This page applies to Apigee and Apigee hybrid.
View
Apigee Edge documentation.
The apigee-remote-service-cli Command Line Interface (CLI) helps you
provision and manage Apigee Adapter for Envoy.
Binding commands
Binding associates a service deployed to the Istio mesh with an Apigee API product. The CLI lets you create, remove, and list bindings.
Note: In the Create Product UI, you can specify one or more services with a product. Doing so is equivalent to creating the binding using the CLI.Add a binding
Adds a remote target binding to an API product.
Usage
For Apigee hybrid:
apigee-remote-service-cli bindings add [service_name] [product_name] -o [organization] -e [environment] -t [token]
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL | |
--legacy
|
Set this flag if you are using Apigee Cloud. It sets the management and runtime URLs for Edge Cloud. | |
--opdk
|
Set this flag if you are using Apigee for Private Cloud. | |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-p, --password
|
String | (Required for basic authentication only) Your Apigee password. You can optionally specify
the password in a .netrc file. If you do so, then you are not required to
provide your password on the command line. See also
Using .netrc for credentials.
|
-r, --runtime
|
String | Apigee runtime base URL (required for hybrid or opdk). |
-t, --token
|
String | (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Obtaining an OAuth 2.0 access token and SAML overview. |
-u, --username
|
String | (Required for basic authentication only) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file. If you do so, then
you are not required to provide your username on the command line. See
also Using .netrc for credentials.
|
-v, --verbose
|
(Optional) Produces verbose output. |
Example
./apigee-remote-service-cli bindings add httpbin.org envoy-test -o myorg -e test -u user@example.com -c config.yaml -p xxxxxx product envoy-test is now bound to: httpbin.org
List bindings
List all API products that are bound to the Remote Service.
Usage
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL | |
--legacy
|
Set this flag if you are using Apigee Cloud. It sets the management and runtime URLs for Edge Cloud. | |
--opdk
|
Set this flag if you are using Apigee for Private Cloud. | |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-p, --password
|
String | (Required for basic authentication only) Your Apigee password. You can optionally specify
the password in a .netrc file. If you do so, then you are not required to
provide your password on the command line. See also
Using .netrc for credentials.
|
-r, --runtime
|
String | Apigee runtime base URL (required for hybrid or opdk). |
-t, --token
|
String | (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Obtaining an OAuth 2.0 access token and SAML overview. |
-u, --username
|
String | (Required for basic authentication only) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file. If you do so, then
you are not required to provide your username on the command line. See
also Using .netrc for credentials.
|
-v, --verbose
|
(Optional) Produces verbose output. |
Example
apigee-remote-service-cli bindings list -o myorg -e test -u user@example.com -c config.yaml -p abc123
PI Products
============
Bound
-----
envoy-test:
Quota: 5 requests every 1 minute
Target bindings:
httpbin.org
Paths:
httpbin:
Quota: 5 requests every 1 minute
Target bindings:
httpbin.org
Paths:
/httpbin
/
Unbound
-------
product-1:
Quota: 100 requests every 1 hour
product-2:
Quota: 1000 requests every 1 month
product-3:
product-4:
Remove a binding
Remove the binding of Remote Service for Envoy from an API product.
Note: You can also remove a Remote Service for Envoy binding by removing the service name from the product in the UI.Usage
For Apigee hybrid:
apigee-remote-service-cli bindings remove [service_name] [product_name] -o [organization] -e [environment] -t [token]
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL | |
--legacy
|
Set this flag if you are using Apigee Cloud. It sets the management and runtime URLs for Edge Cloud. | |
--opdk
|
Set this flag if you are using Apigee for Private Cloud. | |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-p, --password
|
String | (Required for basic authentication only) Your Apigee password. You can optionally specify
the password in a .netrc file. If you do so, then you are not required to
provide your password on the command line. See also
Using .netrc for credentials.
|
-r, --runtime
|
String | Apigee runtime base URL (required for hybrid or opdk). |
-t, --token
|
String | (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Obtaining an OAuth 2.0 access token and SAML overview. |
-u, --username
|
String | (Required for basic authentication only) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file. If you do so, then
you are not required to provide your username on the command line. See
also Using .netrc for credentials.
|
-v, --verbose
|
(Optional) Produces verbose output. |
Example
./apigee-remote-service-cli bindings remove httpbin.org envoy-test -o myorg -e test -u user@example.com -c config.yaml -p xxxxxx product envoy-test is no longer bound to: httpbin.org
Help command
Online help is provided for all apigee-remote-service-cli commands. Just type:
apigee-remote-service-cli help
For help on any command, type:
apigee-remote-service-cli [command] help
For example:
apigee-remote-service-cli provision help
Provision command
The apigee-remote-service-cli provision command installs a proxy in your
Apigee organization, sets up a certificate, and generates credentials that you'll need to
configure the Apigee Adapter for Envoy.
