Tencent Cloud Command Line Interface (TCCLI) - Unified Cloud Resource Management

TCCLI (Tencent Cloud Command Line Interface) is a unified command-line tool that allows you to manage all Tencent Cloud resources through a single interface. It provides direct access to Tencent Cloud APIs, enabling you to create, modify, and manage cloud resources without using the web console.

TCCLI officially supports Python 2.7 but don't fucking use it - Python 2.7 has been dead since 2020. Use Python 3.6 (literally the newest version that won't break everything) unless you enjoy compatibility hell:

pip install tccli-intl-en

Windows gotcha: Installation fails 50% of the time with Microsoft Visual C++ 14.0 is required. Fix: Install Visual Studio Build Tools or use WSL2.

macOS gotcha: On M1/M2 Macs, you might get architecture not supported errors. Fix: Use Rosetta or install via Homebrew.

Verify installation (takes 5-10 seconds on first run):

tccli --version

If this fails with command not found, your PATH is fucked. Add ~/.local/bin to your PATH or reinstall with pip install --user.

TCCLI is cross-platform compatible and runs on:

• Windows
• macOS
• Linux/Unix (with command autocomplete support)

Yes, you need Tencent Cloud API credentials. Without them, every command fails with AuthFailure.SignatureFailure:

• SecretId: Your Cloud API key identifier (starts with AKID)
• SecretKey: Your Cloud API secret key (random 40-character string)
• Region: Target Tencent Cloud service region (e.g., ap-guangzhou-2)

Production nightmare: These credentials expire without warning - no email, no notification, just failed deployments at the worst possible time. We learned this at 3am on a Tuesday when our deployment pipeline died with AuthFailure.TokenFailure and I spent 45 minutes debugging network issues before I realized the fucking obvious - expired creds. Set up credential monitoring or enjoy random 3am wake-up calls.

Configure via tccli configure (interactive) or environment variables (for CI/CD):

export TENCENTCLOUD_SECRET_ID=\"your-secret-id\"
export TENCENTCLOUD_SECRET_KEY=\"your-secret-key\"
export TENCENTCLOUD_REGION=\"ap-guangzhou-2\"

TCCLI doesn't cost anything. The cloud resources you spin up with it will definitely cost you.

Cost gotcha: Commands like tccli cvm RunInstances will spin up billable resources immediately. There's no confirmation prompt. I've seen people accidentally create $500/month instances with a typo. Always double-check your parameters.

Rate limiting: Hit the APIs too hard and you'll get throttled. Free tier gets about 100 requests per minute. Exceed that and commands start failing with RequestLimitExceeded.

Yes, but it's clunky as hell. You create profiles for each account:

tccli configure --profile staging
tccli configure --profile production

Then use --profile for every command:

tccli cvm DescribeInstances --profile production

Massive gotcha: Forget the --profile flag and you'll run commands against the wrong account. We almost deleted our production database this way - caught it just in time when I noticed the wrong profile in the terminal prompt. Always check which profile is active with tccli configure list.

Better approach: Use environment variables in your scripts to avoid profile confusion:

## staging.env
export TENCENTCLOUD_SECRET_ID=\"staging-id\"
export TENCENTCLOUD_SECRET_KEY=\"staging-key\"

## production.env
export TENCENTCLOUD_SECRET_ID=\"production-id\"
export TENCENTCLOUD_SECRET_KEY=\"production-key\"

JSON parameters are where TCCLI becomes a massive pain in the ass. Get the syntax wrong and you'll get cryptic errors like InvalidParameterValue with zero helpful context.

The right way (single quotes, proper escaping):

tccli cvm RunInstances --Placement '{"Zone":"ap-guangzhou-2"}' --SystemDisk '{"DiskType":"CLOUD_BASIC", "DiskSize":50}'

Common failures:

• Double quotes: "{"Zone":"ap-guangzhou-2"}" → Shell parses incorrectly
• Missing quotes: {"Zone":"ap-guangzhou-2"} → Shell treats { as special character
• Wrong JSON: {'Zone':'ap-guangzhou-2'} → Python-style quotes don't work

Pro tip: Use jq to validate your JSON first:

echo '{"Zone":"ap-guangzhou-2"}' | jq .

