--version Show the version and exit.
-f, --config-path TEXT Path to a configuration file. Use 'fidesctl view-
config' to print the config. Not compatible with the
'fidesctl webserver' subcommand.
--local Run in 'local_mode'. This mode doesn't make API
calls and can be used without the API
server/database.
--help Show this message and exit.
fidesctl annotate
1
Annotate fidesctl resource types
Usage:
1
fidesctl annotate [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl annotate dataset
1
Guided flow for annotating datasets. The dataset file will be edited in-place.
-a, --all-members Annotate all dataset members, not just fields
-v, --validate Strictly validate annotation inputs.
--help Show this message and exit.
fidesctl apply
12
Validate local manifest files and persist any changes via the API server.
Deprecated in favor of `fidesctl push` command.
Usage:
1
fidesctl apply [OPTIONS] [MANIFESTS_DIR]
Options:
1234
--dry Prevent the persistance of any changes.
--diff Include any changes between server and local resources in the
command output
--help Show this message and exit.
fidesctl db
1
Database utility commands
Usage:
1
fidesctl db [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl db init
1
Initialize the Fidesctl database.
Usage:
1
fidesctl db init [OPTIONS]
Options:
1
--help Show this message and exit.
fidesctl db reset
1
Wipes all user-created data and resets the database back to its freshly initialized state.
Usage:
1
fidesctl db reset [OPTIONS]
Options:
12
-y, --yes Automatically responds 'yes' to any prompts.
--help Show this message and exit.
Compare your System's Privacy Declarations with your Organization's Policy Rules.
All local resources are applied to the server before evaluation.
If your policy evaluation fails, it is expected that you will need to
either adjust your Privacy Declarations, Datasets, or Policies before trying again.
Usage:
1
fidesctl evaluate [OPTIONS] [MANIFESTS_DIR]
Options:
12345678
-k, --fides-key TEXT The fides_key of the single policy that you wish to
evaluate.
-m, --message TEXT A message that you can supply to describe the context
of this evaluation.
-a, --audit Raise errors if resources are missing attributes
required for building a data map.
--dry Prevent the persistance of any changes.
--help Show this message and exit.
fidesctl export
1
Export fidesctl resource types
Usage:
1
fidesctl export [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl export datamap
1 2 3 4 5 6 7 8 91011
Export a formatted data map to excel using the fides template.
The data map is comprised of an Organization, Systems, and Datasets.
The default organization is used, however a custom one can be
passed if required.
A custom manifest directory can be provided for the output location.
The csv flag can be used to output data as csv, while the dry
flag can be used to return data to the console instead.
Usage:
1
fidesctl export datamap [OPTIONS]
Options:
1234567
-d, --output-dir TEXT The output directory for the data map to be exported
to.
-k, --org-key TEXT The organization_fides_key you wish to export
resources for.
--dry Prevent the persistance of any changes.
--csv Export using csv format
--help Show this message and exit.
fidesctl export dataset
1
Export a dataset in a data map format.
Usage:
1
fidesctl export dataset [OPTIONS] [MANIFESTS_DIR]
Options:
12
--dry Prevent the persistance of any changes.
--help Show this message and exit.
Connect to a database directly via a SQLAlchemy-style connection string and
generate a dataset manifest file that consists of every schema/table/field.
Connection string can be supplied as an option or a credentials reference
to fidesctl config.
This is a one-time operation that does not track the state of the database.
It will need to be run again if the database schema changes.
Usage:
1
fidesctl generate dataset db [OPTIONS] OUTPUT_FILENAME
Options:
12345
--credentials-id TEXT Use credentials defined within fidesctl config
--connection-string TEXT Use connection string option to connect to a
database
--include-null Includes attributes that would otherwise be null.
--help Show this message and exit.
fidesctl generate dataset gcp
1
Generate fidesctl Dataset resources for Google Cloud Platform
Connect to a BigQuery dataset directly via a SQLAlchemy connection and
generate a dataset manifest file that consists of every schema/table/field.
