Skip to content

Security and Access

hdxcli v1.0.83

User⚓︎

This command handles the administration of user accounts. Provides functionality to list, show, delete, and manage roles for existing users, and to manage their invitations.

Usage

1
hdxcli user [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--user TEXT Perform operation on the passed user.

Assign Role⚓︎

Assign one or more roles to a user. This command adds roles to an existing user.

Usage

1
hdxcli user assign-role [OPTIONS] USER_EMAIL

Options

Option Description
-r, --role TEXT Role to assign. Can be used multiple times. [required]

Examples

1
2
## Assign the 'operator' and 'read_only' roles to a user
hdxcli user assign-role my_user@example.com --role operator --role read_only

Delete⚓︎

Permanently deletes the specified user. This action is irreversible.

Usage

1
hdxcli user delete [OPTIONS] USER_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete the user.

Examples

1
2
## Delete the specified user and bypass the confirmation prompt
hdxcli user delete my_user@example.com --disable-confirmation-prompt

List⚓︎

List all users.

Displays a list of all users, excluding service accounts. The output includes the user's email and their assigned roles.

Usage

1
hdxcli user list [OPTIONS]

Examples

1
2
## List all users in the organization
hdxcli user list

Remove Role⚓︎

Remove one or more roles from a user. This command removes existing roles from a user.

Usage

1
hdxcli user remove-role [OPTIONS] USER_EMAIL

Options

Option Description
-r, --role TEXT Role to remove. Can be used multiple times. [required]

Examples

1
2
## Remove the 'super_admin' role from a user
hdxcli user remove-role my_user@example.com --role super_admin

Show⚓︎

Show details for a specific user.

Displays the full configuration of a specific user. It will use the invite specified with the --user option.

Usage

1
hdxcli user show [OPTIONS] USER_EMAIL

Options

Option Description
-i, --indent Output in indented JSON format.

Examples

1
2
## Show details for a specific user
hdxcli user show my_user

Invite⚓︎

Provides commands for managing user invitations. Includes commands to send, resend, list, show, and delete user invitations.

Usage

1
hdxcli user invite [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--invite USER_EMAIL Perform operation on the passed user.

Delete⚓︎

Permanently deletes the specified invite. This action is irreversible.

Usage

1
hdxcli user invite delete [OPTIONS] INVITE_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete the invite.

Examples

1
2
## Delete the specified invite and bypass the confirmation prompt
hdxcli user invite delete my_invite@example.com --disable-confirmation-prompt

List⚓︎

List all invites.

Displays a list of all user invitations, showing their email and status. The list can be filtered for only pending invitations with the --pending flag.

Usage

1
hdxcli user invite list [OPTIONS]

Options

Option Description
-p, --pending List only pending invitations.

Examples

1
2
3
4
5
## List all invitations, including claimed and pending
hdxcli user invite list

## List only the invitations with a 'pending' status
hdxcli user invite list --pending

Resend⚓︎

Resend an existing invite. Resends an invitation to a user, typically when the original invitation has expired or was not received.

Usage

1
hdxcli user invite resend [OPTIONS] INVITE_EMAIL

Examples

1
2
## Resend an invitation to a user
hdxcli user invite resend my_invite_pending_user@example.com

Send⚓︎

Create and send a new invite. Sends an email invitation to a new user with a specific set of roles.

Usage

1
hdxcli user invite send [OPTIONS] INVITE_EMAIL

Options

Option Description
-r, --role TEXT Role to assign to the new user. Can be used multiple times. [required]

Examples

1
2
## Invite a new user with the 'operator' role
hdxcli user invite send my_invite_user@example.com --role operator

Show⚓︎

Show details for a specific invite.

Displays the full configuration of a specific invite. It will use the invite specified with the --invite option.

Usage

1
hdxcli user invite show [OPTIONS] USER_EMAIL

Options

Option Description
-i, --indent Output in indented JSON format.

Examples

1
2
## Show details for a specific invite
hdxcli user invite show my_invite

Service-Account⚓︎

Service accounts are non-human users designed for programmatic API access. This includes creating, listing, deleting, and managing roles and tokens for them.

Usage

1
hdxcli service-account [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--service-account, --sa TEXT Perform an operation on the specified service account.

Assign Role⚓︎

Assign one or more roles to a service account.

Usage

1
hdxcli service-account assign-role [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
-r, --role ROLE Role(s) to assign. Can be used multiple times. [required]

Examples

1
2
## Assign the 'operator' role to the 'my_service_account' service account
hdxcli service-account assign-role my_service_account --role operator

Create⚓︎

This command creates a new service account and assigns one or more roles to it. An access token can be generated immediately by using the --generate-token flag.

Usage

1
hdxcli service-account create [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
-r, --role ROLE Role to assign. Can be specified multiple times. [required]
--generate-token [DURATION] Generate a token after creation. Optionally, provide a duration (for example, '30d', '1y').
--set-as-auth Set the generated token as the authentication method for the current profile. This will overwrite any existing credentials.

Examples

1
2
3
4
5
6
7
8
## Create a service account with the 'super_admin' role
hdxcli service-account create my_service_account --role super_admin

## Create a service account and generate a token valid for 90 days
hdxcli service-account create grafana_connector --role reporting_viewer --generate-token 90d

## Create a service account, generate a token, and set it as the auth method
hdxcli service-account create user_connector --role automation_admin --generate-token 90d --set-as-auth

Delete⚓︎

Delete a specific service account.

This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.

Usage

1
hdxcli service-account delete [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete service account.

Examples

1
2
## Delete the service account named 'my_service_account'
hdxcli service-account delete my_service_account

Generate Token⚓︎

Generate a new access token for a service account. The service account name can be specified via argument or the global --sa option.

Usage

1
hdxcli service-account generate-token [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
--duration DURATION Set token lifetime (for example, '30d', '12h', '1y'). If not set, the API default is used.
--json Display the full token response in JSON format.
--set-as-auth Set the generated token as the authentication method for the current profile. This will overwrite any existing credentials.

Examples

1
2
## Generate a token for 'grafana_connector' that expires in 30 days and set it as the auth method
hdxcli service-account generate-token grafana_connector --duration 30d --set-as-auth

List⚓︎

List all available service accounts. Displays a table with the names of all service accounts and the roles assigned to them.

Usage

1
hdxcli service-account list [OPTIONS]

Examples

1
2
## List all service accounts in the organization
hdxcli service-account list

Remove Role⚓︎

Remove one or more roles from a service account.

Usage

1
hdxcli service-account remove-role [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
-r, --role ROLE Role(s) to remove. Can be used multiple times. [required]

Examples

1
2
## Remove the 'super_admin' role from the 'my_service_account' service account
hdxcli service-account remove-role my_service_account --role super_admin

Revoke Tokens⚓︎

Revoke all active tokens for a service account.

This is a security-sensitive operation that invalidates all existing tokens for the specified service account, forcing any application using them to re-authenticate with a new token.

Usage

1
hdxcli service-account revoke-tokens [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
--yes Bypass the confirmation prompt.

Examples

1
2
## Revoke all tokens for 'my_service_account' after a confirmation prompt
hdxcli service-account revoke-tokens my_service_account

Show⚓︎

Show details for a specific service account.

Retrieves and displays the settings of a single service account. If no name is provided, the default service account will be used if exists.

Usage

1
hdxcli service-account show [OPTIONS] SERVICE_ACCOUNT_NAME

Options

Option Description
-i, --indent Indent the output.

Examples

1
2
## Show details for the service account named 'my_service_account'
hdxcli service-account show my_service_account

Role⚓︎

Commands to create, edit, and manage user roles and their permissions.

Usage

1
hdxcli role [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--role ROLE_NAME Perform operation on the passed role.

Add User⚓︎

Add one or more users to a role.

Usage

1
hdxcli role add-user [OPTIONS] ROLE_NAME

Options

Option Description
-u, --user TEXT Specify users to add to a role (can be used multiple times). [required]

Examples

1
2
## Add 'user@example.com' to the 'my_role' role
hdxcli role add-user my_role --user user@example.com

Create⚓︎

Create a new role. This command supports two modes for creating a role:

  1. Command-Line: Define a single policy by providing its details as options.
  2. Interactive: Use the --interactive flag for a guided setup.

Usage

1
hdxcli role create [OPTIONS] ROLE_NAME

Options

Option Description
-t, --scope-type TEXT Type of scope for the role.
-i, --scope-id TEXT Identifier for the scope (UUID).
-p, --permission TEXT Specify permissions for the new role (can be used multiple times).
--interactive Enter interactive mode to be guided through role creation.

Examples

1
2
3
4
5
6
7
8
## Create a role with a single global permission
hdxcli role create my_read_role --permission read_table

## Create a role with project-scoped permissions
hdxcli role create my_project_role --scope-type project --scope-id <uuid> --permission add_table

## Start the interactive guide to create a role
hdxcli role create my_interactive_role --interactive

Delete⚓︎

Delete a specific role.

This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.

Usage

1
hdxcli role delete [OPTIONS] ROLE_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete role.

Examples

1
2
## Delete the role named 'my_role'
hdxcli role delete my_role

Edit⚓︎

Modify an existing role interactively.

