“Should we use Frodo or Amster?”
This question comes up in almost every ForgeRock project. The short answer: it depends on your deployment type. The longer answer involves Identity Cloud support, ESV management, and whether you’re willing to deal with Java.
Here’s the breakdown to help you decide.
The Quick Answer
| Feature | Frodo CLI | Amster |
|---|---|---|
| Platform Support | Identity Cloud, ForgeOps, Classic | ForgeOps, Classic AM |
| Identity Cloud | ✅ Full support | ❌ Not supported |
| Installation | npm, Homebrew, binary | Java-based, bundled with AM |
| Journey Export | ✅ With dependencies | ✅ Basic export |
| ESV Management | ✅ Full support | ❌ Not available |
| Script Management | ✅ Full support | ✅ Full support |
| OAuth2 Management | ✅ Full support | ✅ Full support |
| Realm Management | ✅ Full support | ✅ Full support |
| Token Caching | ✅ (v2.0+) | ✅ Built-in |
| Active Development | ✅ Very active | ⚠️ Maintenance mode |
When to Use Frodo
✅ Use Frodo CLI For:
1. PingOne Advanced Identity Cloud (SaaS)
# Frodo is the ONLY CLI option for Identity Cloud
frodo conn add https://openam-mycompany.forgeblocks.com/am [email protected]
frodo journey export -a
2. Modern ForgeRock Deployments
- ForgeOps (Kubernetes-based)
- Docker deployments
- Cloud-native architectures
3. ESV (Environment Secrets and Variables) Management
# ESV commands are Frodo-exclusive
frodo esv variable create -i "esv-api-url" -v "https://api.example.com"
frodo esv secret create -i "esv-api-key" -v "secret-value"
frodo esv apply
4. Journey Export with Dependencies Frodo exports journeys with all dependencies:
# Exports journey + scripts + inner trees + email templates
frodo journey export -i Login
5. CI/CD Pipelines
# Easy npm installation in GitHub Actions
- name: Install Frodo
run: npm install -g @rockcarver/frodo-cli
When to Use Amster
✅ Use Amster For:
1. Classic ForgeRock AM Deployments
# Amster connects directly to AM
./amster
connect https://openam.example.com/openam -k /path/to/keyfile
2. On-Premise AM Servers
- Traditional AM installations
- Air-gapped environments
- Legacy infrastructure
3. Server Configuration Export
# Amster exports server-level configuration
export-config --path /exports/config
4. Detailed AM Tree Export
# Export authentication trees with fine-grained control
export-auth-trees --realm / --tree Login --path /exports/trees
5. Organizations Using AM Admin Tools
- Teams familiar with Amster workflow
- Existing Amster automation scripts
- Documentation referencing Amster
Feature Deep Dive
Authentication/Connection
Frodo:
# Interactive login (stores credentials)
frodo conn add https://openam-dev.forgeblocks.com/am [email protected]
# Environment variables for CI/CD
export FRODO_HOST="https://openam-dev.forgeblocks.com/am"
export FRODO_USER="[email protected]"
export FRODO_PASSWORD="password"
frodo journey list
Amster:
# Key-based authentication
./amster
connect https://openam.example.com/openam -k /path/to/keyfile
# Or interactive
connect https://openam.example.com/openam
# Enter username and password
Journey/Tree Export
Frodo (Recommended Approach):
# Export with all dependencies automatically included
frodo journey export -i Login -D ./exports
# Resulting file includes:
# - Journey configuration
# - All node configurations
# - Scripts used by scripted decision nodes
# - Inner trees (sub-journeys)
# - Email templates
Amster:
# Export authentication trees
am> export-auth-trees --realm / --tree Login --path /exports
# Scripts must be exported separately
am> export-config --path /exports --selectEntity scripts
Script Management
Frodo:
# List scripts
frodo script list
# Export all scripts
frodo script export -a -D ./scripts
# Import with overwrite
frodo script import -a -D ./scripts --force
Amster:
# Export scripts
am> export-config --path /scripts --selectEntity scripts
# Import scripts
am> import-config --path /scripts
OAuth2 Client Management
Both tools handle OAuth2 clients similarly:
Frodo:
frodo oauth client list
frodo oauth client export -a -D ./oauth
frodo oauth client import -a -D ./oauth
Amster:
am> export-config --path /oauth --selectEntity OAuth2Clients
am> import-config --path /oauth
Migration: Amster to Frodo
If you’re migrating from Amster to Frodo:
Step 1: Export with Amster
# Export current configuration
./amster
connect https://openam.example.com/openam -k /path/to/keyfile
export-config --path /exports/full
:exit
Step 2: Connect Frodo
# Add connection to Frodo
frodo conn add https://openam.example.com/openam [email protected]
Step 3: Re-export with Frodo
# Export in Frodo format
frodo journey export -a -D ./frodo-exports/journeys
frodo script export -a -D ./frodo-exports/scripts
frodo oauth client export -a -D ./frodo-exports/oauth
Step 4: Update CI/CD Pipelines
# Before (Amster)
- name: Export with Amster
run: |
./amster << 'EOF'
connect $AM_URL -k $KEYFILE
export-config --path ./exports
:exit
EOF
# After (Frodo)
- name: Export with Frodo
run: |
npm install -g @rockcarver/frodo-cli
frodo journey export -a -D ./exports
Using Both Tools Together
In some scenarios, using both tools makes sense:
Hybrid Environment
#!/bin/bash
# export-all-envs.sh
# Identity Cloud (Frodo only)
echo "Exporting from Identity Cloud..."
