HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Nomad
Nomad Home

You are viewing documentation for version v1.8.x. View latest version.

Command: acl binding-rule create

The acl binding-rule create command is used to create new ACL Binding Rules.

Usage

nomad acl binding-rule create [options]

The acl binding-rule create command requires the correct setting of the create options via flags detailed below.

General Options

  • -address=<addr>: The address of the Nomad server. Overrides the NOMAD_ADDR environment variable if set. Defaults to http://127.0.0.1:4646.

  • -region=<region>: The region of the Nomad server to forward commands to. Overrides the NOMAD_REGION environment variable if set. Defaults to the Agent's local region.

  • -no-color: Disables colored command output. Alternatively, NOMAD_CLI_NO_COLOR may be set. This option takes precedence over -force-color.

  • -force-color: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively, NOMAD_CLI_FORCE_COLOR may be set. This option has no effect if -no-color is also used.

  • -ca-cert=<path>: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides the NOMAD_CACERT environment variable if set.

  • -ca-path=<path>: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both -ca-cert and -ca-path are specified, -ca-cert is used. Overrides the NOMAD_CAPATH environment variable if set.

  • -client-cert=<path>: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify -client-key. Overrides the NOMAD_CLIENT_CERT environment variable if set.

  • -client-key=<path>: Path to an unencrypted PEM encoded private key matching the client certificate from -client-cert. Overrides the NOMAD_CLIENT_KEY environment variable if set.

  • -tls-server-name=<value>: The server name to use as the SNI host when connecting via TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.

  • -tls-skip-verify: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped if NOMAD_SKIP_VERIFY is set.

  • -token: The SecretID of an ACL token to use to authenticate API requests with. Overrides the NOMAD_TOKEN environment variable if set.

Create Options

  • -description: A free form text description of the binding-rule that must not exceed 256 characters.

  • -auth-method: Specifies the name of the ACL authentication method that this binding rule is associated with.

  • -selector: Selector is an expression that matches against verified identity attributes returned from the auth method during login.

    Caveat: Selectors that operate on ClaimMappings (as opposed to ListClaimMappings), the key that we match against has to be prefixed with value.

  • -bind-type: Specifies adjusts how this binding rule is applied at login time to internal Nomad objects. Valid options are role, policy, and management.

  • -bind-name: Specifies is the target of the binding used on selector match. This can be lightly templated using HIL ${foo} syntax. If the bind type is set to management, this should not be set.

  • -json: Output the ACL binding-rule in a JSON format.

  • -t: Format and display the ACL binding-rule using a Go template.

Examples

Create a new ACL Binding Rule:

$ nomad acl binding-rule create \
    -description "example binding rule" \
    -auth-method "auth0" \
    -bind-type "role" \
    -bind-name "eng-ro" \
    -selector "engineering in list.roles"
ID           = 698fdad6-dcb3-79dd-dc72-b43374057dea
Description  = example binding rule
Auth Method  = auth0
Selector     = "engineering in list.roles"
Bind Type    = role
Bind Name    = eng-ro
Create Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Modify Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Create Index = 14
Modify Index = 14

Create a new ACL Binding Rule where the selector needs to be escaped on UNIX machines:

$ nomad acl binding-rule create \
    -description "example binding rule" \
    -auth-method "auth0" \
    -bind-type "role" \
    -bind-name "eng-ro" \
    -selector "\"product-developer\" in list.roles"
ID           = 698fdad6-dcb3-79dd-dc72-b43374057dea
Description  = example binding rule
Auth Method  = auth0
Selector     = "\"project-developer\" in list.roles"
Bind Type    = role
Bind Name    = eng-ro
Create Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Modify Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Create Index = 14
Modify Index = 14

Create a new ACL Binding Rule where the selector needs to be escaped on Windows machines via PowerShell:

$ nomad.exe acl binding-rule create \
    -description "example binding rule" \
    -auth-method "auth0" \
    -bind-type "role" \
    -bind-name "eng-ro" \
    -selector="`"project-developer`"
ID           = 698fdad6-dcb3-79dd-dc72-b43374057dea
Description  = example binding rule
Auth Method  = auth0
Selector     = "\"project-developer\" in list.roles"
Bind Type    = role
Bind Name    = eng-ro
Create Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Modify Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Create Index = 14
Modify Index = 14

Create a new ACL Binding Rule where the selector uses a mathing against a single ClaimMapping which uses owner as its value:

$ nomad acl binding-rule create \
    -description "example binding rule" \
    -auth-method "github" \
    -bind-type "role" \
    -bind-name "eng-ro" \
    -selector="value.owner == user"
ID           = 698fdad6-dcb3-79dd-dc72-b43374057dea
Description  = example binding rule
Auth Method  = github
Selector     = "value.owner == user"
Bind Type    = role
Bind Name    = eng-ro
Create Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Modify Time  = 2022-12-20 11:15:22.582568 +0000 UTC
Create Index = 14
Modify Index = 14