This command starts an interactive session to guide you through modifying a role, including its name and policies.

Usage

1
hdxcli role edit [OPTIONS] ROLE_NAME

Examples

1
2
## Start the interactive editor for 'my_role'
hdxcli role edit my_role

List⚓︎

List all available roles.

Retrieves a list of all roles you have access to. Pagination options (--page, --page-size) are available if supported by the API.

Usage

1
hdxcli role list [OPTIONS]

Options

Option Description
-p, --page INTEGER Page number.
-s, --page-size INTEGER Number of items per page.

Examples

1
2
## List the first page of roles
hdxcli role list

List Permissions⚓︎

Lists all available permissions that can be assigned to a role, optionally filtered by a scope type.

Usage

1
hdxcli role list-permissions [OPTIONS]

Options

Option Description
-t, --scope-type SCOPE_TYPE Filter the permissions by a specific scope type.

Examples

1
2
## List all permissions available for the 'project' scope
hdxcli role list-permissions --scope-type project

Remove User⚓︎

Remove one or more users from a role.

Usage

1
hdxcli role remove-user [OPTIONS] ROLE_NAME

Options

Option Description
-u, --user TEXT Specify users to remove from a role (can be used multiple times). [required]

Examples

1
2
## Remove 'user@example.com' from the 'my_role' role
hdxcli role remove-user my_role --user user@example.com

Show⚓︎

Show details for a specific role.

Retrieves and displays the settings of a single role. If no name is provided, the default role will be used if exists.

Usage

1
hdxcli role show [OPTIONS] ROLE_NAME

Options

Option Description
-i, --indent Indent the output.

Examples

1
2
## Show details for the role named 'my_role'
hdxcli role show my_role

Row-Policy⚓︎

Manages Row-Level security policies for tables.

This command group provides functionality to create, list, show, delete, and manage roles for row policies, allowing for fine-grained access control over the data within a table.

Usage

1
hdxcli row-policy [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--project PROJECT_NAME Use or override project set in the profile.
--table TABLE_NAME Use or override table set in the profile.
--row-policy ROW_POLICY_NAME Explicitly pass the row policy name.

Add Role⚓︎

Adds one or more roles to an existing row policy. This command associates roles with a row policy, granting the permissions defined by that row policy to users who have those roles.

Usage

1
hdxcli row-policy add-role [OPTIONS] ROW_POLICY_NAME

Options

Option Description
--role ROLE_NAME Role to add. Can be specified multiple times. [required]

Examples

1
2
3
4
5
## Add the 'viewer' role to the 'europe_logs' row policy
hdxcli row-policy --project hydro --table logs add-role europe_logs --role viewer

## Add multiple roles at once
hdxcli row-policy --project hydro --table logs add-role europe_logs --role viewer --role editor

Create⚓︎

Creates a new row policy for the specified table. A row policy filters the data that users can see based on a filter expression. It must be associated with at least one role to take effect.

Usage

1
hdxcli row-policy create [OPTIONS] ROW_POLICY_NAME

Options

Option Description
--filter FILTER_EXPRESSION The filter expression for the policy (for example, '"claimed"=false'). [required]
--restrictive Set the policy as restrictive. Default is permissive.
--role ROLE_NAME Role to associate with this policy. Can be specified multiple times.

Examples

1
2
3
4
5
## Create a PERMISSIVE row policy to show logs from Europe to 'analyst' users
hdxcli row-policy --project hydro --table logs create europe_logs --filter "region = 'EU'" --role analyst

## Create a RESTRICTIVE row policy to ensure only non-draft documents are ever shown
hdxcli row-policy --project docs --table articles create ensure_published --filter "status != 'draft'" --restrictive

Delete⚓︎

Delete a specific row policy.

This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.

Usage

1
hdxcli row-policy delete [OPTIONS] ROW_POLICY_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete row policy.

Examples

1
2
## Delete the row policy named 'my_row_policy'
hdxcli row-policy --project my_project --table my_table delete my_row_policy

List⚓︎

Lists all row policies for a given table. Displays a summary of all row policies, including their name, filter expression, whether they are restrictive, and their associated roles.

Usage

1
hdxcli row-policy list [OPTIONS]

Examples

1
2
## List all row policies
hdxcli row-policy --project my_project --table my_table list

Remove Role⚓︎

Removes one or more roles from an existing row policy. This command disassociates roles from a row policy, revoking the permissions defined by that row policy from users who have those roles.

Usage

1
hdxcli row-policy remove-role [OPTIONS] ROW_POLICY_NAME

Options

Option Description
--role ROLE_NAME Role to remove. Can be specified multiple times. [required]

Examples

1
2
## Remove the 'editor' role from the 'europe_logs' policy
hdxcli row-policy --project hydro --table logs remove-role europe_logs --role editor

Settings⚓︎

List, get, or set key-value settings for a specific row policy.

