Lacework Python SDK Authentication
Once you have installed the SDK you will need to determine how you want to pass authentication information to the SDK. There are a variety of ways to do this, however they all require a valid API key for the Lacework account you wish to access with the SDK. Note that API keys are generated at the account level only, not a the organization level. You must have/generate a key for each account you need access to.
Learn more about generating Lacework API keys here.
Learn more about Lacework organizations here.
Once you have created an API key in the Lacework console you should download
the JSON file containing your new API credentials. This will contain 3 or 4 properties
depending on whether the keys you generated are part of a Lacework organization. These
properties are will be keyId
, secret
, account
, and optionally subaccount
.
If your key comes from a Lacework organization then the account
property represents the
name of the organization and the subaccount
property represents that name of the account
within that organization.
Be sure keep these credentials SECURE!
Now that you have this file you can choose which method of authentication to use:
Auth Method 1: Install the Lacework CLI
The Lacework Python SDK does NOT require that you install the Lacework CLI tool. However, if you do
have the Lacework CLI installed AND
configured then as part of it’s configuration
process the CLI will create a file in your home directory called .lacework.toml
which will contain
one or more sections containing Lacework credentials, with each section representing information for a
single Lacework account.
If you have this file in place and you have not specified credentials using any other method then
the Python SDK will use the credentials stored there to access the Lacework API endpoints. Note that by
default the SDK will use the creds in the default
section of the .lacework.toml
file.
You can tell the SDK to use a different section using the profile=
keyword argument when
instantiating the class.
from laceworksdk import LaceworkClient
lw = LaceworkClient()
from laceworksdk import LaceworkClient
lw = LaceworkClient(profile="testprofile")
Auth Method 2: Specify the Credentials as Environment Variables
You can specify your account credentials or the profile to use in environmental variables.
Environment Variable |
Description |
Required |
|
Lacework CLI profile to use (configured at ~/.lacework.toml) |
N |
|
Lacework account/organization domain (i.e. <account>.lacework.net) |
Y |
|
Lacework sub-account |
N |
|
Lacework API Access Key |
Y |
|
Lacework API Access Secret |
Y |
Note: Specifying creds this way will override your .lacework.toml
default profile.
Auth Method 3: Specify the Credentials Manually
The most straight forward way of specifying credentials is to pass them to the class instance at instantiation.
from laceworksdk import LaceworkClient
lw = LaceworkClient(account="ACCOUNT",
subaccount="SUBACCOUNT",
api_key="API KEY",
api_secret="API SECRET")
Note: This will override your .lacework.toml
default profile AND any credentials you may have
specified as environmental variables.