Home

Awesome

English | 简体中文

<h1 align="center">Alibaba Cloud CLI</h1> <p align="center"> <a href="https://github.com/aliyun/aliyun-cli/actions/workflows/go.yml"><img src="https://github.com/aliyun/aliyun-cli/actions/workflows/go.yml/badge.svg" alt="Go build Status"></a> <a href="https://codecov.io/gh/aliyun/aliyun-cli"><img src="https://codecov.io/gh/aliyun/aliyun-cli/branch/master/graph/badge.svg" alt="codecov"></a> <a href="https://github.com/aliyun/aliyun-cli/blob/master/LICENSE"><img src="https://img.shields.io/github/license/aliyun/aliyun-cli.svg" alt="License"></a> <a href="https://goreportcard.com/report/github.com/aliyun/aliyun-cli"><img src="https://goreportcard.com/badge/github.com/aliyun/aliyun-cli" alt="Go Report" ></a> <br/> <a href="https://github.com/aliyun/aliyun-cli/releases/latest"><img src="https://img.shields.io/github/release/aliyun/aliyun-cli.svg" alt="Latest Stable Version" ></a> <a href="https://github.com/aliyun/aliyun-cli/releases/latest"><img src="https://img.shields.io/github/release-date/aliyun/aliyun-cli.svg" alt="GitHub Release Date"></a> <br/> <a href="https://github.com/aliyun/aliyun-cli/releases"><img src="https://img.shields.io/github/downloads/aliyun/aliyun-cli/total.svg" alt="GitHub All Releases" ></a> <p>

The Alibaba Cloud CLI is an open source tool, you can get the latest version from GitHub. You can also try it out in the Cloud Shell before installing the CLI.

<a href="https://shell.aliyun.com/" target="cloudshell"> <img src="https://img.alicdn.com/tfs/TB1wt1zq9zqK1RjSZFpXXakSXXa-1066-166.png" width="180" alt="cloudshell" /> </a>

Introduction

The Alibaba Cloud CLI is a tool to manage and use Alibaba Cloud resources through a command line interface. It is written in Go and built on the top of Alibaba Cloud OpenAPI.

Note: Alibaba Cloud CLI access the Alibaba Cloud services through OpenAPI. Before using Alibaba Cloud CLI, make sure that you have activated the service to use and known how to use OpenAPI.

Troubleshoot

Troubleshoot Provide OpenAPI diagnosis service to help developers locate quickly and provide solutions for developers through RequestID or error message.

CLI Releases

The release notes for the CLI can be found in the CHANGELOG

Installation

brew install aliyun-cli

You can paste the following command in a macOS Terminal or Linux shell prompt.

/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"

If you need detailed installation steps or compile the installation steps, please visit Installation Guide.

Configure

For detailed configuration instructions, please visit the official website Configuration Alibaba Cloud CLI.

Before using Alibaba Cloud CLI to invoke the services, you need to configure the credential information, region, language, etc.

You can run the aliyun configure command for quick configuration.

$ aliyun configure
Configuring profile 'default' ...
Aliyun Access Key ID [None]: <Your AccessKey ID>
Aliyun Access Key Secret [None]: <Your AccessKey Secret>
Default Region Id [None]: cn-hangzhou
Default output format [json]: json
Default Language [zh]: zh

Configure authentication methods

You can specify the authentication method to use by using the configure command with the --mode <authenticationMethod> option.

The following are supported authentication methods:

Authentication methodsDescription
AKUse direct AccessKey ID/Secret as access credentials
RamRoleArnUse RAM role assumption to provide access credentials
EcsRamRoleUse ECS instance role to provide access credentials
OIDCUse OIDC role assumption to provide access credentials
ExternalUse external processes to provide access credentials
CredentialsURIUse external services to provide access credentials
ChainableRamRoleArnUse chainable role assumption to provide access credentials

If the --mode is not specified during configuration, the AK mode will be used by default.

RAM Sub-account Role Assumption

You can specify obtaining credentials through RAM sub-account role assumption by using the --mode RamRoleArn. It works by exchanging temporary credentials through the AssumeRole method. An example is as follows:

$ aliyun configure --mode RamRoleArn --profile subaccount
Configuring profile 'subaccount' in 'RamRoleArn' authenticate mode...
Access Key Id []: AccessKey ID
Access Key Secret []: AccessKey Secret
Sts Region []: cn-hangzhou
Ram Role Arn []: acs:ram::******:role/ecs-test
Role Session Name []: sessionname
Expired Seconds []: 900
Default Region Id []: cn-hangzhou
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[subaccount] ...Done.

Use an external program to get credentials

You can use --mode External to specify to obtain credential data through an external program, and CLI will execute the program command and return it as a credential to initiate the call.

Agreement:

  1. The output location of the external program is standard output.
  2. The output format is json string.
  3. The output contains the key fields required by the CLI and credential fields

Key field:

Example of the return of each credential type:

{
  "mode": "AK",
  "access_key_id": "accessKeyId",
  "access_key_secret": "accessKeySecret"
}
{
  "mode": "StsToken",
  "access_key_id": "accessKeyId",
  "access_key_secret": "accessKeySecret",
  "sts_token": "stsToken"
}

Example

$ aliyun configure --mode External --profile externalTest
Configuring profile 'externalTest' in 'External' authenticate mode...
Process Command []: <getCredential ak>
Default Region Id []: cn-hangzhou
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: 
Saving profile[externalTest] ...Done.

Use chainable RamRoleArn

You can use --mode ChainableRamRoleArn to combile a source profile and RAM role ARN flow. The following example get intermediate credentials from source profile cli-test, then use it to call AssumeRole for get final credentials.

