ONSdigital · 418error · May 14, 2026 · May 18, 2026 · May 19, 2026 · May 19, 2026
@@ -1,36 +1,35 @@
 # dp-cli
 
-Command-line client providing *handy helper tools* for the ONS Dissemination Platform software engineering team
+> [!WARNING]
+> This tool is primarily for internal use at ONS but feel free to fork for your own use.
+>
+> If you notice any bugs/issues please open a GitHub issue.
 
-:warning: Still in active development. If you notice any bugs/issues please open a GitHub issue.
+Command-line client providing *handy helper tools* for the ONS Dissemination Platform software engineering team
 
 ## Getting started
 
-Clone the code (not needed if you [brew install on macOS](#brew-installation) :warning:)
-
-```shell
-git clone git@github.com:ONSdigital/dp-cli.git
-```
+If using macOS, you can install using `brew`:
 
-:warning: `dp-cli` uses Go Modules and **must** be cloned to a location outside of your `$GOPATH`.
+- Create tap
 
-### Prerequisites
+  ```shell
+  brew tap ONSdigital/homebrew-dp-cli git@github.com:ONSdigital/homebrew-dp-cli
+  ```
 
-**Required:**
+- Run brew install
 
-Check that `session-manager-plugin` is installed by running the following command
+   ```shell
+   brew install dp-cli
+   ```
 
-```shell
-which session-manager-plugin
-```
+### Prerequisites
 
-if not installed, you can install it using the following:
+The cli tool will do its best to check you have the required supporting tools installed, but you will need to have the following installed to use the tool:
 
-```shell
-brew install --cask session-manager-plugin
-```
-
-or by follow this [doc](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-macos).
+- **aws cli** - Either `brew install awscli` or follow the [AWS docs](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html)
+- **aws session manager plugin** - Either `brew install --cask session-manager-plugin` or follow the [AWS docs](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-macos)
+- **socat** - Either `brew install socat`
 
 #### Optional but common requirements
 
@@ -56,7 +55,7 @@ In order to use the `dp ssh` sub-command you will need:
   git clone git@github.com:ONSdigital/dp-nisra-infrastructure
   ```
 
-Note: Make sure your repo's are on the right branches and are uptodate:
+Note: Make sure your repo's are on the right branches and are up-to-date:
 
 - `dp-setup` is on the `awsb` (or `main`) branch
 - `dp-ci` is on the `main` branch
@@ -116,31 +115,20 @@ update the paths and `user-name`:
 
 You can uncomment more `environments` values as and when you get access to them.
 
-### Brew Installation
-
-If using macOS, you can install using `brew`:
-
-- Create tap
-
-  ```shell
-  brew tap ONSdigital/homebrew-dp-cli git@github.com:ONSdigital/homebrew-dp-cli
-  ```
-
-- Run brew install
-
-   ```shell
-   brew install dp-cli
-   ```
+## Binary build and run
 
-### Build and run
-
-If not using the *brew* installation (above), you can build, install and start the CLI thus:
+```shell
+git clone git@github.com:ONSdigital/dp-cli.git
+```
 
 ```shell
 make install
 dp
 ```
 
+> [!IMPORTANT]
+> `dp-cli` uses Go Modules and **must** be cloned to a location outside of your `$GOPATH`.
+
 - If you get:
 
   `command not found: dp`
@@ -170,14 +158,16 @@ Usage:
 
 Available Commands:
   clean            Delete data from your local environment
-  create-repo      Creates a new repository with the typical Dissemination Platform configurations
+  completion       Generate the autocompletion script for the specified shell
+  create-repo      Creates a new repository with the typical Dissemination Platform configurations 
+  eks              EKS cluster management commands
   generate-project Generates the boilerplate for a given project type
   help             Help about any command
   import           Import data into your local developer environment
+  override-key     Generates an overrideKey to bypass the Florence dataset version validation step when approving a collection
   remote           Allow or deny remote access to environment
-  scp              Push (or `--pull`) a file to (from) an environment using scp
+  remote2          (NEW) Allow or deny remote access to environment using the new remote allow service
   spew             Log out some useful debugging info
-  ssh              Access an environment using ssh
   version          Print the app version
 
 Flags:
@@ -188,9 +178,9 @@ Use "dp [command] --help" for more information about a command.
 
 Use the available commands for more info on the functionality available.
 
-### Common issues
+## Common issues
 
-#### Credentials error
+### Credentials error
 
 1. If sandbox/prod/staging are not in the dp cli output try unsetting `AWS_REGION` and `AWS_DEFAULT_REGION`
 
@@ -219,7 +209,7 @@ Use the available commands for more info on the functionality available.
         profile:
     ```
 
-#### SSH/SCP command fails
+### SSH/SCP command fails
 
 ```shell
 $ dp ssh sandbox
@@ -229,7 +219,7 @@ ssh to sandbox
 
 If the SSH or SCP command fails, ensure that the `dp remote allow` command has been run for the environment you want to connect to.
 
