Skip to content

CLI

These docs reflect the latest PyPI release.


fidesctl

1
The parent group for the Fidesctl CLI.

Usage:

1
fidesctl [OPTIONS] COMMAND [ARGS]...

Options:

1
2
3
4
5
6
7
8
  --version               Show the version and exit.
  -f, --config-path TEXT  Path to a configuration file. Use 'fidesctl view-
                          config' to print the config. Not compatible with the
                          'fidesctl webserver' subcommand.
  --local                 Run in 'local_mode'. This mode doesn't make API
                          calls and can be used without the API
                          server/database.
  --help                  Show this message and exit.

fidesctl annotate

1
Annotate fidesctl resource types

Usage:

1
fidesctl annotate [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl annotate dataset

1
Guided flow for annotating datasets. The dataset file will be edited in-place.

Usage:

1
fidesctl annotate dataset [OPTIONS] INPUT_FILENAME

Options:

1
2
3
  -a, --all-members  Annotate all dataset members, not just fields
  -v, --validate     Strictly validate annotation inputs.
  --help             Show this message and exit.

fidesctl apply

1
2
Validate local manifest files and persist any changes via the API server.
Deprecated in favor of `fidesctl push` command.

Usage:

1
fidesctl apply [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
3
4
  --dry   Prevent the persistance of any changes.
  --diff  Include any changes between server and local resources in the
          command output
  --help  Show this message and exit.

fidesctl db

1
Database utility commands

Usage:

1
fidesctl db [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl db init

1
Initialize the Fidesctl database.

Usage:

1
fidesctl db init [OPTIONS]

Options:

1
  --help  Show this message and exit.

fidesctl db reset

1
Wipes all user-created data and resets the database back to its freshly initialized state.

Usage:

1
fidesctl db reset [OPTIONS]

Options:

1
2
  -y, --yes  Automatically responds 'yes' to any prompts.
  --help     Show this message and exit.

fidesctl delete

1
Delete a resource on the server.

Usage:

1
2
3
fidesctl delete [OPTIONS] {data_category|data_qualifier|data_subject|data_use|
                dataset|organization|policy|registry|system|evaluation}
                FIDES_KEY

Options:

1
  --help  Show this message and exit.

fidesctl evaluate

1
2
3
4
5
6
Compare your System's Privacy Declarations with your Organization's Policy Rules.

All local resources are applied to the server before evaluation.

If your policy evaluation fails, it is expected that you will need to
either adjust your Privacy Declarations, Datasets, or Policies before trying again.

Usage:

1
fidesctl evaluate [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
3
4
5
6
7
8
  -k, --fides-key TEXT  The fides_key of the single policy that you wish to
                        evaluate.
  -m, --message TEXT    A message that you can supply to describe the context
                        of this evaluation.
  -a, --audit           Raise errors if resources are missing attributes
                        required for building a data map.
  --dry                 Prevent the persistance of any changes.
  --help                Show this message and exit.

fidesctl export

1
Export fidesctl resource types

Usage:

1
fidesctl export [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl export datamap

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
Export a formatted data map to excel using the fides template.

The data map is comprised of an Organization, Systems, and Datasets.

The default organization is used, however a custom one can be
passed if required.

A custom manifest directory can be provided for the output location.

The csv flag can be used to output data as csv, while the dry
flag can be used to return data to the console instead.

Usage:

1
fidesctl export datamap [OPTIONS]

Options:

1
2
3
4
5
6
7
  -d, --output-dir TEXT  The output directory for the data map to be exported
                         to.
  -k, --org-key TEXT     The organization_fides_key you wish to export
                         resources for.
  --dry                  Prevent the persistance of any changes.
  --csv                  Export using csv format
  --help                 Show this message and exit.

fidesctl export dataset

1
Export a dataset in a data map format.

Usage:

1
fidesctl export dataset [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
  --dry   Prevent the persistance of any changes.
  --help  Show this message and exit.

fidesctl export organization

1
Export an organization in a data map format.

Usage:

1
fidesctl export organization [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
  --dry   Prevent the persistance of any changes.
  --help  Show this message and exit.

fidesctl export system

1
Export a system in a data map format.

Usage:

1
fidesctl export system [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
  --dry   Prevent the persistance of any changes.
  --help  Show this message and exit.

fidesctl generate

1
Generate fidesctl resource types

Usage:

1
fidesctl generate [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl generate dataset

1
Generate fidesctl Dataset resources

Usage:

1
fidesctl generate dataset [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.
fidesctl generate dataset db
1
2
3
4
5
6
7
Connect to a database directly via a SQLAlchemy-style connection string and
generate a dataset manifest file that consists of every schema/table/field.
Connection string can be supplied as an option or a credentials reference
to fidesctl config.

This is a one-time operation that does not track the state of the database.
It will need to be run again if the database schema changes.

