This is a Beta Software
NOTE: This tool is intended to be installed via the Akamai CLI package manager, which can be retrieved from the releases page of the Akamai CLI tool.
- Node 7
- npm install after every update
- Ensure that the 'bin' subdirectory is in your path
- Version number - if not specified, the tool will assume the latest version is editable and try to execute the actions on the version. If the version is not editable1, you will get an error.
- Config ID - if not specified, the tool will make an assumption that the user has only one configuration and try to execute the action on the editable1 version.
- Security policy id - if not provided in commands that required a security policy, the tool will assume that the editable1 version has only one policy and try to use it. If the said version has more than one policy, an error will be thrown asking for the policy id.
If left to these assumptions, the commands will perform slower than when these options are provided explicitly.
In order to use this configuration, you need to:
- Set up your credential files as described in the authorization and credentials sections of the getting started guide on developer.akamai.com.
- When working through this process you need to give grants for the Application Security API. The section in your configuration file should be called 'appsec' or 'default' unless you would like to pass the section name in every command using the
--section
option.
Account switching can be performed by providing the --account-key
option with account ID as the value.
- In order to use this capability, an API client needs to be setup. Detailed information is available here https://learn.akamai.com/en-us/learn_akamai/getting_started_with_akamai_developers/developer_tools/accountSwitch.html
The akamai appsec Kit is a set of nodejs libraries that wraps Akamai's {OPEN} APIs to help simplify protection to the properties delivered by Akamai. This kit can be used as a no-fuss command line utility to interact with the library.
$ akamai appsec
Usage: akamai appsec <command> [options]
Commands:
activate Activate a version.
activation Get activation status.
clone Clone a config.
configs List all available configurations.
enable-custom-rule Assigns an action (such as alert or deny) to an existing custom rule in a policy.
create-custom-rule Create a custom rule.
delete-custom-rule Delete a custom rule.
custom-rule Display contents of custom rule.
modify-custom-rule Update existing custom rule.
structured-rule-template Prints sample JSON of a structured custom rule. [aliases: srt]
custom-rules List all custom rules.
export Export a configuration version.
add-hostname Add hostnames to selected list
selectable-hostnames List all selectable hostnames.
selected-hostnames List all currently chosen hostnames.
create-match-target Creates a match target.
modify-match-target Updates a match target.
match-target-order Change the match target sequence.
match-targets List all match targets.
policies List all security policies.
clone-policy Clone security policy.
version Read a config version
versions List all config versions
create-rate-policy (Beta) Create a rate policy.
delete-rate-policy (Beta) Delete a rate policy.
rate-policy (Beta) Display contents of a rate policy.
modify-rate-policy (Beta) Update existing rate policy.
rate-policies (Beta) List all rate policies.
api-endpoints (Beta) List all api endpoints.
mode (Beta) Display the WAF Mode
set-mode (Beta) Set the WAF Mode
protections (Beta) List all protections of a policy.
set-protections (Beta) Update protections of a policy.
rate-policies-actions (Beta) List all enabled rate policies actions of a policy.
enable-rate-policy (Beta) Assigns an action to an existing rate policy in a policy.
disable-rate-policy (Beta) Removes an action set to an existing rate policy in a policy.
slow-post (Beta) Display contents of slow post in a policy.
enable-slow-post (Beta) Enable slow post in a policy.
disable-slow-post (Beta) Disable slow post in a policy.
penalty-box (Beta) Display penalty box action in a policy.
disable-penalty-box (Beta) Disable penalty box in a policy.
enable-penalty-box (Beta) Enable penalty box in a policy.
attack-groups (Beta) List all attack group actions in a policy.
attack-group (Beta) Display attack group action in a policy.
enable-attack-group (Beta) Enable attack group in a policy.
disable-attack-group (Beta) Disable attack group in a policy.
rule-actions (Beta) List all rule actions in a policy.
rule-action (Beta) Display rule action in a policy.
enable-rule-action (Beta) Enable rule action in a policy.
disable-rule-action (Beta) Disable rule action in a policy.
rule-condition-exception (Beta) Display rule condition exception in a policy.
modify-rule-condition-exception (Beta) Update rule condition exception in a policy.