-#### Remote Allow security group error
+### Remote Allow security group error
 
 `Error: no security groups matching environment: "sandbox" with name "sandbox - bastion"`
 
@@ -246,7 +236,7 @@ Example:
 export AWS_PROFILE=dp-staging
 ```
 
-#### Remote Allow security group rule already exists error
+### Remote Allow security group rule already exists error
 
 ```shell
 $ dp remote allow sandbox
@@ -258,13 +248,14 @@ Error: error adding rules to bastionSG: InvalidPermission.Duplicate: the specifi
 The error occurs when rules have previously been added and the command is run again.
 Use (e.g.) `dp remote deny sandbox` to clear out existing rules and try again.
 
-Note: *This error should no longer appear* - the code should now avoid re-adding existing rules.
-However, it is possible that the rule has been added with a description that does not match your username.
-If so, you will have to use the AWS web UI/console to remove any offending Security Group rules.
+> [!NOTE]
+> *This error should no longer appear* - the code should now avoid re-adding existing rules.
+> However, it is possible that the rule has been added with a description that does not match your username.
+> If so, you will have to use the AWS web UI/console to remove any offending Security Group rules.
 
-### Advanced use
+## Advanced use
 
-#### ssh commands
+### ssh commands
 
 You can run ssh commands from the command-line, for example to determine the time on a given host:
 
@@ -285,7 +276,7 @@ $ dp ssh sandbox web 1 --to 0 -- ls -la
 # runs `ls -la` on ALL web boxes
 ```
 
-#### Manually configuring your IP or user
+### Manually configuring your IP or user
 
 Optionally, (e.g. to avoid the program looking-up your IP),
 you can use the `--ip` flag (or an environment variable `MY_IP`) to force the IP used when running `dp remote allow`.
@@ -303,7 +294,7 @@ Similarly, use the `--user` flag to change the label attached to the IP that is
 dp remote --user MyColleaguesName --ip 192.168.44.55 --http-only allow sandbox
 ```
 
-#### Remote allow extra ports
+### Remote allow extra ports
 
 You can expand the allowed ports in your config for `publishing`, `web` or `bastion` with:
 
@@ -315,7 +306,7 @@ environments:
         - 80
 ```
 
-#### AWS Command Line Access
+### AWS Command Line Access
 
 Follow the guide in [dp](https://github.com/ONSdigital/dp/blob/main/guides/AWS_ACCOUNT_ACCESS.md)
 

@@ -7,7 +7,10 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 )
 
-func getAWSConfig(ctx context.Context, profile string) aws.Config {
+// GetAWSConfig loads the AWS SDK config for the given profile.
+// Region is determined by the SDK's default resolution chain
+// (environment variables, shared config file, then falls back to eu-west-2).
+func GetAWSConfig(ctx context.Context, profile string) (aws.Config, error) {
 	var configOpts []func(*config.LoadOptions) error
 
 	configOpts = append(configOpts, config.WithRegion("eu-west-2"))
@@ -16,12 +19,15 @@ func getAWSConfig(ctx context.Context, profile string) aws.Config {
 		configOpts = append(configOpts, config.WithSharedConfigProfile(profile))
 	}
 
-	cfg, err := config.LoadDefaultConfig(ctx,
-		configOpts...,
-	)
+	return config.LoadDefaultConfig(ctx, configOpts...)
+}
+
+// Deprecated: The use of getAWSConfig will be removed, this was the legacy internal helper that panics on error.
+// Existing code in this package uses it; new code should use GetAWSConfig and legacy refactored.
+func getAWSConfig(ctx context.Context, profile string) aws.Config {
+	cfg, err := GetAWSConfig(ctx, profile)
 	if err != nil {
 		panic(err)
 	}
-
 	return cfg
 }
@@ -0,0 +1,27 @@
+package aws
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/lambda"
+)
+
+func getLambdaClient(ctx context.Context, profile string) *lambda.Client {
+	return lambda.NewFromConfig(getAWSConfig(ctx, profile))
+}
+
+// InvokeLambda invokes a Lambda function with the provided JSON payload and returns the raw response payload as string.
+func InvokeLambda(ctx context.Context, profile string, functionName string, payload []byte) (string, error) {
+	client := getLambdaClient(ctx, profile)
+
+	out, err := client.Invoke(ctx, &lambda.InvokeInput{
+		FunctionName: aws.String(functionName),
+		Payload:      payload,
+	})
+	if err != nil {
+		return "", err
+	}
+
+	return string(out.Payload), nil
+}
@@ -6,7 +6,7 @@ image_resource:
   type: docker-image
   source:
     repository: golang
-    tag: 1.24.11-bookworm
+    tag: 1.26.3-bookworm
 
 inputs:
   - name: dp-cli

@@ -6,7 +6,7 @@ image_resource:
   type: docker-image
   source:
     repository: golang
-    tag: 1.24.11-bookworm
+    tag: 1.26.3-bookworm
 
 inputs:
   - name: dp-cli

@@ -6,7 +6,7 @@ image_resource:
   type: docker-image
   source:
     repository: golang
-    tag: 1.24.11-bookworm
+    tag: 1.26.3-bookworm
 
 inputs:
   - name: dp-cli