A path to a google authorization keyfile can be supplied as an option, or a
credentials reference to fidesctl config.
This is a one-time operation that does not track the state of the dataset.
It will need to be run again if the dataset schema changes.
--credentials-id TEXT Use credentials defined within fidesctl config
--keyfile-path TEXT
--include-null Includes attributes that would otherwise be null.
--help Show this message and exit.
fidesctl generate system
1
Generate fidesctl System resources
Usage:
1
fidesctl generate system [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl generate system aws
12345678
Connect to an aws account and generate a system manifest file that consists of every
tracked resource.
Credentials can be supplied as options, a credentials
reference to fidesctl config, or boto3 environment configuration.
Tracked resources: [Redshift, RDS, DynamoDb, S3]
This is a one-time operation that does not track the state of the aws resources.
It will need to be run again if the tracked resources change.
Usage:
1
fidesctl generate system aws [OPTIONS] OUTPUT_FILENAME
Options:
1 2 3 4 5 6 7 8 91011121314
--credentials-id TEXT Use credentials defined within fidesctl config
--access_key_id TEXT Use access key id option to connect to aws.
Requires options --access_key_id,
--secret_access_key and --region
--secret_access_key TEXT Use access key option to connect to aws. Requires
options --access_key_id, --secret_access_key and
--region
--region TEXT Use region option to connect to aws. Requires
options --access_key_id, --secret_access_key and
--region
--include-null Includes attributes that would otherwise be null.
-k, --org-key TEXT The organization_fides_key you wish to export
resources for.
--help Show this message and exit.
fidesctl generate system okta
1234567
Generates systems for your Okta applications. Connect to an Okta admin
account by providing an organization url and auth token or a credentials
reference to fidesctl config. Auth token and organization url can also
be supplied by setting environment variables as defined by the okta python sdk.
This is a one-time operation that does not track the state of the okta resources.
It will need to be run again if the tracked resources change.
Usage:
1
fidesctl generate system okta [OPTIONS] OUTPUT_FILENAME
Options:
123456789
--credentials-id TEXT Use credentials defined within fidesctl config
--org-url TEXT Use org url option to connect to okta. Requires
options --org-url and --token
--token TEXT Use token option to connect to okta. Requires options
--org-url and --token
--include-null Includes attributes that would otherwise be null.
-k, --org-key TEXT The organization_fides_key you wish to export
resources for.
--help Show this message and exit.
fidesctl get
1
View a resource from the server as a JSON object.
Usage:
12
fidesctl get [OPTIONS] {data_category|data_qualifier|data_subject|data_use|dat
aset|organization|policy|registry|system|evaluation} FIDES_KEY
Options:
1
--help Show this message and exit.
fidesctl init
1234
Initializes a Fidesctl instance, creating the default directory (`.fides/`) and
the configuration file (`fidesctl.toml`) if necessary.
Additionally, requests the ability to respectfully collect anonymous usage data.
Get a list of all resources of this type from the server and display them as JSON.
Usage:
12
fidesctl ls [OPTIONS] {data_category|data_qualifier|data_subject|data_use|data
set|organization|policy|registry|system|evaluation}
Options:
1
--help Show this message and exit.
fidesctl parse
1234
Reads the resource files that are stored in MANIFESTS_DIR and its subdirectories to verify
the validity of all manifest files.
If the taxonomy is invalid, this command prints the error messages and triggers a non-zero exit code.
Usage:
1
fidesctl parse [OPTIONS] [MANIFESTS_DIR]
Options:
12
-v, --verbose Enable verbose output.
--help Show this message and exit.
fidesctl pull
123456
Update local resource files by their fides_key to match their server versions.
Alternatively, with the "--all" flag all resources from the server will be pulled
down into a local file.
The pull is aborted if there are unstaged or untracked files in the manifests dir.
Usage:
1
fidesctl pull [OPTIONS] [MANIFESTS_DIR]
Options:
123
-a, --all-resources TEXT Pulls all locally missing resources from the
server into this file.
