This page applies to Apigee and Apigee hybrid.
View
Apigee Edge documentation.
The apigee-remote-service-cli Command Line Interface (CLI) helps you
provision and manage Apigee Adapter for Envoy.
Simplify CLI commands with the ‑‑config option
The ‑‑config option specifies the ___location
of the config.yaml file generated by the provision command. A helpful benefit of this option is that it
allows you to skip most other command parameters because the CLI pulls them directly from the config.yaml file.
Note that any command-line parameters specified override values in the config.yaml file.
- organization
- environment
- runtime
- management
- insecure
- namespace
- legacy
- opdk
You can use this option when upgrading the adapter; however, you must still include the
--force-proxy-install flag in that case.
For example, you could execute the provision command like this:
apigee-remote-service-cli provision --config='old-config.yaml' > new-config.yaml
Note that if you do not change any values in the old config file, you don't have to save a new one, because it will be identical to the original.
List bindings command
List all API products that are bound to the Remote Service.
Usage
apigee-remote-service-cli bindings list [flags]
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
-c,
|
Optional | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Optional if --config is present; required otherwise. |
All | (String) An environment in your organization. |
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
-m,
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
‑‑mfa
| N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
‑‑opdk
| N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-o,
|
Optional if --config is present; required otherwise. |
All | (String) An Apigee organization. You must be an org administrator. |
-p,
|
N/A (Basic Auth Only) |
Edge Public and Private Cloud only | This parameter does not apply for Apigee installations. |
-r,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-t,
|
Required (OAuth token auth only) |
All | (String) An OAuth or SAML token that you generate from your Apigee account information. Overrides any other provided credentials. |
-u,
|
N/A (Basic Auth Only) |
Edge Public and Private Cloud only | This parameter does not apply for Apigee installations. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli bindings list -o myorg -e test --token $TOKEN \ -c config.yaml
Example output
API Products
============
Bound
-----
envoy-test:
Quota: 5 requests every 1 minute
Target bindings:
httpbin.org
Paths:
httpbin:
Quota: 5 requests every 1 minute
Target bindings:
httpbin.org
Paths:
/httpbin
/
Unbound
-------
product-1:
Quota: 100 requests every 1 hour
product-2:
Quota: 1000 requests every 1 month
product-3:
product-4:
Help command
Online help is provided for all apigee-remote-service-cli commands. Just type:
apigee-remote-service-cli help
For help on any command, type:
apigee-remote-service-cli [command] help
For example:
apigee-remote-service-cli provision help
Provision command
The apigee-remote-service-cli provision command installs two API proxies in your Apigee
Edge organization, sets up a certificate, and generates credentials that you'll need to
configure the Apigee Adapter for Envoy.
Usage
apigee-remote-service-cli provision [flags]
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
‑‑analytics-sa
|
Optional | Apigee hybrid and Apigee only |
(String) Use this flag to specify the path to a Google Cloud service account key file, where
the service account has the |
-c,
|
Optional | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the --config option.
|
-e,
|
Optional if --config is present; required otherwise. |
All | (String) An environment in your organization. |
-f, ‑‑force-proxy-install
|
Optional | All | (Optional) Forces the remote-service proxy to be re-installed if it is
already installed in your org.
|
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
-m,
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
‑‑mfa
| N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
-n, ‑‑namespace
|
Optional if --config is present; defaults to apigee.
|
For Kubernetes deployments only | (String) Emit configuration as an Envoy ConfigMap in the specified namespace. Default: apigee
|
‑‑opdk
| N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-o,
|
Optional if --config is present; required otherwise. |
All | (String) An Apigee organization. You must be an org administrator to provision. |
-p,
|
N/A (Basic Auth Only) |
Edge Public and Private Cloud only | This parameter does not apply for Apigee installations. |
‑‑rotate
|
Optional | Apigee hybrid only | (Integer) If n > 0, generate new private key and keep n public keys (hybrid only) |
-r,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) Specifies the runtime URL for your Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-t,
|
Required (OAuth token auth only) |
All | (String) An OAuth or SAML token that you generate from your Apigee account information. Overrides any other provided credentials. |
-u,
|
N/A (Basic Auth Only) |
Edge Public and Private Cloud only | This parameter does not apply for Apigee installations. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
‑‑virtual-hosts
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
Example
As the following example shows, it's important to capture the output of the provision command in a file, which is used
as input for other Apigee Adapter for Envoy operations.