This command operates in three modes: - LIST: Invoked with no arguments, it lists all settings. - GET: Invoked with only a KEY, it retrieves the value of that setting. - SET: Invoked with a KEY and a VALUE, it sets the value for that setting.

The VALUE can be a string, a number, or a JSON-formatted string for lists/objects. When setting a value, the --force-operation option may be required for certain resource.

Usage

1
hdxcli row-policy settings [OPTIONS] [KEY] [VALUE]

Options

Option Description
-F, --force This flag allows adding the force_operation parameter to the request.

Examples

1
2
3
4
5
6
7
8
## List all settings for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings

## Get the 'name' setting for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings name

## Set a new 'name' setting for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings name new_name

Show⚓︎

Show details for a specific row policy.

Retrieves and displays the settings of a single row policy. If no name is provided, the default row policy will be used if exists.

Usage

1
hdxcli row-policy show [OPTIONS] ROW_POLICY_NAME

Options

Option Description
-i, --indent Indent the output.

Examples

1
2
## Show details for the row policy named 'my_row_policy'
hdxcli row-policy --project my_project --table my_table show my_row_policy

Credential⚓︎

Provides commands to create, list, show, and delete credentials. It also includes a command to list all available credential types which is useful before creating a new one.

Usage

1
hdxcli credential [OPTIONS] COMMAND [ARGS]...

Options

Option Description
--credential CREDENTIAL_NAME Perform operation on the passed credential.

Create⚓︎

Create a new credential. The command prompts for any required details not provided as options. For fully non-interactive use, all details must be specified using the --detail option.

Usage

1
hdxcli credential create [OPTIONS] CREDENTIAL_NAME CREDENTIAL_TYPE

Options

Option Description
--description TEXT Credential description.
--detail TEXT... A key-value pair for a credential detail. Use multiple times for multiple details.

Examples

1
2
3
4
5
## Create a credential interactively
hdxcli credential create my_credential gcp-service-account

## Create a credential non-interactively with key-value details
hdxcli credential create aws-prod-keys aws_access_keys --detail access_key_id "your-id" --detail secret_access_key "your-secret"

Delete⚓︎

Delete a specific credential.

This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.

Usage

1
hdxcli credential delete [OPTIONS] CREDENTIAL_NAME

Options

Option Description
--disable-confirmation-prompt Suppress confirmation to delete credential.

Examples

1
2
## Delete the credential named 'my_credential'
hdxcli credential delete my_credential

List⚓︎

List all available credentials.

Retrieves a list of all credentials you have access to. Pagination options (--page, --page-size) are available if supported by the API.

Usage

1
hdxcli credential list [OPTIONS]

Options

Option Description
-p, --page INTEGER Page number.
-s, --page-size INTEGER Number of items per page.

Examples

1
2
## List the first page of credentials
hdxcli credential list

List Types⚓︎

List available credential types.

Usage

1
hdxcli credential list-types [OPTIONS]

Options

Option Description
-c, --cloud CLOUD Filter the credential types by a specific cloud.

Examples

1
2
## List all available credential types, filtering by 'azure' cloud
hdxcli credential list-types --cloud azure

Settings⚓︎

List, get, or set key-value settings for a specific credential.

This command operates in three modes: - LIST: Invoked with no arguments, it lists all settings. - GET: Invoked with only a KEY, it retrieves the value of that setting. - SET: Invoked with a KEY and a VALUE, it sets the value for that setting.

The VALUE can be a string, a number, or a JSON-formatted string for lists/objects. When setting a value, the --force-operation option may be required for certain resource.

Usage

1
hdxcli credential settings [OPTIONS] [KEY] [VALUE]

Options

Option Description
-F, --force This flag allows adding the force_operation parameter to the request.

Examples

1
2
3
4
5
6
7
8
## List all settings for the credential 'my_credential'
hdxcli credential --credential my_credential settings

## Get the 'name' setting for the credential 'my_credential'
hdxcli credential --credential my_credential settings name

## Set a new 'name' setting for the credential 'my_credential'
hdxcli credential --credential my_credential settings name new_name

Show⚓︎

Show details for a specific credential.

Retrieves and displays the settings of a single credential. If no name is provided, the default credential will be used if exists.

Usage

1
hdxcli credential show [OPTIONS] CREDENTIAL_NAME

Options

Option Description
-i, --indent Indent the output.

Examples

1
2
## Show details for the credential named 'my_credential'
hdxcli credential show my_credential