
Get Started with the Lacework CLI

The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.

Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.

Install the Lacework CLI

Bash (macOS/Linux)

curl | bash

PowerShell (Windows)

  1. Open a PowerShell terminal and run the following command:
    Set-ExecutionPolicy Bypass -Scope Process -Force
    iex ((New-Object System.Net.WebClient).DownloadString(''))
    The Lacework CLI is installed at C:\ProgramData\Lacework\lacework.exe and the system PATH environment variable is updated to include the Lacework CLI.
  2. Open a new PowerShell terminal to read the updated system PATH and use the Lacework CLI.

Homebrew (macOS/Linux)

brew install lacework/tap/lacework-cli

For more details, see the Lacework Homebrew Tap.

Chocolatey (Windows):

choco install lacework-cli

For more details, see the Lacework CLI Chocolatey package.

Create API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys and Tokens.

  1. Log in to the Lacework Console.
  2. Click Settings > API keys.
  3. Click Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The contents of your API key file include keyId, secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": ""
}

Configure the CLI

Use the lacework configure command to configure the Lacework CLI with the API Key downloaded from the previous step.

lacework configure -j /path/to/key.json

Example output:

Account: example
Secret Access Key: **********************************

You are all set!

The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.
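
Both the downloaded key file and $HOME/.lacework.toml hold the API secret in plaintext, so they should be readable only by their owner. The following is an added example, not part of the Lacework CLI or its documentation: it reports secret files that group or other users can access and optionally tightens them to mode 600. The function names are hypothetical and the sample key file is constructed with placeholder values.

```shell
#!/bin/sh
# Added example (not Lacework code): audit files that hold API secrets.

# Print the nine permission characters of a path, e.g. "rw-r--r--".
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# 0 = owner-only, 1 = group/other have some access, 2 = file missing.
secret_file_status() {
    [ -e "$1" ] || return 2
    case "$(perm_bits "$1")" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on each path; if the first argument is --fix, chmod 600 loose files.
# Returns the number of files that are still exposed afterwards.
audit_secret_files() {
    fix=0
    [ "${1:-}" = "--fix" ] && { fix=1; shift; }
    exposed=0
    for f in "$@"; do
        st=0
        secret_file_status "$f" || st=$?
        case "$st" in
            0) echo "ok       $(perm_bits "$f") $f" ;;
            2) echo "missing  $f" ;;
            1) if [ "$fix" -eq 1 ] && chmod 600 "$f"; then
                   echo "fixed    $(perm_bits "$f") $f"
               else
                   echo "EXPOSED  $(perm_bits "$f") $f"
                   exposed=$((exposed + 1))
               fi ;;
        esac
    done
    return "$exposed"
}

# Demo on a constructed key file (placeholder values, not real credentials).
demo_dir=$(mktemp -d)
printf '{"keyId": "EXAMPLE_KEY_ID", "secret": "_example"}\n' > "$demo_dir/key.json"
chmod 644 "$demo_dir/key.json"
audit_secret_files "$demo_dir/key.json" || true   # reports EXPOSED
audit_secret_files --fix "$demo_dir/key.json"     # reports fixed
rm -rf "$demo_dir"
```

On a workstation, pass "$HOME/.lacework.toml" and the path of the downloaded key file to audit_secret_files.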

Enable Command Autocomplete

You can work faster and get help remembering commands by enabling command autocomplete for the Lacework CLI for your shell environment.

With autocomplete enabled, you can quickly complete CLI commands you have started to type by hitting the tab key. If there is more than one way to complete a command, hit the tab key twice to view all options.

The Lacework CLI supports several shell environments, including bash, powershell, and zsh.

To use autocomplete in a supported shell, you first need to enable it by running the autocomplete script. To see supported shell environments, run the following command:

lacework completion

For example, to enable completion in your current bash shell session, run the following command:

source <(lacework completion bash)

For complete instructions for bash and other supported environments, see the following topics:

For general information on the Lacework CLI command autocomplete feature, see lacework completion.

Multiple Profiles

You can add more profiles and refer to each one by name by specifying the --profile flag. The following example creates a profile named prod.

lacework configure --profile prod -j /path/to/key.json

Example output:

Account: prod.example
Secret Access Key: **********************************

You are all set!

Then, when you run a command, you can specify --profile prod to use the credentials and settings stored under that name.

lacework agent list --profile prod

If there is no --profile flag, the Lacework CLI defaults to the default profile.

To list all profiles configured on the workstation, use:

lacework configure list

Example output:

  PROFILE   | ACCOUNT      | API KEY                                                  | API SECRET
  prod      | prod-account | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
  qa1       | qa1-account  | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
  qa2       | qa2-account  | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
> default   | dev-account  | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1

Switch Profiles

To switch between the profiles configured in the config file $HOME/.lacework.toml, use the following command:

lacework configure switch-profile <profile>

This is a global configuration for the Lacework CLI, which means that any new terminal continues to use the selected profile.

To switch back to the default profile:

lacework configure use default

The command lacework configure use is an alias to the switch-profile sub-command.

An alternative that switches profiles only in your current terminal is to export the environment variable LW_PROFILE=your-profile.

Organizational Accounts

An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.


To enroll your account in an organization, see Organization Enrollment Process.

Use the global flag --subaccount to switch to a different account inside your organizational account.

For example, having a default profile that has access to your primary account named my-company:

account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2

To access your sub-account named business-unit, pass the flag --subaccount business-unit to any command.

There are two ways to set a sub-account persistently:

  • Export the environment variable LW_SUBACCOUNT="<YOUR_SUBACCOUNT>". This only makes the sub-account configuration persist for the active terminal.
  • Reconfigure your profile with the command lacework configure. This command prompts you to select any sub-account that you have access to in your organizational account.

To list all accounts in your organization:

lacework account list

Output Formats

The Lacework CLI supports the following output formats:

  • Human-readable: Default output that presents the information in a "human-readable" or "human-friendly" format, which is much easier to read, but not as useful for automation purposes.
  • JSON: To switch the output of any command to be formatted as a JSON string, add the flag --json.

Some commands have additional formats available:

  • PDF: For compliance reports, it is possible to download a report in PDF format by adding the flag --pdf.
  • HTML: For container vulnerability assessments, use the --html flag to render the assessment results in HTML format.
  • CSV: For compliance reports and host vulnerability data, you can pass the flag --csv to switch the output to CSV format.

Environment Variables

Default configuration parameters found in the .lacework.toml may also be overridden by setting environment variables prefixed with LW_.

To override the account, api_key, and api_secret configurations:

  • Bash (macOS/Linux)

    export LW_API_KEY="<YOUR_API_KEY>"
  • PowerShell (Windows)

    $env:LW_API_KEY = '<YOUR_API_KEY>'

For org admins only, to switch to a different sub-account permanently in your current terminal:

  • Bash (macOS/Linux)

    export LW_SUBACCOUNT=business-unit
  • PowerShell (Windows)

    $env:LW_SUBACCOUNT = 'business-unit'

The following lists all environment variables that you can use to modify the operation of the Lacework CLI.

Environment Variable          | Description
LW_NOCOLOR=1                  | turn off colors
LW_NOCACHE=1                  | turn off caching
LW_DEBUG=1                    | turn on debug logging
LW_JSON=1                     | switch commands output from human-readable to JSON format
LW_NONINTERACTIVE=1           | disable interactive progress bars (i.e. spinners)
LW_UPDATES_DISABLE=1          | disable daily version checks
LW_TELEMETRY_DISABLE=1        | disable sending telemetry data
LW_PROFILE="<name>"           | switch between profiles configured at ~/.lacework.toml
LW_ACCOUNT="<account>"        | account subdomain of URL (i.e. <ACCOUNT>
LW_API_KEY="<key>"            | API access key id
LW_API_SECRET="<secret>"      | API secret access key
LW_SUBACCOUNT="<sub-account>" | sub-account name inside your organization (org admins only)