You're viewing Apigee Edge documentation.
Go to the
Apigee X documentation. info
The apigee-remote-service-cli
Command Line Interface (CLI) helps you
provision and manage Apigee Adapter for Envoy.
List bindings command
List all API products that are bound to the Remote Service.
Usage
apigee-remote-service-cli bindings list [flags]
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Required | All | (String) An environment in your organization. |
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
Required | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
-m,
|
Required | Edge Private Cloud only | (String) The management base URL for your Apigee Edge for Private Cloud installation.
Default: https://api.enterprise.apigee.com
|
‑‑mfa
| Required | Edge Public Cloud only | (String) Multi-factor authorization token for your Apigee Edge for Public Cloud. Required only if MFA is set up on your Apigee Edge account. |
‑‑opdk
| Required | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Required | All | (String) An Apigee organization. You must be an org administrator. |
-p,
|
Required (Basic Auth Only) |
Edge Public and Private Cloud only | (String) Your Apigee password. You can optionally specify
the password in a .netrc file. See also
Using .netrc for credentials.
|
-r,
|
Required | Edge Private Cloud and Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
|
Optional | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
-t,
|
Required (OAuth token auth only) |
All | (String) An OAuth or SAML token that you generate from your Apigee account information. Overrides any other provided credentials. |
-u,
|
Required (Basic Auth Only) |
Edge Public and Private Cloud only |
(String) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file. If you do so, then
you are not required to provide your username on the command line. See
also Using .netrc for credentials.
|
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli bindings list -o myorg -e test -u user@example.com \ -c config.yaml -p abc123
Example output
PI Products ============ Bound ----- envoy-test: Quota: 5 requests every 1 minute Target bindings: httpbin.org Paths: httpbin: Quota: 5 requests every 1 minute Target bindings: httpbin.org Paths: /httpbin / Unbound ------- product-1: Quota: 100 requests every 1 hour product-2: Quota: 1000 requests every 1 month product-3: product-4:
Help command
Online help is provided for all apigee-remote-service-cli
commands. Just type:
apigee-remote-service-cli help
For help on any command, type:
apigee-remote-service-cli [command] help
For example:
apigee-remote-service-cli provision help
Provision command
The apigee-remote-service-cli provision
command installs two API proxies in your Apigee
Edge organization, sets up a certificate, and generates credentials that you'll need to
configure the Apigee Adapter for Envoy.
Usage
apigee-remote-service-cli provision [flags]
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
‑‑analytics-sa
|
Optional | Apigee hybrid and Apigee X only |
(String) Use this flag to specify the path to a Google Cloud service account key file, where
the service account has the |
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Required | All | (String) An environment in your organization. |
-f, ‑‑force-proxy-install
|
Optional | All | (Optional) Forces the remote-service proxy to be re-installed if it is
already installed in your org.
|
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
Required | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
-m,
|
Required | Edge Private Cloud only | (String) The management base URL for your Apigee Edge for Private Cloud installation.
Default: https://api.enterprise.apigee.com
|
‑‑mfa
| Required | Edge Public Cloud only | Multi-factor authorization token for your Apigee Edge for Public Cloud. Required only if MFA is set up on your Apigee Edge account. |
-n, ‑‑namespace
|
Optional | All | (String) Emit configuration as an Envoy ConfigMap in the specified namespace. Default: apigee
|
‑‑opdk
| Required | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Required | All | (String) An Apigee organization. You must be an org administrator to provision. |
-p,
|
Required (Basic Auth Only) |
Edge Public and Private Cloud only | (String) Your Apigee password. You can optionally specify
the password in a .netrc file. If you do so, then you are not required to
provide your password on the command line. See also
Using .netrc for credentials.
|
‑‑rotate-int
|
Optional | Apigee hybrid only | (Integer) If n > 0, generate new private key and keep n public keys (hybrid only) |
-r,
|
Required | Edge Private Cloud and Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
|
Optional | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
-t,
|
Required (OAuth token auth only) |
All | (String) An OAuth or SAML token that you generate from your Apigee account information. Overrides any other provided credentials. |
-u,
|
Required (Basic Auth Only) |
Edge Public and Private Cloud only |
(String) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file. See
also Using .netrc for credentials.
|
-v,
|
Optional | All | (Optional) Produces verbose output. |
‑‑virtual-hosts
|
Optional | Edge Private Cloud only | (String) Overrides the default virtual hosts, which are default,secure . Use this option if you
have virtual hosts specified for your Edge organization-environment other than these defaults.
|
Example
As the following example shows, it's important to capture the output of the provision
command in a file, which is used
as input for other Apigee Adapter for Envoy operations.
Example:
apigee-remote-service-cli provision --legacy --mfa $MFA --username $USER --password $PASSWORD \ --organization $ORG --environment $ENV > config.yaml
Samples command
Creates and lists sample configuration files.
Create sample configuration files
Creates sample configuration files for native Envoy and Istio deployments.
Usage
apigee-remote-service-cli samples create [flags]
Description
This command requires a valid config.yaml
file as input. This input file is the file that was
generated through provisioning.
By default, the sample files are output to a directory named ./samples
. The command
creates this directory for you.
If you're using native Envoy, the command takes the target service host and the desired name for
its cluster. It also sets custom SSL connection from the Envoy proxy to the remote service
cluster if a folder containing tls.key
and tls.crt
is provided via --tls
.
If you're using Istio, where the Envoy proxy acts as a sidecar, if the target is unspecified,
the httpbin
example will be generated. Otherwise, you are responsible for preparing
configuration files related to deployment of your target services.
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
‑‑adapter‑host
|
Required for Envoy templates only | All | (String) The adapter hostname (default: localhost )
|
-c, ‑‑config
|
Required | All | (String) Path to Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-f, ‑‑force
|
Optional | All | Force the existing directory to be overwritten. |
-h, ‑‑help
|
Optional | All | Displays help for the command parameters. |
‑‑host |
Required for Envoy templates only | All | (String) The target service host (default httpbin.org )
|
-n, ‑‑name |
Required | All | (String) The target service name (default httpbin.org )
|
‑‑out
|
Optional | All | (String) The directory in which to create the sample config files. Default: ./samples
|
‑‑tag
|
Required for Istio templates only | All | (String) The version tag of the Envoy Adapter image. Default: v2.0.0
|
-t, ‑‑template
|
Required | All | (String) The Envoy or Istio template name. To see the available list of templates, execute the command
apigee-remote-service samples templates .
|
‑‑tls
|
Optional, for Envoy templates only | All | (String) The directory containing tls.key and tls.crt files
used for the adapter service.
|
Example
apigee-remote-service-cli samples create -c ./config.yaml
List available template options
Lists the templates available to use with the --templates
parameter for the samples
command.
Usage
apigee-remote-service-cli samples templates
Parameters
None.
Example
apigee-remote-service-cli samples templates
Supported templates (native is deprecated): envoy-1.15 envoy-1.16 envoy-1.17 istio-1.7 istio-1.8 istio-1.9
Token commands
You can use a JWT token to make authenticated API proxy calls instead of using an API key. The token commands let you create, inspect, and rotate JWT tokens for this purpose.
Create a JWT token
You can use a JWT token to make authenticated API proxy calls to a remote service target. See also Using JWT based authentication.Usage
apigee-remote-service-cli token create [flags]
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Required | All | (String) An environment in your organization. |
-h,
|
Optional | All | Displays help for the command parameters. |
--i, --id
|
Required | All | (String) The Key credential found in the Apigee developer app as described in How to obtain an API key. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
Required | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
‑‑opdk
| Required | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Required | All | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Required | Edge Private Cloud and Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
--s, ‑‑secret
|
Required | All | (String) The Secret credential found in the Apigee developer app as described in How to obtain an API key. |
|
Optional | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token create -o myorg -e test -i YUmlZAcBKNsTAelJqPZFl3sh58ObATX9 \ -s icTARgaKHqvUH1dq -c config.yaml
Output
On success, you'll see a JST token output similar to the following:eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJ0a2tlVzVKQTY2a0pZYTB4bFV1cVBsUW1BMU43IiwiYXVkIjoiaXN0aW8iLCJuYmYiOjE1MzAxMzg1OTEsImFwaV9wcm9kdWN0X2xpc3QiOlsiaXN0aW8tcHJvZHVjdCJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiaXN0aW8tYXBwIiwiZGV2ZWxvcGVyX2VtYWlsIjoicFluZ2Zsb3lkQGdvb2dsZS5jb20iLCJpc3MiOiJodHRwczovL2FwaWdlZXNlYXJjaC10ZXN0LmFwaWdlZS5uZXQvaXN0aW8tYXV0aC90b2tlbiIsImV4cCI6MTUzMDEzOTQ5MSwiaWF0IjoxNTMwMTM4NTkxLCJqdGkiOiIxODgzMzViZi0wMmE4LTRjZGUsOGFkOS0yMWJmNDZjNmRjZDkiLCJjbGllbnRfaWQiOiJZVW1sWkFjQktOc1RBZWxKcVBZRmwzc2g1OE9iQVRYOSJ9.AL7pKSTmond-NSPRNNHVbIzTdAnZjOXcjQ-BbOJ_8lsQvF7PuiOUrGIhY5XTcJusisKgbCdtIxBl8Wq1EiQ_fKnUc3JYYOqzpTB5bGoFy0Yqbfu96dneuWyzgZnoQBkqwZkbQTIg7WNTGx1TJX-UTePvBPxAefiAbaEUcigX9tTsXPoRJZOTrm7IOeKpxpB_gQYkxQtV1_NbERxjTPyMbHdMWal9_xRVzSt7mpTGudMN9OR-VtQ1uXA67GOqhZWcOzq57qImOiCMbaoKnKUADevyWjX_VscN5ZZUtzQUQhTrmv8aR69-uVhMIPKp9juMyYKaYn2IsYZEeCWfhfV45Q
Inspect a JWT token
You can inspect a JWT token with this command. See also Inspect a token.Usage
apigee-remote-service-cli token inspect [flags]
Parameters
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Required | All | (String) An environment in your organization. |
-f,
|
Required | All | (String) The token file (default: use stdin )
|
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
Required | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
‑‑opdk
| Required | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Required | All | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Required | Edge Private Cloud and Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
|
Optional | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token inspect -c config.yaml <<< $TOKEN
Output
On success, you'll see output similar to the following:{ "aud": [ "remote-service-client" ], "exp": 1591741549, "iat": 1591740649, "iss": "https://apigee-docs-test.apigee.net/remote-service/token", "jti": "99325d2e-6440-4278-9f7f-b252a1a79e53", "nbf": 1591740649, "access_token": "VfzpXzBGAQ07po0bPMKY4JgQjus", "api_product_list": [ "httpbin" ], "application_name": "httpbin", "client_id": "GYDGHy5TRpV8AejXCOlreP7dPVepA8H", "developer_email": "user@example.com", "scope": "" } verifying... token ok.
Rotate a JWT token
At some time after you initially generate a JWT, you might need to change the public/private key pair stored by Apigee in its encrypted key-value map (KVM). This process of generating a new key pair is called key rotation. When you rotate keys, a new private/public key pair is generated and stored in the "istio" KVM in your Apigee organization/environment. In addition, the old public key is retained along with its original key ID value.Usage
apigee-remote-service-cli token rotate-cert [flags]
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Required | All | (String) An environment in your organization. |
-h,
|
Optional | Edge Public and Private Cloud only | Displays help for the command parameters. |
--k, --key
|
Required | Edge Public and Private Cloud only | (String) The provision key. |
‑‑insecure
|
Optional | Edge Public and Private Cloud only | Allow insecure server connections when using SSL. |
‑‑legacy
|
Required | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
‑‑opdk
| Required | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Required | Edge Public and Private Cloud only | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Required | Edge Private Cloud only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
--s, ‑‑secret
|
Required | All | (String) The provision secret. |
|
Optional | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
--t, ‑‑truncate
|
Required | All | (Integer) The number of certs to keep in JWKS (default 2). |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token rotate-cert -c config.yaml -o myorg -e test \ -k 2e238ffa15dc5ab6a1e97868e7581f6c60ddb8575478582c256d8b7e5b2677a8 \ -s 51058077223fa7b683c3bea845c5cca138340d1d5583922b6d465f9f918a4b08
Output
certificate successfully rotated
Create an internal token
Create a JWT token for authorizing remote-service API calls.Usage
apigee-remote-service-cli token internal [flags]
Parameters
Parameters
Parameters | Presence | Used with products | Description |
---|---|---|---|
-c,
|
Required | Apigee hybrid only | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-d,
|
Required | Apigee hybrid only | (String) valid time of the internal JWT from creation (default: 10m0s (10 minutes)).
|
-e,
|
Required | Apigee hybrid only | (String) An environment in your organization. |
-h,
|
Optional | Apigee hybrid only | Displays help for the command parameters. |
‑‑insecure
|
Optional | Apigee hybrid only | Allow insecure server connections when using SSL. |
-o,
|
Required | Apigee hybrid only | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Required | Apigee hybrid only | (String) Specifies the runtime URL for your Apigee hybrid instance.
The URL must start with https:// . For example: https://apitest.apigee-hybrid-docs.net
|
-v,
|
Optional | Apigee hybrid only | (Optional) Produces verbose output. |
Version command
Print the CLI version.
apigee-remote-service-cli version
Using .netrc for credentials
apigee-remote-service-cli
automatically picks up the username
and
password
(for basic authentication where needed) from a .netrc
file in your home directory if you are on Edge Public Cloud and have an entry for the
machine api.enterprise.apigee.com
. If you are on Apigee Private Cloud,
the machine value is the same as your management
URL (for example:
http://192.162.55.100
).
For example on Edge Public Cloud:
machine api.enterprise.apigee.com login jdoe@google.com password abc123
machine http://192.162.55.100 login jdoe@google.com password abc123
Using the ‑‑config
command option
The ‑‑config
option specifies the location
of the config file generated by the provision
command. A helpful benefit of this option is that it
allows you to skip most other command parameters, which the CLI pulls from the config file.
These options include:
- organization
- environment
- runtime
- management
- insecure
- namespace
- legacy
- opdk
For example, you could execute the provision
command like this:
apigee-remote-service-cli provision --config='old-config.yaml' > new-config.yaml
Configuration file
This section shows an example configuration file with all of the available options.
global: temp_dir: /tmp/apigee-istio keep_alive_max_connection_age: 10m api_address: :5000 metrics_address: :5001 tls: cert_file: tls.crt key_file: tls.key tenant: internal_api: https://istioservices.apigee.net/edgemicro remote_service_api: https://org-test.apigee.net/remote-service org_name: org env_name: env key: mykey secret: mysecret client_timeout: 30s tls: ca_file: /opt/apigee/tls/ca.crt cert_file: /opt/apigee/tls/tls.crt key_file: /opt/apigee/tls/tls.key allow_unverified_ssl_cert: false products: refresh_rate: 2m analytics: legacy_endpoint: false file_limit: 1024 send_channel_size: 10 collection_interval: 10s auth: api_key_claim: claim api_key_cache_duration: 30m api_key_header: x-api-key api_header: :authority allow_unauthorized: false jwt_provider_key: https://org-test.apigee.net/remote-token/token append_metadata_headers: true