if you pass --create-user-if-not-exist, the server grants tenant access directly and no invitation email is sent.

    # List all invitations
    kestractl invitations list

    # Filter by status or email
    kestractl invitations list --status PENDING
    kestractl invitations list --email jane@example.com

    # List invitations for a specific email address
    kestractl invitations list-by-email user@example.com

    # Get invitation details
    kestractl invitations get <invitation_id>

    # Invite a user and pre-assign a role
    kestractl invitations create --email jane@example.com --role <role_id>

    # Invite a user into one or more groups (--group is repeatable)
    kestractl invitations create --email jane@example.com --group <group_id> --group <group_id>

    # Grant superadmin on acceptance
    kestractl invitations create --email jane@example.com --superadmin

    # Grant access directly, creating the user account if it does not exist
    kestractl invitations create --email jane@example.com --create-user-if-not-exist

    # Delete (revoke) an invitation — prompts for confirmation; skip with --yes
    kestractl invitations delete <invitation_id>
    kestractl invitations delete <invitation_id> --yes

Server administration
# Show license details (type, expiry, max servers, standalone mode, Worker Groups support) — Enterprise Edition
kestractl server license
# List available server actions returned by the API
kestractl server actions
# Generate a statistics report (optional start date)
kestractl server generate
kestractl server generate --from 2024-01-01
Plugin management
The plugins command group manages the plugins a Kestra worker needs to start. Use it when deploying standalone or remote workers without Docker, where plugins must be pre-installed as JAR files.
kestractl plugins list <version>
List all compatible plugins for a given Kestra version. Output is a single space-separated line of groupId:artifactId:version coordinates.
kestractl plugins list 2.0.0
Use --output json for full plugin metadata (groupId, artifactId, license, version).
| Flag | Default | Description |
|---|---|---|
| --edition | ALL | Filter by edition: ALL, OSS, or EE |
| --from-config | — | Derive required core plugins from one or more config files (see below) |
| --output | table | Output format: table (space-separated coordinates) or json |
kestractl plugins download [version]
Download plugins to a local directory. By default, all compatible plugins for the given version are downloaded from Maven Central.
kestractl plugins download 2.0.0
The version argument is required unless --plugins is set.
| Flag | Default | Description |
|---|---|---|
| --plugins-dir | ./plugins | Directory to write downloaded JARs into |
| --edition | ALL | Filter by edition: ALL, OSS, or EE |
| --plugins | — | Explicit coordinates to download (groupId:artifactId:version, space-separated or repeated); bypasses API lookup and makes version optional |
| --from-config | — | Download only the core plugins required by one or more config files; requires a version argument (see below) |
| --concurrency | 1 | Number of parallel downloads |
| --keep-only-last-version | true | Remove older versions of each plugin from the plugins directory after downloading |
| --force-redownload | false | Re-download plugins even if they already exist |
| --global-timeout | 5m | Maximum total time for all downloads |
| --maven-repository | Maven Central | Custom Maven repository base URL |
| --maven-username | — | Username for Maven basic authentication |
| --maven-password | — | Password for Maven basic authentication |
The global --header flag (see Global flags) adds arbitrary HTTP headers to all requests, including Maven downloads — use it for bearer token authentication against a private registry.
Custom Maven registry authentication
# Basic auth
kestractl plugins download 2.0.0 \
  --maven-repository https://nexus.example.com/repository/maven-central \
  --maven-username myuser \
  --maven-password mypassword
# Bearer token (--header is a global flag)
kestractl plugins download 2.0.0 \
  --maven-repository https://nexus.example.com/repository/maven-central \
  --header "Authorization:Bearer <token>"
Bootstrap core plugins with --from-config
Use --from-config when you need to determine which core infrastructure plugins a standalone worker needs before it can start. Pass one or more Kestra application.yaml files and the command reads four keys, mapping each to the plugin it requires:
- kestra.storage.type
- kestra.secret.type
- kestra.queue.type
- kestra.repository.type
Bundled backends produce no output. Only backends that ship as a separate plugin appear in the output.
| Category | Bundled (no plugin needed) | Requires a plugin |
|---|---|---|
| Storage (kestra.storage.type) | local | s3, gcs, azure, minio, seaweedfs, cloudflare |
| Secret (kestra.secret.type) | jdbc, elasticsearch | vault, aws-secret-manager, azure-key-vault, google-secret-manager, cyberark, doppler, 1password, beyondtrust, delinea |
| Queue (kestra.queue.type) | memory, h2, postgres, mysql, kafka | — |
| Repository (kestra.repository.type) | memory, h2, postgres, mysql | elasticsearch, opensearch |
Example: a worker using S3 storage and AWS Secrets Manager needs two plugins:
kestractl plugins list 2.0.0 --from-config /etc/kestra/application.yaml
# → io.kestra.storage:storage-s3:1.4.1
If all configured backends are bundled, the command exits cleanly with:
No core plugins required by the provided configuration (all configured backends are bundled in Kestra).
If a config key contains an unrecognized type, the command fails and lists supported values:
Error: unknown kestra.storage.type "unknownbackend" — no known core plugin mapping (supported: azure, cloudflare, gcs, local, minio, s3, seaweedfs)
Multiple config files
Pass --from-config multiple times to merge configs. The last non-empty value per category wins — later files override earlier ones:
kestractl plugins download 2.0.0 \
  --from-config /etc/kestra/application.yaml \
  --from-config /etc/kestra/application-prod.yaml
Pipe pattern
--from-config and --plugins are mutually exclusive on download. Use the pipe pattern to preview the required plugins before downloading:
kestractl plugins download 2.0.0 \
  --plugins "$(kestractl plugins list 2.0.0 --from-config /etc/kestra/application.yaml)"
Enterprise plugin registry
External secret managers (aws-secret-manager, azure-key-vault, google-secret-manager, and others) and the Elasticsearch/OpenSearch repository backends are not published to Maven Central. Use --maven-repository with your Kestra plugin registry credentials to download them.
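The pipe pattern above hands whatever plugins list prints straight to --plugins, which bypasses the API lookup. This added example (not part of kestractl or the original page) parses that space-separated coordinate line and rejects entries that are malformed, unpinned, or outside an allow-list before anything is downloaded; the io.kestra. prefix rule and every sample coordinate except the first are assumptions made for illustration.

```python
import re
import sys

# Assumption for this example: only groupIds under io.kestra. are allowed,
# following the one coordinate the page shows (io.kestra.storage:storage-s3:1.4.1).
ALLOWED_GROUP_PREFIXES = ("io.kestra.",)

_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")
# A pinned version starts with a digit; ranges, LATEST and RELEASE do not.
_VERSION = re.compile(r"^\d+(\.\d+)*([.-][A-Za-z0-9]+)*$")

# Constructed sample: the first coordinate is from the page, the rest are made up.
SAMPLE = ("io.kestra.storage:storage-s3:1.4.1 "
          "io.kestra.example:demo-plugin:2.0.0-SNAPSHOT "
          "com.example:storage-s3:1.4.1")


def parse_coordinates(line):
    """Split space-separated groupId:artifactId:version text into tuples."""
    coords = []
    for token in line.split():
        parts = token.split(":")
        if len(parts) != 3 or not all(_ID.match(p) for p in parts[:2]):
            raise ValueError(f"malformed coordinate: {token!r}")
        coords.append(tuple(parts))
    return coords


def check(coords):
    """Return (coordinate, reason) for every entry that fails the gate."""
    problems, seen = [], {}
    for g, a, v in coords:
        coord = f"{g}:{a}:{v}"
        if not g.startswith(ALLOWED_GROUP_PREFIXES):
            problems.append((coord, "groupId outside allow-list"))
        if not _VERSION.match(v) or v.upper().endswith("SNAPSHOT"):
            problems.append((coord, "version is not a pinned release"))
        if seen.setdefault((g, a), v) != v:
            problems.append((coord, "conflicting versions of one plugin"))
    return problems


if __name__ == "__main__":
    # Reads the coordinate line from stdin; exits non-zero if anything fails.
    found = check(parse_coordinates(sys.stdin.read()))
    for coord, reason in found:
        print(f"REJECT {coord}: {reason}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it between the list and download steps, feeding it the output of kestractl plugins list on stdin, and only call download when it exits with status 0.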
Worker management
kestractl workers registration-tokens generate
Generate a worker registration token. This command runs entirely offline — no running Kestra instance is required.
kestractl workers registration-tokens generate
The token is printed to stdout in the format kwreg_<random>_<checksum>.
When deploying a standalone worker, you also need to download the core infrastructure plugins it requires. See Bootstrap core plugins with --from-config.
Configuration
Global flags
- --host - Kestra host URL
- --tenant - Tenant name
- --token / -t - API token (Enterprise)
- --username - Basic auth username (Open Source)
- --password - Basic auth password (Open Source)
- --output / -o - Output format (table or json)
- --config - Custom config file path (default: ~/.kestractl/config.yaml)
- --verbose / -v - Verbose output (warning: prints credentials in HTTP requests)
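The flags above place secrets on the command line, and --verbose prints credentials in HTTP requests, so captured CI output can end up containing them. This added example (not kestractl code) masks those values in log lines using the flag and variable names from this page; the sample lines are constructed, and the character set assumed for kwreg_ tokens is an assumption.

```python
import re

MASK = "***"

# (label, pattern, replacement). Flag and variable names are the ones on this page.
RULES = [
    ("secret-flag",
     re.compile(r"(?<!\S)(--token|-t|--password|--maven-password)(\s+|=)"
                r"(\"[^\"]*\"|'[^']*'|\S+)"),
     r"\1\2" + MASK),
    ("auth-header",
     re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)[^\s\"']+", re.I),
     r"\1" + MASK),
    ("env-var",
     re.compile(r"\b(KESTRACTL_(?:TOKEN|PASSWORD)=)\S+"),
     r"\1" + MASK),
    # Assumption: the <random> and <checksum> parts are alphanumeric.
    ("registration-token",
     re.compile(r"\bkwreg_[A-Za-z0-9]+_[A-Za-z0-9]+\b"),
     "kwreg_" + MASK),
]

# Constructed sample of a CI shell trace; none of these values are real.
SAMPLE_LOG = [
    "+ kestractl flows list my.namespace --token s3cr3tTok --output json",
    '+ kestractl plugins download 2.0.0 --maven-username myuser --maven-password "hunter 2"',
    '+ kestractl plugins download 2.0.0 --header "Authorization:Bearer eyJabc.def"',
    "+ export KESTRACTL_PASSWORD=admin",
    "kwreg_Ab12Cd34_9f8e",
    "+ kestractl bindings list --type USER",
]


def redact(line):
    """Return (redacted_line, labels of the rules that matched)."""
    hits = []
    for label, pattern, repl in RULES:
        line, count = pattern.subn(repl, line)
        if count:
            hits.append(label)
    return line, hits


def scan(lines):
    """Redact every line; findings are (1-based line number, rule label)."""
    clean, findings = [], []
    for number, line in enumerate(lines, 1):
        out, hits = redact(line)
        clean.append(out)
        findings.extend((number, hit) for hit in hits)
    return clean, findings
```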
Config file and contexts
Manage contexts with kestractl config add, kestractl config show, kestractl config use, and kestractl config remove.
Environment variables
Environment variables override config file settings. Use either KESTRACTL_TOKEN or KESTRACTL_USERNAME and KESTRACTL_PASSWORD.
export KESTRACTL_HOST=http://localhost:8080
export KESTRACTL_TENANT=main
export KESTRACTL_TOKEN=YOUR_TOKEN
export KESTRACTL_USERNAME=admin
export KESTRACTL_PASSWORD=admin
export KESTRACTL_OUTPUT=json
Configuration precedence
- Command-line flags (--host, --token, etc.)
- Environment variables (KESTRACTL_HOST, KESTRACTL_TOKEN, etc.)
- Config file (~/.kestractl/config.yaml or custom via --config)
- Default values
Override per command
kestractl flows get my.namespace my-flow \
  --host https://kestra.example.com \
  --tenant production \
  --token YOUR_TOKEN