Examples
Worked, end-to-end tasks built from the commands on the Commands page. Each one assumes you have already installed NebCLI and can sign in (see Authentication).
Get temporary AWS access and run a command
The goal: run an aws command without ever putting a long-lived AWS key on your laptop. NebCLI gets you short-lived credentials, writes them where the AWS CLI reads from, and steps aside.
-
Sign in if you have not already.
nebcli login --tenant <your-tenant>Opening your browser to sign in...Signed in. Session saved. -
See which cloud roles you can use.
nebcli cloud listACCOUNT ROLE123456789012 platform-reader123456789012 platform-deployer -
Set up your AWS profile with short-lived credentials.
nebcli elevate role <your-role>Wrote profile to ~/.aws/credentialsCredentials expire in 1h00m. -
Use the standard
awstool directly. NebCLI is no longer in the loop.aws sts get-caller-identity{"Account": "123456789012","Arn": "arn:aws:sts::123456789012:assumed-role/platform-reader/you"} -
When the credential expires, refresh it and run again.
nebcli cloud refreshRefreshed profile. Credentials expire in 1h00m.
You can check expiry at any time with nebcli cloud status. NebCLI refreshes on demand, so you only need to act when a command reports expired access.
Raise your permissions for one task, then give them back
Sometimes a single task needs more than your normal role. Elevation grants a higher role for a limited window and then returns you to normal.
-
See which roles you can elevate to.
nebcli elevate listROLE AVAILABLEplatform-deployer yes -
Elevate for the task.
nebcli elevate role platform-deployerElevated to platform-deployer. Expires in 30m. -
Do the work with the standard tools, then give the permission back.
nebcli elevate revokeAll elevated credentials revoked.
Validate a chart before you merge
The goal: catch a Helm chart problem before it ships, not after. nebcli helm validate checks the chart against the platform's rules and against every cluster it would affect.
-
From the chart directory, run the validator against the clusters you care about.
nebcli helm validate \--chart ./ \--appsets ../path/to/appsets \--cluster your-cluster-name \--verbose -
A clean chart passes every phase.
Phase 1 chart compliance ............ okPhase 2 cluster resolution .......... 1 clusterPhase 3 per-cluster validation ...... okAll checks passed.The command exits
0. -
A problem is reported with the failing check, and the command stops.
Phase 1 chart compliance ............ FAILEDimage ref missing digest pin: myapp:latestValidation failed.The command exits
2, so CI can fail the build on it.
Add --output json to feed the result into a CI dashboard or a pre-commit hook.
Refresh a credential when a tool rejects it
Short-lived credentials expire by design. When a standard tool reports that access is no longer accepted, refresh the matching credential and retry the original command.
aws sts get-caller-identity
# An error occurred (ExpiredToken) when calling the GetCallerIdentity operation
nebcli cloud refresh
# Renewed AWS credentials.
aws sts get-caller-identity
# {
# "Account": "123456789012",
# "Arn": "arn:aws:sts::123456789012:assumed-role/platform-reader/you"
# }
The same pattern works for GitHub access (nebcli github refresh) and chart-registry access (nebcli helm refresh-registry): refresh the one credential that expired, then run the original command again.
Next steps
- Commands: the full reference for everything used above.
- Credential brokering: why this refresh-and-retry pattern is the whole design.