--- layout: docs page_title: 'nomad acl auth-method create command reference' description: | The `nomad acl auth-method create` command creates new access control list (ACL) authentication methods. Set name, name format, description, OIDC or JWT type, local or global, and time to live (TTL). --- # `nomad acl auth-method create` command reference The `acl auth-method create` command is used to create new ACL Auth Methods. ## Usage ```plaintext nomad acl auth-method create [options] ``` The `acl auth-method create` command requires the correct setting of the create options via flags detailed below. ## Options - `-name`: Sets the human readable name for the ACL auth method. The name must be between 1-128 characters and is a required parameter. - `-description`: A free form text description of the auth-method that must not exceed 256 characters. - `-type`: Sets the type of the auth method. Supported types are `OIDC` and `JWT`. - `-max-token-ttl`: Sets the duration of time all tokens created by this auth method should be valid for. - `-token-locality`: Defines the kind of token that this auth method should produce. This can be either `local` or `global`. - `token-name-format`: Sets the token format for the authenticated users. This can be lightly templated using HIL '${foo}' syntax. Defaults to '${auth_method_type}-${auth_method_name}'. - `-default`: Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command. - `-config`: Auth method [configuration][] in JSON format. You may provide '-' to send the config through stdin, or prefix a file path with '@' to indicate that the config should be loaded from the file. - `-json`: Output the ACL auth-method in a JSON format. - `-t`: Format and display the ACL auth-method using a Go template. ## Examples Create a new ACL Auth Method: ```shell-session $ nomad acl auth-method create -name "example-acl-auth-method" -type "OIDC" -max-token-ttl "1h" -token-locality "local" -config "@config.json" Name = example-acl-auth-method Type = OIDC Locality = local Max Token TTL = 1h0m0s Token Name Format = ${auth_method_type}-${auth_method_name} Default = false Create Index = 14 Modify Index = 14 Auth Method Config OIDC Discovery URL = https://my-corp-app-name.auth0.com/ OIDC Client ID = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt OIDC Client Secret = example-client-secret Bound audiences = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt Allowed redirects URIs = http://localhost:4646/oidc/callback Discovery CA pem = Signing algorithms = Claim mappings = {http://example.com/first_name: first_name}; {http://example.com/last_name: last_name} List claim mappings = {http://nomad.com/groups: groups} ``` Example config file: ```json { "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", "OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt", "OIDCClientSecret": "example-client-secret", "BoundAudiences": [ "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" ], "AllowedRedirectURIs": [ "http://localhost:4646/oidc/callback" ], "ClaimMappings": { "http://example.com/first_name": "first_name", "http://example.com/last_name": "last_name" }, "ListClaimMappings": { "http://nomad.com/groups": "groups" } } ``` This example config uses a private key JWT [client assertion][] instead of a client secret. ```json { "OIDCDiscoveryURL": "https://my-keycloak-instance.com/realms/nomad", "OIDCClientID": "my-great-client-id", "OIDCClientAssertion": { "KeySource": "nomad" }, "BoundAudiences": [ "my-great-client-id" ], "AllowedRedirectURIs": [ "http://localhost:4646/oidc/callback" ], "ListClaimMappings": { "groups": "groups" } } ``` ## General options @include 'general_options_no_namespace.mdx' [configuration]: /nomad/api-docs/acl/auth-methods#config [client assertion]: /nomad/api-docs/acl/auth-methods#oidcclientassertion