If jq can't parse it, TCCLI will fail too.

Yes, but it's not as smooth as AWS CLI. Configure credentials via environment variables to avoid interactive prompts:

export TENCENTCLOUD_SECRET_ID="your-secret-id"
export TENCENTCLOUD_SECRET_KEY="your-secret-key"
export TENCENTCLOUD_REGION="ap-guangzhou-2"

CI/CD gotchas that will bite you:

1. No credential validation: TCCLI doesn't test credentials until you actually hit an API. Your pipeline runs for 5 minutes, then dies with AuthFailure.SignatureFailure. Every. Fucking. Time.

2. Silent timeouts: Large operations just stop working with no error. We lost 2 hours debugging a "successful" storage sync that claimed to process like 600+ files but actually only did around 270. The logs lied to our faces.

3. Rate limiting in loops: Don't loop through 100 instances without delays. You'll hit API limits and get RequestLimitExceeded.

Working example for GitLab CI:

deploy:
  script:
    - pip install tccli-intl-en
    - tccli cvm DescribeInstances --output json | jq .TotalCount  # Test credentials
    - ./deploy-script.sh

You get three ways to see the output, and here's when each one doesn't suck:

• JSON: For scripts and when you need all the gory details - warning: massive dumps of data
• Table: For humans who want to actually read the output - works great until you have 50+ resources
• Text: For shell scripts and quick parsing - basically just the key values

Use --output json|table|text to specify the format. JSON is default and usually what you want.

Real talk on production credentials (because we learned this shit the hard way):

1. Environment variables only - config files get checked into git and you'll leak credentials. We caught someone committing production keys literally 20 minutes before they were about to push.

2. IAM roles with minimal permissions - give TCCLI exactly what it needs, nothing more. We had an intern accidentally delete our entire staging database because they had admin permissions. Took 6 hours to restore.

3. Temporary credentials when possible - they expire automatically so stolen keys become useless. Our security team mandates 4-hour expiry for anything touching production.

4. Automated rotation - manual key rotation means forgetting to rotate until something breaks at 3am. Set up automated rotation or enjoy weekend emergency calls.

Yes, TCCLI provides command autocomplete on Linux/Unix systems. Enable it with:

complete -C 'tccli_completer' tccli

TCCLI error messages are often garbage, but here's how to actually debug them:

Step 1: Always run with --debug first:

tccli cvm DescribeInstances --debug

Common errors and real fixes:

• AuthFailure.SignatureFailure → Your credentials are wrong or expired
• InvalidParameterValue → Usually JSON syntax error, check quotes
• ResourceNotFound.InstanceIdNotExist → Instance doesn't exist in that region
• RequestLimitExceeded → You're hitting API rate limits, add delays
• UnsupportedOperation → You're using wrong API version or unsupported feature

Nuclear option when nothing works (aka the "fuck it, start over" approach):

## Clear all cached credentials and reconfigure
rm -rf ~/.tccli/
tccli configure

Time estimate: Simple errors take 5 minutes to fix. Complex permission issues eat 2-4 hours because Tencent's error messages are useless - they don't tell you which exact permission is missing, just that "something" failed.

TCCLI operates in a single region per command. For multi-region operations:

1. Configure multiple profiles with different regions
2. Use the --region parameter to override default settings
3. Write scripts that loop through target regions
4. Consider using infrastructure-as-code tools for complex multi-region deployments

TCCLI basically wraps Tencent's APIs so you don't have to mess with raw HTTP calls. Compared to AWS CLI or Azure CLI:

• It's less polished - AWS CLI has better error messages and docs
• Smaller ecosystem - fewer third-party tools and integrations
• Works fine for basic stuff - gets annoying for complex deployments
• Updates inconsistently - sometimes new features lag behind the web console