Skip to main content

Commands

This page lists the public NebCLI commands, grouped by what they do. For a guided sign-in walkthrough, see Authentication. Run any command with --help to see its full options and examples in your terminal.

note

Every command checks your identity first and turns any error into a clear, predictable result last. That shared path is why the tool behaves consistently across commands. Pure-local commands such as version and doctor do not require sign-in.

Identity and session

CommandWhat it does
nebcli loginSign in through your browser and save a session.
nebcli logoutEnd your local session.
nebcli auth statusShow your current authentication state and active environment.
nebcli auth contextsList every available environment context.
nebcli auth use-context <name>Switch the active context.
nebcli auth rename-context <old> <new>Rename a context.
nebcli auth tokenPrint the current session token (for debugging).
nebcli sessions listList your active sessions.
nebcli sessions revoke <id>End one of your sessions.
nebcli doctorRun the sign-in and connectivity self-check.
nebcli license refreshFetch the latest signed license and write it locally.
nebcli login --tenant <your-tenant>
nebcli sessions list

Cloud access

Get and renew temporary AWS access, written where the aws CLI and SDKs read from.

CommandWhat it does
nebcli cloud refreshRefresh expired or expiring AWS credentials.
nebcli cloud listList the cloud accounts and roles available to you.
nebcli cloud statusShow your managed AWS profiles and their expiry.
nebcli cloud cleanRemove managed AWS profiles (--expired-only to keep live ones).
nebcli elevate role <your-role>
aws s3 ls # the standard tool runs on its own
nebcli cloud refresh # when the credential expires

Temporary elevation

Raise your cloud permissions for a limited time, then give them back.

CommandWhat it does
nebcli elevate role <role>Raise your AWS permissions to a specific role for a limited time.
nebcli elevate listList the roles you can elevate to.
nebcli elevate statusShow your currently raised permissions.
nebcli elevate revokeGive back all raised permissions.

Cluster access

Inspect access to clusters, written where kubectl reads from.

CommandWhat it does
nebcli cluster listList the clusters you can reach.
nebcli cluster statusCheck a cluster's health.
nebcli cluster list
kubectl get pods -A # standard tool runs directly

GitHub access

Set up and renew access to GitHub, written where gh and git read from.

CommandWhat it does
nebcli github setup-ghOne-time setup so gh and git push/clone work.
nebcli github statusShow the cached token's expiry and granted permissions.

Tokens renew on their own: the credential helper installed by setup-gh mints a fresh one whenever git or gh asks. If access is rejected, nebcli github status shows what the current token is allowed to do and when it expires.

Helm validation and delivery

These are the framework-aware Helm verbs. Every other Helm operation (template, lint, install, and the rest) runs against the upstream helm binary directly.

CommandWhat it does
nebcli helm validateCheck a chart against the platform's rules and every cluster it affects, before merge.
nebcli helm complianceCheck that a chart follows the required platform patterns.
nebcli helm update-depsRefresh a chart's dependencies in the correct order.
nebcli helm sync-appsetsAlign deployment records with the chart versions that have been published.
nebcli helm refresh-registryGet short-lived chart-registry access so helm pull can download charts.
nebcli helm validate \
--chart ./ \
--appsets ../path/to/appsets \
--cluster your-cluster-name \
--verbose

Configuration and utilities

CommandWhat it does
nebcli config viewShow your effective configuration.
nebcli config pathPrint the path to the config file.
nebcli completion <shell>Generate a shell completion script.
nebcli updateUpdate NebCLI to the latest release: downloads, verifies the signature, and swaps the binary in place. --check only reports.
nebcli use <tenant>Re-point the laptop default tenant used for guardrail attribution.
nebcli versionShow the version and build information.

Output flags

These flags work across commands and control how output is rendered.

FlagEffect
--output jsonMachine-readable JSON instead of human text. Use it in scripts and CI.
--no-colorDisable colored output. The default in CI.
--verbosePrint per-step detail.
--debugPrint protocol-level traces, including HTTP requests, to standard error. Useful for diagnosing a failed call.

Exit codes

Every command exits with a code you can branch on in scripts. The first eight are universal.

CodeMeaning
0Success.
1Generic error (invalid config, file not found, network failure).
2A required resource was not found (a name or id that does not exist).
3You lack permission for the operation.
4Your session expired or is invalid. Run nebcli login.
5A flag value failed validation.
6A required flag combination was not supplied.
7A lookup matched more than one candidate; be more specific.
99An unexpected internal error.

Example of branching on the exit code in a script:

nebcli cloud refresh
case $? in
0) echo "credentials refreshed";;
4) echo "session expired; signing in" >&2; nebcli login;;
*) echo "refresh failed (exit $?)" >&2; exit 1;;
esac

Next steps

  • Examples: full worked tasks built from these commands.
  • Credential brokering: the model behind cloud, cluster, GitHub, and registry access.