Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
This page details the immuta
command, its subcommands and arguments, and the workflow for cloning a tenant and using the Immuta API.
immuta
This command allows you to manage your Immuta tenant by creating data sources, projects, policies, and purposes. The table below illustrates the immuta
subcommands and arguments.
Subcommands | Description | Argument(s) |
---|---|---|
To view a list of the commands available in your current Immuta CLI version, run immuta
with no additional arguments.
Options you can specify with the immuta
command include
--config string
: Specify the configuration file name and where it will be saved. (The default is $HOME/.immutacfg.yaml
.)
-h
or --help
: Get more information about the command.
-p
or --profile string
: Specify the profile for what tenant or API the CLI will use.
immuta clone
You need the GOVERNANCE
permission in Immuta to run this command.
If you have an Immuta tenant that was set up without using the API, you can use the immuta clone
command to save all your data sources, projects, policies, and purposes as payloads:
This command will create valid V2 API YAML files for all your data sources, projects, policies, and purposes. Within these files, database passwords and user files (such as a BigQuery auth file) will be removed; instead passwords will appear as {{EnvVar "dbPass"}}
. The CLI will then read the environment variable dbPass
to fill in the password if you use the cloned payload to create or update a data source. File contents will appear as {{ReadFile "<filePath>"}}
, and then the CLI will read the file at the path and replace the value when commands are run.
--force
: Overwrite existing output directory targets. If this flag is omitted, you will receive an error when the output directory exists and is not empty.
-h
or --help
: Get details about the command.
Tags for data sources and projects are not returned.
Data sources will not have the sources
field, so if these payloads are used in create
commands, all possible tables will be created as data sources.
immuta api
This command makes an authenticated HTTP(s) request to the Immuta API and prints the response. The default HTTP request method is GET
, but POST
is used if any parameters were added. You can override the method with --method
:
-b
, --body string
: Unmodified string to be sent as payload body.
-d
, --data key=value
: Add a typed parameter in key=value
format. The --data
flag behaves like --raw-data
, with type conversion based on the format of the value. Literal values, true
, false
, null
, and integers are converted to appropriate JSON types. This will be sent in as the request payload.
--data-raw key=value
: Add a string parameter in key=value
format. The --data
flag behaves like --raw-data
, with type conversion based on the format of the value. Literal values, true
, false
, null
, and integers are converted to appropriate JSON types. This will be sent in as the request payload.
-H
, --header key:value
: Add an HTTP request header in key:value
format.
-h
, --help
: Get details about the command.
--input <filepath>
: A raw request body may be passed from the outside via the file specified to use as body for the HTTP request. Pass in '-' for standard input.
-X
, --method string
: The HTTP method for the request (default GET
).
-P
, --path-param key=value
: Add a string parameter in key=value format. Will replace {key}
in the url with value
.
-q
, --query key=value
: Add a string parameter in key=value format. The key value pairs are serialized into URL query parameters.
-t
, --outputTemplate string
: Format the response using a Go template. The provided Go template is rendered using the JSON data as input. For the syntax of Go templates, see this document.
The documentation below provides descriptions and examples of immuta api
options.
Make an authenticated Immuta API request.
endpoint
Clone all data sources, projects, purposes, and policies information into files.
directory path
Generate shell completion scripts for Immuta CLI commands.
bash
, zsh
, fish
, or powershell
Specify an Immuta tenant URL and API Key to be saved to the Immuta configuration file.
instance url
and Immuta API key
Manage data sources.
list
, delete
, rename
, and save
Manage Global Policies.
list
, delete
, rename
, and save
Manage projects.
list
, delete
, rename
, and save
Manage purposes.
list
, delete
, and save
version
The version of the Immuta CLI.
n/a
The Immuta CLI allows users to interact with their Immuta tenant using the command line to manage data sources, projects, policies, and purposes. This feature allows you to have all of your Immuta tenant information in a Git repository and use the CLI to sync your Immuta tenant with the files in your Git repository. To install the Immuta CLI, follow this installation guide.
You can navigate this section of documentation in two different ways: by workflow or by command.
The navigation in the left pane is organized by major workflows you would use in Immuta. Each workflow contains relevant commands. Follow this chronological outline to find commands relevant to your workflow.
