raqeb-cli
v1.5.2
Published
Raqeb CLI - Command-line tool for Database PAM and Developer Secrets Management
Maintainers
tzamun-adminReadme
Raqeb CLI
Official command-line tool for Raqeb Privileged Access Management (PAM) platform.
🚀 Features
- 🔐 Database PAM: Get temporary database credentials with auto-expiration
- 🔑 Secrets Management: Securely retrieve application secrets
- 👤 Service Accounts: Programmatic API access for applications
- 📊 API Keys: Personal access tokens for developers
- 🔒 Zero Trust: Dynamic credentials that automatically expire
- 📝 Audit Logging: Track all access activities
📦 Installation
npm (Node.js)
npm install -g raqeb-cliPyPI (Python)
pip install raqeb-cliHomebrew (macOS/Linux)
brew tap Tzamun-Arabia-IT-Co/raqeb
brew install raqeb-cliChocolatey (Windows)
choco install raqeb-cliRPM (RedHat/Fedora/CentOS)
# Download from GitHub Releases
curl -LO https://github.com/Tzamun-Arabia-IT-Co/raqeb-cli/releases/latest/download/raqeb-cli.rpm
sudo rpm -ivh raqeb-cli.rpm🎯 Quick Start
1. Login with Service Account
# Using service account API key (for applications/CI/CD)
raqeb login --api-key sa_your_service_account_key
# Or using personal API key (for developers)
raqeb login --api-key ak_your_personal_key2. Get Temporary Database Credentials
# Get read-only access for 2 hours
raqeb db connect prod-mysql --ttl 2 --access-level read-only
# Returns:
# Username: temp_user_abc123
# Password: random_secure_password
# Host: mysql.example.com
# Port: 3306
# Expires: 2026-02-14 20:00:003. Retrieve Application Secrets
# Get secret value
raqeb secrets get stripe-api-key
# Returns the decrypted secret value4. Manage API Keys
# List your API keys
raqeb keys list
# Create new API key
raqeb keys create "My Dev Key" --scopes secrets:read,databases:read
# Delete API key
raqeb keys delete <key-id>📖 Commands Reference
Authentication
# Login with API key
raqeb login --api-key <key>
# Login with interactive prompt
raqeb login
# Logout
raqeb logout
# Show current user
raqeb whoamiDatabase PAM
# Get temporary database credentials
raqeb db connect <database-id> [options]
--ttl <hours> Time to live in hours (default: 4, max: 24)
--access-level <level> Access level: read-only, read-write, admin (default: read-only)
# List active database leases
raqeb db leases
# Revoke database credentials
raqeb db revoke <lease-id>
# List available databases
raqeb db listSecrets Management
# Get secret value
raqeb secrets get <secret-id>
# List all secrets (names only, not values)
raqeb secrets list
# Create new secret
raqeb secrets create <name> <value> [--description <desc>]
# Update secret
raqeb secrets update <secret-id> <new-value>
# Delete secret
raqeb secrets delete <secret-id>API Keys (Personal)
# List your API keys
raqeb keys list
# Create new API key
raqeb keys create <name> [options]
--scopes <scopes> Comma-separated scopes (default: secrets:read)
--expires-in <days> Expiration in days (default: 90, max: 365)
# Delete API key
raqeb keys delete <key-id>
# Rotate API key
raqeb keys rotate <key-id>Service Accounts (Admin Only)
# List service accounts
raqeb sa list
# Create service account
raqeb sa create <name> [options]
--scopes <scopes> Comma-separated scopes
--allowed-databases <ids> Comma-separated database IDs
--allowed-secrets <ids> Comma-separated secret IDs
# Delete service account
raqeb sa delete <account-id>
# View service account details
raqeb sa get <account-id>Audit Logs
# View audit logs
raqeb audit list [options]
--limit <n> Number of records (default: 50)
--user <user-id> Filter by user
--action <action> Filter by action type
--from <date> Start date (YYYY-MM-DD)
--to <date> End date (YYYY-MM-DD)
# Export audit logs
raqeb audit export --format csv --output audit.csv⚙️ Configuration
Configuration is stored in ~/.raqeb/config.json
{
"base_url": "https://app.raqeb.cloud/api/v1",
"api_key": "sa_your_service_account_key",
"tenant": "your-tenant-subdomain"
}Environment Variables
You can also use environment variables:
