credctl reset
Synopsis
```
credctl reset [flags]
```
Description
`credctl reset` tears down all cloud infrastructure created by credctl and removes the local `~/.credctl` directory. This is a destructive operation intended for starting fresh or cleaning up after testing.
What it deletes
AWS:
- CloudFormation stack (`credctl-infra`)
- IAM role (detaches all policies first)
- IAM OIDC provider
- S3 OIDC bucket
GCP:
- Workload Identity Pool (cascades to providers and bindings)
- GCS OIDC bucket
- GCP credential config file
Local:
- `~/.credctl/` directory (config, public key, OIDC documents)
What it does NOT delete
- The Secure Enclave private key — macOS manages its lifecycle. Running `credctl init` after reset will create a new key pair.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| `--force` | bool | `false` | Skip the confirmation prompt. |
Examples
Interactive reset
```
credctl reset
This will delete all credctl config and tear down cloud resources. Continue? [y/N] y
Deleting CloudFormation stack 'credctl-infra'...
Cleaning up IAM role 'credctl-device-role'...
Deleting IAM OIDC provider...
Deleting Workload Identity Pool 'credctl-pool'...
Deleting GCS bucket 'credctl-oidc-my-project'...
Removing ~/.credctl...

Reset complete.
```
Force reset (no prompt)
```
credctl reset --force
```
Exit codes
| Code | Meaning |
|---|---|
| 0 | Reset completed (warnings for individual resource deletion failures are non-fatal) |
| 1 | Error (could not read config or remove local directory) |
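Exit code 0 still allows individual resource deletions to have failed, so a follow-up check is needed to confirm that no role, stack or pool was left behind. The script below is an added example, not part of credctl: the function names are hypothetical, the resource names are the ones in the sample output above, and it assumes both AWS and GCP were set up and that the `aws` and `gcloud` CLIs are authenticated with read access to those resources.

```shell
#!/bin/sh
# Added example, not part of credctl. Resource names are taken from the sample
# output on this page; override them through the environment if yours differ.
STACK="${STACK:-credctl-infra}"
ROLE="${ROLE:-credctl-device-role}"
POOL="${POOL:-credctl-pool}"

# absent LABEL CMD...: a lookup that fails means the resource no longer exists.
absent() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then
    echo "STILL PRESENT: $label"; return 1
  fi
  echo "gone: $label"
}

# A deleted Workload Identity Pool is soft-deleted first, so describe can
# still succeed; only a state other than DELETED counts as a leftover.
pool_absent() {
  state=$(gcloud iam workload-identity-pools describe "$POOL" \
    --location=global --format='value(state)' 2>/dev/null) || state=""
  case "$state" in
    ""|DELETED) echo "gone: Workload Identity Pool $POOL" ;;
    *) echo "STILL PRESENT: Workload Identity Pool $POOL ($state)"; return 1 ;;
  esac
}

# verify_reset: 0 = nothing left, 1 = leftovers found, 2 = could not verify.
verify_reset() {
  # Without working credentials every lookup fails and would look "gone".
  aws sts get-caller-identity >/dev/null 2>&1 || { echo "aws: no credentials"; return 2; }
  gcloud auth print-access-token >/dev/null 2>&1 || { echo "gcloud: no credentials"; return 2; }
  left=0
  absent "CloudFormation stack $STACK" \
    aws cloudformation describe-stacks --stack-name "$STACK" || left=1
  absent "IAM role $ROLE" aws iam get-role --role-name "$ROLE" || left=1
  pool_absent || left=1
  absent "local directory $HOME/.credctl" test -e "$HOME/.credctl" || left=1
  return $left
}

# Run the checks only when asked to, e.g. `sh verify-reset.sh --run`.
if [ "${1:-}" = "--run" ]; then verify_reset; fi
```

The IAM OIDC provider and the OIDC buckets are not checked because their identifiers depend on your account and project; add an `absent` line for each once you know them.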
See also
- `credctl init` — create a new device identity after reset
- `credctl setup aws` — recreate AWS infrastructure
- `credctl setup gcp` — recreate GCP infrastructure