Below is a list of major commands available in the Immuta CLI. Click a command to navigate to its corresponding page that details subcommands, options, and arguments.
immuta
: Interact with your Immuta tenant to create data sources, projects, policies, and purposes.
immuta api
: Make an authenticated Immuta API request. This command will let you hit any endpoint in the Immuta API, including version 1 endpoints. For example, immuta api /tag
will hit the v1 endpoint to list tags. This allows you to use the immuta api
command instead of something like Postman or cURL to interact with the V1 API.
immuta clone
: Clone all data sources, projects, purposes, and policies information into files.
immuta completion
: Generate shell completion scripts.
immuta configure
: Specify an Immuta tenant url and API key to be saved to the Immuta configuration file.
immuta datasource
: Manage data sources.
immuta policy
: Manage Global Policies.
immuta project
: Manage projects.
immuta purpose
: Manage purposes.
This page details how to install the Immuta CLI and tab completions.
macOS CLI Binary Warning: When installing the macOS CLI binary, macOS displays the warning "could not verify that this app is free from malware" when the binary is run. Navigate to the Security & Privacy section in your System Preferences to allow the binary to be run.
Download the binary that corresponds to your operating system.
The latest stable binaries can be found here:
Linux x86_64 (amd64)
Linux ARMv8 (arm64)
The latest stable binaries can be found here:
Darwin x86_64 (amd64)
Darwin ARMv8 (arm64)
The latest stable binary can be found here: https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_windows_amd64.
Download and add the binary to a directory in your system's $PATH as immuta.exe
.
The SHA 256 checksum is available to verify the file at https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_SHA256SUMS.
Run immuta configure
.
Enter the URL of your Immuta tenant in the interactive prompt.
Enter your Immuta API Key in the interactive prompt:
Below is the configuration file that will be saved at ~/.immutacfg.yaml
:
To generate shell completion scripts for Immuta CLI commands, run immuta completion [bash|zsh|fish|powershell]
. You can opt to specify -h
or --help
for instructions on installing tab completions for Bash, Zsh, Fish, and PowerShell commands and flags.
Use the tabs below for specific instructions for each of these shells.
Install bash-completion https://github.com/scop/bash-completion.
Add this to your ~/.bash_profile
:
Generate an _immuta
completion script and save it in your $fpath
:
Ensure that the following is present in your ~/.zshrc
:
Generate an immuta.fish
completion script:
Run immuta completion powershell | Out-String | Invoke-Expression
.
To load completions for every new session, run
Source this immuta.ps1
from your PowerShell profile.
The exact configuration file locations might vary based on your system. Make sure to restart your shell before you test whether completions are working.
In previous documentation, rule is referred to as classifier or identifier and framework is referred to as template.
immuta sdd
This command allows you to customize and run SDD in your instance of Immuta. The table below illustrates subcommands and arguments.
Subcommands | Description |
---|---|
Use these options to get more details about the sdd
command or any of its subcommands:
-h
--help
Two common workflows for using SDD are outlined below. The first illustrates how to apply a global framework to all data sources, while the second outlines how users can create and apply frameworks to data sources they own.
The tutorials linked below show how to use the CLI to complete this workflow. For an overview of how sensitive data discovery works, see this overview.
Data governor creates a framework using one or more rules.
Data governor creates one or more rules with patterns.
Data owner triggers SDD on one or more data sources and resulting tags are applied to columns where criteria were met and patterns were recognized.
This page details the immuta datasource
command, its subcommands and arguments, and the workflow for creating, renaming, and deleting data sources.
immuta datasource
This command allows you to list, save, delete, and rename data sources in your instance of Immuta. The table below illustrates subcommands and arguments.
Subcommands | Description | Argument(s) |
---|---|---|
Use these options to get more details about the datasource
command or any of its subcommands:
-h
--help
immuta datasource save
Add your remote database's connection information in a valid YAML file for the V2 API. Additional payload examples for creating data sources can be found here:
Run immuta datasource save <filepath> [--wait int] [--dryRun]
, referencing the file you just created. The options you can specify include
-d
or --dryRun
: No updates will actually be made to the data source(s).
-h
or --help
: Get more information about the command.
-w
or --wait int
: Specify how long to wait for data source creation.
The following example illustrates a user saving an updated datasourceInfo.yaml
file, first as a dry run and then by specifying that the data sources wait 5 seconds to be created.
immuta datasource rename
Run immuta datasource list keys
to view a list of data source connection keys. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
To rename one of your data source connection keys, run immuta datasource rename <old connection key> <new connection key>
. You can include the -h
or --help
options to get more information about this command.
The following example illustrates a user renaming a data source connection key to demonstration
.
immuta datasource delete
This command will delete all data sources for the connection key you specify.
Run immuta datasource list keys
to view a list of data source connection keys. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Opt to view a list of the data sources in this connection key by running immuta datasource list sources <connection key>
.
Run immuta datasource delete <connection key> [--dryRun]
to delete all of these data sources. Options you can specify include
-d
or --dryRun
: No updates will actually be made.
