If you’ve ever spent an afternoon clicking through the ForgeRock admin console to export journeys one by one, or copy-pasted JSON between browser tabs to migrate configurations—you know the pain. I’ve been there, and it’s exactly why Frodo CLI exists.
Frodo (ForgeRock DO) is the CLI that ForgeRock should have shipped from day one. It handles PingOne Advanced Identity Cloud, ForgeOps, and classic AM deployments. Once you start using it, you’ll wonder how you ever lived without it.
The Problem Frodo Solves
Here’s what configuration management looked like before Frodo:
| Challenge | Without Frodo | With Frodo |
|---|---|---|
| Journey Migration | Manual export via admin console, error-prone | frodo journey export/import |
| Multi-Environment Sync | Copy-paste configurations | Scripted promotion pipelines |
| Script Management | Edit in browser, no version control | Export to files, use Git |
| CI/CD Integration | Limited REST API scripting | Native CLI automation |
| Secret Management | Manual ESV configuration | frodo esv commands |
Frodo in Your Workflow:
graph LR
subgraph "Development"
DEV[Dev Tenant]
end
subgraph "Frodo CLI"
EXP[frodo export]
IMP[frodo import]
GIT[Git Repository]
end
subgraph "Production"
PROD[Prod Tenant]
end
DEV -->|Export| EXP
EXP --> GIT
GIT --> IMP
IMP -->|Import| PROD
style EXP fill:#667eea,color:#fff
style IMP fill:#667eea,color:#fff
Installation
Method 1: Homebrew (Recommended for macOS/Linux)
# Add the tap
brew tap rockcarver/frodo-cli
# Install stable version
brew install frodo-cli
# Or install latest pre-release
brew install frodo-cli-next
Method 2: NPM (Cross-platform)
# Install globally
npm install -g @rockcarver/frodo-cli
# Or install pre-release
npm install -g @rockcarver/frodo-cli@next
Method 3: Binary Download
Download platform-specific executables from GitHub Releases:
- frodo-linux-x64 - Linux
- frodo-macos-x64 - macOS Intel
- frodo-macos-arm64 - macOS Apple Silicon
- frodo-win-x64.exe - Windows
Verify Installation
frodo -v
# Output example:
# cli: v2.0.0
# lib: v2.0.0
# node: v18.17.0
Connecting to Tenants
Your First Connection
Connect to your Identity Cloud tenant:
frodo conn add https://openam-mycompany.forgeblocks.com/am [email protected]
You’ll be prompted for your password. Frodo securely stores the connection profile.
Connection Profile Management
# List all connections
frodo conn list
# Output:
# ┌──────────────────────────────────────────────────┬────────────────────────┐
# │ Host │ Username │
# ├──────────────────────────────────────────────────┼────────────────────────┤
# │ https://openam-mycompany.forgeblocks.com/am │ [email protected] │
# │ https://openam-staging.forgeblocks.com/am │ [email protected] │
# │ https://openam-prod.forgeblocks.com/am │ [email protected] │
# └──────────────────────────────────────────────────┴────────────────────────┘
# View connection details
frodo conn describe https://openam-mycompany.forgeblocks.com/am
# Delete a connection
frodo conn delete https://openam-mycompany.forgeblocks.com/am
Multi-Tenant Setup
For enterprise environments with multiple tenants (dev, staging, prod):
# Add development tenant
frodo conn add https://openam-dev.forgeblocks.com/am [email protected]
# Add staging tenant
frodo conn add https://openam-staging.forgeblocks.com/am [email protected]
# Add production tenant
frodo conn add https://openam-prod.forgeblocks.com/am [email protected]
Tip for automation: Use environment variables for CI/CD:
export FRODO_HOST="https://openam-dev.forgeblocks.com/am"
export FRODO_USER="[email protected]"
export FRODO_PASSWORD="your-password"
# Now commands use these automatically
frodo journey list
Token Caching (Frodo 2.x)
Frodo 2.x introduces secure token caching for better performance:
# Tokens are cached by default at:
# ~/.frodo/TokenCache.json
# Disable caching for a single command
frodo journey list --no-cache
# Or set environment variable
export FRODO_NO_CACHE=true
# Custom cache location
export FRODO_TOKEN_CACHE_PATH=/path/to/cache.json
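An added example (not from the original post or the Frodo project): a pre-flight check that the token cache at the paths named above is readable only by its owner and does not sit inside a Git work tree, where the `git add .` used later in this post would commit it. The function name and messages are illustrative assumptions.

```bash
#!/bin/bash
# Added example, not part of Frodo: audit where the token cache lives.
set -eu

# check_token_cache [PATH]
# Returns 0 when the cache file is absent, or is owner-only and outside any
# Git work tree; prints a reason and returns 1 otherwise.
check_token_cache() {
  cache="${1:-${FRODO_TOKEN_CACHE_PATH:-${HOME:-}/.frodo/TokenCache.json}}"
  [ -e "$cache" ] || return 0
  rc=0

  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ld "$cache" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "token cache is group/world accessible ($perms): chmod 600 $cache"
    rc=1
  fi

  # Walk up from the cache directory looking for a .git entry.
  dir=$(cd "$(dirname "$cache")" && pwd -P)
  while :; do
    if [ -e "$dir/.git" ]; then
      echo "token cache sits inside Git work tree $dir: move it or ignore it"
      rc=1
      break
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
  return "$rc"
}

# Run against the default location when executed with --check.
if [ "${1:-}" = "--check" ]; then check_token_cache; fi
```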
Core Commands
Journey Management
Journeys (authentication trees) are the most commonly managed artifacts:
# List all journeys
frodo journey list -h https://openam-dev.forgeblocks.com/am
# Export a single journey
frodo journey export -i Login -h https://openam-dev.forgeblocks.com/am
# Export all journeys
frodo journey export -a -h https://openam-dev.forgeblocks.com/am
# Export to specific directory
frodo journey export -a -D ./exports -h https://openam-dev.forgeblocks.com/am
# Import a journey
frodo journey import -f Login.journey.json -h https://openam-prod.forgeblocks.com/am
# Import all journeys from directory
frodo journey import -a -D ./exports -h https://openam-prod.forgeblocks.com/am
Journey Export Includes:
- Journey configuration
- All referenced nodes
- Scripts used by scripted decision nodes
- Inner trees (sub-journeys)
- Email templates
Script Management
# List all scripts
frodo script list -h https://openam-dev.forgeblocks.com/am
# Export all scripts
frodo script export -a -h https://openam-dev.forgeblocks.com/am
# Export specific script by name
frodo script export -n "My Custom Script" -h https://openam-dev.forgeblocks.com/am
# Import scripts
frodo script import -a -D ./scripts -h https://openam-prod.forgeblocks.com/am
IDM Configuration
# List IDM managed objects
frodo idm list -h https://openam-dev.forgeblocks.com/am
# Export IDM configuration
frodo idm export -a -h https://openam-dev.forgeblocks.com/am
# Export specific config
frodo idm export -n managed -h https://openam-dev.forgeblocks.com/am
# Count managed objects
frodo idm count -h https://openam-dev.forgeblocks.com/am
ESV (Environment Secrets and Variables)
# List secrets
frodo esv secret list -h https://openam-dev.forgeblocks.com/am
# List variables
frodo esv variable list -h https://openam-dev.forgeblocks.com/am
# Create a variable
frodo esv variable create -i "my-variable" -v "my-value" -h https://openam-dev.forgeblocks.com/am
# Create a secret
frodo esv secret create -i "my-secret" -v "secret-value" -h https://openam-dev.forgeblocks.com/am
# Export ESVs
frodo esv secret export -a -h https://openam-dev.forgeblocks.com/am
frodo esv variable export -a -h https://openam-dev.forgeblocks.com/am
# Apply pending ESV changes (activate)
frodo esv apply -h https://openam-dev.forgeblocks.com/am
Important: Secrets are never exported in plaintext. Use ESVs to reference sensitive values in your configurations.
OAuth/Application Management
# List OAuth2 clients
frodo oauth client list -h https://openam-dev.forgeblocks.com/am
# Export OAuth2 clients
frodo oauth client export -a -h https://openam-dev.forgeblocks.com/am
# Import OAuth2 clients
frodo oauth client import -a -D ./oauth -h https://openam-prod.forgeblocks.com/am
Complete Command Reference
| Category | Command | Description |
|---|---|---|
| Connection | frodo conn add/list/delete | Manage tenant connections |
| Journey | frodo journey export/import/list/prune | Authentication trees |
| Script | frodo script export/import/list | Custom scripts |
| IDM | frodo idm export/import/list/count | Identity management config |
| ESV | frodo esv secret/variable | Environment secrets/variables |
| OAuth | frodo oauth client export/import | OAuth2 clients |
| SAML | frodo saml export/import | SAML entity providers |
| Theme | frodo theme export/import | UI themes |
| Email | frodo email template export/import | Email templates |
| Agent | frodo agent export/import | Web/Java/Gateway agents |
| Service | frodo service export/import | AM services |
| Realm | frodo realm list | Realm management |
| Logs | frodo logs fetch/tail | Identity Cloud logs |
| Admin | frodo admin | Administrative tasks |
Practical Examples
Example 1: Full Environment Export
#!/bin/bash
# export-all.sh - Export entire tenant configuration
# Stop at the first failed export instead of reporting "Export complete"
set -euo pipefail
TENANT="https://openam-dev.forgeblocks.com/am"
EXPORT_DIR="./exports/$(date +%Y%m%d)"
mkdir -p "$EXPORT_DIR"
echo "Exporting journeys..."
frodo journey export -a -D "$EXPORT_DIR/journeys" -h "$TENANT"
echo "Exporting scripts..."
frodo script export -a -D "$EXPORT_DIR/scripts" -h "$TENANT"
echo "Exporting OAuth clients..."
frodo oauth client export -a -D "$EXPORT_DIR/oauth" -h "$TENANT"
echo "Exporting IDM config..."
frodo idm export -a -D "$EXPORT_DIR/idm" -h "$TENANT"
echo "Exporting ESVs..."
frodo esv variable export -a -D "$EXPORT_DIR/esv" -h "$TENANT"
echo "Export complete: $EXPORT_DIR"
Example 2: Promote to Production
#!/bin/bash
# promote-to-prod.sh - Import configurations to production
# Stop at the first failed import so later steps never run on a partial state
set -euo pipefail
PROD_TENANT="https://openam-prod.forgeblocks.com/am"
EXPORT_DIR="./exports/approved"
echo "Importing to production..."
# Import in correct order (scripts first, then journeys)
frodo script import -a -D "$EXPORT_DIR/scripts" -h "$PROD_TENANT"
frodo journey import -a -D "$EXPORT_DIR/journeys" -h "$PROD_TENANT"
frodo oauth client import -a -D "$EXPORT_DIR/oauth" -h "$PROD_TENANT"
echo "Promotion complete!"
Example 3: Journey Diff Between Environments
#!/bin/bash
# Compare journeys between dev and prod
frodo journey export -i Login -D ./dev -h https://openam-dev.forgeblocks.com/am
frodo journey export -i Login -D ./prod -h https://openam-prod.forgeblocks.com/am
diff ./dev/Login.journey.json ./prod/Login.journey.json
Best Practices
1. Use Version Control
# Initialize Git repo for configs
git init forgerock-config
cd forgerock-config
# Export configurations
frodo journey export -a -D ./journeys -h "$TENANT"
frodo script export -a -D ./scripts -h "$TENANT"
# Commit changes
git add .
git commit -m "Export from dev tenant $(date +%Y-%m-%d)"
2. Environment-Specific ESVs
Instead of hardcoding values, use ESVs:
# Dev tenant
frodo esv variable create -i "api-base-url" -v "https://api-dev.example.com" -h "$DEV"
# Prod tenant
frodo esv variable create -i "api-base-url" -v "https://api.example.com" -h "$PROD"
Reference in scripts/journeys as &{esv.api-base-url}.
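An added example (not from the original post or the Frodo project): a scan to run over an export tree before `git add`, flagging string values under secret-looking JSON keys unless they are `&{esv.…}` references, so values hardcoded instead of moved to an ESV are caught before they reach the repository. The key list, function names and sample files are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of Frodo: pre-commit scan of an export directory.
set -eu

# Key-name fragments treated as sensitive (assumed list; extend as needed).
SECRET_KEYS='password|secret|apikey|privatekey'

# scan_exports DIR
# Prints file:line:"key" per finding (the value is withheld so it does not
# land in CI logs) and returns 1 if anything was found, 0 otherwise.
scan_exports() {
  pattern="\"[A-Za-z0-9_.-]*(${SECRET_KEYS})[A-Za-z0-9_.-]*\"[[:space:]]*:[[:space:]]*\"[^\"]+\""
  findings=$(find "$1" -type f -name '*.json' \
               -exec grep -HnoEi "$pattern" {} + 2>/dev/null || true)
  # Drop matches whose value is an ESV reference, then strip the value.
  findings=$(printf '%s\n' "$findings" \
               | grep -v ':[[:space:]]*"&{esv\.' \
               | sed -E 's/^([^:]+:[0-9]+:"[^"]*").*/\1/' || true)
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample tree (not real Frodo output) for trying the scan.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/oauth" "$d/idm"
  printf '{\n  "clientId": "portal",\n  "clientSecret": "&{esv.portal.secret}"\n}\n' \
    > "$d/oauth/portal.json"
  printf '{\n  "smtpHost": "mail.example.com",\n  "smtpPassword": "Sup3rS3cret!"\n}\n' \
    > "$d/idm/email.json"
  echo "$d"
}

# Usage as a hook: scan.sh ./exports  (exits non-zero on findings)
[ $# -eq 0 ] || scan_exports "$1"
```

The match is a heuristic on key names, so review findings rather than treating a clean run as proof that no secret is present.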
3. Export Before Changes
Always export current state before making changes:
# Backup current state
frodo journey export -a -D "./backup-$(date +%Y%m%d-%H%M%S)" -h "$TENANT"
# Make changes in admin console
# ...
# Export new state
frodo journey export -a -D ./journeys -h "$TENANT"
4. Use Meaningful Directory Structure
forgerock-config/
├── dev/
│ ├── journeys/
│ ├── scripts/
│ ├── oauth/
│ └── esv/
├── staging/
│ └── ...
└── prod/
└── ...
Troubleshooting
Connection Issues
# Test connection
frodo conn describe https://openam-dev.forgeblocks.com/am
# Re-authenticate if token expired
frodo conn add https://openam-dev.forgeblocks.com/am [email protected] --force
Permission Errors
Ensure your admin user has the required privileges:
- fr:idc:esv:* for ESV management
- fr:am:* for AM configuration
- fr:idm:* for IDM configuration
Export Failures
# Use verbose mode for debugging
frodo journey export -i Login -h "$TENANT" --verbose
# Check specific journey exists
frodo journey list -h "$TENANT" | grep Login
Related Resources
Frodo CLI Series
- Frodo CLI for CI/CD: Automating Journey Export/Import in GitHub Actions
- Frodo Script Management: Bulk Export, Import, and Version Control
- Frodo ESV Management: Environment Secrets and Variables Automation
Related Tools
- PKCE Generator - Generate OAuth 2.0 PKCE values
- JWT Decode - Debug access tokens
- ForgeRock URL Builder - Build authorization URLs
Wrapping Up
After years of manual ForgeRock configuration management, Frodo has become my go-to tool. The time savings add up quickly—what used to take hours now takes minutes.
My recommendation: start small. Install Frodo, connect to your dev tenant, and export your journeys. Once you see how clean the workflow is, you’ll naturally want to expand into scripts, OAuth clients, and eventually full CI/CD pipelines.
# The three commands to get started
brew install frodo-cli
frodo conn add https://your-tenant.forgeblocks.com/am [email protected]
frodo journey export -a
That’s it. You’re now equipped to automate your ForgeRock configuration management.