»Consul ACL Token Create
Command: consul acl token create
This command creates new tokens. When creating a new token, policies may be linked using
either the -policy-id or the -policy-name options. When specifying policies by IDs you
may use a unique prefix of the UUID as a shortcut for specifying the entire UUID.
»Usage
Usage: consul acl token create [options] [args]
»API Options
-
-ca-file=<value>- Path to a CA file to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CACERTenvironment variable. -
-ca-path=<value>- Path to a directory of CA certificates to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CAPATHenvironment variable. -
-client-cert=<value>- Path to a client cert file to use for TLS whenverify_incomingis enabled. This can also be specified via theCONSUL_CLIENT_CERTenvironment variable. -
-client-key=<value>- Path to a client key file to use for TLS whenverify_incomingis enabled. This can also be specified via theCONSUL_CLIENT_KEYenvironment variable. -
-http-addr=<addr>- Address of the Consul agent with the port. This can be an IP address or DNS address, but it must include the port. This can also be specified via theCONSUL_HTTP_ADDRenvironment variable. In Consul 0.8 and later, the default value is http://127.0.0.1:8500, and https can optionally be used instead. The scheme can also be set to HTTPS by setting the environment variableCONSUL_HTTP_SSL=true. This may be a unix domain socket usingunix:///path/to/socketif the agent is configured to listen that way. -
-tls-server-name=<value>- The server name to use as the SNI host when connecting via TLS. This can also be specified via theCONSUL_TLS_SERVER_NAMEenvironment variable. -
-token=<value>- ACL token to use in the request. This can also be specified via theCONSUL_HTTP_TOKENenvironment variable. If unspecified, the query will default to the token of the Consul agent at the HTTP address. -
-token-file=<value>- File containing the ACL token to use in the request instead of one specified via the-tokenargument orCONSUL_HTTP_TOKENenvironment variable. This can also be specified via theCONSUL_HTTP_TOKEN_FILEenvironment variable.
-
-datacenter=<name>- Name of the datacenter to query. If unspecified, the query will default to the datacenter of the Consul agent at the HTTP address. -
-stale- Permit any Consul server (non-leader) to respond to this request. This allows for lower latency and higher throughput, but can result in stale data. This option has no effect on non-read operations. The default value is false.
»Command Options
-
-accessor=<string>- Create the token with this Accessor ID. It must be a UUID. If not specified one will be auto-generated -
-description=<string>- A description of the token. -
-expires-ttl=<duration>- Duration of time this token should be valid for. -
-local- Create this as a datacenter local token. -
-meta- Indicates that token metadata such as the content hash and raft indices should be shown for each entry. -
-node-identity=<value>- Name of a node identity to use for this role. May be specified multiple times. Format isNODENAME:DATACENTER. Added in Consul 1.8.1. -
-policy-id=<value>- ID of a policy to use for this token. May be specified multiple times. -
-policy-name=<value>- Name of a policy to use for this token. May be specified multiple times. -
-role-id=<value>- ID of a role to use for this token. May be specified multiple times. -
-role-name=<value>- Name of a role to use for this token. May be specified multiple times. -
-service-identity=<value>- Name of a service identity to use for this token. May be specified multiple times. Format is theSERVICENAMEorSERVICENAME:DATACENTER1,DATACENTER2,... -
-secret=<string>- Create the token with this Secret ID. It must be a UUID. If not specified one will be auto-generated. Note: The SecretID is used to authorize operations against Consul and should be generated from an appropriate cryptographic source. -
-format={pretty|json}- Command output format. The default value ispretty.
»Enterprise Options
-
-namespace=<string>- Specifies the namespace to query. If not provided, the namespace will be inferred from the request's ACL token, or will default to thedefaultnamespace. Namespaces are a Consul Enterprise feature added in v1.7.0.
»Examples
Create a new token:
Create a new local token:
Create a new token and link with policies by name:
Create a new token with one service identity that expires in 15 minutes: