nomad acl auth-method create command reference
The acl auth-method create command is used to create new ACL Auth Methods.
Usage
nomad acl auth-method create [options]
The acl auth-method create command requires the create options to be set via the flags detailed below.
Options
-name: Sets the human readable name for the ACL auth method. The name must be between 1-128 characters and is a required parameter.
-description: A free form text description of the auth-method that must not exceed 256 characters.
-type: Sets the type of the auth method. Supported types are OIDC and JWT.
-max-token-ttl: Sets the duration of time all tokens created by this auth method should be valid for.
-token-locality: Defines the kind of token that this auth method should produce. This can be either local or global.
-token-name-format: Sets the token format for the authenticated users. This can be lightly templated using HIL '${foo}' syntax. Defaults to '${auth_method_type}-${auth_method_name}'.
-default: Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command.
-config: Auth method configuration in JSON format. You may provide '-' to send the config through stdin, or prefix a file path with '@' to indicate that the config should be loaded from the file.
-json: Output the ACL auth-method in a JSON format.
-t: Format and display the ACL auth-method using a Go template.
Examples
Create a new ACL Auth Method:
$ nomad acl auth-method create -name "example-acl-auth-method" -type "OIDC" -max-token-ttl "1h" -token-locality "local" -config "@config.json"
Name                = example-acl-auth-method
Type                = OIDC
Locality            = local
Max Token TTL       = 1h0m0s
Token Name Format   = ${auth_method_type}-${auth_method_name}
Default             = false
Create Index        = 14
Modify Index        = 14
Auth Method Config
OIDC Discovery URL     = https://my-corp-app-name.auth0.com/
OIDC Client ID         = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt
OIDC Client Secret     = example-client-secret
Bound audiences        = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt
Allowed redirects URIs = http://localhost:4646/oidc/callback
Discovery CA pem       = <none>
Signing algorithms     = <none>
Claim mappings         = {http://example.com/first_name: first_name}; {http://example.com/last_name: last_name}
List claim mappings    = {http://nomad.com/groups: groups}
Example config file:
{
  "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
  "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
  "OIDCClientSecret": "example-client-secret",
  "BoundAudiences": [
    "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
  ],
  "AllowedRedirectURIs": [
    "http://localhost:4646/oidc/callback"
  ],
  "ClaimMappings": {
    "http://example.com/first_name": "first_name",
    "http://example.com/last_name": "last_name"
  },
  "ListClaimMappings": {
    "http://nomad.com/groups": "groups"
  }
}
This example config uses a private key JWT client assertion instead of a client secret.
{
  "OIDCDiscoveryURL": "https://my-keycloak-instance.com/realms/nomad",
  "OIDCClientID": "my-great-client-id",
  "OIDCClientAssertion": {
    "KeySource": "nomad"
  },
  "BoundAudiences": [
    "my-great-client-id"
  ],
  "AllowedRedirectURIs": [
    "http://localhost:4646/oidc/callback"
  ],
  "ListClaimMappings": {
    "groups": "groups"
  }
}
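The -config flag accepts the JSON documents shown above without further checks from the operator's side, so it is worth linting a config before it reaches the cluster. The following pre-flight linter is an added example, not part of the Nomad documentation or code base: it reads the documented keys (OIDCDiscoveryURL, OIDCClientID, OIDCClientSecret / OIDCClientAssertion, BoundAudiences, AllowedRedirectURIs, ClaimMappings, ListClaimMappings) and reports settings a reviewer would question; the sample configs are constructed from the page's two examples, with a plaintext discovery URL, an empty audience list and a non-local redirect deliberately introduced into the first one.

```python
import json
from urllib.parse import urlparse

# Constructed from the page's client-secret example, with three weaknesses injected
# (http discovery URL, empty BoundAudiences, plaintext redirect to a non-local host).
WEAK_CONFIG_JSON = """{
  "OIDCDiscoveryURL": "http://my-corp-app-name.auth0.com/",
  "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
  "OIDCClientSecret": "example-client-secret",
  "BoundAudiences": [],
  "AllowedRedirectURIs": ["http://localhost:4646/oidc/callback",
                          "http://example.com/oidc/callback"],
  "ClaimMappings": {"http://example.com/first_name": "first_name"},
  "ListClaimMappings": {"http://nomad.com/groups": "groups"}
}"""

# Constructed from the page's client-assertion example; expected to lint clean.
CLEAN_CONFIG_JSON = """{
  "OIDCDiscoveryURL": "https://my-keycloak-instance.com/realms/nomad",
  "OIDCClientID": "my-great-client-id",
  "OIDCClientAssertion": {"KeySource": "nomad"},
  "BoundAudiences": ["my-great-client-id"],
  "AllowedRedirectURIs": ["http://localhost:4646/oidc/callback"],
  "ListClaimMappings": {"groups": "groups"}
}"""

def lint_oidc_config(cfg: dict) -> list:
    """Return a list of findings for an OIDC auth-method config (empty list means clean)."""
    findings = []
    if urlparse(cfg.get("OIDCDiscoveryURL", "")).scheme != "https":
        findings.append("OIDCDiscoveryURL is not https; the IdP metadata and signing keys are fetched from it")
    if ("OIDCClientSecret" in cfg) == ("OIDCClientAssertion" in cfg):
        findings.append("configure exactly one of OIDCClientSecret or OIDCClientAssertion")
    client_id = cfg.get("OIDCClientID")
    if not client_id:
        findings.append("OIDCClientID is missing")
    auds = cfg.get("BoundAudiences") or []
    if not auds:
        findings.append("BoundAudiences is empty; bind at least the client ID, as the documented examples do")
    elif client_id not in auds:
        findings.append("BoundAudiences does not include OIDCClientID")
    for uri in cfg.get("AllowedRedirectURIs", []):
        u = urlparse(uri)
        if u.scheme != "https" and u.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"plaintext redirect URI to a non-local host: {uri}")
    # A claim name mapped both as a single value and as a list is ambiguous for policy authors.
    clashes = set(cfg.get("ClaimMappings", {}).values()) & set(cfg.get("ListClaimMappings", {}).values())
    findings.extend(f"claim {name!r} appears in both ClaimMappings and ListClaimMappings" for name in sorted(clashes))
    return findings

def lint_json(text: str) -> list:
    """Parse a -config JSON document (file contents or stdin) and lint it."""
    return lint_oidc_config(json.loads(text))
```

A clean result means the document can be piped into `nomad acl auth-method create ... -config -` or saved and passed with `-config @config.json`.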
General options
-address=<addr>: The address of the Nomad server. Overrides the NOMAD_ADDR environment variable if set. Defaults to http://127.0.0.1:4646.
-region=<region>: The region of the Nomad server to forward commands to. Overrides the NOMAD_REGION environment variable if set. Defaults to the Agent's local region.
-no-color: Disables colored command output. Alternatively, NOMAD_CLI_NO_COLOR may be set. This option takes precedence over -force-color.
-force-color: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively, NOMAD_CLI_FORCE_COLOR may be set. This option has no effect if -no-color is also used.
-ca-cert=<path>: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides the NOMAD_CACERT environment variable if set.
-ca-path=<path>: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both -ca-cert and -ca-path are specified, -ca-cert is used. Overrides the NOMAD_CAPATH environment variable if set.
-client-cert=<path>: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify -client-key. Overrides the NOMAD_CLIENT_CERT environment variable if set.
-client-key=<path>: Path to an unencrypted PEM encoded private key matching the client certificate from -client-cert. Overrides the NOMAD_CLIENT_KEY environment variable if set.
-tls-server-name=<value>: The server name to use as the SNI host when connecting via TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.
-tls-skip-verify: Do not verify the TLS certificate. This is strongly discouraged. Verification will also be skipped if NOMAD_SKIP_VERIFY is set.
-token: The SecretID of an ACL token to use to authenticate API requests with. Overrides the NOMAD_TOKEN environment variable if set.