# tcld account command reference

> Manage Temporal Cloud accounts using tcld commands. Get account details, configure and manage metrics endpoints, and handle end-entity certificates efficiently with various commands.

The `tcld account` commands manage accounts in Temporal Cloud.

Alias: `a`

- [tcld account audit-log](#audit-log)
- [tcld account get](#get)
- [tcld account list-regions](#list-regions)
- [tcld account metrics](#metrics)

## audit-log

The `tcld account audit-log` command manage Audit Logs in Temporal Cloud.

Alias: `al`

- [tcld account audit-log kinesis](#kinesis)
- [tcld account audit-log pubsub](#pubsub)

### kinesis

The `tcld account audit-log kinesis` command manages Kinesis audit log sinks.

Alias: `k`

- [tcld account audit-log kinesis create](#create)
- [tcld account audit-log kinesis delete](#delete)
- [tcld account audit-log kinesis get](#account-audit-log-kinesis-get)
- [tcld account audit-log kinesis list](#list)
- [tcld account audit-log kinesis update](#update)
- [tcld account audit-log kinesis validate](#validate)

#### create

The `tcld account audit-log kinesis` command creates a Kinesis audit log sink.

Alias: `c`

##### --destination-uri

The destination URI of the audit log sink.

Alias: `du`

##### --region

The region to use for the request.

Alias: `re`

##### --role-name

The role name to use to write to the sink.

Alias: `rn`

##### --sink-name

Provide a name for the sink.

#### delete

The `tcld account audit-log kinesis delete` command deletes an audit log sink.

Alias: `d`

##### --resource-version

The resource-version (etag) to update from, if not set the cli will use the latest (optional).

Alias: `v`

##### --sink-name

Provide a name for the sink.

#### get 

The `tcld account audit-log kinesis get` command gets an audit log sink.

Alias: `g`

##### --sink-name

Provide a name for the sink.

#### list

The `tcld account audit-log kinesis list` command lists audit log sinks on the account.

Alias: `l`

##### --page-size

The page size for list operations.

##### --page-token

The page token for list operations.

#### update

The `tcld account audit-log kinesis update` command updates an audit log sink.

Alias: `u`

##### --destination-uri

The destination URI of the audit log sink.

Alias: `du`

##### --enabled

Whether the sink is enabled.

##### --region

The region to use for the request.

Alias: `re`

##### --resource-version

The resource-version (etag) to update from, if not set the cli will use the latest (optional).

Alias: `v`

##### --role-name

The role name to use to write to the sink.

Alias: `rn`

##### --sink-name

Provide a name for the sink.

#### validate

The `tcld account audit-log kinesis validate` command verifies Temporal Cloud can write to a Kinesis sink.

Alias: `v`

##### --destination-uri

The destination URI of the audit log sink.

Alias: `du`

##### --region

The region to use for the request.

Alias: `re`

##### --role-name

The role name to use to write to the sink.

Alias: `rn`

##### --sink-name

Provide a name for the sink.

### pubsub

The `tcld account audit-log pubsub` command manages Pub/Sub audit log sinks.

Alias: `ps`

- [tcld account audit-log pubsub create](#create)
- [tcld account audit-log pubsub delete](#delete)
- [tcld account audit-log pubsub get](#account-audit-log-pubsub-get)
- [tcld account audit-log pubsub list](#list)
- [tcld account audit-log pubsub update](#update)
- [tcld account audit-log pubsub validate](#validate)

#### create

The `tcld account audit-log pubsub` command creates a Pub/Sub audit log sink.

Alias: `c`

##### --service-account-email

The service account email to impersonate to write to the sink.

Alias: `sae`

##### --sink-name

Provide a name for the sink.

##### --topic-name

The topic name to write to the sink.

Alias: `tn`

#### delete

The `tcld account audit-log pubsub delete` command deletes an audit log sink.

Alias: `d`

##### --resource-version

The resource-version (etag) to update from, if not set the cli will use the latest (optional).

Alias: `v`

##### --sink-name

Provide a name for the sink.

#### get 

The `tcld account audit-log pubsub get` command gets an audit log sink.

Alias: `g`

##### --sink-name

Provide a name for the sink.

#### list

The `tcld account audit-log pubsub list` command lists audit log sinks on the account.

Alias: `l`

##### --page-size

The page size for list operations.

