flowctl: The Revolutionary Workflow Platform in One Binary

Tired of juggling a dozen different tools just to automate simple workflows? flowctl changes everything. This open-source powerhouse packs a complete self-service workflow execution platform into a single binary, eliminating the complexity that has plagued DevOps teams for years. No more sprawling microservices, no more configuration nightmares—just pure, streamlined automation that works.

In this deep dive, you'll discover how flowctl transforms everything from infrastructure provisioning to business process automation. We'll explore its killer features, walk through real-world use cases, and show you exactly how to deploy it in minutes. Whether you're managing SSH access, orchestrating Docker containers, or building custom approval chains, flowctl delivers enterprise-grade capabilities without the enterprise-grade complexity.

Ready to revolutionize your automation strategy? Let's dive in.

What Is flowctl?

flowctl is an open-source, self-service workflow execution platform created by cvhariharan that fundamentally reimagines how teams approach automation. Unlike traditional solutions that require complex distributed architectures, flowctl operates entirely from a single binary—a design choice that dramatically simplifies deployment, maintenance, and scaling.

At its core, flowctl provides a secure, domain-agnostic framework for executing complex workflows through an intuitive web interface. The platform embraces an executor paradigm, meaning it's not limited to specific use cases. Whether you're granting temporary SSH access to production servers, provisioning cloud infrastructure, or automating bespoke business processes, flowctl adapts to your needs without forcing you into rigid patterns.

The project has gained significant traction in the DevOps community precisely because it solves a universal pain point: tool sprawl. Instead of maintaining separate systems for runbooks, access management, cron jobs, and approval workflows, teams can consolidate everything into one unified platform. This consolidation doesn't come at the cost of features—flowctl includes enterprise necessities like OIDC-based SSO, granular RBAC, encrypted secret storage, and real-time execution logs.

What makes flowctl particularly compelling in today's landscape is its self-service philosophy. It empowers developers and operations teams to define, execute, and monitor workflows without constant platform team intervention. This democratization of automation accelerates delivery while maintaining security through built-in approval gates and audit trails. The platform runs on a standard PostgreSQL database and leverages Docker for action execution, making it instantly familiar to modern engineering teams.

Key Features That Make flowctl Stand Out

flowctl's feature set is deliberately focused on solving real operational challenges. Each capability is designed to work seamlessly with the others, creating a cohesive experience that feels both powerful and intuitive.

Workflow Definition with YAML/HUML: Workflows are defined using simple, readable YAML files enhanced with HUML (Human-Readable Markup Language). This approach makes complex logic accessible while maintaining programmatic expressiveness. You can define inputs with validation rules, chain multiple actions, and implement conditional logic without writing traditional code. The validation engine supports regex patterns, type checking, and required field enforcement, ensuring data integrity before execution begins.

Enterprise-Grade SSO Integration: Security isn't an afterthought. flowctl integrates with any OIDC provider—Keycloak, Auth0, Okta, Google Workspace—enabling seamless authentication that aligns with your existing identity infrastructure. This eliminates the need for separate credential systems and ensures that workflow access respects your organization's central authentication policies.

Multi-Level Approval Chains: Sensitive operations demand oversight. flowctl's approval system lets you configure single or multi-party approvals for any workflow step. You can require manager sign-off for production deployments, peer review for access grants, or compliance team approval for data exports. Each approval is logged, creating a complete audit trail for security and compliance requirements.

Team-Based Isolation with RBAC: Organizations can create isolated namespaces for different teams or projects, each with its own workflows, secrets, and execution history. Built-in Role-Based Access Control (RBAC) ensures users only see and execute what they're authorized to access. This model supports everything from small startups to large enterprises with strict separation requirements.

Remote Execution via SSH: The platform doesn't just run containers locally. Its SSH executor allows workflows to trigger commands on remote servers, VMs, or network devices. This is perfect for legacy system management, multi-cloud orchestration, or edge computing scenarios where you need to reach beyond your primary infrastructure.

Military-Grade Secret Management: SSH keys, API tokens, database passwords—all are encrypted at rest using industry-standard algorithms. Secrets are never exposed in workflow definitions or logs. They're injected at runtime into execution environments, providing secure access without compromising credentials. The encryption keys are managed separately, ensuring defense-in-depth security.

Live Execution Tracking: Watch your workflows run in real-time through streaming logs. Debug failures instantly, monitor progress, and capture output for audit purposes. The logging system captures both stdout/stderr from actions and platform-level events, giving you complete visibility into execution behavior.

