authority create


Preview

Preview features are available for use, but are still under rapid development.

There may be some minor gaps in functionality or documentation.

Your feedback on the enhancements you'd like to see on this feature is especially valuable; please send it through at https://github.com/build-trust/ockam/discussions/new

ockam authority create [OPTIONS] --project-identifier <PROJECT_IDENTIFIER> --trusted-identities <JSON_OBJECT> [NODE_NAME]

This command starts an authority node with the needed services to issue and verify cryptographically signed credentials.

Arguments

  • [NODE_NAME] (optional)
    Name of the node

Options

  • -f, --foreground (optional)
    Run the node in foreground

  • -s, --skip-is-running-check (optional)
    Skip the check for whether such a node is already running. Useful on Kubernetes, where the PID is the same on each run

  • --child-process (optional)
    Indicates that authority create started a child process to run this node in the foreground

  • -t, --tcp-listener-address [SOCKET_ADDRESS] (optional)
    TCP listener address

  • --identity [IDENTITY_NAME] (optional)
    Name of the Identity that the authority will use

  • --project-identifier <PROJECT_IDENTIFIER>
    Identifier of the project associated with this authority node on the Orchestrator

  • --project-identity-identifier-file [PROJECT_IDENTITY_IDENTIFIER_FILE] (optional)
    Path to a file containing the identifier of the identity used by the project

  • --project-access-route [MULTI_ADDR] (optional)
    MultiAddr for accessing the project. If provided, then default project data is stored in the authority node database

  • --trusted-identities <JSON_OBJECT>
    List of the trusted identities and the corresponding attributes to be preloaded into the attributes storage. Format: {"identifier1": {"attribute1": "value1", "attribute2": "value12"}, ...}

  • --no-direct-authentication (optional)
    Set this option if the authority node should not support the enrollment of new project members

  • --no-token-enrollment (optional)
    Set this option if the authority node should not support the issuing of enrollment tokens

  • --tenant-base-url [URL] (optional)
    Okta: URL used for accessing the Okta API

  • --certificate [STRING] (optional)
    Okta: PEM certificate used to access the Okta server

  • --attributes [ATTRIBUTE_NAMES] (optional)
    Okta: names of the attributes which can be retrieved from Okta

  • --account-authority [ACCOUNT_AUTHORITY_CHANGE_HISTORY] (optional)
    Full, hex-encoded Identity (change history) of the account authority to trust for account and project administrator credentials

  • --enforce-admin-checks (optional)
    Enforce distinction between admins and enrollers

  • --disable-trust-context-id (optional)
    Do not include the trust context id and project id in the credential. TODO: set to true after old clients are updated

Examples

# Create an authority node which can be accessed by users of project 93c6455c5f
# The default node name is 'authority'.
$ ockam authority create \
    --tcp-listener-address 127.0.0.1:4200 \
    --project-identifier 93c6455c5f \
    --trusted-identities "[{\"identifier\": \"I6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94\", \"attributes\": {\"ockam-role\": \"enroller\"}}]"

# Delete an authority node
$ ockam node delete authority
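The --trusted-identities value in the example above is a JSON document squeezed through shell quoting, which is easy to get wrong and easy to corrupt when the identifier list is generated. The helper below is an added example, not part of the Ockam project or its documentation: it validates each identifier before it is preloaded into the attributes storage, serialises the array form used in the Examples section, and builds the argv as a list so the JSON travels as a single argument with no escaping. It assumes that Ockam identifiers have the shape of the one in the example (an "I" followed by 64 hex characters) and that the ockam binary is on PATH; the function and parameter names are this example's own.

```python
"""Build a well-formed `ockam authority create` invocation (added example)."""
import json
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Assumption: identifiers look like the one in the page's example.
IDENTIFIER_RE = re.compile(r"^I[0-9a-f]{64}$")


def validate_identifier(identifier: str) -> str:
    """Refuse to preload anything that is not identifier-shaped, so a typo or a
    stray value cannot silently become a trusted enroller."""
    if not IDENTIFIER_RE.fullmatch(identifier):
        raise ValueError(f"not an Ockam identifier: {identifier!r}")
    return identifier


def trusted_identities_json(members: Dict[str, Dict[str, str]]) -> str:
    """Serialise {identifier: attributes} into the JSON array form shown in the
    page's example. Sorted keys give a stable string that is easy to diff."""
    entries = [
        {"identifier": validate_identifier(ident), "attributes": dict(attrs)}
        for ident, attrs in sorted(members.items())
    ]
    return json.dumps(entries, separators=(",", ":"), sort_keys=True)


def authority_create_argv(project_identifier: str,
                          members: Dict[str, Dict[str, str]],
                          listener: str = "127.0.0.1:4200",
                          node_name: Optional[str] = None,
                          no_direct_authentication: bool = False,
                          no_token_enrollment: bool = False) -> List[str]:
    """Return argv as a list: the JSON is one argument, so no shell escaping."""
    argv = ["ockam", "authority", "create",
            "--tcp-listener-address", listener,
            "--project-identifier", project_identifier,
            "--trusted-identities", trusted_identities_json(members)]
    if no_direct_authentication:
        argv.append("--no-direct-authentication")
    if no_token_enrollment:
        argv.append("--no-token-enrollment")
    if node_name:
        argv.append(node_name)
    return argv


if __name__ == "__main__":
    # Constructed sample: the enroller identifier from the page's example.
    members = {"I6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94":
               {"ockam-role": "enroller"}}
    argv = authority_create_argv("93c6455c5f", members, node_name="authority")
    print(" ".join(shlex.quote(a) for a in argv))  # equivalent shell command line
    subprocess.run(argv, check=True)                # needs the ockam CLI on PATH
```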