authority create


Preview

Preview features are available for use, but are still under rapid development.

There may be some minor gaps in functionality or documentation.

Your feedback on the enhancements you'd like to see on this feature is especially valuable; please send it through at https://github.com/build-trust/ockam/discussions/new

ockam authority create [OPTIONS] --project-identifier <PROJECT_IDENTIFIER> <--trusted-identities <JSON_OBJECT>|--reload-from-trusted-identities-file <PATH>> [NODE_NAME]

This command starts an authority node with the needed services to issue and verify cryptographically signed credentials.

Arguments

  • [NODE_NAME] (optional)
    Name of the node

Options

  • --project-identifier <PROJECT_IDENTIFIER>
    Identifier of the project associated with this authority node on the Orchestrator

  • -t, --tcp-listener-address [SOCKET_ADDRESS] (optional)
    TCP listener address

  • --child-process (optional)
    Set when `authority create` has started a child process to run this node in the foreground

  • --no-direct-authentication (optional)
    Set this option if the authority node should not support the enrollment of new project members

  • --no-token-enrollment (optional)
    Set this option if the authority node should not support the issuing of enrollment tokens

  • --trusted-identities [JSON_OBJECT] (optional)
    List of the trusted identities, and the corresponding attributes to be preloaded into the attributes storage. Format: {"identifier1": {"attribute1": "value1", "attribute2": "value12"}, ...}

  • --reload-from-trusted-identities-file [PATH] (optional)
    Path of a file containing trusted identities and their attributes encoded as a JSON object. Format: {"identifier1": {"attribute1": "value1", "attribute2": "value12"}, ...}

  • --tenant-base-url [URL] (optional)
    Okta: URL used for accessing the Okta API

  • --certificate [STRING] (optional)
    Okta: PEM certificate used to access the Okta server

  • --attributes [ATTRIBUTE_NAMES] (optional)
    Okta: names of the attributes which can be retrieved from Okta

  • -f, --foreground (optional)
    Run the node in the foreground

  • --vault [VAULT_NAME] (optional)
    Vault that authority will use

  • --identity [IDENTITY_NAME] (optional)
    Name of the Identity that the authority will use

Examples

# Create an authority node which can be accessed by users of project 93c6455c5f
# The default node name is 'authority'.
$ ockam authority create \
    --tcp-listener-address 127.0.0.1:4200 \
    --project-identifier 93c6455c5f \
    --trusted-identities "[{\"identifier\": \"P6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94\", \"attributes\": {\"ockam-role\": \"enroller\"}}]"

# Create an authority node which can be accessed by users of project 93c6455c5f
# Trusted identities come from a file which is always reloaded when searching for an identity attribute
$ ockam authority create \
    --tcp-listener-address 127.0.0.1:4200 \
    --project-identifier 93c6455c5f \
    --reload-from-trusted-identities-file trust-anchors.json

# Delete an authority node
$ ockam node delete authority
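The option descriptions above give the trusted-identities format as a JSON object keyed by identifier, while the first example passes a JSON array of `{"identifier": ..., "attributes": {...}}` objects. The helper below is an added example, not code from ockam or its documentation: it accepts either shape, rejects malformed or duplicate entries, reports which identities carry the `ockam-role: enroller` attribute used in the example above (since those are the identities permitted to enroll new members), and writes the object form to a file for use with `--reload-from-trusted-identities-file`. The identifier shape it checks (a `P` followed by 64 hex characters) is taken from the page's example and is an assumption, as are the sample identities and the function names.

```python
import json
import re

# Identifier shape observed in the page's example: "P" + 64 hex characters.
# This is an assumption taken from that example, not a verified ockam rule.
IDENTIFIER_RE = re.compile(r"^P[0-9a-f]{64}$")

# Attribute name and value used in the page's example to mark an enroller.
ENROLLER_ATTR = "ockam-role"
ENROLLER_VALUE = "enroller"


def normalize_trusted_identities(raw):
    """Return {identifier: {attribute: value}} from either shape the page shows.

    Shape A (option description): {"identifier1": {"attribute1": "value1"}, ...}
    Shape B (page example):       [{"identifier": "...", "attributes": {...}}, ...]
    Raises ValueError on anything that is not a flat, well-formed trust list.
    """
    if isinstance(raw, dict):
        entries = list(raw.items())
    elif isinstance(raw, list):
        entries = []
        for item in raw:
            if not isinstance(item, dict) or "identifier" not in item:
                raise ValueError(f"list entry must carry an 'identifier' key: {item!r}")
            entries.append((item["identifier"], item.get("attributes", {})))
    else:
        raise ValueError("trusted identities must be a JSON object or a JSON array")

    result = {}
    for identifier, attributes in entries:
        if not isinstance(identifier, str) or not IDENTIFIER_RE.match(identifier):
            raise ValueError(f"malformed identifier: {identifier!r}")
        if identifier in result:
            raise ValueError(f"duplicate identifier: {identifier}")
        if not isinstance(attributes, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in attributes.items()
        ):
            raise ValueError(f"attributes for {identifier} must be a flat string-to-string map")
        result[identifier] = dict(attributes)
    return result


def enrollers(trusted):
    """Sorted identifiers that carry the enroller role attribute."""
    return sorted(i for i, a in trusted.items() if a.get(ENROLLER_ATTR) == ENROLLER_VALUE)


def write_trust_anchors(trusted, path):
    """Write the object form, which matches the documented file format."""
    with open(path, "w") as f:
        json.dump(trusted, f, indent=2, sort_keys=True)


# Constructed sample input: the identifier from the page's example plus a
# second, made-up identifier that is not an enroller.
EXAMPLE_ID = "P6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94"
MEMBER_ID = "P" + "ab" * 32  # constructed placeholder, not a real identity

SAMPLE_LIST_FORM = [
    {"identifier": EXAMPLE_ID, "attributes": {ENROLLER_ATTR: ENROLLER_VALUE}},
    {"identifier": MEMBER_ID, "attributes": {"team": "blue"}},
]
SAMPLE_OBJECT_FORM = {
    EXAMPLE_ID: {ENROLLER_ATTR: ENROLLER_VALUE},
    MEMBER_ID: {"team": "blue"},
}

if __name__ == "__main__":
    trusted = normalize_trusted_identities(SAMPLE_LIST_FORM)
    print("enrollers:", enrollers(trusted))
    write_trust_anchors(trusted, "trust-anchors.json")
```

Running the script writes `trust-anchors.json` in the object form from the option description, so it can be passed to `--reload-from-trusted-identities-file`; because that file is reloaded on every attribute lookup, validating it before every change is the cheap way to avoid an authority that silently trusts a mistyped identifier or grants the enroller role more widely than intended.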