Usage
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | Path to Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --environment
|
String | (Required) An environment in your organization. |
-f, --force-proxy-install
|
(Optional) Forces the remote-service proxy to be re-installed if it is
already installed in your org.
|
|
-h, --help
|
Displays help for the command parameters. | |
-k, --key
|
String | Specifies the key returned from
the apigee-remote-service-cli provision command.
|
--legacy
|
Apigee Edge (sets management and runtime URL) | |
-m, --management
|
String | (Required if you are on Apigee Private Cloud) Your Apigee management base URL.
Default: https://api.enterprise.apigee.com
|
-n, --namespace
|
String | emit configuration as an Envoy ConfigMap in the specified namespace. |
--opdk
|
String | Apigee OPDK. |
-o, --organization
|
String | (Required) Your Apigee organization. You must be an org administrator. |
-p, --password
|
String | (Required for basic authentication only) Your Apigee password. You can optionally specify
the password in a .netrc file. If you do so, then you are not required to
provide your password on the command line. See also
Using .netrc for credentials.
|
--rotate-int
|
int | If n > 0, generate new private key and keep n public keys (hybrid only) |
-r, --runtime
|
String | Apigee runtime base URL (required for hybrid or opdk) |
-s, --secret
|
String | Specifies the secret returned from the apigee-remote-service-cli provision
command.
|
--strength
|
int | (Optional) Specifies the encryption strength for SSL certificates used in provisioning the adapter. Default 2048 |
-t, --token
|
String | (Hybrid only) Apigee OAuth or SAML token. |
-u, --username
|
String | (Required for basic authentication only) Your Apigee username (typically an email address).
You can optionally specify the username in a .netrc file.
See also Using .netrc for credentials.
|
-v, --verbose
|
(Optional) Produces verbose output. | |
--virtual-hosts
|
String | Overrides the default virtual hosts. |
--years
|
int | (Optional) The number of years before the SSL certificate used in the provisioning expires. Default: 1 |
Example
Be sure to capture the output of the provision command in a file, which is used
as input for other Apigee Adapter for Envoy operations.
Apigee hybrid example:
apigee-remote-service-cli provision --organization $ORG --environment $ENV --runtime $RUNTIME --namespace $NAMESPACE --token $TOKEN > config.yaml
Token commands
You can use a JWT token to make authenticated API proxy calls instead of using an API key. The token commands let you create, inspect, and rotate JWT tokens for this purpose.
Create a JWT token
You can use a JWT token to make authenticated API proxy calls to a remote service target. See also Using JWT based authentication.Usage
For Apigee hybrid:apigee-remote-service-cli token create -c [config_file] --id [consumer_key] --secret [consumer_secret] -r [runtime] -o [org] -e [env]
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL. | |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-r, --runtime
|
String | Apigee runtime base URL (required only for hybrid or opdk). |
-v, --verbose
|
(Optional) Produces verbose output. |
Example
apigee-remote-service-cli token create -o myorg -e test -i YUmlZAcBKNsTAelJqPZFl3sh58ObATX9 -s icTARgaKHqvUH1dq -c config.yaml
Output
On success, you'll see a JST token output similar to the following:eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJ0a2tlVzVKQTY2a0pZYTB4bFV1cVBsUW1BMU43IiwiYXVkIjoiaXN0aW8iLCJuYmYiOjE1MzAxMzg1OTEsImFwaV9wcm9kdWN0X2xpc3QiOlsiaXN0aW8tcHJvZHVjdCJdLCJhcHBsaWNhdGlvbl9uYW1lIjoiaXN0aW8tYXBwIiwiZGV2ZWxvcGVyX2VtYWlsIjoicFluZ2Zsb3lkQGdvb2dsZS5jb20iLCJpc3MiOiJodHRwczovL2FwaWdlZXNlYXJjaC10ZXN0LmFwaWdlZS5uZXQvaXN0aW8tYXV0aC90b2tlbiIsImV4cCI6MTUzMDEzOTQ5MSwiaWF0IjoxNTMwMTM4NTkxLCJqdGkiOiIxODgzMzViZi0wMmE4LTRjZGUsOGFkOS0yMWJmNDZjNmRjZDkiLCJjbGllbnRfaWQiOiJZVW1sWkFjQktOc1RBZWxKcVBZRmwzc2g1OE9iQVRYOSJ9.AL7pKSTmond-NSPRNNHVbIzTdAnZjOXcjQ-BbOJ_8lsQvF7PuiOUrGIhY5XTcJusisKgbCdtIxBl8Wq1EiQ_fKnUc3JYYOqzpTB5bGoFy0Yqbfu96dneuWyzgZnoQBkqwZkbQTIg7WNTGx1TJX-UTePvBPxAefiAbaEUcigX9tTsXPoRJZOTrm7IOeKpxpB_gQYkxQtV1_NbERxjTPyMbHdMWal9_xRVzSt7mpTGudMN9OR-VtQ1uXA67GOqhZWcOzq57qImOiCMbaoKnKUADevyWjX_VscN5ZZUtzQUQhTrmv8aR69-uVhMIPKp9juMyYKaYn2IsYZEeCWfhfV45Q
Inspect a JWT token
You can inspect a JWT token with this command. See also Inspect a token.Usage
For Apigee hybrid:apigee-remote-service-cli token inspect -o [organization] -e [environment] -f [token_file] --runtime [host_alias]
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL. | |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-r, --runtime
|
String | Apigee runtime base URL (required only for hybrid or opdk). |
-v, --verbose
|
(Optional) Produces verbose output. |
Example
apigee-remote-service-cli token inspect -c config.yaml <<< $TOKEN
Output
On success, you'll see output similar to the following:
{
"aud": [
"remote-service-client"
],
"exp": 1591741549,
"iat": 1591740649,
"iss": "https://apigee-docs-test.apigee.net/remote-service/token",
"jti": "99325d2e-6440-4278-9f7f-b252a1a79e53",
"nbf": 1591740649,
"access_token": "VfzpXzBGAQ07po0bPMKY4JgQjus",
"api_product_list": [
"httpbin"
],
"application_name": "httpbin",
"client_id": "GYDGHy5TRpV8AejXCOlreP7dPVepA8H",
"developer_email": "user@example.com",
"scope": ""
}
verifying...
