Skip to main content

Get Started

The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.

Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.


Bash (macOS/Linux)

curl | bash

Powershell (Windows)

Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString(''))

Homebrew (macOS/Linux)

brew install lacework/tap/lacework-cli

For more details, see Lacework Homebrew Tap.

Create API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework console. Generate API Key

  1. Log in to the Lacework Console.
  2. Click Settings > API Keys.
  4. Give the API key a Name and optional Description.
  5. Click SAVE.
  6. Click DOWNLOAD to save the API Key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": ""

Configure the CLI

Use the lacework configure command to configure the CLI with the API Key downloaded from the previous step.

lacework configure -j /path/to/key.json

Example output:

Account: example
Secret Access Key: **********************************

You are all set!

The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.

Multiple Profiles

You can add additional profiles that you can refer to with a name by specifying the --profile option. The following example creates a profile named prod.

lacework configure --profile prod -j /path/to/key.json

Example output:

Account: prod.example
Secret Access Key: **********************************

You are all set!

Then, when you run a command, you can specify a --profile prod and use the credentials and settings stored under that name.

lacework integration list --profile prod

If there is no --profile option, the CLI will default to the default profile.

To list all available profiles configured in the workstation use:

lacework configure list

Example output:

    PROFILE   |    ACCOUNT    |                         API KEY                          |            API SECRET
prod | prod-account | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
qa1 | qa1-account | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
qa2 | qa2-account | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
> default | dev-account | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1