Skip to main content

Examples

Worked, end-to-end tasks built from the commands on the Commands page. Each one assumes you have already installed NebCLI and can sign in (see Authentication).

Get temporary AWS access and run a command

The goal: run an aws command without ever putting a long-lived AWS key on your laptop. NebCLI gets you short-lived credentials, writes them where the AWS CLI reads from, and steps aside.

  1. Sign in if you have not already.

    nebcli login --tenant <your-tenant>
    Opening your browser to sign in...
    Signed in. Session saved.
  2. See which cloud roles you can use.

    nebcli cloud list
    ACCOUNT ROLE
    123456789012 platform-reader
    123456789012 platform-deployer
  3. Set up your AWS profile with short-lived credentials.

    nebcli elevate role <your-role>
    Wrote profile to ~/.aws/credentials
    Credentials expire in 1h00m.
  4. Use the standard aws tool directly. NebCLI is no longer in the loop.

    aws sts get-caller-identity
    {
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/platform-reader/you"
    }
  5. When the credential expires, refresh it and run again.

    nebcli cloud refresh
    Refreshed profile. Credentials expire in 1h00m.
tip

You can check expiry at any time with nebcli cloud status. NebCLI refreshes on demand, so you only need to act when a command reports expired access.

Raise your permissions for one task, then give them back

Sometimes a single task needs more than your normal role. Elevation grants a higher role for a limited window and then returns you to normal.

  1. See which roles you can elevate to.

    nebcli elevate list
    ROLE AVAILABLE
    platform-deployer yes
  2. Elevate for the task.

    nebcli elevate role platform-deployer
    Elevated to platform-deployer. Expires in 30m.
  3. Do the work with the standard tools, then give the permission back.

    nebcli elevate revoke
    All elevated credentials revoked.

Validate a chart before you merge

The goal: catch a Helm chart problem before it ships, not after. nebcli helm validate checks the chart against the platform's rules and against every cluster it would affect.

  1. From the chart directory, run the validator against the clusters you care about.

    nebcli helm validate \
    --chart ./ \
    --appsets ../path/to/appsets \
    --cluster your-cluster-name \
    --verbose
  2. A clean chart passes every phase.

    Phase 1 chart compliance ............ ok
    Phase 2 cluster resolution .......... 1 cluster
    Phase 3 per-cluster validation ...... ok
    All checks passed.

    The command exits 0.

  3. A problem is reported with the failing check, and the command stops.

    Phase 1 chart compliance ............ FAILED
    image ref missing digest pin: myapp:latest
    Validation failed.

    The command exits 2, so CI can fail the build on it.

tip

Add --output json to feed the result into a CI dashboard or a pre-commit hook.

Refresh a credential when a tool rejects it

Short-lived credentials expire by design. When a standard tool reports that access is no longer accepted, refresh the matching credential and retry the original command.

aws sts get-caller-identity
# An error occurred (ExpiredToken) when calling the GetCallerIdentity operation

nebcli cloud refresh
# Renewed AWS credentials.

aws sts get-caller-identity
# {
# "Account": "123456789012",
# "Arn": "arn:aws:sts::123456789012:assumed-role/platform-reader/you"
# }

The same pattern works for GitHub access (nebcli github refresh) and chart-registry access (nebcli helm refresh-registry): refresh the one credential that expired, then run the original command again.

Next steps