CLI & fgshell command reference¶
Every DotID control-plane operation is available two ways — the fgai CLI and the
in-console fgshell — except creating a brand-new root-user account, which stays a
browser sign-up flow. Both surfaces call the same control-plane APIs
(see CLI authentication); every call is authorization-checked.
For how to authenticate, see CLI authentication.
Command groups (fgai <group> …)¶
Group |
What it manages |
|---|---|
|
IAM users, groups, roles, policies, access-key credentials, STS, service users, workload identities, Identity Center (users, permission sets, assignments), delegations, authorization checks |
|
Accounts — provision member accounts, get/update, status (close/reopen/suspend/restore), service installations |
|
Organizations — OUs, SCPs, member accounts, invitations, service installations |
|
Portal ( |
|
Quota scopes, your quotas, and quota requests |
|
Your audit events, account events, single event lookup |
|
Developer service registration, submission, credentials |
|
Browse the catalog and manage installations |
|
PassPort application launch links |
Run fgai <group> (or fgai <group> help) to list its subcommands; the identity
group is nested one level further: fgai identity <resource> <verb>.
Conventions¶
Path parameters are flags:
fgai identity user get --account <id> --user <id>.Create/update bodies are raw JSON: pass
--body '{…}'or--body-file path.json(-reads stdin). Fields follow the API’s snake_case shape.Output is the API’s JSON response, pretty-printed; an empty (204) response prints
ok.
Examples¶
# Identity Center + IAM
fgai identity user list --account 3857bedb
fgai identity user create --account 3857bedb --body '{"username":"bob","email":"bob@acme.io"}'
fgai identity role create --account 3857bedb --body-file role.json
fgai identity credential rotate --account 3857bedb --credential AKIA…
fgai identity sts assume-role --body '{"role_frn":"frn:…:iam:role/Deploy","external_id":"…"}'
fgai identity authorize check --body '{"action":"iam:CreateUser","resource":"frn:…"}'
# Accounts & organizations
fgai account provision --body '{"email":"ops@acme.io","account_name":"acme-prod","ou_id":"Root"}'
fgai org scp-attach --org 7b39dd74 --scp scp-123 --body '{"target_type":"OU","target_id":"ou-1"}'
fgai org invite-create --org 7b39dd74 --body '{"email":"partner@x.io"}'
# Quotas & audit
fgai quota request --body '{"quota_id":"q-1","desired":50}'
fgai audit account-events --account 3857bedb
fgshell¶
The same operations are available inside the console shell as
dotid <group> [<resource>] <verb> commands, taking the same arguments. fgshell runs
each command against the DotID control-plane API using your session identity, so what
you can do in fgshell is exactly what your permissions allow — identical to the CLI and
console. Mutating commands prompt for confirmation.