A command-line interface for managing your Thalassa Cloud Installation.
This project is still in beta. Commands and UX may change while the project is in initial development.
brew install thalassa-cloud/tap/tcloudDownload the latest release for your platform from the GitHub releases page.
Authenticate with Thalassa Cloud (opens a browser login by default):
tcloud context create --api=https://api.thalassa.cloudOr with a personal access token:
tcloud context create --api=https://api.thalassa.cloud --token=<PAT>The CLI stores non-secret settings in ~/.tcloud. Sensitive credentials are kept out of this file when a system credential store is available (see Credential storage below).
When using the file-backed credential store, tokens may appear in the config. With the default keychain storage, the config only records where credentials are stored:
configVersion: v1
contexts:
- name: default
context:
api: api.thalassa.cloud
user: default
organisation: <ORG_SLUG_OR_IDENTITY>
current-context: default
servers:
- name: api.thalassa.cloud
api:
server: https://api.thalassa.cloud
users:
- name: default
credentialStore: keychain
user: {}By default, the CLI stores secrets in the OS credential store when one is available:
- macOS: Keychain (service name
Thalassa Cloud CLI) - Windows: Credential Manager
- Linux: Secret Service (for example GNOME Keyring or KWallet)
Stored secrets include personal access tokens, OIDC client credentials, and browser login access/refresh tokens.
Control the store with THALASSA_CREDENTIAL_STORE:
| Value | Behaviour |
|---|---|
auto (default) |
Use the OS credential store when available; otherwise store secrets in the config file |
keychain |
Always use the OS credential store; fail if unavailable |
file |
Store secrets in ~/.tcloud (legacy behaviour) |
Existing plaintext credentials in ~/.tcloud are migrated to the keychain automatically on load when keychain storage is enabled.
To inspect or remove keychain entries on macOS, open Keychain Access and search for Thalassa Cloud CLI.
The CLI stores settings in ~/.tcloud. On load, the CLI warns if that file is world-readable. Fix permissions with:
tcloud context fixThis restricts ~/.tcloud to owner-only access (0600).
New logins store secrets in the OS credential store (macOS Keychain, Windows Credential Manager, or Linux Secret Service) when available. Existing configs with plaintext tokens in ~/.tcloud are left unchanged until manually running the fix command.
To move existing plaintext credentials into the keychain:
tcloud context fix --migrate-credentialsUse tcloud context view to inspect your config with secrets redacted.
Control credential storage with THALASSA_CREDENTIAL_STORE (auto, keychain, or file).
- Go 1.24 or later
- Make
# Clone the repository
git clone https://github.com/thalassa-cloud/cli.git
cd cli
# Build the binary
make build
# Run tests
make testNote: Running E2E tests creates real resources and you may be charged for these!
# Build the binary first
make build
# Set environment variables
export TCLOUD_E2E_API_ENDPOINT="https://api.thalassa.cloud"
export TCLOUD_E2E_PERSONAL_ACCESS_TOKEN="your-token"
export TCLOUD_E2E_ORGANISATION="org-id"
# Run tests
make test-e2e
# or
go test ./e2e/... -vWe welcome contributions! Please see our Contributing Guide for details.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.