token ok.
Rotate a JWT token
At some time after you initially generate a JWT, you might need to change the public/private key pair stored by Apigee in its encrypted key-value map (KVM). This process of generating a new key pair is called key rotation. When you rotate keys, a new private/public key pair is generated and stored in the "istio" KVM in your Apigee organization/environment. In addition, the old public key is retained along with its original key ID value.Usage
Parameters
| Parameters | Type | Description |
|---|---|---|
-c, --config
|
String | (Required) The path to the Apigee Remote Service config file. Tip: When you specify
this option, you can omit most other command parameters. See
Using the --config option.
|
-e, --env
|
String | (Required) An environment in your organization. |
-h, --help
|
Displays help for the command parameters. | |
--insecure
|
Allow insecure server connections when using SSL | |
--truncate
|
int | Number of certs to keep in jwks (default 2) |
-o, --org
|
String | (Required) An Apigee organization. You must be an org administrator. |
-r, --runtime
|
String | Apigee runtime base URL (required for hybrid or opdk). |
-v, --verbose
|
(Optional) Produces verbose output. |
Example
apigee-remote-service-cli token rotate-cert -c config.yaml -o myorg -e test -k 2e238ffa15dc5ab6a1e97868e7581f6c60ddb8575478582c256d8b7e5b2677a8 -s 51058077223fa7b683c3bea845c5cca138340d1d5583922b6d465f9f918a4b08
Output
certificate successfully rotated
Using .netrc for credentials
apigee-remote-service-cli automatically picks up the username and
password (for basic authentication where needed) from a .netrc
file in your home directory if you are on Apigee and have an entry for the
machine api.enterprise.apigee.com. If you are on Apigee Private Cloud,
the machine value is the same as your management URL (for example:
http://192.162.55.100).
Version command
Print the CLI version.
apigee-remote-service-cli version
Using the --config command option
The --config option specifies the location
of the config file generated by the provision command. A helplful benefit of this option is that it
allows you to skip most other command parameters, which the CLI pulls from the config file.
These options include:
- organization
- environment
- runtime
- management
- insecure
- namespace
- legacy
- opdk
For example, you could execute the provision command like this:
apigee-remote-service-cli provision --config='old-config.yaml' > new-config.yaml
Configuration file
This section shows an example configuration file with all of the available options.
global:
temp_dir: /tmp/apigee-istio
keep_alive_max_connection_age: 10m
api_address: :5000
metrics_address: :5001
tls:
cert_file: tls.crt
key_file: tls.key
tenant:
internal_api: https://istioservices.apigee.net/edgemicro
remote_service_api: https://org-test.apigee.net/remote-service
org_name: org
env_name: env
key: mykey
secret: mysecret
client_timeout: 30s
allow_unverified_ssl_cert: false
products:
refresh_rate: 2m
analytics:
legacy_endpoint: false
file_limit: 1024
send_channel_size: 10
collection_interval: 10s
fluentd_endpoint: apigee-udca-myorg-test.apigee.svc.cluster.local:20001
tls:
ca_file: /opt/apigee/tls/ca.crt
cert_file: /opt/apigee/tls/tls.crt
key_file: /opt/apigee/tls/tls.key
allow_unverified_ssl_cert: false
auth:
api_key_claim: claim
api_key_cache_duration: 30m
api_key_header: x-api-key
api_target_header: :authority
reject_unauthorized: true
jwks_poll_interval: 0s