Usage:

1
fidesctl generate dataset db [OPTIONS] OUTPUT_FILENAME

Options:

1
2
3
4
5
  --credentials-id TEXT     Use credentials defined within fidesctl config
  --connection-string TEXT  Use connection string option to connect to a
                            database
  --include-null            Includes attributes that would otherwise be null.
  --help                    Show this message and exit.
fidesctl generate dataset gcp
1
Generate fidesctl Dataset resources for Google Cloud Platform

Usage:

1
fidesctl generate dataset gcp [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.
fidesctl generate dataset gcp bigquery
1
2
3
4
5
6
7
Connect to a BigQuery dataset directly via a SQLAlchemy connection and
generate a dataset manifest file that consists of every schema/table/field.
A path to a google authorization keyfile can be supplied as an option, or a
credentials reference to fidesctl config.

This is a one-time operation that does not track the state of the dataset.
It will need to be run again if the dataset schema changes.

Usage:

1
fidesctl generate dataset gcp bigquery [OPTIONS] DATASET_NAME OUTPUT_FILENAME

Options:

1
2
3
4
  --credentials-id TEXT  Use credentials defined within fidesctl config
  --keyfile-path TEXT
  --include-null         Includes attributes that would otherwise be null.
  --help                 Show this message and exit.

fidesctl generate system

1
Generate fidesctl System resources

Usage:

1
fidesctl generate system [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.
fidesctl generate system aws
1
2
3
4
5
6
7
8
Connect to an aws account and generate a system manifest file that consists of every
tracked resource.
Credentials can be supplied as options, a credentials
reference to fidesctl config, or boto3 environment configuration.
Tracked resources: [Redshift, RDS, DynamoDb, S3]

This is a one-time operation that does not track the state of the aws resources.
It will need to be run again if the tracked resources change.

Usage:

1
fidesctl generate system aws [OPTIONS] OUTPUT_FILENAME

Options:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
  --credentials-id TEXT     Use credentials defined within fidesctl config
  --access_key_id TEXT      Use access key id option to connect to aws.
                            Requires options --access_key_id,
                            --secret_access_key and --region
  --secret_access_key TEXT  Use access key option to connect to aws. Requires
                            options --access_key_id, --secret_access_key and
                            --region
  --region TEXT             Use region option to connect to aws. Requires
                            options --access_key_id, --secret_access_key and
                            --region
  --include-null            Includes attributes that would otherwise be null.
  -k, --org-key TEXT        The organization_fides_key you wish to export
                            resources for.
  --help                    Show this message and exit.
fidesctl generate system okta
1
2
3
4
5
6
7
Generates systems for your Okta applications. Connect to an Okta admin
account by providing an organization url and auth token or a credentials
reference to fidesctl config. Auth token and organization url can also
be supplied by setting environment variables as defined by the okta python sdk.

This is a one-time operation that does not track the state of the okta resources.
It will need to be run again if the tracked resources change.

Usage:

1
fidesctl generate system okta [OPTIONS] OUTPUT_FILENAME

Options:

1
2
3
4
5
6
7
8
9
  --credentials-id TEXT  Use credentials defined within fidesctl config
  --org-url TEXT         Use org url option to connect to okta. Requires
                         options --org-url and --token
  --token TEXT           Use token option to connect to okta. Requires options
                         --org-url and --token
  --include-null         Includes attributes that would otherwise be null.
  -k, --org-key TEXT     The organization_fides_key you wish to export
                         resources for.
  --help                 Show this message and exit.

fidesctl get

1
View a resource from the server as a JSON object.

Usage:

1
2
fidesctl get [OPTIONS] {data_category|data_qualifier|data_subject|data_use|dat
             aset|organization|policy|registry|system|evaluation} FIDES_KEY

Options:

1
  --help  Show this message and exit.

fidesctl init

1
2
3
4
Initializes a Fidesctl instance, creating the default directory (`.fides/`) and
the configuration file (`fidesctl.toml`) if necessary.

Additionally, requests the ability to respectfully collect anonymous usage data.

Usage:

1
fidesctl init [OPTIONS] [FIDES_DIRECTORY_LOCATION]

Options:

1
  --help  Show this message and exit.

fidesctl ls

1
Get a list of all resources of this type from the server and display them as JSON.

Usage:

1
2
fidesctl ls [OPTIONS] {data_category|data_qualifier|data_subject|data_use|data
            set|organization|policy|registry|system|evaluation}

Options:

1
  --help  Show this message and exit.

fidesctl parse

1
2
3
4
Reads the resource files that are stored in MANIFESTS_DIR and its subdirectories to verify
the validity of all manifest files.

If the taxonomy is invalid, this command prints the error messages and triggers a non-zero exit code.

Usage:

1
fidesctl parse [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
  -v, --verbose  Enable verbose output.
  --help         Show this message and exit.

fidesctl pull

1
2
3
4
5
6
Update local resource files by their fides_key to match their server versions.

