kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-10 20:35:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
26e16febad01cc7d78fac93694de5a07ca5c4267
nomad/website/content/docs/commands/acl/auth-method/create.mdx
Aimee Ukasick 23fd87d9c9 Docs: Commands section move "General options" to page bottom (#26001) 
* sectionless files plus acl section

* alloc section

* config, deployment sections

* job section

* licence, namespace

* node, node-pool

* operator

* plugin, quota, recommendation

* scaling, sentinel, server, service, system, var, volume

* Add "ENT" label to left nav for enterprise commands

* job tag break into separate folder and files; update options header
2025-06-12 14:31:38 -05:00

131 lines
4.0 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: 'nomad acl auth-method create command reference'
description: |
The `nomad acl auth-method create` command creates new access control list (ACL) authentication methods. Set name, name format, description, OIDC or JWT type, local or global, and time to live (TTL).
---
# `nomad acl auth-method create` command reference
The `acl auth-method create` command is used to create new ACL Auth Methods.
## Usage
```plaintext
nomad acl auth-method create [options]
```
The `acl auth-method create` command requires the correct setting of the create options
via flags detailed below.
## Options
- `-name`: Sets the human readable name for the ACL auth method. The name must
be between 1-128 characters and is a required parameter.
- `-description`: A free form text description of the auth-method that must not exceed
256 characters.
- `-type`: Sets the type of the auth method. Supported types are `OIDC` and `JWT`.
- `-max-token-ttl`: Sets the duration of time all tokens created by this auth
method should be valid for.
- `-token-locality`: Defines the kind of token that this auth method should
produce. This can be either `local` or `global`.
- `token-name-format`: Sets the token format for the authenticated users.
This can be lightly templated using HIL '${foo}' syntax. Defaults to
'${auth_method_type}-${auth_method_name}'.
- `-default`: Specifies whether this auth method should be treated as a default
one in case no auth method is explicitly specified for a login command.
- `-config`: Auth method [configuration][] in JSON format. You may provide '-'
to send the config through stdin, or prefix a file path with '@' to indicate
that the config should be loaded from the file.
- `-json`: Output the ACL auth-method in a JSON format.
- `-t`: Format and display the ACL auth-method using a Go template.
## Examples
Create a new ACL Auth Method:
```shell-session
$ nomad acl auth-method create -name "example-acl-auth-method" -type "OIDC" -max-token-ttl "1h" -token-locality "local" -config "@config.json"
Name = example-acl-auth-method
Type = OIDC
Locality = local
Max Token TTL = 1h0m0s
Token Name Format = ${auth_method_type}-${auth_method_name}
Default = false
Create Index = 14
Modify Index = 14
Auth Method Config
OIDC Discovery URL = https://my-corp-app-name.auth0.com/
OIDC Client ID = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt
OIDC Client Secret = example-client-secret
Bound audiences = V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt
Allowed redirects URIs = http://localhost:4646/oidc/callback
Discovery CA pem = <none>
Signing algorithms = <none>
Claim mappings = {http://example.com/first_name: first_name}; {http://example.com/last_name: last_name}
List claim mappings = {http://nomad.com/groups: groups}
```
Example config file:
```json
{
"OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/",
"OIDCClientID": "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt",
"OIDCClientSecret": "example-client-secret",
"BoundAudiences": [
"V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
],
"AllowedRedirectURIs": [
"http://localhost:4646/oidc/callback"
],
"ClaimMappings": {
"http://example.com/first_name": "first_name",
"http://example.com/last_name": "last_name"
},
"ListClaimMappings": {
"http://nomad.com/groups": "groups"
}
}
```
This example config uses a private key JWT [client assertion][]
instead of a client secret.
```json
{
"OIDCDiscoveryURL": "https://my-keycloak-instance.com/realms/nomad",
"OIDCClientID": "my-great-client-id",
"OIDCClientAssertion": {
"KeySource": "nomad"
},
"BoundAudiences": [
"my-great-client-id"
],
"AllowedRedirectURIs": [
"http://localhost:4646/oidc/callback"
],
"ListClaimMappings": {
"groups": "groups"
}
}
```
## General options
@include 'general_options_no_namespace.mdx'
[configuration]: /nomad/api-docs/acl/auth-methods#config
[client assertion]: /nomad/api-docs/acl/auth-methods#oidcclientassertion
Reference in New Issue View Git Blame Copy Permalink