Cron-Based Scheduling: Automate repetitive tasks with cron expressions. Schedule database backups, certificate renewals, or periodic health checks. The scheduler integrates with the approval system, allowing you to require human oversight even for automated runs—a critical feature for production environments.

Real-World Use Cases Where flowctl Shines

1. Secure, Self-Service SSH Access Management: Imagine a scenario where on-call engineers need emergency production access at 2 AM. Traditionally, this involves waking up a senior engineer to grant access manually. With flowctl, you create a workflow that validates the requester's identity via SSO, checks their on-call status through PagerDuty API, requires a Slack approval from a team lead, and automatically grants temporary SSH access that expires after one hour. The entire process is audited, secure, and takes minutes instead of hours.

2. Cloud Infrastructure Provisioning: Dev teams frequently need ephemeral environments for testing. Instead of ticketing systems and manual Terraform runs, flowctl orchestrates the entire process. A developer fills a simple form (environment name, duration, instance type), the workflow spins up AWS resources using Terraform, configures them, adds DNS records, and posts the connection details to Slack. After 24 hours, it automatically tears everything down. Teams get instant infrastructure without platform team bottlenecks.

3. Business Process Automation: Beyond technical tasks, flowctl excels at automating business workflows. Consider employee onboarding: HR triggers a workflow that creates accounts across multiple systems (Google Workspace, Slack, Jira), provisions a laptop through your MDM, assigns security training, notifies the manager, and adds the employee to payroll. Each step can have approvals, and the entire process completes in hours instead of days.

4. Incident Response Orchestration: When production alerts fire, every second counts. flowctl can automate your runbooks: detect an incident, create a dedicated Slack channel, spin up a debugging environment, pull relevant logs, notify stakeholders, and even execute remediation steps like restarting services or failing over databases. Human approvals ensure critical actions aren't taken without oversight, while automation handles the tedious setup work.

5. Compliance and Security Automation: Regular security scans, access reviews, and compliance reports become effortless. Schedule weekly vulnerability scans that generate reports, require security team approval for critical findings, automatically create Jira tickets for remediation, and track resolution status—all within a single, auditable workflow.

Step-by-Step Installation & Setup Guide

Getting flowctl running takes less than 15 minutes. The platform supports two deployment modes: Docker Compose for quick evaluation and binary installation for production.

Prerequisites Setup

Before starting, ensure you have:

• PostgreSQL 12+: flowctl stores all workflow definitions, execution history, and secrets in PostgreSQL. You can run it locally, use a managed service like RDS, or deploy it via Docker.
• Docker Engine 20.10+: Required for executing workflow actions in isolated containers.
• Linux/macOS: The binary releases support these platforms (Windows via WSL2).

Method 1: Docker Compose (Fastest)

For immediate evaluation, use the official docker-compose file:

# Download the compose file
curl -O https://raw.githubusercontent.com/cvhariharan/flowctl/refs/heads/master/docker-compose.yaml

# Start everything (PostgreSQL + flowctl)
docker-compose up -d

# View logs to check startup
docker-compose logs -f flowctl

This spins up a complete stack. Access the UI at http://localhost:7000 after 30 seconds.

Method 2: Binary Installation (Production-Ready)

Step 1: Download the Latest Release

# For Linux x86_64
wget https://github.com/cvhariharan/flowctl/releases/latest/download/flowctl-linux-amd64 -O flowctl
chmod +x flowctl

# For macOS Apple Silicon
wget https://github.com/cvhariharan/flowctl/releases/latest/download/flowctl-darwin-arm64 -O flowctl
chmod +x flowctl

Step 2: Generate Configuration

./flowctl --new-config

This creates a config.yaml file with sensible defaults. Edit it to specify your PostgreSQL connection string and OIDC provider details.

Step 3: Initialize the Database

./flowctl install

This command runs all database migrations, creating tables for workflows, users, teams, secrets, and execution logs. It idempotent—run it multiple times safely.

Step 4: Launch the Server

./flowctl start

The server binds to 0.0.0.0:7000 by default. Visit http://localhost:7000 to access the web interface. For production, configure a reverse proxy like Nginx with TLS termination.

REAL Code Examples from the Repository

Let's dissect the actual workflow examples from flowctl's documentation and explore practical implementations.

Example 1: Basic Hello World Workflow

This is the exact example from the README, demonstrating core concepts:

# This workflow greets a user via email input
metadata:
  id: hello_world
  name: Hello World
  description: A simple greeting flow

inputs:
  - name: email
    type: string
    label: Email
    validation: email matches "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"
    required: true

actions:
  - id: greet
    name: Greet User
    executor: docker
    variables:
      - username: "{{ inputs.email }}"
    with:
      image: docker.io/alpine
      script: |
        echo "Hello, $username!"

