Installation
CloudBase CLI is the official command-line tool provided by CloudBase to help you quickly manage and deploy CloudBase resources.
Install CLI
Use your familiar package manager to install CloudBase CLI globally:
- npm
- yarn
- pnpm
npm i -g @cloudbase/cli
# If you encounter network timeout errors (e.g. ETIMEOUT, network request failed), use the Tencent Cloud npm mirror
npm i -g @cloudbase/cli --registry=http://mirrors.cloud.tencent.com/npm/
yarn global add @cloudbase/cli
# If you encounter network timeout errors (e.g. ETIMEOUT, network request failed), use the Tencent Cloud npm mirror
yarn global add @cloudbase/cli --registry=http://mirrors.cloud.tencent.com/npm/
pnpm add -g @cloudbase/cli
# If you encounter network timeout errors (e.g. ETIMEOUT, network request failed), use the Tencent Cloud npm mirror
pnpm add -g @cloudbase/cli --registry=http://mirrors.cloud.tencent.com/npm/
Authentication
After installation, run the following command to log in:
tcb login
The CLI will automatically open the CloudBase console to obtain authorization. Click the Agree to Authorize button in the browser to complete the login.
Device Code Login
In Agent, remote server, container, or other environments where a browser cannot be opened directly, tcb login will automatically use the device code authorization flow:
- After running
tcb login, the CLI outputs an authorization link (verification_uri) and a user code (user_code) - On any device with a browser, open the authorization link, enter the user code, and confirm authorization
- The CLI polls for authorization status automatically and saves the login credentials once complete
💡 This flow is designed for AI coding assistants (e.g., Claude Code, OpenAI Codex) that invoke CloudBase CLI via MCP tools or scripts.
Other Login Methods
- Cloud API Key Authorization
- CI Environment Login
- Temporary Key Login
- Custom Endpoint
Suitable for scenarios requiring higher permission control:
tcb login --key
Follow the prompts to enter your Cloud API key's SecretId and SecretKey to complete the login.
⚠️ Security Notice: Tencent Cloud API keys can operate all Tencent Cloud resources under your account. Please store them securely and rotate them regularly. Delete old keys promptly after rotation.
Get Keys: Go to the Cloud API Key Management page to create or view keys.
Suitable for use in Continuous Integration (CI/CD) environments, without interactive input:
tcb login --apiKeyId xxx --apiKey xxx
Suitable for sensitive scenarios, using short-term temporary keys:
tcb login --apiKeyId xxx --apiKey xxx --token xxx
💡 Tip: Temporary keys have a validity period and need to be re-obtained after expiration.
Suitable for enterprise users who build their own authorization service, pointing CLI login authentication to a private Device Flow authorization endpoint:
tcb login --endpoint https://your-auth-server.example.com
The CLI will use the specified Endpoint to complete the authorization flow, calling the /device/code and /token endpoints sequentially to obtain credentials.
💡 Tip: This option only takes effect when
flow=device. The custom authorization service must comply with the CloudBase CLI Device Flow protocol specification. See Custom Device Flow Authorization Service Implementation Specification for details.
Getting Started
After logging in, you can start using CloudBase CLI.
AI-Assisted Development
Use AI features to quickly develop CloudBase applications:
tcb ai
View All Commands
View the complete list of commands supported by the CLI:
tcb -h
Sub-Account Authorization
If you need to use a Tencent Cloud sub-account to access CloudBase resources, the master account must first grant the appropriate permissions to the sub-account.
Authorization Steps
- Log in to the Tencent Cloud Access Management Console
- Select Users > User List from the left menu
- Click the Create User button
- Fill in the user information and complete the creation
- Select TCB preset authorization policies from the policy list
- Click Complete to finish creating the sub-account
💡 Tip: You can also associate policies with existing sub-accounts. For specific operations, please refer to the Authorization Management documentation.
Available Preset Policies
CloudBase provides the following preset policies for you to choose from:
| Policy Name | Description |
|---|---|
QcloudAccessForTCBRole | Grant CloudBase access to cloud resources |
QcloudAccessForTCBRoleInAccessCloudBaseRun | Grant CloudBase access to VPC, CVM and other cloud service resources (for CloudBase Run) |
The above policies contain full read and write permissions for resources such as object storage, cloud functions, logs, monitoring, VPC, etc. After granting these policies to a sub-account, the sub-account will have complete control over these resources and automatically gain access to subsequently added resources. Please grant authorization carefully.
CLI Login Related Policies
If you need a sub-account to use the CLI tool's web authorization login method, you need to additionally grant CAM read-only permission:
| Policy Name | Description |
|---|---|
QcloudCamReadOnlyAccess | Grant Cloud Access Management (CAM) read-only access |
💡 Tip: If this policy is not granted, the sub-account can only log in to the CLI using the API Key method.
Advanced Configuration
Configure Network Proxy
If your terminal cannot directly access the public network, you can make the CLI work properly by setting an HTTP proxy. The CLI will automatically read the http_proxy or HTTP_PROXY environment variable.
Temporarily set proxy (valid for current terminal session):
export HTTP_PROXY=http://127.0.0.1:8000
http://127.0.0.1:8000 is only an example. Please configure the correct proxy address and port according to your actual network environment.
Permanently set proxy:
Add the above command to your terminal configuration file (such as ~/.bashrc, ~/.zshrc, etc.) to automatically apply the proxy configuration each time you open the terminal.