-h
or --help
: Get more information about the command.
The following example illustrates a user deleting the demonstration
connection key and all its data sources.
In previous documentation, rule is referred to as classifier or identifier and framework is referred to as template.
Sensitive data discovery must be enabled.
immuta sdd template
This command allows you to manage identification frameworks, which are a collection of rules and settings used to drive the configuration of SDD runs. The table below illustrates subcommands and arguments.
Subcommands | Aliases | Description |
---|---|---|
Use these options to get more details about the sdd template
command or any of its subcommands:
-h
--help
Save your framework to a valid YAML or JSON file using these attributes:
An example is provided below.
Run immuta sdd template create <filepath> [flags]
, referencing the file you just created. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
Run immuta sdd template get <frameworkName> [flags]
, specifying the name of the framework you would like to get. Options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
The example below illustrates a user getting a framework named ACCOUNT_NUMBERS_FRAMEWORK.
Run immuta sdd template global [flags]
, to get the global framework that has been configured for sensitive data discovery. Options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
The example below illustrates a user getting the global framework that had been configured in the Immuta UI by an administrator.
Run immuta sdd template search [string] [flags]
to list all identification frameworks or search identification frameworks by name. Options you can specify include
--classifiers strings
: Limit results to only frameworks that contain the specified rules.
-h
, --help
: Help for search.
--limit int
The search limit for pagination (default 25).
--offset int
: The search offset for pagination.
--order asc | desc
: The sort order.
-o
, --output json | yaml
: The output format.
--outputTemplate string
: Format the response using a Go template.
-s
, --sort id | name | displayName | type | createdAt | updatedAt
: Field to sort by.
The example below illustrates a user searching all frameworks containing the ACCOUNT_NUMBER_RULE
.
Update your framework in a valid YAML or JSON file using these attributes:
Run immuta sdd template update <frameworkName> <filepath> [flags]
, referencing the file you just updated. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
The example below illustrates a user updating a framework named ACCOUNT_NUMBERS_FRAMEWORK.
Run immuta sdd template delete <frameworkName> [flags]
to delete the framework. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
In previous documentation, rule is referred to as classifier or identifier and framework is referred to as template.
Sensitive data discovery must be enabled.
immuta sdd classifier
This command allows you to manage rules that will apply tags to data that matches patterns you specify during SDD. The table below illustrates subcommands and arguments.
Subcommands | Aliases | Description |
---|---|---|
Use these options to get more details about the sdd classifier
command or any of its subcommands:
-h
--help
Save your rule to a valid YAML or JSON file using these attributes.
Examples are provided below.
Run immuta sdd classifier create <filepath> [flags]
, referencing the file you just created. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
Run immuta sdd classifier get <classifierName> [flags]
, specifying the name of the rule you would like to get. Options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
The example below illustrates a user getting a rule called ACCOUNT_NUMBER_RULE.
Run immuta sdd classifier search [string] [flags]
to list all rules or search rules by name. Options you can specify include
-h
, --help
: Help for search.
--limit int
The search limit for pagination (default 25).
--offset int
: The search offset for pagination.
--order asc | desc
: The sort order.
-o
, --output json | yaml
: The output format.
--outputTemplate string
: Format the response using a Go template.
-s
, --sort id | name | displayName | type | createdAt | updatedAt
: Field to sort by.
--type regex | columnNameRegex | dictionary | builtIn
: Limit results to the specified pattern type.
The example below illustrates a user searching all rules containing account
.
Update your rule in a valid YAML or JSON file using these attributes:
Run immuta sdd classifier update <classifierName> <filepath> [flags]
, referencing the file you just updated. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
The example below illustrates a user updating a rule named ACCOUNT_NUMBER_RULE.
Run immuta sdd classifier delete <classifierName> [flags]
to delete the rule. The options you can specify include
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
.
immuta sdd run
This command allows you to run SDD on specific data sources or all data sources in your instance of Immuta.
Use these options to get more details about the sdd run
command or any of its subcommands:
-h
--help
Run immuta sdd run <dataSourceName> [flags]
, naming the data source you want to run SDD on. The options you can specify include
-d
, --dryRun
: No updates will actually be made.
-f
, --force
: Do not prompt for confirmation when attempting to run SDD on all data sources.
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
-t
, --outputTemplate string
: Run SDD with this framework. This flag can only be used with the dryRun
flag.
-w
, --wait int
: The number of seconds to wait for the SDD job(s) to finish. Default is until the SDD job(s) finish (default -1).
The example below illustrates a user running SDD on a single data source.