--help Show this message and exit.
fidesctl push
1
Validate local manifest files and persist any changes via the API server.
Usage:
1
fidesctl push [OPTIONS] [MANIFESTS_DIR]
Options:
1234
--dry Prevent the persistance of any changes.
--diff Include any changes between server and local resources in the
command output
--help Show this message and exit.
fidesctl scan
1
Scan external resource coverage against fidesctl resources
Usage:
1
fidesctl scan [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl scan dataset
1
Scan fidesctl Dataset resources
Usage:
1
fidesctl scan dataset [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl scan dataset db
123456789
Connect to a database directly via a SQLAlchemy-style connection string and
compare the database objects to existing datasets. Connection string can be
supplied as an option or a credentials reference to fidesctl config.
If there are fields within the database that aren't listed and categorized
within one of the datasets, this counts as lacking coverage.
Outputs missing fields and has a non-zero exit if coverage is
under the stated threshold.
Usage:
1
fidesctl scan dataset db [OPTIONS] [MANIFESTS_DIR]
Options:
1234567
--credentials-id TEXT Use credentials defined within fidesctl
config
--connection-string TEXT Use connection string option to connect to a
database
-c, --coverage-threshold INTEGER RANGE
[0<=x<=100]
--help Show this message and exit.
fidesctl scan system
1
Scan fidesctl System resources
Usage:
1
fidesctl scan system [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl scan system aws
1234567
Connect to an aws account and compares tracked resources to existing systems.
Credentials can be supplied as options, a credentials reference to fidesctl
config, or boto3 environment configuration.
Tracked resources: [Redshift, RDS, DynamoDb, S3]
Outputs missing resources and has a non-zero exit if coverage is
under the stated threshold.
Usage:
1
fidesctl scan system aws [OPTIONS] [MANIFESTS_DIR]
Options:
1 2 3 4 5 6 7 8 910111213141516
--credentials-id TEXT Use credentials defined within fidesctl
config
--access_key_id TEXT Use access key id option to connect to aws.
Requires options --access_key_id,
--secret_access_key and --region
--secret_access_key TEXT Use access key option to connect to aws.
Requires options --access_key_id,
--secret_access_key and --region
--region TEXT Use region option to connect to aws.
Requires options --access_key_id,
--secret_access_key and --region
-k, --org-key TEXT The organization_fides_key you wish to
export resources for.
-c, --coverage-threshold INTEGER RANGE
[0<=x<=100]
--help Show this message and exit.
fidesctl scan system okta
12345678
Scans your existing systems and compares them to found Okta applications.
Connect to an Okta admin account by providing an organization url and
auth token or a credentials reference to fidesctl config. Auth token and
organization url can also be supplied by setting environment variables
as defined by the okta python sdk.
Outputs missing resources and has a non-zero exit if coverage is
under the stated threshold.
Usage:
1
fidesctl scan system okta [OPTIONS] [MANIFESTS_DIR]
Options:
1 2 3 4 5 6 7 8 91011
--credentials-id TEXT Use credentials defined within fidesctl
config
--org-url TEXT Use org url option to connect to okta.
Requires options --org-url and --token
--token TEXT Use token option to connect to okta.
Requires options --org-url and --token
-k, --org-key TEXT The organization_fides_key you wish to
export resources for.
-c, --coverage-threshold INTEGER RANGE
[0<=x<=100]
--help Show this message and exit.
fidesctl status
1
Sends a request to the Fidesctl API healthcheck endpoint and prints the response.
Usage:
1
fidesctl status [OPTIONS]
Options:
1
--help Show this message and exit.
fidesctl view
1
View various resources types.
Usage:
1
fidesctl view [OPTIONS] COMMAND [ARGS]...
Options:
1
--help Show this message and exit.
fidesctl view config
1
Prints the fidesctl configuration values.
Usage:
1
fidesctl view config [OPTIONS]
Options:
12
--exclude-unset Only print configuration values explicitly set by the user.
--help Show this message and exit.
fidesctl webserver
1
Starts the fidesctl API server using Uvicorn on port 8080.