Command: acl auth-method create
The acl auth-method create
command is used to create new ACL Auth Methods.
Usage
nomad acl auth-method create [options]
The acl auth-method create
command requires the correct setting of the create options
via flags detailed below.
General Options
-address=<addr>
: The address of the Nomad server. Overrides theNOMAD_ADDR
environment variable if set. Defaults tohttp://127.0.0.1:4646
.-region=<region>
: The region of the Nomad server to forward commands to. Overrides theNOMAD_REGION
environment variable if set. Defaults to the Agent's local region.-no-color
: Disables colored command output. Alternatively,NOMAD_CLI_NO_COLOR
may be set. This option takes precedence over-force-color
.-force-color
: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively,NOMAD_CLI_FORCE_COLOR
may be set. This option has no effect if-no-color
is also used.-ca-cert=<path>
: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides theNOMAD_CACERT
environment variable if set.-ca-path=<path>
: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both-ca-cert
and-ca-path
are specified,-ca-cert
is used. Overrides theNOMAD_CAPATH
environment variable if set.-client-cert=<path>
: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify-client-key
. Overrides theNOMAD_CLIENT_CERT
environment variable if set.-client-key=<path>
: Path to an unencrypted PEM encoded private key matching the client certificate from-client-cert
. Overrides theNOMAD_CLIENT_KEY
environment variable if set.-tls-server-name=<value>
: The server name to use as the SNI host when connecting via TLS. Overrides theNOMAD_TLS_SERVER_NAME
environment variable if set.-tls-skip-verify
: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped ifNOMAD_SKIP_VERIFY
is set.-token
: The SecretID of an ACL token to use to authenticate API requests with. Overrides theNOMAD_TOKEN
environment variable if set.
Create Options
-name
: Sets the human readable name for the ACL auth method. The name must be between 1-128 characters and is a required parameter.-description
: A free form text description of the auth-method that must not exceed 256 characters.-type
: Sets the type of the auth method. Supported types areOIDC
andJWT
.-max-token-ttl
: Sets the duration of time all tokens created by this auth method should be valid for.-token-locality
: Defines the kind of token that this auth method should produce. This can be eitherlocal
orglobal
.token-name-format
: Sets the token format for the authenticated users. This can be lightly templated using HIL '${foo}' syntax. Defaults to '${auth_method_type}-${auth_method_name}'.-default
: Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command.-config
: Auth method configuration in JSON format. May be prefixed with '@' to indicate that the value is a file path to load the config from. '-' may also be given to indicate that the config is available on stdin.-json
: Output the ACL auth-method in a JSON format.-t
: Format and display the ACL auth-method using a Go template.
Examples
Create a new ACL Auth Method:
$ nomad acl auth-method create -name "example-acl-auth-method" -type "OIDC" -max-token-ttl "1h" -token-locality "local" -config "@config.json"Name = example-acl-auth-methodType = OIDCLocality = localMax Token TTL = 1h0m0sToken Name Format = ${auth_method_type}-${auth_method_name}Default = falseCreate Index = 14Modify Index = 14 Auth Method Config OIDC Discovery URL = https://my-corp-app-name.auth0.com/OIDC Client ID = V1RPi2MYptMV1RPi2MYptMV1RPi2MYptOIDC Client Secret = example-client-secretBound audiences = V1RPi2MYptMV1RPi2MYptMV1RPi2MYptAllowed redirects URIs = http://localhost:4646/oidc/callbackDiscovery CA pem = <none>Signing algorithms = <none>Claim mappings = {http://example.com/first_name: first_name}; {http://example.com/last_name: last_name}List claim mappings = {http://nomad.com/groups: groups}
Example config file:
{ "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt", "OIDCClientSecret": "example-client-secret", "BoundAudiences": [ "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" ], "AllowedRedirectURIs": [ "http://localhost:4646/oidc/callback" ], "ClaimMappings": { "http://example.com/first_name": "first_name", "http://example.com/last_name": "last_name" }, "ListClaimMappings": { "http://nomad.com/groups": "groups" }}