| name | companion-clis |
| description | Companion CLIs for Runpod workflows — HuggingFace, GitHub, Docker, and AWS. |
| allowed-tools | Bash(hf:*), Bash(gh:*), Bash(docker:*), Bash(aws:*), Bash(ssh-keygen:*), Bash(ssh-add:*), Bash(ssh-agent:*) |
| compatibility | Linux, macOS, Windows |
| metadata | {"author":"runpod","version":"1.0"} |
| license | Apache-2.0 |
Companion CLIs
Four CLIs commonly needed alongside Runpod: HuggingFace (hf), GitHub (gh), Docker (docker), and AWS (aws). Each requires credentials before use.
Windows: Install WSL2 First
If you are on Windows, install WSL2 (Windows Subsystem for Linux) before proceeding. WSL2 gives you a native Linux environment on Windows, which all these CLIs are designed for. Run in PowerShell as Administrator, then restart:
wsl --install
This installs WSL2 with Ubuntu by default. After restarting, open the Ubuntu app to complete setup (create a Linux username and password). From that point on, follow the Linux instructions throughout this skill.
HuggingFace CLI
The HuggingFace CLI (hf) is used to download models from the Hub to your local machine so they are cached and available when you build and run the Docker container. For example, to deploy meta-llama/Llama-3.1-8B to a Runpod serverless endpoint: download the model locally first, build a Docker image that includes or mounts it, validate the container locally, then push the image to Docker Hub for Runpod to pull.
Install
curl -LsSf https://hf.co/cli/install.sh | bash
brew install hf
Note: pip install huggingface_hub installs the older Python CLI (huggingface-cli), which uses different command syntax. The commands below are for the standalone hf CLI.
Credentials
Get a token at https://huggingface.co/settings/tokens. Use write access for uploading; read access is sufficient for downloading public or gated models.
hf auth login
hf auth login --token $HF_TOKEN --add-to-git-credential
export HF_TOKEN=hf_...
hf auth whoami
hf auth logout
Key Commands
hf download meta-llama/Llama-3.1-8B --local-dir ./models/llama-3.1-8b
hf download TinyLlama/TinyLlama-1.1B-Chat-v1.0 --local-dir ./models/tinyllama
hf download meta-llama/Llama-3.1-8B config.json --local-dir ./models/llama-3.1-8b
hf download stabilityai/stable-diffusion-xl-base-1.0 \
--include "*.safetensors" --exclude "*.fp16.*" \
--local-dir ./models/sdxl
hf download meta-llama/Llama-3.1-8B --revision v1.0 --local-dir ./models/llama-3.1-8b
Troubleshooting
export HF_HUB_DOWNLOAD_TIMEOUT=30
GitHub CLI
The GitHub CLI (gh) is used to manage repositories for Runpod serverless workers. This includes cloning repos into local Docker containers for testing, versioning source code so changes can be tracked and shared with teammates or collaborators, and creating GitHub releases that publish listings to the Runpod Hub. The Hub indexes releases — not commits — so every deployment update requires a new release.
Install
brew install gh
(type -p wget >/dev/null || (sudo apt update && sudo apt install wget -y)) \
&& sudo mkdir -p -m 755 /etc/apt/keyrings \
&& out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \
&& cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
| sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
&& sudo apt update && sudo apt install gh -y
apk add github-cli
SSH Keys
An SSH key identifies your machine as authentic to remote services. Generate one key and register the public key with each service that requires it — GitHub (via gh) and HuggingFace (via browser).
Generate a key
ssh-keygen -t ed25519 -C "your_email@example.com"
Add the key to the SSH agent
eval "$(ssh-agent -s)"
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
Credentials
gh auth login
gh auth status
Register the public key with each service
gh ssh-key add ~/.ssh/id_ed25519.pub --title "my-machine"
cat ~/.ssh/id_ed25519.pub
Key Commands
gh repo create my-worker --public
gh repo clone owner/repo
gh repo clone owner/repo -- --depth 1
gh repo view owner/repo
gh release create v1.0.0 --title "v1.0.0" --notes "Initial release"
gh release create v1.0.1 --title "v1.0.1" --notes "Update model tag"
gh release list
gh release view v1.0.0
Runpod Hub repository structure
A Hub-compatible repository requires these files (in root or .runpod/ directory):
handler.py # serverless worker implementation
Dockerfile # container definition
README.md # documentation shown on Hub listing
.runpod/
hub.json # Hub metadata: title, description, category, GPU config, env vars
tests.json # test cases run after each release
To publish: go to https://console.runpod.io → Hub → Add your repo → enter the GitHub repository URL.
Docker
Docker is used to build and validate container images locally before pushing to Docker Hub. Runpod uses Docker Hub as its default image registry — serverless endpoints, pods, and templates all reference images by their Docker Hub tag. Once an image is pushed, Runpod workers pull it automatically when the endpoint or pod is started.
Install
macOS: Download Docker Desktop from https://docs.docker.com/desktop/setup/install/mac-install/
- Choose the Apple Silicon installer for M-series Macs, or Intel Chip for older Macs
- Open the DMG, drag Docker to Applications, and launch it
Windows: Download Docker Desktop from https://docs.docker.com/desktop/setup/install/windows-install/
- Requires WSL 2 — if you followed the WSL2 setup above, Docker Desktop will detect it automatically
- After installation,
docker commands work inside your WSL2 terminal without extra configuration
- Run the installer and follow the setup wizard
Linux: See https://docs.docker.com/engine/install/ for distro-specific instructions
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
Credentials
Docker Hub authentication uses a personal access token (PAT), not your account password.
- Go to https://app.docker.com → Avatar (top right) → Account Settings → Personal Access Tokens
- Click Generate new token — give it a descriptive name, set an expiration, and choose Read & Write access
- Copy the token immediately — it is shown only once
docker login -u DOCKERHUB_USERNAME
Credentials are saved to ~/.docker/config.json after a successful login.
Tagging
Always use explicit semantic version tags. Never rely on latest.
The latest tag does not automatically point to the newest image — it only reflects the last build that was pushed without an explicit tag. If you push v1.0.0 and then push v1.0.1 with an explicit tag, latest still points to v1.0.0. Runpod workers pinned to latest will silently pull the wrong version.
Use a tag that uniquely identifies the build: v1.0.0, v1.0.1, etc.
docker build --platform=linux/amd64 -t myorg/myimage:v1.0.0 .
docker push myorg/myimage:v1.0.0
docker build -t myorg/myimage:latest .
Docker Hub
Docker Hub is the registry Runpod pulls images from. After pushing, images are visible at https://hub.docker.com/repositories/ and referenceable in Runpod as username/image:tag.
Images on Docker Hub can be public (anyone can pull) or private (requires credentials). For private images, register your Docker Hub credentials in Runpod once and they become available to any template:
- Go to https://console.runpod.io/user/settings → Container Registry Settings
- Add your Docker Hub username and personal access token (the same PAT used for
docker login)
- When creating or editing a template, select the saved credential from the dropdown
Runpod currently only supports docker login type credentials for container registry authentication.
Key Commands
docker build --platform=linux/amd64 -t myorg/myimage:v1.0.0 .
docker build --platform=linux/amd64 -t myorg/myimage:v1.0.0 -f Dockerfile.prod .
docker tag myorg/myimage:v1.0.0 myorg/myimage:v1.0.1
docker push myorg/myimage:v1.0.0
docker run --rm -it myorg/myimage:v1.0.0 bash
docker run --rm --gpus all myorg/myimage:v1.0.0 bash
docker run --rm -p 8080:80 -e API_KEY=secret myorg/myimage:v1.0.0
docker exec -it CONTAINER_ID /bin/bash
docker images
docker ps -a
docker logs CONTAINER_ID
docker logs -f CONTAINER_ID
docker rmi myorg/myimage:v1.0.0
docker rm CONTAINER_ID
AWS CLI
The AWS CLI is used to access Runpod storage over the S3 protocol. Any Runpod product that can mount a Network Volume — pods, clusters, and serverless endpoints — can have its storage accessed this way. The bucket name is the network volume ID.
Install
brew install awscli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
unzip awscliv2.zip && sudo ./aws/install
Credentials
Runpod uses its own S3-compatible API, not AWS. You need a Runpod user ID and S3 API key — not an AWS account.
- Access key (
AWS_ACCESS_KEY_ID): your Runpod user ID — found in the console under Settings > S3 API Keys, in the key description (format: user_...)
- Secret key (
AWS_SECRET_ACCESS_KEY): an S3 API key — generate one at Settings > S3 API Keys > Create. Shown only once; save it immediately (format: rps_...)
aws configure
aws configure list
export AWS_ACCESS_KEY_ID=user_...
export AWS_SECRET_ACCESS_KEY=rps_...
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
Region and Endpoint
The --region flag on every command is the Runpod datacenter ID where the network volume lives — not an AWS region. The --endpoint-url is derived from the same datacenter ID.
Every command requires both flags:
--region DATACENTER --endpoint-url https://s3api-DATACENTER.runpod.io/
Tip: Each network volume on the storage page at https://console.runpod.io/user/storage/ shows a pre-filled example aws s3 ls command with the correct --region and --endpoint-url already substituted. Use this to confirm the exact values for a given volume.
Datacenter IDs by region:
| Region | Datacenter IDs |
|---|
| EU | CZ-1, RO-1, IS-1, NO-1 |
| US | CA-2, GA-2, IL-1, KS-2, MD-1, MO-1, MO-2, NC-1, NC-2, NE-1, WA-1 |
Key Commands
Replace DATACENTER with the datacenter ID of your network volume (e.g. CA-2) and NETWORK_VOLUME_ID with the volume ID (used as the S3 bucket name).
aws s3 ls \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/
aws s3 ls \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/my-folder/
aws s3 cp local-file.txt \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/
aws s3 cp \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/remote-file.txt ./
aws s3 rm \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/remote-file.txt
aws s3 sync local-dir/ \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
s3://NETWORK_VOLUME_ID/remote-dir/
Path mapping: /workspace/my-folder/file.txt on a pod = s3://NETWORK_VOLUME_ID/my-folder/file.txt via S3.
Troubleshooting
export AWS_RETRY_MODE=standard
export AWS_MAX_ATTEMPTS=10
aws s3 cp large-file.zip \
--region DATACENTER \
--endpoint-url https://s3api-DATACENTER.runpod.io/ \
--cli-read-timeout 7200 \
s3://NETWORK_VOLUME_ID/