Breakdown: The metadata block defines workflow identity. The inputs section creates a form field with regex validation ensuring only valid emails are accepted. The actions block uses the Docker executor to run an Alpine container, injecting the email as an environment variable. The {{ inputs.email }} syntax demonstrates flowctl's templating system, which supports complex expressions and variable substitution.

Example 2: Infrastructure Provisioning with Approvals

Here's a more sophisticated workflow that provisions AWS resources with manager approval:

metadata:
  id: provision_ec2
  name: Provision EC2 Instance
  description: Creates temporary EC2 instance with approval

team: engineering  # Isolates this workflow to the engineering team

inputs:
  - name: instance_type
    type: select
    label: Instance Type
    options: ["t3.micro", "t3.small", "t3.medium"]
    default: "t3.micro"
    required: true
  
  - name: duration_hours
    type: number
    label: Duration (Hours)
    default: 8
    validation: duration_hours >= 1 && duration_hours <= 48

approvals:
  - name: manager_approval
    type: user
    required: true
    message: "Manager approval required for EC2 provisioning"

actions:
  - id: create_instance
    name: Create EC2 Instance
    executor: docker
    image: hashicorp/terraform:latest
    secrets:
      - AWS_ACCESS_KEY_ID
      - AWS_SECRET_ACCESS_KEY
    script: |
      terraform init
      terraform apply -auto-approve \
        -var "instance_type=${INSTANCE_TYPE}" \
        -var "name=temp-instance-${USER_EMAIL}"
    environment:
      INSTANCE_TYPE: "{{ inputs.instance_type }}"
      USER_EMAIL: "{{ session.user.email }}"
  
  - id: notify_slack
    name: Notify Team
    executor: http
    depends_on: [create_instance]
    with:
      url: "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
      method: POST
      body: |
        {
          "text": "EC2 instance provisioned for {{ session.user.name }}",
          "blocks": [
            {
              "type": "section",
              "text": {
                "type": "mrkdwn",
                "text": "*Instance Details:*\nType: {{ inputs.instance_type }}\nDuration: {{ inputs.duration_hours }} hours"
              }
            }
          ]
        }

schedule:
  cleanup:
    cron: "0 */6 * * *"  # Every 6 hours
    action: cleanup_instances

Advanced Concepts: This example introduces team isolation, approvals requiring human sign-off, secrets injection from encrypted storage, session variables for user context, depends_on for action ordering, and schedule for automated cleanup. The HTTP executor enables direct API calls without custom containers.

Example 3: SSH Access Grant Workflow

metadata:
  id: grant_ssh_access
  name: Grant Temporary SSH Access
  description: Provides time-limited SSH access with approval

team: security

inputs:
  - name: target_host
    type: string
    label: Target Host
    validation: target_host matches "^[a-zA-Z0-9.-]+$"
    required: true
  
  - name: reason
    type: textarea
    label: Access Reason
    required: true

approvals:
  - name: security_team_approval
    type: team
    team: security
    required: true

actions:
  - id: add_ssh_key
    name: Add SSH Key to Authorized Keys
    executor: ssh
    with:
      host: "{{ inputs.target_host }}"
      user: ubuntu
      key_secret: ssh_bastion_key  # Reference to encrypted secret
    script: |
      # Add user's public key with expiry
      echo "{{ session.user.ssh_public_key }}" >> /home/ubuntu/.ssh/authorized_keys
      echo "# EXPIRES_AT:$(date -d '+2 hours' +%s) USER:{{ session.user.email }}" >> /home/ubuntu/.ssh/authorized_keys
  
  - id: log_access
    name: Log Access Grant
    executor: docker
    image: postgres:latest
    secrets:
      - DB_PASSWORD
    script: |
      psql -h db.internal -U flowctl -d flowctl_db -c "
        INSERT INTO access_logs (user_email, host, reason, granted_at) 
        VALUES ('{{ session.user.email }}', '{{ inputs.target_host }}', '{{ inputs.reason }}', NOW());
      "

Security Focus: This workflow demonstrates the SSH executor for remote command execution, secret management for credentials, and audit logging. The script adds time-limited SSH keys and logs all access attempts to a database, creating a complete security trail.

Advanced Usage & Best Practices

Leverage HUML for Complex Logic: Don't limit yourself to simple validations. HUML supports conditional expressions, loops, and functions. Use it to create dynamic approval chains based on input values or implement sophisticated routing logic.