##### --page-token

The page token for list operations.

#### update

The `tcld account audit-log pubsub update` command updates an audit log sink.

Alias: `u`

##### --enabled

Whether the sink is enabled.

##### --resource-version

The resource-version (etag) to update from, if not set the cli will use the latest (optional).

Alias: `v`

##### --service-account-email

The service account email to impersonate to write to the sink.

Alias: `sae`

##### --sink-name

Provide a name for the sink.

##### --topic-name

The topic name to write to the sink.

Alias: `tn`

#### validate

The `tcld account audit-log pubsub validate` command verifies Temporal Cloud can write to a Pub/Sub sink.

Alias: `v`

##### --service-account-email

The service account email to impersonate to write to the sink.

Alias: `sae`

##### --sink-name

Provide a name for the sink.

##### --topic-name

The topic name to write to the sink.

Alias: `tn`

## get

The `tcld account get` command gets information about the Temporal Cloud account you are logged into.

Alias: `g`

`tcld account get`

The command has no modifiers.

## list-regions

The `tcld account list-regions` lists all regions where the account can provision namespaces.

Alias: `l`

## metrics

The `tcld account metrics` commands configure the metrics endpoint for the Temporal Cloud account that is currently logged in.

Alias: `m`

- [tcld account metrics enable](#enable)
- [tcld account metrics disable](#disable)
- [tcld account metrics accepted-client-ca](#accepted-client-ca)

### accepted-client-ca

The `tcld account metrics accepted-client-ca` commands manage the end-entity certificates for the metrics endpoint of the Temporal Cloud account that is currently logged in.

> **ℹ️ Info:**
>
> The end-entity certificates for the metrics endpoint must chain up to the CA certificate used for the account. For more information, see [Certificate requirements](/cloud/certificates#certificate-requirements).
>

Alias: `ca`

- [tcld account metrics accepted-client-ca add](#add)
- [tcld account metrics accepted-client-ca list](#list)
- [tcld account metrics accepted-client-ca set](#set)
- [tcld account metrics accepted-client-ca remove](#remove)

#### add

The `tcld account metrics accepted-client-ca add` command adds end-entity certificates to the metrics endpoint of a Temporal Cloud account.

> **ℹ️ Info:**
>
> The end-entity certificates for the metrics endpoint must chain up to the CA certificate used for the account. For more information, see [Certificate requirements](/cloud/certificates#certificate-requirements).
>

`tcld account metrics accepted-client-ca add --ca-certificate <value>`

Alias: `a`

The following modifiers control the behavior of the command.

##### --request-id

Specify a request identifier to use for the asynchronous operation. If not specified, the server assigns a request identifier.

Alias: `-r`

**Example**

```bash
tcld account metrics accepted-client-ca add --request-id <request_id> --ca-certificate <encoded_certificate>
```

##### --resource-version

Specify a resource version (ETag) to update from. If not specified, the latest version is used.

Alias: `-v`

**Example**

```bash
tcld account metrics accepted-client-ca add --resource-version <etag> --ca-certificate <encoded_certificate>
```

##### --ca-certificate

_Required modifier unless `--ca-certificate-file` is specified_

Specify a base64-encoded string of a CA certificate PEM file.

If both `--ca-certificate` and `--ca-certificate-file` are specified, only `--ca-certificate` is used.

Alias: `-c`

**Example**

```bash
tcld account metrics accepted-client-ca add --ca-certificate <encoded_certificate>
```

##### --ca-certificate-file

_Required modifier unless `--ca-certificate` is specified_

Specify a path to a CA certificate PEM file.

If both `--ca-certificate` and `--ca-certificate-file` are specified, only `--ca-certificate` is used.

Alias: `-f`

**Example**

```bash
tcld account metrics accepted-client-ca add --ca-certificate-file <path>
```

#### list

The `tcld account metrics accepted-client-ca list` command lists the end-entity certificates that are currently configured for the metrics endpoint of a Temporal Cloud account.

`tcld account metrics accepted-client-ca list`

Alias: `l`

The command has no modifiers.

#### remove

The `tcld account metrics accepted-client-ca remove` command removes end-entity certificates from the metrics endpoint of a Temporal Cloud account.

`tcld account metrics accepted-client-ca remove --ca-certificate <value>`

Alias: `r`

The following modifiers control the behavior of the command.