Run immuta sdd run
. The options you can specify include
-d
, --dryRun
: No updates will actually be made.
-f
, --force
: Do not prompt for confirmation when attempting to run SDD on all data sources.
-h
or --help
: Get more information about the command.
-o
or --output json | yaml
: Specify the output format.
--outputTemplate string
: Format the response using a Go template.
-t
, --outputTemplate string
: Run SDD with this framework. This flag can only be used with the dryRun
flag.
-w
, --wait int
: The number of seconds to wait for the SDD job(s) to finish. Default is until the SDD job(s) finish (default -1).
Confirm that you want to run SDD on all data sources.
This page details the immuta project
command, its subcommands and arguments, and the workflow for creating, renaming, and deleting projects.
immuta project
This command allows you to list, save, delete, and rename projects in your instance of Immuta. The table below illustrates subcommands and arguments.
Subcommands | Description | Argument(s) |
---|
Use these options to get more details about the project
command or any of its subcommands:
-h
--help
immuta project save
Run immuta project save <filepath> [--dryRun] [--deleteWorkSpaceDataSources]
, referencing the file you just created. The options you can specify include
--deleteWorkSpaceDataSources
: Delete all data and the data sources associated with a project workspace when the workspace is deleted.
-d
or --dryRun
: No updates will be made.
-h
or --help
: Get more information about the command.
The example below illustrates a user listing all projects and then creating the project demo project
.
immuta project rename
Opt to list all project keys to identify which project you would like to rename by running immuta project list
. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Rename the project key by running immuta project rename <old project key> <new project key>
, enclosing the name of the project key in quotation marks. Options you can specify to get more information about this command include -h
or --help
.
The example below illustrates a user renaming the demo project
project key to data analytics team
.
immuta project delete
Opt to list all project keys to determine which project key you would like to delete by running immuta project list
. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Delete a project key by running immuta project delete <project key> [--dryRun] [--hardDelete
, enclosing the project key in quotation marks. Options you can specify include
-d
or --dryRun
: No updates will be made.
--hardDelete
: If this is set, it will delete everything related to the project in Immuta. If not set, it will only disable the project.
-h
or --help
: Get more information about the command.
The example below illustrates a user first disabling and then deleting the project Data Analytics Team
.
This page details the immuta policy
command, its subcommands and arguments, and the workflow for creating, renaming, cloning, and deleting Global Policies.
immuta policy
This command allows you to list, save, delete, and rename Global Policies in your instance of Immuta. The table below illustrates subcommands and arguments.
Subcommands | Description | Argument(s) |
---|
Use these options to get more details about the policy
command or any of its subcommands:
-h
--help
immuta policy save
Add your policy information in a valid YAML file for the V2 API. Additional payload examples for creating policies can :
Run immuta policy save <filepath> [--dryRun] [--reCertify]
, referencing the file you just created. The options you can specify include
-d
or --dryRun
: No updates will actually be made.
-h
or --help
: Get more information about the command.
--reCertify
: If the certification has changed, someone will need to re-certify this policy on all impacted data sources.
The example below illustrates a user listing all policies and then creating a policy called data conditional masking
.
immuta policy rename
Opt to list all policy keys to identify which policy you would like to rename by running immuta policy list
. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Rename the policy key by running immuta policy rename <old policy key> <new policy key>
, enclosing the name of the policy key in quotation marks. Options you can specify to get more information about this command include -h
or --help
.
The example below illustrates a user renaming the data conditional masking
policy key to Data Masking
.
immuta policy clone
Clone and save all Global Policies to a file by running immuta policy clone <filepath>
. Options you can specify include
--force
: Overwrite existing output directory targets. If this flag is omitted, you will receive an error when the output directory exists and is not empty.
-h
, --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
The example below illustrates cloning and saving all Global Policies to a policy
folder. In this example, only one Global Policy existed: Test
.
immuta policy delete
Opt to list all policy keys to determine which policy key you would like to delete by running immuta policy list
. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Delete a policy key by running immuta policy delete <policy key> [--dryRun]
. Options you can specify include
-d
or --dryRun
: No updates will be made.
-h
or --help
: Get more information about the command.
The example below illustrates a user deleting the Data Masking
policy.
This page details the immuta purpose
command, its subcommands and arguments, and the workflow for creating and deleting purposes.
immuta purpose
This command allows you to list, save, and delete purposes in your instance of Immuta. The table below illustrates subcommands and arguments.
