Forseti 2.0 provides a command-line interface (CLI) client that you can use to operate Forseti's functionality: build inventory, create models, use explain, perform scanning, and send notifications.
CLI users can be non-admin users, and should not have access to the highly elevated privileges granted to Forseti. To prevent CLI users from gaining Forseti's privileges, the CLI is deployed to its own VM and communicates with the server via gRPC.
Access to the CLI VM is managed by OS Login roles: the compute.osLogin role and the compute.osLoginExternalUser role.
When a CLI user has these roles, they gain SSH access to the CLI VM.
Forseti Config enables you to set the CLI configuration.
For more information, see the client-server architecture of Forseti.
Note that the Forseti CLI is also deployed on the Forseti Server VM, so the same commands can be run on the Forseti Server VM as well. The recommendation is to run all commands through the Forseti Client VM, because granting users access to the Forseti Server VM always carries risk due to the Forseti Server service account's elevated privileges.
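Because the two OS Login roles above decide who can SSH to the CLI VM, it is worth reviewing who holds them. The following is an added example, not part of Forseti or its documentation: it reads an IAM policy in the JSON shape that gcloud projects get-iam-policy <PROJECT_ID> --format=json prints and lists the members that need review. The sample policy, the approved list, and the function name are constructed for illustration.

```python
import json

# OS Login roles the page names as granting SSH access to the CLI VM.
OS_LOGIN_ROLES = {
    "roles/compute.osLogin",
    "roles/compute.osLoginExternalUser",
}
# Members that expand to more than one identity; the policy alone
# does not show who they contain.
BROAD_MEMBERS = ("allUsers", "allAuthenticatedUsers", "domain:", "group:")

# Constructed sample policy, not taken from a real project.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/compute.osLogin",
         "members": ["user:analyst@example.com", "group:secops@example.com"]},
        {"role": "roles/compute.osLoginExternalUser",
         "members": ["user:contractor@example.org"]},
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
    ],
})


def audit_os_login(policy_json, approved):
    """Return (ssh_members, findings) for the OS Login bindings in a policy.

    ssh_members maps each member to the sorted OS Login roles it holds.
    findings is a list of (member, reason) pairs that need review.
    """
    policy = json.loads(policy_json)
    ssh_members = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in OS_LOGIN_ROLES:
            continue  # role does not grant OS Login SSH access
        for member in binding.get("members", []):
            ssh_members.setdefault(member, set()).add(role)
    findings = []
    for member in sorted(ssh_members):
        if member.startswith(BROAD_MEMBERS):
            findings.append((member, "broad principal"))
        elif member not in approved:
            findings.append((member, "not on approved list"))
    return {m: sorted(r) for m, r in ssh_members.items()}, findings


if __name__ == "__main__":
    members, findings = audit_os_login(SAMPLE_POLICY, {"user:analyst@example.com"})
    for member, reason in findings:
        print(f"REVIEW {member}: {reason} ({', '.join(members[member])})")
```

Run it against both the project policy and the organization policy if roles are granted at both levels, since a binding at either level applies to the CLI VM.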
The following command outputs the current local configuration:
forseti config show
The following command resets the local configuration back to its original state:
forseti config reset
The following command updates the output format of the CLI to <FORMAT>:
forseti config format <FORMAT>
Where <FORMAT> defines the CLI output format as text or JSON.
The following command sets the IP address the CLI uses to communicate with the server:
forseti config endpoint <IP_ADDRESS>:50051