Alternatively, with the "--all" flag all resources from the server will be pulled
down into a local file.

The pull is aborted if there are unstaged or untracked files in the manifests dir.

Usage:

1
fidesctl pull [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
3
  -a, --all-resources TEXT  Pulls all locally missing resources from the
                            server into this file.
  --help                    Show this message and exit.

fidesctl push

1
Validate local manifest files and persist any changes via the API server.

Usage:

1
fidesctl push [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
3
4
  --dry   Prevent the persistance of any changes.
  --diff  Include any changes between server and local resources in the
          command output
  --help  Show this message and exit.

fidesctl scan

1
Scan external resource coverage against fidesctl resources

Usage:

1
fidesctl scan [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl scan dataset

1
Scan fidesctl Dataset resources

Usage:

1
fidesctl scan dataset [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.
fidesctl scan dataset db
1
2
3
4
5
6
7
8
9
Connect to a database directly via a SQLAlchemy-style connection string and
compare the database objects to existing datasets. Connection string can be
supplied as an option or a credentials reference to fidesctl config.

If there are fields within the database that aren't listed and categorized
within one of the datasets, this counts as lacking coverage.

Outputs missing fields and has a non-zero exit if coverage is
under the stated threshold.

Usage:

1
fidesctl scan dataset db [OPTIONS] [MANIFESTS_DIR]

Options:

1
2
3
4
5
6
7
  --credentials-id TEXT           Use credentials defined within fidesctl
                                  config
  --connection-string TEXT        Use connection string option to connect to a
                                  database
  -c, --coverage-threshold INTEGER RANGE
                                  [0<=x<=100]
  --help                          Show this message and exit.

fidesctl scan system

1
Scan fidesctl System resources

Usage:

1
fidesctl scan system [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.
fidesctl scan system aws
1
2
3
4
5
6
7
Connect to an aws account and compares tracked resources to existing systems.
Credentials can be supplied as options, a credentials reference to fidesctl
config, or boto3 environment configuration.
Tracked resources: [Redshift, RDS, DynamoDb, S3]

Outputs missing resources and has a non-zero exit if coverage is
under the stated threshold.

Usage:

1
fidesctl scan system aws [OPTIONS] [MANIFESTS_DIR]

Options:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
  --credentials-id TEXT           Use credentials defined within fidesctl
                                  config
  --access_key_id TEXT            Use access key id option to connect to aws.
                                  Requires options --access_key_id,
                                  --secret_access_key and --region
  --secret_access_key TEXT        Use access key option to connect to aws.
                                  Requires options --access_key_id,
                                  --secret_access_key and --region
  --region TEXT                   Use region option to connect to aws.
                                  Requires options --access_key_id,
                                  --secret_access_key and --region
  -k, --org-key TEXT              The organization_fides_key you wish to
                                  export resources for.
  -c, --coverage-threshold INTEGER RANGE
                                  [0<=x<=100]
  --help                          Show this message and exit.
fidesctl scan system okta
1
2
3
4
5
6
7
8
Scans your existing systems and compares them to found Okta applications.
Connect to an Okta admin account by providing an organization url and
auth token or a credentials reference to fidesctl config. Auth token and
organization url can also be supplied by setting environment variables
as defined by the okta python sdk.

Outputs missing resources and has a non-zero exit if coverage is
under the stated threshold.

Usage:

1
fidesctl scan system okta [OPTIONS] [MANIFESTS_DIR]

Options:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
  --credentials-id TEXT           Use credentials defined within fidesctl
                                  config
  --org-url TEXT                  Use org url option to connect to okta.
                                  Requires options --org-url and --token
  --token TEXT                    Use token option to connect to okta.
                                  Requires options --org-url and --token
  -k, --org-key TEXT              The organization_fides_key you wish to
                                  export resources for.
  -c, --coverage-threshold INTEGER RANGE
                                  [0<=x<=100]
  --help                          Show this message and exit.

fidesctl status

1
Sends a request to the Fidesctl API healthcheck endpoint and prints the response.

Usage:

1
fidesctl status [OPTIONS]

Options:

1
  --help  Show this message and exit.

fidesctl view

1
View various resources types.

Usage:

1
fidesctl view [OPTIONS] COMMAND [ARGS]...

Options:

1
  --help  Show this message and exit.

fidesctl view config

1
Prints the fidesctl configuration values.

Usage:

1
fidesctl view config [OPTIONS]

Options:

1
2
  --exclude-unset  Only print configuration values explicitly set by the user.
  --help           Show this message and exit.

fidesctl webserver

1
Starts the fidesctl API server using Uvicorn on port 8080.

Usage:

1
fidesctl webserver [OPTIONS]

Options:

1
  --help  Show this message and exit.
Back to top