Subcommands | Description | Argument(s) |
---|
Use these options to get more details about the purpose
command or any of its subcommands:
-h
--help
immuta purpose save
Run immuta purpose save <filepath> [--dryRun] [--reAcknowledge]
, referencing the file you just created. The options you can specify include
--reAcknowledge
: Require all users of any projects using this purpose to re-acknowledge any updated acknowledgement statements.
-d
or --dryRun
: No updates will be made.
-h
or --help
: Get more information about the command.
The example below illustrates a user creating a purpose called Demo Purpose
.
immuta purpose delete
You need the GOVERNANCE
permission in Immuta to run this command.
Opt to list all purposes to determine which purpose you would like to delete by running immuta purpose list
. Options you can specify include
-h
or --help
: Get more information about the command.
-v
or --verbose
: Print response as JSON.
Delete a purpose by running immuta purpose delete <purpose name> [--dryRun]
, enclosing the purpose name in quotation marks. Options you can specify include
-d
or --dryRun
: No updates will be made.
-h
or --help
: Get more information about the command.
The example below illustrates a user deleting the purpose Demo Purpose
.
Attribute | Description | Required |
---|---|---|
Attribute | Description | Required |
---|---|---|
Attribute | Description | Required |
---|---|---|
Attribute | Description | Required |
---|---|---|
Add your project information in a valid YAML file for the V2 API. Additional payload examples for creating projects can :
Add your purpose information in a valid YAML file for the V2 API. Additional payload examples for creating purposes can .
Manage SDD rules.
Run SDD on specific data sources or all data sources.
Manage SDD frameworks.
list keys
List all data source connection keys.
n/a
list sources
List all data sources for a given connection key.
connection key
save
Create or update all specified data sources in Immuta given connection information to the remote database.
filepath
delete
Delete all data sources for the given connection key.
connection key
rename
Rename the data source connection key.
connection key
save
Create an identification framework.
None
Delete the passed identification framework.
None
Get an identification framework.
None
Get the global framework.
ls
, list
Search all identification frameworks.
None
Update an identification framework.
name
string
Unique, request-friendly framework name.
Yes
displayName
string
Unique, human-readable framework name.
Yes
description
string
The framework description.
Yes
classifiers
array
Includes each rules's name
and overrides
for minConfidence
and tags
.
Yes
name
string
Unique, request-friendly framework name.
Yes
displayName
string
Unique, human-readable framework name.
Yes
description
string
The framework description.
Yes
classifiers
array
Includes each rules's name
and overrides
for minConfidence
and tags
.
Yes
save
Create a rule.
None
Delete the passed rule.
None
Get a rule.
ls
, list
Search all rules.
None
Update a rule.
name
string
Unique, request-friendly rule name.
Yes
displayName
string
Unique, human-readable rule name.
Yes
description
string
The rule description.
Yes
type
string
The type of pattern: regex
, dictionary
, columnNameRegex
, or builtIn
.
Yes
config
object
The configuration of the rule, which may include config.values
, config.caseSensitive
, config.regex
, config.columnNameRegex
, and config.tags
.
Yes
config.tags
array[string]
The name of the tags to apply to the data source.
Yes
config.regex
string
A case-insensitive regular expression to match against column values.
No
config.columnNameRegex
string
A case-insensitive regular expression to match against column names.
No
config.values
array[string]
The list of words to include in the dictionary.
No
config.caseSensitive
boolean
Indicates whether or not values
are case sensitive. Defaults to false
.
No
name
string
Unique, request-friendly rule name.
Yes
displayName
string
Unique, human-readable rule name.
Yes
description
string
The rule description.
Yes
type
string
The type of pattern: regex
, dictionary
, columnNameRegex
, or builtIn
.
Yes
config
object
The configuration of the rule, which may include config.values
, config.caseSensitive
, config.regex
, config.columnNameRegex
, and config.tags
.
Yes
config.tags
array[string]
The name of the tags to apply to the data source.
Yes
config.regex
string
A case-insensitive regular expression to match against column values.
No
config.columnNameRegex
string
A case-insensitive regular expression to match against column names.
No
config.values
array[string]
The list of words to include in the dictionary.
No
config.caseSensitive
boolean
Indicates whether or not values
are case sensitive. Defaults to false
.
No
| Delete a project by project key. |
|
| List all project keys. | n/a |
| Rename the project key. |
|
| Create or update a project in Immuta. |
|
| Clone and save all Global Policies to files. |
|
| Delete a Global Policy by policy key. |
|
| List all Global Policy keys. | n/a |
| Rename the Global Policy key. |
|
| Create or update a Global Policy in Immuta. |
|
| Delete a purpose by name. |
|
| List all purposes. | n/a |
| Create or update a purpose in Immuta. |
|