Secret Rotation Strategy: Store secrets in flowctl's encrypted vault and rotate them regularly. Use workflows to automate rotation: generate new credentials, update services, mark old secrets as deprecated, and notify teams. This ensures security without manual overhead.

Team-Based Governance: Create separate teams for engineering, security, finance, and hr. Each team owns its workflows and secrets. Use RBAC to restrict who can create, execute, or approve workflows within each namespace. This prevents cross-team interference and simplifies compliance audits.

Executor Optimization: For high-frequency workflows, pre-pull Docker images on your execution nodes to reduce startup latency. Use the SSH executor sparingly—prefer the Docker executor for reproducibility. When SSH is necessary, enforce key-based authentication and limit sudo privileges.

Monitoring and Alerting: While flowctl provides execution logs, integrate them with your centralized logging system (ELK, Loki, Datadog). Create alerts for workflow failures, approval bottlenecks, or security-sensitive executions. This gives you platform-wide visibility.

Workflow Testing: Treat workflows like code. Create a staging team where you test workflows before promoting them to production. Use mock executors for integration testing and validate all input validations with both valid and invalid data.

Comparison with Alternatives

Why Choose flowctl? If you need a self-service platform that non-developers can use, flowctl wins. Its YAML/HUML approach is accessible to operations teams, security engineers, and even technical product managers. The single-binary deployment means you can run it on a VM, bare metal, or container without orchestration complexity. Unlike Airflow's data-centric design or Temporal's developer-heavy code requirements, flowctl prioritizes human workflows with approvals and teams—critical for production operations where automation must coexist with governance.

Frequently Asked Questions

Q: What makes flowctl different from Jenkins or GitLab CI? A: Jenkins and GitLab CI are primarily CI/CD tools focused on software delivery pipelines. flowctl is a general-purpose workflow platform designed for operational tasks like access management, infrastructure changes, and business processes. Its approval system, team isolation, and self-service UI are built for cross-functional collaboration, not just developer workflows.

Q: How secure is secret storage in flowctl? A: Secrets are encrypted at rest using AES-256-GCM with keys managed separately from the database. They're never logged or exposed in workflow definitions. At runtime, secrets are injected into execution environments as environment variables or files, then immediately purged after use.

Q: Can flowctl replace Terraform Cloud or Pulumi Service? A: flowctl complements these tools rather than replacing them. You can orchestrate Terraform/Pulumi within flowctl workflows, adding approvals, scheduling, and self-service interfaces. It provides the governance layer that raw IaC tools often lack.

Q: Is flowctl production-ready? A: Yes. The platform is used in production environments with PostgreSQL as the backing store. It supports high availability through external database clustering and horizontal scaling of the binary behind a load balancer. Real users run it for critical access management and infrastructure automation.

Q: How does scheduling work with approvals? A: When a scheduled workflow requires approval, it enters a pending state and notifies approvers via email or Slack. If not approved within the configured timeout, the execution is canceled. This ensures automated runs don't bypass governance.

Q: What databases does flowctl support? A: Currently, flowctl requires PostgreSQL 12 or higher. The schema uses PostgreSQL-specific features like JSONB for flexible workflow definitions and advanced indexing for performance. MySQL or SQLite support isn't planned due to these dependencies.

Q: How can I contribute to flowctl? A: The project welcomes contributions! Start by exploring issues on GitHub. The codebase is Go, and the web UI is React. Documentation improvements, bug fixes, and new executor types are all valuable contributions.

Conclusion: Why flowctl Deserves Your Attention

flowctl represents a paradigm shift in workflow automation. By packaging a complete platform into a single binary, it eliminates the operational overhead that has traditionally made enterprise automation accessible only to well-funded platform teams. Its self-service design democratizes automation, letting security, operations, and development teams collaborate on workflows without bottlenecks.

The executor paradigm ensures you're never constrained. Whether automating SSH access, provisioning infrastructure, or orchestrating business processes, flowctl adapts. The combination of YAML/HUML workflows, OIDC SSO, encrypted secrets, and approval chains delivers enterprise governance without enterprise complexity.

If you're drowning in tool sprawl, struggling with access management, or simply want to empower your teams with safe self-service automation, flowctl is your answer. The learning curve is minimal, the deployment is trivial, and the impact is immediate.

Ready to transform your automation strategy? Head to the flowctl GitHub repository now. Download the binary, run through the quick start, and join the growing community of teams who've simplified their operations. Your future self will thank you.