Get Started with the Lacework CLI
The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.
Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.
Install the Lacework CLI
Bash (macOS/Linux)
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
Powershell (Windows)
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))
Homebrew (macOS/Linux)
brew install lacework/tap/lacework-cli
For more details, see the Lacework Homebrew Tap.
Chocolatey (Windows):
choco install lacework-cli
For more details, see the Lacework CLI Chocolatey package.
Create API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys and Tokens.
- Log in to the Lacework Console.
- Click Settings > API keys.
- Click Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key contain a keyId secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the CLI
Use the lacework configure command to configure the Lacework CLI with the API Key downloaded from the previous step.
lacework configure -j /path/to/key.json
Example output:
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory
($HOME/.lacework.toml) with a single profile named default.
Multiple Profiles
You can add additional profiles that you can refer to with a name by specifying the --profile flag. The following
example creates a profile named prod.
lacework configure --profile prod -j /path/to/key.json
Example output:
Account: prod.example
Access Key ID: PROD_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
Then, when you run a command, you can specify a --profile prod and use the credentials and settings stored under that
name.
lacework agent list --profile prod
If there is no --profile flag, the Lacework CLI defaults to the default profile.
To list all available profiles configured in the workstation use:
lacework configure list
Example output:
PROFILE | ACCOUNT | API KEY | API SECRET
--------------+---------------+----------------------------------------------------------+------------------------------------
prod | prod-account | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
qa1 | qa1-account | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
qa2 | qa2-account | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
> default | dev-account | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1
Switch Profiles
To switch between profiles configured into the config file $HOME/.lacework.toml, use the command.
lacework configure switch-profile <profile>
important
This is a global configuration for the Lacework CLI, which means that any new terminal continues to use the selected profile.
To switch back to the default profile.
lacework configure use default
The command lacework configure use is an alias to the switch-profile sub-command.
An alternative to temporarily switching to a different profile in your current terminal is to export the environment
variable LW_PROFILE=your-profile
Organizational Accounts
An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.
note
To enroll your account in an organization, see Organization Enrollment Process.
Use the global flag --subaccount to switch to a different account inside your organizational account.
For example, having a default profile that has access to your primary
account named my-company:
[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2
To access your sub-account named business-unit, pass the flag --subaccount business-unit to any command.
There are two ways to set a sub-account persistently:
- Export the environment variable
LW_SUBACCOUNT="<YOUR_SUBACCOUNT>". This only makes the sub-account configuration persist for the active terminal. - Reconfigure your profile with the command
lacework configure. This command prompts you to select any sub-account that you have access to in your organizational account.
To list all accounts in your organization:
lacework account list
Output Formats
The Lacework CLI supports the following output formats:
- Human-readable: Default output that presents the information in a "human-readable" or "human-friendly" format, which is much easier to read, but not as useful for automation purposes.
- JSON: To switch the output of any command to be formatted as a JSON string, add the flag
--json.
Some commands that have additional formats available:
- PDF: For compliance reports, it is possible to download a report in PDF format by adding the flag
--pdf. - HTML: For container vulnerability assessments, use the
--htmlflag to render the assessment results in HTML format. - CSV: For compliance reports and host vulnerability data, you can pass the flag
--csvto switch the output to CSV format.
Environment Variables
Default configuration parameters found in the .lacework.toml may also be overridden by setting environment variables
prefixed with LW_.
To override the account, api_key, and api_secret configurations:
Bash (macOS/Linux)
export LW_ACCOUNT="<YOUR_ACCOUNT>"
export LW_API_KEY="<YOUR_API_KEY>"
export LW_API_SECRET="<YOUR_API_SECRET>"Powershell (Windows)
$env:LW_ACCOUNT = '<YOUR_ACCOUNT>'
$env:LW_API_KEY = '<YOUR_API_KEY>'
$env:LW_API_SECRET = '<YOUR_API_SECRET>'
For org admins only, to switch to a different sub-account permanently in your current terminal:
Bash (macOS/Linux)
export LW_SUBACCOUNT=business-unitPowershell (Windows)
$env:LW_SUBACCOUNT = 'business-unit'
The following lists all environment variables that you can use to modify the operation of the Lacework CLI.
| Environment Variable | Description |
|---|---|
LW_NOCOLOR=1 | turn off colors |
LW_NOCACHE=1 | turn off caching |
LW_DEBUG=1 | turn on debug logging |
LW_JSON=1 | switch commands output from human-readable to JSON format |
LW_NONINTERACTIVE=1 | disable interactive progress bars (i.e. spinners) |
LW_UPDATES_DISABLE=1 | disable daily version checks |
LW_TELEMETRY_DISABLE=1 | disable sending telemetry data |
LW_PROFILE="<name>" | switch between profiles configured at ~/.lacework.toml |
LW_ACCOUNT="<account>" | account subdomain of URL (i.e. <ACCOUNT>.lacework.net) |
LW_API_KEY="<key>" | API access key id |
LW_API_SECRET="<secret>" | API secret access key |
LW_SUBACCOUNT="<sub-account>" | sub-account name inside your organization (org admins only) |