Get Started with the Lacework CLI
The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.
Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.
Install the Lacework CLI
Bash (macOS/Linux)
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
PowerShell (Windows)
- Open a PowerShell terminal and run the following command:
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))
The Lacework CLI is installed at C:\ProgramData\Lacework\lacework.exe and the system PATH environment variable is updated to include the Lacework CLI.
- Open a new PowerShell terminal to read the updated system PATH and use the Lacework CLI.
Homebrew (macOS/Linux)
brew install lacework/tap/lacework-cli
For more details, see the Lacework Homebrew Tap.
Chocolatey (Windows)
choco install lacework-cli
For more details, see the Lacework CLI Chocolatey package.
Create API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys and Tokens.
- Log in to the Lacework Console.
- Click Settings > API keys.
- Click Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key contain a keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the CLI
Use the lacework configure command to configure the Lacework CLI with the API Key downloaded from the previous step.
lacework configure -j /path/to/key.json
Example output:
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.
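The profile file stores api_secret in plaintext (see the [default] profile shown under Organizational Accounts), and the downloaded key file holds the same secret, so both should be accessible to their owner only. The following is an added example, not part of the Lacework documentation or CLI, that audits those file modes; the function names and the FIX variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit file modes of Lacework CLI credential files.
# Function names and the FIX variable are this example's own, not CLI features.

# Print the octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# 0 = no group/other access, 1 = too permissive, 2 = not a regular file.
is_owner_only() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1") || return 2
    # Mask out everything except the group and other permission bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report each path; with FIX=1, tighten permissive files to 0600.
# Returns 1 if any file is still accessible to group or others.
audit_creds() {
    rc=0
    for f in "$@"; do
        st=0
        is_owner_only "$f" || st=$?
        case $st in
            0) echo "ok       $f" ;;
            2) echo "missing  $f" ;;
            *) if [ "${FIX:-0}" = 1 ] && chmod 600 "$f"; then
                   echo "fixed    $f"
               else
                   echo "exposed  $f (mode $(file_mode "$f"))"
                   rc=1
               fi ;;
        esac
    done
    return $rc
}

# Check the profile file named on this page; pass key file paths as arguments.
audit_creds "${HOME:-.}/.lacework.toml" "$@" || echo "tighten with: chmod 600 <file>"
```

Run it with the path of the downloaded key file as an argument to check that file as well.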
Enable Command Autocomplete
You can work faster and get help remembering commands by enabling command autocomplete for the Lacework CLI for your shell environment.
With autocomplete enabled, you can quickly complete CLI commands you have started to type by hitting the tab key. If there is more than one way to complete a command, hit the tab key twice to view all options.
The Lacework CLI supports several shell environments, including bash, powershell, and zsh.
To use autocomplete in a supported shell, you first need to enable it by running the autocomplete script. To see supported shell environments, run the following command:
lacework completion
For example, to enable completion in your current bash shell session, run the following command:
source <(lacework completion bash)
For complete instructions for bash and other supported environments, see the following topics:
lacework completion bash
lacework completion fish
lacework completion powershell
lacework completion zsh
For general information on the Lacework CLI command autocomplete feature, see lacework completion.
Multiple Profiles
You can add additional profiles that you can refer to with a name by specifying the --profile flag. The following example creates a profile named prod.
lacework configure --profile prod -j /path/to/key.json
Example output:
Account: prod.example
Access Key ID: PROD_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
Then, when you run a command, you can specify --profile prod and use the credentials and settings stored under that name.
lacework agent list --profile prod
If there is no --profile flag, the Lacework CLI defaults to the default profile.
To list all available profiles configured on the workstation, use:
lacework configure list
Example output:
PROFILE | ACCOUNT | API KEY | API SECRET
--------------+---------------+----------------------------------------------------------+------------------------------------
prod | prod-account | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
qa1 | qa1-account | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
qa2 | qa2-account | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
> default | dev-account | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1
Switch Profiles
To switch between profiles configured in the config file $HOME/.lacework.toml, use the following command:
lacework configure switch-profile <profile>
This is a global configuration for the Lacework CLI, which means that any new terminal continues to use the selected profile.
To switch back to the default profile:
lacework configure use default
The command lacework configure use is an alias to the switch-profile sub-command.
Alternatively, to switch to a different profile temporarily in your current terminal, export the environment variable LW_PROFILE=your-profile.
Organizational Accounts
An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.
To enroll your account in an organization, see Organization Enrollment Process.
Use the global flag --subaccount to switch to a different account inside your organizational account.
For example, having a default profile that has access to your primary account named my-company:
[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2
To access your sub-account named business-unit, pass the flag --subaccount business-unit to any command.
There are two ways to set a sub-account persistently:
- Export the environment variable LW_SUBACCOUNT="<YOUR_SUBACCOUNT>". This only makes the sub-account configuration persist for the active terminal.
- Reconfigure your profile with the command lacework configure. This command prompts you to select any sub-account that you have access to in your organizational account.
To list all accounts in your organization:
lacework account list
Output Formats
The Lacework CLI supports the following output formats:
- Human-readable: Default output that presents the information in a "human-readable" or "human-friendly" format, which is much easier to read, but not as useful for automation purposes.
- JSON: To switch the output of any command to be formatted as a JSON string, add the flag --json.
Some commands have additional formats available:
- PDF: For compliance reports, it is possible to download a report in PDF format by adding the flag --pdf.
- HTML: For container vulnerability assessments, use the --html flag to render the assessment results in HTML format.
- CSV: For compliance reports and host vulnerability data, you can pass the flag --csv to switch the output to CSV format.
Environment Variables
Default configuration parameters found in the .lacework.toml file may also be overridden by setting environment variables prefixed with LW_.
To override the account, api_key, and api_secret configurations:
Bash (macOS/Linux)
export LW_ACCOUNT="<YOUR_ACCOUNT>"
export LW_API_KEY="<YOUR_API_KEY>"
export LW_API_SECRET="<YOUR_API_SECRET>"
PowerShell (Windows)
$env:LW_ACCOUNT = '<YOUR_ACCOUNT>'
$env:LW_API_KEY = '<YOUR_API_KEY>'
$env:LW_API_SECRET = '<YOUR_API_SECRET>'
For org admins only, to switch to a different sub-account permanently in your current terminal:
Bash (macOS/Linux)
export LW_SUBACCOUNT=business-unit
PowerShell (Windows)
$env:LW_SUBACCOUNT = 'business-unit'
The following lists all environment variables that you can use to modify the operation of the Lacework CLI.
Environment Variable | Description |
---|---|
LW_NOCOLOR=1 | turn off colors |
LW_NOCACHE=1 | turn off caching |
LW_DEBUG=1 | turn on debug logging |
LW_JSON=1 | switch commands output from human-readable to JSON format |
LW_NONINTERACTIVE=1 | disable interactive progress bars (i.e. spinners) |
LW_UPDATES_DISABLE=1 | disable daily version checks |
LW_TELEMETRY_DISABLE=1 | disable sending telemetry data |
LW_PROFILE="<name>" | switch between profiles configured at ~/.lacework.toml |
LW_ACCOUNT="<account>" | account subdomain of URL (i.e. <ACCOUNT>.lacework.net ) |
LW_API_KEY="<key>" | API access key id |
LW_API_SECRET="<secret>" | API secret access key |
LW_SUBACCOUNT="<sub-account>" | sub-account name inside your organization (org admins only) |
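For an automation job, the account, api_key, and api_secret overrides described above can be taken from the downloaded key file and scoped to a single command. The following is an added example, not from the Lacework documentation; the function names are this example's own, the sample key is constructed from the sample values on this page, and stripping .lacework.net from account follows the table's description of LW_ACCOUNT as the account subdomain.

```shell
#!/bin/sh
# Added example: scope Lacework API credentials to one command via LW_* variables.

# Extract a string field from the flat key file format shown on this page.
# Assumption: one-level JSON, plain string values without escaped quotes.
key_field() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Map keyId/secret/account from the key file onto the documented variables.
lw_env_from_key() {
    [ -r "$1" ] || return 1
    key_id=$(key_field "$1" keyId)
    secret=$(key_field "$1" secret)
    account=$(key_field "$1" account)
    [ -n "$key_id" ] && [ -n "$secret" ] && [ -n "$account" ] || return 1
    # LW_ACCOUNT is the account subdomain, so drop the .lacework.net suffix.
    LW_ACCOUNT=${account%.lacework.net}
    LW_API_KEY=$key_id
    LW_API_SECRET=$secret
    export LW_ACCOUNT LW_API_KEY LW_API_SECRET
}

# Run a command with the credentials set only inside a subshell, so they do
# not remain in the calling shell's environment afterwards.
with_lw_key() {
    keyfile=$1
    shift
    ( lw_env_from_key "$keyfile" && "$@" )
}

# Constructed sample key file (values copied from the sample on this page).
demo_key=$(mktemp)
cat > "$demo_key" <<'EOF'
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
EOF
# Replace the `sh -c` stand-in with a real call such as: lacework agent list
with_lw_key "$demo_key" sh -c 'echo "account=$LW_ACCOUNT key=$LW_API_KEY"'
rm -f "$demo_key"
```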