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
--account-key Account ID to switch to when performing the operation [string]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation
This script wraps all of the functionality from the library into a command line utility which can be used to support the following use cases.
Akamai customers can currently configure delivery of a new web property using the PAPI API/CLI. This use case enables protecting these new web properties. This protection is limited to adding the host to an existing security policy. The typical steps are listed in the following table:
# | Commands | Comments |
---|---|---|
1 | akamai property create | |
2 | akamai property activate | |
3 | akamai appsec configs |
|
4 | akamai appsec versions --config=<config id> |
|
5 | akamai appsec clone --config=<config id> |
Optional. You can skip this step if you choose to use an existing editable1 configuration version |
6 | akamai appsec selectable-hostnames |
|
7 | akamai appsec add-hostname <comma separated hostnames> |
|
8a | akamai appsec policies --config=<config id> --version=<version number> |
|
8b | akamai appsec create-match-target --hostnames=<comma separated hostnames> --paths=<comma separated paths> --policy=<security policy id> |
|
8c | akamai appsec match-target-order --insert=<match target id> --config=<config id> --version=<version number> |
|
8d | akamai appsec modify-match-target <match target id> add-hostname <hostname> |
|
9 | akamai appsec activate --network=<activation network> --notes=<activation notes> --notify=<emails> |
|
10 | akamai appsec activation --activation-id=<activation id> |
Adding or updating a custom rule to the protection of a hostname requires a change to a policy. The custom rule action API is used to enable the custom rule.
# | Commands | Comments |
---|---|---|
1 | akamai appsec clone --config=<config id> |
Optional. You can skip this step if you choose to use an existing editable1 configuration version |
2 | akamai appsec structured-rule-template > structuredRule.json |
This prints a template json to the standard output. You must edit this template appropriately before creating the custom rule |
3 | vim structuredRule.json |
|
4 | akamai appsec create-custom-rule @structuredRule.json |
|
5 | akamai appsec enable-custom-rule --custom-rule=<custom rule id> --policy=<security policy id> --action=<alert or deny> |
|
6 | akamai appsec activate --network=<activation network> --notes=<activation notes> --notify=<emails> |
|
7 | akamai appsec activation --activation-id=<activation id> |
For details about individual commands, please look at Commands
- Retrieve available configurations
- Retrieve available configuration versions
- Retrieve a configuration version
- Clone a configuration version
- Retrieve hostnames available for protection
- Retrieve hostnames that are protected
- Add hostname(s) to protect
- Retrieve Security policies
- Clone a security policy
- Create a Website Match target
- Retrieve Website Match targets
- Modify a Website Match target
- Change Website Match target order
- Custom rule template
- Create custom rule
- Delete custom rule
- Modify a custom rule
- Enable a custom rule
- Retrieve all custom rules
- Retrieve a custom rule
- Delete a custom rule
- Activate a configuration version
- Check activation status
- Export a configuration version
Usage: akamai appsec configs [options]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. Defaults to ~/.edgrrc [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec versions [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--limit <num> Specifies the number of most recent versions of the selected configuration to be fetched. [number]
--verbose Provides more details about each version. [boolean]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. Defaults to ~/.edgrrc [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec version [options]
Options:
--config <id> Configuration id number. If not provided, assumes there is only one configuration and
chooses it. If there's more, an error is thrown.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. Defaults to ~/.edgrrc [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Clones the configuration version.
sage: akamai appsec clone [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--version <num> The version number to clone [required] [string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation
These are the hostnames that the user can choose from, to add to the configuration version for protection.
Usage: akamai appsec selectable-hostnames [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <id> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
These are the hostnames that the user is already protecting as part of this configuration version.
Usage: akamai appsec selected-hostnames [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <id> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Adds a new hostname to the protected list(selected hostnames). The hostnames chosen here should be from the selectable hostnames list.
Usage: akamai appsec add-hostname <hostnames> [options]
Arguments:
<hostnames> The comma separated list of hostnames to add.
[required] [array:string]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Retrieves the list of security policies present in this configuration version.
Usage: akamai appsec policies [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <id> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Creates a new security policy by cloning another policy available within the same configuration version.