frodo journey export -a -D ./exports/cloud -h https://openam-cloud.forgeblocks.com/am
# On-premise AM (Amster preferred)
echo "Exporting from on-premise AM..."
./amster << 'EOF'
connect https://onprem-am.company.com/openam -k ./amster.key
export-config --path ./exports/onprem
:exit
EOF
Migration Period
During migration from on-premise to Identity Cloud:
- Source (On-prem): Use Amster to export
- Convert: Transform Amster exports to Frodo format
- Target (Cloud): Use Frodo to import
Performance Comparison
Connection Speed
| Operation | Frodo | Amster |
|---|---|---|
| Initial connection | ~2s | ~3s |
| With cached token | <1s | ~2s |
| Token refresh | Automatic | Manual |
Export Speed (100 journeys)
| Tool | Time | Notes |
|---|---|---|
| Frodo | ~45s | Parallel processing |
| Amster | ~90s | Sequential processing |
Ecosystem and Community
Frodo CLI
- Repository: github.com/rockcarver/frodo-cli
- Updates: Regular releases (monthly)
- Community: Active GitHub discussions
- Documentation: Comprehensive README and wiki
Amster
- Distribution: Bundled with ForgeRock AM
- Updates: Follows AM release cycle
- Documentation: ForgeRock Backstage
- Support: ForgeRock support channels
Decision Matrix
Use this matrix to choose your tool:
| Scenario | Recommended Tool |
|---|---|
| PingOne Advanced Identity Cloud | Frodo (only option) |
| New ForgeRock deployment | Frodo |
| Existing Amster automation | Amster (or migrate) |
| CI/CD pipeline integration | Frodo |
| ESV management | Frodo (only option) |
| Air-gapped environment | Amster |
| Classic AM (pre-7.x) | Amster |
| Journey with dependencies | Frodo |
| Server-level config | Amster |
Best Practices
For Frodo Users
-
Use token caching for faster operations
# Enabled by default in Frodo 2.x frodo journey list # First call caches token frodo script list # Uses cached token -
Leverage environment variables for CI/CD
export FRODO_HOST="https://tenant.forgeblocks.com/am" export FRODO_USER="[email protected]" export FRODO_PASSWORD="$SECRET" -
Use the
-aflag for bulk operationsfrodo journey export -a # Export all journeys at once
For Amster Users
-
Use key-based authentication for automation
connect $AM_URL -k /secure/amster.key -
Create reusable scripts
# export-all.amster connect $AM_URL -k $KEYFILE export-config --path /exports :exit -
Validate before import
import-config --path /exports --preview
Related Resources
Frodo CLI Series
Official Resources
The Bottom Line
After working with both tools across multiple projects:
Go with Frodo if you’re on Identity Cloud (you have no choice anyway), starting fresh, or want something that feels like a modern CLI tool. The npm install, environment variable support, and active development make it the better choice for new projects.
Stick with Amster if you’ve got existing automation scripts that work, you’re in an air-gapped environment where npm isn’t an option, or you’re on a classic AM deployment that predates Identity Cloud.
Use both during migration periods. We’ve run hybrid setups where Amster handles the legacy on-prem exports while Frodo manages the cloud-side imports. It’s messier, but it works.
The tools aren’t competitors—they serve different eras of ForgeRock deployments. Pick the one that fits your situation and move on. The real work is in the journeys and scripts, not the CLI you use to move them around.