##### --request-id

Specify a request identifier to use for the asynchronous operation. If not specified, the server assigns a request identifier.

Alias: `-r`

**Example**

```bash
tcld account metrics accepted-client-ca remove --request-id <request_id> --ca-certificate <encoded_certificate>
```

##### --resource-version

Specify a resource version (ETag) to update from. If not specified, the latest version is used.

Alias: `-v`

**Example**

```bash
tcld account metrics accepted-client-ca remove --resource-version <etag> --ca-certificate <encoded_certificate>
```

##### --ca-certificate

_Required modifier unless `--ca-certificate-fingerprint` or `--ca-certificate-file` is specified_

Specify a base64-encoded string of a CA certificate PEM file.

If `--ca-certificate-fingerprint` is also specified, both `--ca-certificate` and `--ca-certificate-file` are ignored.

If `--ca-certificate-file` is also specified but `--ca-certificate-fingerprint` is not, only `--ca-certificate` is used.

Alias: `-c`

**Example**

```bash
tcld account metrics accepted-client-ca remove --ca-certificate <encoded_certificate>
```

##### --ca-certificate-file

_Required modifier unless `--ca-certificate-fingerprint` or `--ca-certificate` is specified_

Specify a path to a CA certificate PEM file.

If `--ca-certificate-fingerprint` is also specified, both `--ca-certificate-file` and `--ca-certificate` are ignored.

If `--ca-certificate` is also specified but `--ca-certificate-fingerprint` is not, only `--ca-certificate` is used.

Alias: `-f`

**Example**

```bash
tcld account metrics accepted-client-ca remove --ca-certificate-file <path>
```

##### --ca-certificate-fingerprint

_Required modifier unless `--ca-certificate` or `--ca-certificate-file` is specified_

Specify the fingerprint of a CA certificate.

If `--ca-certificate`, `--ca-certificate-file`, or both are also specified, they are ignored.

Alias: `--fp`

**Example**

```bash
tcld account metrics accepted-client-ca remove --ca-certificate-fingerprint <fingerprint>
```

#### set

The `tcld account metrics accepted-client-ca set` command sets the end-entity certificates for the metrics endpoint of a Temporal Cloud account.

> **ℹ️ Info:**
>
> The end-entity certificates for the metrics endpoint must chain up to the CA certificate used for the account. For more information, see [Certificate requirements](/cloud/certificates#certificate-requirements).
>

`tcld account metrics accepted-client-ca set --ca-certificate <value>`

Alias: `s`

The following modifiers control the behavior of the command.

##### --request-id

Specify a request identifier to use for the asynchronous operation. If not specified, the server assigns a request identifier.

Alias: `-r`

**Example**

```bash
tcld account metrics accepted-client-ca set --request-id <request_id> --ca-certificate <encoded_certificate>
```

##### --resource-version

Specify a resource version (ETag) to update from. If not specified, the latest version is used.

Alias: `-v`

**Example**

```bash
tcld account metrics accepted-client-ca set --resource-version <etag> --ca-certificate <encoded_certificate>
```

##### --ca-certificate

_Required modifier unless `--ca-certificate-file` is specified_

Specify a base64-encoded string of a CA certificate PEM file.

If both `--ca-certificate` and `--ca-certificate-file` are specified, only `--ca-certificate` is used.

Alias: `-c`

**Example**

```bash
tcld account metrics accepted-client-ca set --ca-certificate <encoded_certificate>
```

##### --ca-certificate-file

_Required modifier unless `--ca-certificate` is specified_

Specify a path to a CA certificate PEM file.

If both `--ca-certificate` and `--ca-certificate-file` are specified, only `--ca-certificate` is used.

Alias: `-f`

**Example**

```bash
tcld account metrics accepted-client-ca set --ca-certificate-file <path>
```

### enable

The `tcld account metrics enable` command enables the metrics endpoint for the Temporal Cloud account that is currently logged in.

> **ℹ️ Info:**
>
> The end-entity for the metrics endpoint _must_ be configured before the endpoint can be enabled. See the [tcld account metrics accepted-client-ca](#accepted-client-ca) commands.
>

`tcld account metrics enable`

The command has no modifiers.

### disable

The `tcld account metrics disable` command disables the metrics endpoint for the Temporal Cloud account that is currently logged in.

`tcld account metrics disable`

The command has no modifiers.