{
  "profiles": [
    {
      "name": "chain",
      "mode": "ChainableRamRoleArn",
      "ram_role_arn": "acs:ram::<Account ID>:role/<Role Name>",
      "ram_session_name": "session",
      "source_profile": "cli-test"
    },
    {
      "name": "cli-test",
      "mode": "AK",
      "access_key_id": "<Access Key ID>",
      "access_key_secret": "<Access Key Secret>"
    }
  ]
}

Use Credentials URI

You can use --mode CredentialsURI to get credentials from local/remote URI.

{
  "profiles": [
    {
      "name": "uri",
      "mode": "CredentialsURI",
      "credentials_uri": "http://localhost:6666/?user=jacksontian"
    }
  ]
}

The Credentials URI must be response with status code 200, and following body:

{
  "Code": "Success",
  "AccessKeyId": "<ak id>",
  "AccessKeySecret": "<ak secret>",
  "SecurityToken": "<security token>",
  "Expiration": "2006-01-02T15:04:05Z" // utc time
}

Otherwise, CLI treate as failure case.

Use OIDC to get credentials

You can use the --mode OIDC to obtain credentials through OIDC-based SSO role assumption. An example is as follows:

$ aliyun configure --mode OIDC --profile oidc_p
Configuring profile 'oidc_p' in 'OIDC' authenticate mode...
OIDC Provider ARN []: xxxx
OIDC Token File []: xxx
RAM Role ARN []: xxx
Role Session Name []: xxx
Default Region Id []: xxx
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: 
Saving profile[oidc_p] ...Done.

Enable bash/zsh auto completion

Use Alibaba Cloud CLI

Here is the basic usage guidelines. If you need a detailed manual, please visit Use Alibaba Cloud CLI

The Alibaba Cloud OpenAPI has two styles, RPC style and RESTful style. Most of the Alibaba Cloud products use the RPC style. The way of calling an API varies depending on the API style.

You can distinguish the API style from the following characteristics:

Call RPC APIs

The following statement shows how to call RPC APIs in the Alibaba Cloud CLI:

aliyun <product> <operation> --parameter1 value1 --parameter2 value2 ...

Examples:

aliyun rds DescribeDBInstances --PageSize 50
aliyun ecs DescribeRegions
aliyun rds DescribeDBInstanceAttribute --DBInstanceId xxxxxx

Call RESTful APIs

APIs of some products such as Container Service are RESTful style. The way to call RESTful APIs is different from RPC APIs.

The following examples show how to call RESTful APIs in the Alibaba Cloud CLI:

Get help information

Alibaba Cloud CLI integrates API descriptions for some products, you can get help by using the following commands:

For example, get help of ECS APIs: $ aliyun help ecs

For example, get the help information of the CreateInstance API: aliyun help ecs CreateInstance

Use the --force option

Alibaba Cloud CLI integrates the product metadata of some products. It will validate API parameters when calling the API. If an API or a parameter that is not included in the metadata is used, an error unknown api or unknown parameter will be returned. You can use the --force option to skip the validation and call the API by force as shown in the following example:

aliyun newproduct --version 2018-01-01 --endpoint newproduct.aliyuncs.com --param1 ... --force

The following two options are required when using the --force option:

Use the --output parameter

The query interface of Alibaba Cloud products will return json structured data, which is inconvenient to read. Example:

aliyun ecs DescribeInstances

Executing the above command will get the following json result:

{
  "PageNumber": 1,
  "TotalCount": 2,
  "PageSize": 10,
  "RequestId": "2B76ECBD-A296-407E-BE17-7E668A609DDA",
  "Instances": {
    "Instance": [
      {
        "ImageId": "ubuntu_16_0402_64_20G_alibase_20171227.vhd",
        "InstanceTypeFamily": "ecs.xn4",
        "VlanId": "",
        "InstanceId": "i-12345678912345678123",
        "Status": "Stopped",
        //omit some fields
      },
      Instance": [
      {
        "ImageId": "ubuntu_16_0402_64_20G_alibase_20171227.vhd",
        "InstanceTypeFamily": "ecs.xn4",
        "VlanId": "",
        "InstanceId": "i-abcdefghijklmnopqrst",
        "Status": "Running",
        //omit some fields
      },
    ]
  }
}

You can use the --output parameter to extract the fields of interest in the results and perform tabular output. Example:

aliyun ecs DescribeInstances --output cols=InstanceId,Status rows=Instances.Instance[]

Executing the above command will get the following result:

InstanceId             | Status
-----------------------|--------
i-12345678912345678123 | Stopped
i-abcdefghijklmnopqrst | Running

When using the --output parameter, the following sub-parameters must be specified:

Optional sub-parameters:

Use --waiter parameter

This parameter is used to poll the instance information until a specific state appears.

For example, after creating an instance using ECS, the instance will have a startup process. We will continue to query the running status of the instance until the status becomes "Running".

Example:

aliyun ecs DescribeInstances --InstanceIds '["i-12345678912345678123"]' --waiter expr='Instances.Instance[0].Status' to=Running

After executing the above command, the command line program will poll the instance status at a certain time interval and stop polling when the instance status becomes Running.

When using the --waiter parameter, you must specify the following two sub-parameters:

Optional sub-parameters:

Special argument

When you input some argument like "-PortRange -1/-1", will cause parse error. In this case, you could assign value like this: --PortRange=-1/-1.

Supported environment variables

We support the following environment variables:

Getting Help

We use GitHub issues to track bugs and feature requests for user feedback. Please visit the following site for assistance: