Install and Configure Spin CLI

Install spin

One way to manage applications and pipelines as code is through spin.

To acquire spin, do the following:

On Linux

curl -LO$(curl -s

chmod +x spin

sudo mv spin /usr/local/bin/spin

On MacOS

curl -LO$(curl -s

chmod +x spin

sudo mv spin /usr/local/bin/spin

Configure spin

spin reads its configuration from ~/.spin/config. Currently, all configuration is for authentication mechanisms only.


spin can be configured with X.509 to authenticate calls against Spinnaker. The configuration block looks like this:

  enabled: true
    certPath: <cert file path>
    keyPath: <key file path>


  enabled: true
    # Pipes for multi-line strings in yaml.
    # Cert and key contents are 64 encoded pem values.
    cert: |
    key: |

Follow the ssl and x509 guides to generate the X.509 certificate and key files. Refer to the example config and the README for more information about X.509 in spin.


spin can be configured with OAuth2.0 to authenticate calls against Spinnaker. The configuration block looks like this:

  enabled: true
    authUrl: # OAuth2 provider auth url
    tokenUrl: # OAuth2 provider token url
    clientId: # OAuth2 client id
    clientSecret: # OAuth2 client secret
    scopes: # Scopes requested for the token
    - scope1
    - scope2

Read the OAuth setup instructions to see examples for acquiring a clientId/clientSecret from your provider.

Unlike X.509, OAuth2 needs to be initialized once to authenticate with the provider before it can be used for automation. To authenticate, configure OAuth2 as shown above and execute any spin command. You will be prompted to authenticate with your OAuth2 provider and paste an access code. spin then exchanges the code for an OAuth2 access/refresh token pair, which it caches in your ~/.spin/config file for future use. All subsequent spin calls will use the cached OAuth2 token for authentication with no user input required. If an OAuth2 access token expires, spin will use the refresh token to renew the access token expiry.

Global Flags

spin has a few helpful global flags:

Global Options:

        --gate-endpoint               Gate (API server) endpoint.
        --no-color                    Removes color from CLI output.
        --insecure=false              Ignore certificate errors during connection to endpoints.
        --quiet=false                 Squelch non-essential output.
        --output <output format>      Formats CLI output.

Output Formatting

The global --output flag allows users to manipulate spin’s output format. By default, spin will print the command output in json. Users can also specify a jsonpath in the output flag to extract nested data from the command output:

spin pipeline get --name pipelineName --application app --output jsonpath="{.stages}"


spin leverages the kubectl jsonpath libraries to support this. Follow the kubectl documentation for more information about the possible jsonpath arguments.