Example:
apigee-remote-service-cli provision --legacy --mfa $MFA --username $USER --password $PASSWORD \ --organization $ORG --environment $ENV > config.yaml
Samples command
Creates and lists sample configuration files.
Create sample configuration files
Creates sample configuration files for native Envoy and Istio deployments.
Usage
apigee-remote-service-cli samples create [flags]
Description
This command requires a valid config.yaml file as input. This input file is the file that was
generated through provisioning.
By default, the sample files are output to a directory named ./samples. The command
creates this directory for you.
If you're using native Envoy, the command takes the target service host and the desired name for
its cluster. It also sets a custom SSL connection from the Envoy proxy to the remote service
cluster if a folder containing tls.key and tls.crt is provided via --tls.
If you're using Istio, where the Envoy proxy acts as a sidecar, if the target is unspecified,
the httpbin example will be generated. Otherwise, you are responsible for preparing
configuration files related to deployment of your target services.
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
‑‑adapter‑host
|
Used for Envoy templates only | All | (String) The adapter hostname (default: localhost)
|
-c, ‑‑config
|
Required | All | (String) Path to Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the --config option.
|
-f, ‑‑force
|
Optional | All | Force the existing directory to be overwritten. |
-h, ‑‑help
|
Optional | All | Displays help for the command parameters. |
‑‑host |
Used for Envoy templates only | All | (String) The target service host (default httpbin.org)
|
-n, ‑‑name |
Optional | All | (String) The target service name (default httpbin.org)
|
‑‑out
|
Optional | All | (String) The directory in which to create the sample config files. Default: ./samples
|
‑‑tag
|
Used for Istio templates only | All | (String) The version tag of the Envoy Adapter image. Default: Current release version |
-t, ‑‑template
|
Optional | All | (String) The Envoy or Istio template name. To see the available list of templates, execute the command
apigee-remote-service samples templates. Default: istio-1.9. The default
works for all 1.9+ versions of Istio.
|
‑‑tls
|
Optional, for Envoy templates only | All | (String) The directory containing tls.key and tls.crt files
used for the adapter service.
|
Example
apigee-remote-service-cli samples create -c ./config.yaml
List available template options
Lists the templates available to use with the --templates parameter for the samples
command.
Usage
apigee-remote-service-cli samples templates
Parameters
None.
Example
apigee-remote-service-cli samples templates
Supported templates (native is deprecated): envoy-1.15 envoy-1.16 envoy-1.17 istio-1.7 istio-1.8 istio-1.9
Token commands
You can use a JWT token to make authenticated API proxy calls instead of using an API key. The token commands let you create, inspect, and rotate JWT tokens for this purpose.
Create a JWT token
You can use a JWT token to make authenticated API proxy calls to a remote service target. See also Using JWT based authentication.Usage
apigee-remote-service-cli token create [flags]
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the --config option.
|
-e,
|
Optional if --config is present; required otherwise. |
All | (String) An environment in your organization. |
-h,
|
Optional | All | Displays help for the command parameters. |
--i, --id
|
Required | All | (String) The Key credential found in the Apigee developer app as described in How to obtain an API key. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
‑‑opdk
| N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-o,
|
Optional if --config is present; required otherwise. |
All | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
--s, ‑‑secret
|
Required | All | (String) The Secret credential found in the Apigee developer app as described in How to obtain an API key. |
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token create -o myorg -e test -i YUmlZAcBKNsTAelJqPZFl3sh58ObATX9 \ -s icTARgaKHqvUH1dq -c config.yaml
Output
On success, you'll see a JST token output similar to the following:eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJ0a2tlVzVKQTY2a0pZYTB4bFV1cVBsUW1BMU43IiwiYXVkIjoiaXN0aW8iLCJuYmYiOjE1MzAxMzg1OTEsImFwaV9wcm9kdWN0X2xpc3QiOlsiaXN0aW8tcHJvZHVjdCJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiaXN0aW8tYXBwIiwiZGV2ZWxvcGVyX2VtYWlsIjoicFluZ2Zsb3lkQGdvb2dsZS5jb20iLCJpc3MiOiJodHRwczovL2FwaWdlZXNlYXJjaC10ZXN0LmFwaWdlZS5uZXQvaXN0aW8tYXV0aC90b2tlbiIsImV4cCI6MTUzMDEzOTQ5MSwiaWF0IjoxNTMwMTM4NTkxLCJqdGkiOiIxODgzMzViZi0wMmE4LTRjZGUsOGFkOS0yMWJmNDZjNmRjZDkiLCJjbGllbnRfaWQiOiJZVW1sWkFjQktOc1RBZWxKcVBZRmwzc2g1OE9iQVRYOSJ9.AL7pKSTmond-NSPRNNHVbIzTdAnZjOXcjQ-BbOJ_8lsQvF7PuiOUrGIhY5XTcJusisKgbCdtIxBl8Wq1EiQ_fKnUc3JYYOqzpTB5bGoFy0Yqbfu96dneuWyzgZnoQBkqwZkbQTIg7WNTGx1TJX-UTePvBPxAefiAbaEUcigX9tTsXPoRJZOTrm7IOeKpxpB_gQYkxQtV1_NbERxjTPyMbHdMWal9_xRVzSt7mpTGudMN9OR-VtQ1uXA67GOqhZWcOzq57qImOiCMbaoKnKUADevyWjX_VscN5ZZUtzQUQhTrmv8aR69-uVhMIPKp9juMyYKaYn2IsYZEeCWfhfV45Q
Inspect a JWT token
You can inspect a JWT token with this command. See also Inspect a token.Usage
apigee-remote-service-cli token inspect [flags]
Parameters
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the ‑‑config option.
|
-e,
|
Optional if --config is present; required otherwise. |
All | (String) An environment in your organization. |
-f,
|
Required | All | (String) The token file (default: use stdin)
|
-h,
|
Optional | All | Displays help for the command parameters. |
‑‑insecure
|
Optional | All | Allow insecure server connections when using SSL. |
‑‑legacy
|
N/A | Edge Public Cloud only | This parameter does not apply for Apigee installations. |
‑‑opdk
| N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-o,
|
Optional if --config is present; required otherwise. |
All | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
|
N/A | Edge Private Cloud only | This parameter does not apply for Apigee installations. |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token inspect -c config.yaml <<< $TOKEN
Output
On success, you'll see output similar to the following:
{
"aud": [
"remote-service-client"
],
"exp": 1591741549,
"iat": 1591740649,
"iss": "https://apigee-docs-test.apigee.net/remote-service/token",
"jti": "99325d2e-6440-4278-9f7f-b252a1a79e53",
"nbf": 1591740649,
"access_token": "VfzpXzBGAQ07po0bPMKY4JgQjus",
"api_product_list": [
"httpbin"
],
"application_name": "httpbin",
"client_id": "GYDGHy5TRpV8AejXCOlreP7dPVepA8H",
"developer_email": "[email protected]",
"scope": ""
}
verifying...
token ok.
Rotate a JWT token
At some time after you initially generate a JWT, you might need to change the public/private key pair stored by Apigee in its encrypted key-value map (KVM). This process of generating a new key pair is called key rotation. When you rotate keys, a new private/public key pair is generated and stored in the "istio" KVM in your Apigee organization/environment. In addition, the old public key is retained along with its original key ID value.Usage
apigee-remote-service-cli token rotate-cert [flags]
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
-c,
|
Required | All | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the --config option.
|
-e,
|
Optional if --config is present; required otherwise. |
All | (String) An environment in your organization. |
-h,
|
N/A | Edge Public and Private Cloud only | Displays help for the command parameters. |
--k, --key
|
N/A | Edge Public and Private Cloud only | (String) The provision key. |
‑‑insecure
|
N/A | Edge Public and Private Cloud only | Allow insecure server connections when using SSL. |
‑‑legacy
|
N/A | Edge Public Cloud only | You must set this flag if you are using Apigee Edge for Public Cloud. Sets the management and runtime URLs for Apigee Edge for Public Cloud. |
‑‑opdk
| N/A | Edge Private Cloud only | You must set this flag if you are using Apigee Edge for Private Cloud. |
-o,
|
Optional if --config is present; required otherwise. |
Edge Public and Private Cloud only | (String) An Apigee organization. You must be an org administrator. |
-r,
|
N/A | Edge Private Cloud only | (String) Specifies the runtime URL for your Private Cloud or Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
--s, ‑‑secret
|
Required | All | (String) The provision secret. |
|
N/A | Edge Private Cloud only | (String) Specifies client-side TLS certificate, private key, and root CA for mTLS connection. |
--t, ‑‑truncate
|
Required | All | (Integer) The number of certs to keep in JWKS (default 2). |
-v,
|
Optional | All | (Optional) Produces verbose output. |
Example
apigee-remote-service-cli token rotate-cert -c config.yaml -o myorg -e test \ -k 2e238ffa15dc5ab6a1e97868e7581f6c60ddb8575478582c256d8b7e5b2677a8 \ -s 51058077223fa7b683c3bea845c5cca138340d1d5583922b6d465f9f918a4b08
Output
certificate successfully rotated
Create an internal token
Create a JWT token for authorizing remote-service API calls.Usage
apigee-remote-service-cli token internal [flags]
Parameters
Parameters
| Parameters | Presence | Used with products | Description |
|---|---|---|---|
-c,
|
Required | Apigee hybrid only | (String) The path to the Apigee Remote Service config file. Tip: This flag allows you to omit most other command parameters, because the CLI is able to pull them directly from the config file. See Using the --config option.
|
-d,
|
Required | Apigee hybrid only | (String) valid time of the internal JWT from creation (default: 10m0s (10 minutes)).
|
-e,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) An environment in your organization. |
-h,
|
Optional | Apigee hybrid only | Displays help for the command parameters. |
‑‑insecure
|
Optional | Apigee hybrid only | Allow insecure server connections when using SSL. |
-o,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) An Apigee organization. You must be an org administrator. |
-r,
|
Optional if --config is present; required otherwise. |
Apigee hybrid only | (String) Specifies the runtime URL for your Apigee hybrid instance.
The URL must start with https://. For example: https://apitest.example.net
|
-v,
|
Optional | Apigee hybrid only | (Optional) Produces verbose output. |
Version command
Print the CLI version.
apigee-remote-service-cli version
Configuration file
This section shows an example configuration file with all of the available options.
global:
temp_dir: /tmp/apigee-istio
keep_alive_max_connection_age: 10m
api_address: :5000
metrics_address: :5001
tls:
cert_file: tls.crt
key_file: tls.key
tenant:
internal_api: https://istioservices.apigee.net/edgemicro
remote_service_api: https://org-test.apigee.net/remote-service
org_name: org
env_name: env
key: mykey
secret: mysecret
client_timeout: 30s
tls:
ca_file: /opt/apigee/tls/ca.crt
cert_file: /opt/apigee/tls/tls.crt
key_file: /opt/apigee/tls/tls.key
allow_unverified_ssl_cert: false
products:
refresh_rate: 2m
analytics:
legacy_endpoint: false
file_limit: 1024
send_channel_size: 10
collection_interval: 10s
auth:
api_key_claim: claim
api_key_cache_duration: 30m
api_key_header: x-api-key
api_header: :authority
allow_unauthorized: false
jwt_provider_key: https://org-test.apigee.net/remote-token/token
append_metadata_headers: true