CLI & fgshell command reference

Every DotID control-plane operation is available two ways — the fgai CLI and the in-console fgshell — except creating a brand-new root-user account, which stays a browser sign-up flow. Both surfaces call the same control-plane APIs (see CLI authentication); every call is authorization-checked.

For how to authenticate, see CLI authentication.

Command groups (fgai <group> )

Group

What it manages

identity

IAM users, groups, roles, policies, access-key credentials, STS, service users, workload identities, Identity Center (users, permission sets, assignments), delegations, authorization checks

account

Accounts — provision member accounts, get/update, status (close/reopen/suspend/restore), service installations

org

Organizations — OUs, SCPs, member accounts, invitations, service installations

iam

Portal (contexts, my-accounts, my-organizations), account settings, quota thresholds

quota

Quota scopes, your quotas, and quota requests

audit

Your audit events, account events, single event lookup

developer

Developer service registration, submission, credentials

service-catalog

Browse the catalog and manage installations

passport

PassPort application launch links

Run fgai <group> (or fgai <group> help) to list its subcommands; the identity group is nested one level further: fgai identity <resource> <verb>.

Conventions

  • Path parameters are flags: fgai identity user get --account <id> --user <id>.

  • Create/update bodies are raw JSON: pass --body '{…}' or --body-file path.json (- reads stdin). Fields follow the API’s snake_case shape.

  • Output is the API’s JSON response, pretty-printed; an empty (204) response prints ok.

Examples

# Identity Center + IAM
fgai identity user list --account 3857bedb
fgai identity user create --account 3857bedb --body '{"username":"bob","email":"bob@acme.io"}'
fgai identity role create --account 3857bedb --body-file role.json
fgai identity credential rotate --account 3857bedb --credential AKIA…
fgai identity sts assume-role --body '{"role_frn":"frn:…:iam:role/Deploy","external_id":"…"}'
fgai identity authorize check --body '{"action":"iam:CreateUser","resource":"frn:…"}'

# Accounts & organizations
fgai account provision --body '{"email":"ops@acme.io","account_name":"acme-prod","ou_id":"Root"}'
fgai org scp-attach --org 7b39dd74 --scp scp-123 --body '{"target_type":"OU","target_id":"ou-1"}'
fgai org invite-create --org 7b39dd74 --body '{"email":"partner@x.io"}'

# Quotas & audit
fgai quota request --body '{"quota_id":"q-1","desired":50}'
fgai audit account-events --account 3857bedb

fgshell

The same operations are available inside the console shell as dotid <group> [<resource>] <verb> commands, taking the same arguments. fgshell runs each command against the DotID control-plane API using your session identity, so what you can do in fgshell is exactly what your permissions allow — identical to the CLI and console. Mutating commands prompt for confirmation.