Usage: akamai appsec clone-policy <policy> [options]
Arguments:
<policy> The policyId of the policy to clone. [required] [string]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
--prefix <prefix> A 4 character alphanumeric prefix for the policy ID of the new security policy being created. If
not provided, it will be auto-generated.
[string]
--name <name> Name of the security policy. Maximum 255 characters. If not provided, it will be auto-generated.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec create-match-target [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <id> The version number. It can also take the values 'PROD' or 'PRODUCTION'
or 'STAGING'. If not provided, latest version is assumed.
[string]
--hostnames <a.com, b.net, c.d.com> Hostnames to add.
[required] [array:string]
--paths <x,y,z> The file paths
[required] [array:string]
--policy <id> The policy id to use. If not provided, we try to use the policy
available on file(slow). If you have more than one policy, this option must
be provided.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec match-targets [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Updates an existing match target. As of now, the only supported operation is to add a hostname to the existing match target.
Usage: akamai appsec modify-match-target <match-target> <subcommand> <hostname> [options]
Arguments:
<match-target> The match target id. [required] [string]
<hostname> The hostname to add to the match target. [required] [string]
Sub Commands:
<subcommand> The subcommand. [add-hostname] [required] [string]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Updates the order of the website match targets
Usage: akamai appsec match-target-order [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
--insert <id> Match target id to move to the start.
[number]
--append <id> Match target id to move to the end.
[number]
[order] The comma separated list of numeric match target ids in desired order.
[array:number]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
The custom rule needs to be fed as as json and this command prints the json template for creating a custom rule. You must add the required details in the json and remove the rest before creating a custom rule.
Usage: akamai appsec structured-rule-template
Usage: akamai appsec create-custom-rule [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--file <path> File with JSON rules [required] [file] [must exist]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec modify-custom-rule [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--custom-rule <id> Rule ID. [required] [number]
--file <path> File with JSON rules [file] [must exist]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec enable-custom-rule [options]
Options:
--custom-rule <id> Rule ID.
[required] [number]
--policy <id> Policy ID.
[required] [string]
--action <action> Action to assign. If the action is "none", it is not associated with the policy
[required] [enum] [alert, deny, none]
--config <id> Configuration id. Mandatory if you have more than one configuration.
[number]
--version <num> The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
not provided, latest version is assumed.
[string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec custom-rules [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Usage: akamai appsec custom-rule [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--custom-rule <id> Rule ID. [required] [number]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Activates a configuration version and provides the activation id. This ID is required to monitor the activation status.
Usage: akamai appsec activate [options]
Options:
--config <id> Configuration id.
[number]
--version <id> The version number.
[string]
--network <network> The network in which the configuration must be activated.
[required] [enum] [PRODUCTION, STAGING]
--note <note> The activation notes.
[string]
--notify <emails> The comma separated email ids to get notification.
[required] [array:string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation
Prints the current state of the activation request. This command needs the activation id from the activation step.
Usage: akamai appsec activation [options]
Options:
--activation-id <id> Activation request id. [required] [number]
--verbose Provides more details about the activation status. [boolean]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation
Usage: akamai appsec delete-custom-rule [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--custom-rule <id> Rule ID. [required] [number]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
Exports the complete details of a configuration version.
Usage: akamai appsec export [options]
Options:
--config <id> Configuration id. Mandatory if you have more than one configuration. [number]
--version <num> The version number to Export [string]
Command options:
--json Print the raw json response. All commands respect this option. [boolean]
--edgerc The full path to the .edgerc file. [string]
--section The section of .edgerc to use. [string]
--help Prints help information. [commands: help] [boolean]
--version Current version of the program. [boolean]
The Akamai CLI is a new tool and as such we have made some design choices worth mentioning.
- Credentials - the tool looks for credentials in the 'appsec' section in your ~/.edgerc file. If not present, it will look for the section 'default'. Alternatively you can provide the section name using the --section option in every command. If you are unfamiliar with the authentication and provisioning for OPEN APIs, see the "Get Started" section of https://developer.akamai.com
1A configuration version is editable if it is not active currently or in the past in any of the environments(staging or production).