Use the CLI for the Access Console

The Command Line Interface (CLI) tool allows you to initiate and manage remote sessions directly from the command line. This is available if an admin has checked Allow the Access Console CLI tool under Access Console at /login > Management > Security.

To use the CLI tool, you must be logged in to the access console, and the CLI tool must be installed. It is installed from Global Settings. During installation, you might receive instructions to add the installation location to the PATH, or it may be added to the PATH by the installation process.

Once installed, enter commands in a terminal or run dialog to interact with the logged-in rep instance.

You must be logged in to the access console for commands to work.

Entering Commands

Enter a single CLI command with sub-commands.

bt ssh <user>@<host>

Subcommands take the form:

bt <command>

Initiate a Session

Search for a Vault account by name (for types that can inject) and a Jump Item by name. Jump Item searches are restricted to the type represented by the command. For example, bt ssh searches only Shell Jump Items.

If only one of each searched name is found, the session starts with that Jump Item and credential. If more than one result is found, you are prompted to choose the correct account and/or Jump Item.

A flag can be set flag to output the tunnel information in a format for use by another process or script, so that session calls can be piped to other functions or included in automated tasks such as VS code tasks. If this flag is set, the tunnel information prints, but the connection and external tool do not open.

Executing onExternalToolClicked() Callback

For all types except SSH, the representative can attempt to execute the onExternalToolClicked() callback for the given type before returning control to the CLI tool, rather than transferring that logic to the CLI tool itself.

For SSH, the SSH session replaces the CLI tool process.

Use Session Specific Subcommands


SSH subcommands take the form:

ssh <account>@<host>

Once the session is established, it directly spawns the SSH process to connect to the local tunnel and exits.

Create an SSH session:
bt ssh <user>@<host> 


RDP subcommands take the form:

rdp <account>@<host>

Once the session is established, it

  • spawns the default RDP client.
  • prints the tunnel information to the CLI for informational purposes.
  • exits.
To open the RDP tool, enter:
bt rdp <user>@<host>


DB subcommands take the form:

db <account>@<host>

Once the session is established, it:

  • spawns the DB client for the selected DB type, if possible. Part of the return value must be DB type and/or command to try.
  • prints the DB connection information.
  • exits.

Protocol tunnel

Protocol tunnel subcommands take the form:

pt <host>

There is no credential injection for protocol tunnels.

Once the session Is established, it prints the tunnel definitions and exits.

Because the tunnel is generic, it cannot spawn a specific tool.

Use Other Subcommands


List subcommands take the form:


The list subcommand shows connected sessions by Jump Item name.


Close subcommands take the form:

close <session>

The close subcommand closes the tunnel for the given session.