Commands
This page lists the public NebCLI commands, grouped by what they do. For a guided sign-in walkthrough, see Authentication. Run any command with --help to see its full options and examples in your terminal.
Every command checks your identity first and turns any error into a clear, predictable result last. That shared path is why the tool behaves consistently across commands. Pure-local commands such as version and doctor do not require sign-in.
Identity and session
| Command | What it does |
|---|---|
nebcli login | Sign in through your browser and save a session. |
nebcli logout | End your local session. |
nebcli auth status | Show your current authentication state and active environment. |
nebcli auth contexts | List every available environment context. |
nebcli auth use-context <name> | Switch the active context. |
nebcli auth rename-context <old> <new> | Rename a context. |
nebcli auth token | Print the current session token (for debugging). |
nebcli sessions list | List your active sessions. |
nebcli sessions revoke <id> | End one of your sessions. |
nebcli doctor | Run the sign-in and connectivity self-check. |
nebcli license refresh | Fetch the latest signed license and write it locally. |
nebcli login --tenant <your-tenant>
nebcli sessions list
Cloud access
Get and renew temporary AWS access, written where the aws CLI and SDKs read from.
| Command | What it does |
|---|---|
nebcli cloud refresh | Refresh expired or expiring AWS credentials. |
nebcli cloud list | List the cloud accounts and roles available to you. |
nebcli cloud status | Show your managed AWS profiles and their expiry. |
nebcli cloud clean | Remove managed AWS profiles (--expired-only to keep live ones). |
nebcli elevate role <your-role>
aws s3 ls # the standard tool runs on its own
nebcli cloud refresh # when the credential expires
Temporary elevation
Raise your cloud permissions for a limited time, then give them back.
| Command | What it does |
|---|---|
nebcli elevate role <role> | Raise your AWS permissions to a specific role for a limited time. |
nebcli elevate list | List the roles you can elevate to. |
nebcli elevate status | Show your currently raised permissions. |
nebcli elevate revoke | Give back all raised permissions. |
Cluster access
Inspect access to clusters, written where kubectl reads from.
| Command | What it does |
|---|---|
nebcli cluster list | List the clusters you can reach. |
nebcli cluster status | Check a cluster's health. |
nebcli cluster list
kubectl get pods -A # standard tool runs directly
GitHub access
Set up and renew access to GitHub, written where gh and git read from.
| Command | What it does |
|---|---|
nebcli github setup-gh | One-time setup so gh and git push/clone work. |
nebcli github status | Show the cached token's expiry and granted permissions. |
Tokens renew on their own: the credential helper installed by setup-gh mints a fresh one whenever git or gh asks. If access is rejected, nebcli github status shows what the current token is allowed to do and when it expires.
Helm validation and delivery
These are the framework-aware Helm verbs. Every other Helm operation (template, lint, install, and the rest) runs against the upstream helm binary directly.
| Command | What it does |
|---|---|
nebcli helm validate | Check a chart against the platform's rules and every cluster it affects, before merge. |
nebcli helm compliance | Check that a chart follows the required platform patterns. |
nebcli helm update-deps | Refresh a chart's dependencies in the correct order. |
nebcli helm sync-appsets | Align deployment records with the chart versions that have been published. |
nebcli helm refresh-registry | Get short-lived chart-registry access so helm pull can download charts. |
nebcli helm validate \
--chart ./ \
--appsets ../path/to/appsets \
--cluster your-cluster-name \
--verbose
Configuration and utilities
| Command | What it does |
|---|---|
nebcli config view | Show your effective configuration. |
nebcli config path | Print the path to the config file. |
nebcli completion <shell> | Generate a shell completion script. |
nebcli update | Update NebCLI to the latest release: downloads, verifies the signature, and swaps the binary in place. --check only reports. |
nebcli use <tenant> | Re-point the laptop default tenant used for guardrail attribution. |
nebcli version | Show the version and build information. |
Output flags
These flags work across commands and control how output is rendered.
| Flag | Effect |
|---|---|
--output json | Machine-readable JSON instead of human text. Use it in scripts and CI. |
--no-color | Disable colored output. The default in CI. |
--verbose | Print per-step detail. |
--debug | Print protocol-level traces, including HTTP requests, to standard error. Useful for diagnosing a failed call. |
Exit codes
Every command exits with a code you can branch on in scripts. The first eight are universal.
| Code | Meaning |
|---|---|
0 | Success. |
1 | Generic error (invalid config, file not found, network failure). |
2 | A required resource was not found (a name or id that does not exist). |
3 | You lack permission for the operation. |
4 | Your session expired or is invalid. Run nebcli login. |
5 | A flag value failed validation. |
6 | A required flag combination was not supplied. |
7 | A lookup matched more than one candidate; be more specific. |
99 | An unexpected internal error. |
Example of branching on the exit code in a script:
nebcli cloud refresh
case $? in
0) echo "credentials refreshed";;
4) echo "session expired; signing in" >&2; nebcli login;;
*) echo "refresh failed (exit $?)" >&2; exit 1;;
esac
Next steps
- Examples: full worked tasks built from these commands.
- Credential brokering: the model behind cloud, cluster, GitHub, and registry access.