export RAQEB_API_KEY="sa_your_api_key"
export RAQEB_BASE_URL="https://app.raqeb.cloud/api/v1"
export RAQEB_TENANT="your-tenant"Multi-Tenant Support
If you work with multiple Raqeb tenants:
# Switch tenant
raqeb config set-tenant production-tenant
# Or specify tenant per command
raqeb --tenant staging-tenant db connect staging-db💡 Use Cases & Examples
1. CI/CD Pipeline Integration
#!/bin/bash
# GitHub Actions / Jenkins / GitLab CI
# Login with service account (stored in CI secrets)
raqeb login --api-key $RAQEB_SERVICE_ACCOUNT_KEY
# Get temporary database credentials for migration
CREDS=$(raqeb db connect prod-mysql --ttl 1 --access-level read-write)
DB_USER=$(echo "$CREDS" | grep "Username:" | awk '{print $2}')
DB_PASS=$(echo "$CREDS" | grep "Password:" | awk '{print $2}')
# Run database migration
mysql -h prod-mysql.example.com -u $DB_USER -p$DB_PASS < migration.sql
# Credentials automatically expire after 1 hour2. Application Secrets Retrieval
#!/bin/bash
# Retrieve secrets for application startup
# Login
raqeb login --api-key $RAQEB_API_KEY
# Get all required secrets
export STRIPE_API_KEY=$(raqeb secrets get stripe-api-key)
export AWS_ACCESS_KEY=$(raqeb secrets get aws-access-key)
export DATABASE_URL=$(raqeb secrets get database-url)
# Start application
npm start3. Developer Local Access
# Developer needs temporary access to staging database
# Login with personal API key
raqeb login --api-key ak_developer_key
# Get 4-hour read-only access
raqeb db connect staging-postgres --ttl 4 --access-level read-only
# Connect with provided credentials
psql -h staging-db.example.com -U temp_user_xyz789 -d staging
# Credentials auto-expire after 4 hours4. Automated Testing
#!/bin/bash
# Integration tests with temporary database
# Login
raqeb login --api-key $RAQEB_TEST_KEY
# Get test database credentials
raqeb db connect test-mysql --ttl 1 --access-level read-write
# Run tests
npm test
# Cleanup (optional - auto-expires anyway)
raqeb db revoke $LEASE_ID5. Service Account Management (Admin)
# Admin creates service account for production app
raqeb sa create "Production Backend" \
--scopes "databases:read,databases:write,secrets:read" \
--allowed-databases "prod-mysql,prod-postgres" \
--allowed-secrets "stripe-key,aws-key"
# Returns service account API key (sa_xxx)
# Store in production environment variables🔐 Security Best Practices
API Key Management
- Never commit API keys to version control
- Use environment variables in CI/CD pipelines
- Rotate keys regularly (every 90 days recommended)
- Use service accounts for applications, personal keys for development
- Limit scopes to minimum required permissions
Database Access
- Request minimum TTL needed for your task
- Use read-only access when possible
- Revoke credentials when done (optional - auto-expires)
- Monitor audit logs for suspicious activity
Secrets Management
- Encrypt secrets at rest (handled by Raqeb)
- Limit secret access to specific service accounts
- Rotate secrets regularly
- Use different secrets for different environments
📚 Documentation
- Full Documentation: https://docs.raqeb.cloud
- API Reference: https://docs.raqeb.cloud/api
- Service Accounts Guide: https://docs.raqeb.cloud/service-accounts
- Database PAM Guide: https://docs.raqeb.cloud/database-pam
- Secrets Management: https://docs.raqeb.cloud/secrets
🆘 Support
- Email: [email protected]
- Website: https://raqeb.cloud
- GitHub Issues: https://github.com/Tzamun-Arabia-IT-Co/raqeb-cli/issues
- Documentation: https://docs.raqeb.cloud
📝 License
MIT License - Copyright (c) 2026 Tzamun Arabia IT Co
🌟 Features Roadmap
- [ ] Multi-factor authentication support
- [ ] SSH key management
- [ ] Certificate management
- [ ] Kubernetes secrets integration
- [ ] Terraform provider
- [ ] Ansible integration
🤝 Contributing
Contributions are welcome! Please read our contributing guidelines before submitting PRs.
📊 Version
Current version: 1.0.0
See CHANGELOG.md for release notes.