Access your organization's VMware Tanzu Mission Control resources using the command-line interface.


You must be a member of a VMware Cloud Services organization that has access to Tanzu Mission Control to log in with the CLI.

Before starting this procedure, make sure you have already logged in to the Tanzu Mission Control console.

If you intend to run the Tanzu Mission Control CLI from a location protected by a proxy server, you must add the following URL to your proxy allowlist.


  1. Install the Tanzu Mission Control CLI (tmc).
    1. In the left navigation pane of the Tanzu Mission Control console, click Automation center.
    2. On the Automation Center page, click Download CLI, and then choose the environment where you want to use the CLI.
    3. After the download completes, move the tmc executable to an accessible bin directory (for example, ~/bin or %UserProfile%\bin).
    4. Make sure the bin directory is accessible on your PATH.
    5. Make the file executable.
      • For Linux or Mac OS:
        chmod +x ~/bin/tmc
      • For Windows:
        move %UserProfile%\bin\tmc %UserProfile%\bin\tmc.exe
        attrib +x %UserProfile%\bin\tmc.exe
    6. Now change to a different directory and verify that the CLI is ready to use by checking the help.
      tmc --help
      If you are running on Mac OS, you might encounter the following error:
      "tmc" cannot be opened because the developer cannot be verified.
      If this happens, you need to create a security exception for the tmc executable. Locate the tmc app in the Finder, control-click the app, and then choose Open.
  2. Retrieve an API token.
    1. On the Download CLI page, click the link to go to the My Account page in the VMware Cloud Services console.
    2. Click the API Tokens tab.
    3. Select roles. Either select All Roles, or select Organization Owner and Organization Member from the Organization Roles list and Tanzu Mission Control Admin and Tanzu Mission Control Member from the Service Roles list.
      The reason for selecting the four roles specifically is that these are the roles honored by the Tanzu Mission Control RBAC and it defines the scope for the APIToken. When the CLI generates an Access/ID token from this user APIToken, it would only have the subset of these 4 roles based on which roles the user is actually assigned in CSP. That’s also the reason why we can recommend selecting All Roles, as we’re just defining the scope for the APIToken and not actual role assignments.
    4. Check the OpenID checkbox.
      While generating an API token for Tanzu Mission Control, the OpenID checkbox is required, otherwise CSP doesn’t include groups in the ID Token and that directly impacts the Tanzu Mission Control RBAC.
    5. Click Generate Token to create an API token with a scope of All Roles, and then copy the generated token.
      Save this token in a safe place in the event you need to use it again.
    6. Return to the Download CLI page in the Tanzu Mission Control console.
  3. Open a command window and use the following command to log in.
    tmc login
  4. When prompted enter your API token.
    For more information, enter the following command.
    tmc login --help

What to do next

After you log in, you can manage your clusters at the command line.