All Products
Search

This Product

    Web Application Firewall:CLI integration example

    Document Center

    Web Application Firewall:CLI integration example

    Last Updated:Nov 12, 2025

    The Alibaba Cloud Command Line Interface (CLI) is a universal command-line tool built on OpenAPI. You can use the Alibaba Cloud CLI to automate the management and maintenance of Web Application Firewall (WAF) 2.0. If you are new to the Alibaba Cloud CLI, see What is the Alibaba Cloud CLI? This topic provides an example on how to use the Alibaba Cloud CLI to call Web Application Firewall 2.0. The example uses the DescribeInstanceSpecInfo operation to query the specifications of a WAF instance.

    Install the Alibaba Cloud CLI

    Before you use the Alibaba Cloud CLI, you must install it. Installation packages are available for Windows, Linux, and macOS. Select the installation package that corresponds to the operating system of your device.

    You can also use Cloud Shell provided by Alibaba Cloud to debug Alibaba Cloud CLI commands. For more information about Cloud Shell, see What is Cloud Shell?.

    Configure the Alibaba Cloud CLI

    Important

    An Alibaba Cloud account has permissions to manage and access the OpenAPI operations of all products. This poses a high security risk. We recommend that you create a Resource Access Management (RAM) identity, grant permissions based on the principle of least privilege, and then use the RAM identity to access OpenAPI.

    Before you use the Alibaba Cloud CLI, you must configure your identity credentials, region ID, and other information. The Alibaba Cloud CLI supports multiple types of identity credentials. For more information, see Credential types. This topic uses an AccessKey pair as an example. The procedure is as follows:

    1. Create a RAM user and an AccessKey. You can use them to configure your identity credentials. For more information, see Create a RAM user and Create an AccessKey.

    2. Grant product access policies to the RAM user as needed. For this example, you must grant the RAM user the AliyunYundunWAFReadOnlyAccess policy for read-only access to Web Application Firewall 2.0. For more information about system access policies, see System permission policies for Web Application Firewall.

    3. Obtain and record an available region ID. This ID is required to configure your identity credentials. The Alibaba Cloud CLI uses the specified region to make API calls. For more information about available regions, see Endpoints.

      Note

      When you use the Alibaba Cloud CLI, you can use the --region option to specify a region for a command. This option overrides the region information in the default identity credential configuration and environment variables. For more information, see Command-line options.

    4. Use the AccessKey of the RAM user to configure an AK-type credential. Name the configuration file AkProfile. For more information, see Configuration example.

    Generate a sample CLI command

    1. Go to the DescribeInstanceSpecInfo page in OpenAPI Explorer.

    2. In the Parameter Settings section, set the request parameters. Click the CLI Example tab to view the sample command.

    3. Copy the sample CLI command or run it in Cloud Shell:

      • Click the Run Command image button to open Cloud Shell and debug the command.

      • Click the Copy image button to copy the sample CLI command to the clipboard. You can then paste the command into your local shell tool and run it.

        Note

        • When you copy the sample CLI command to a local shell tool for debugging, make sure that the parameter format is correct. For more information about the parameter format for Alibaba Cloud CLI commands, see Parameter format.

        • OpenAPI Explorer adds the --region option to the generated sample by default. When you copy the command and run it locally, the Alibaba Cloud CLI uses the specified region and ignores the region that is configured in your default identity credentials and environment variables. You can remove or keep this option based on your requirements.

    image

    Call an API

    Example 1: Obtain a list of supportedWeb Application Firewall 2.0 OpenAPIs from Alibaba Cloud CLI

    The following example shows how to use the --help option to obtain the list of Web Application Firewall 2.0 OpenAPI operations that the Alibaba Cloud CLI supports. You can also view the supported API operations in API overview.

    1. Run the command.

      aliyun waf-openapi help

    2. The following output is returned.

      image

    Example 2: Query the specifications of a WAF instance

    The following example shows how to use the Alibaba Cloud CLI to call the DescribeInstanceSpecInfo operation of Web Application Firewall 2.0 to query the specifications of a WAF instance.

    1. Run the command.

      aliyun waf-openapi DescribeInstanceSpecInfo \
  --region cn-hangzhou \
  --RegionId 'cn-hangzhou' \
  --InstanceId 'waf-cn-st2225l****'

    2. The following output is returned.

      {
  "RequestId": "E906513E-F6B5-495E-98DC-7BA8****1D76",
  "InstanceId": "waf-cn-st2225l****",
  "ExpireTime": 1677168000000,
  "Version": "version_3",
  "InstanceSpecInfos": [
    {
      "Code": "103",
      "Value": "640"
    }
  ]
}
      Note

      If an error is returned when you call a Web Application Firewall 2.0 OpenAPI operation, use the returned error code to check whether the request parameters and their values are correct.

      You can also record the RequestID or SDK error message from the response and use Alibaba Cloud OpenAPI Diagnostic Platform to perform self-service diagnostics.