authority create


[Preview]

ockam authority create [OPTIONS] --project-identifier <PROJECT_IDENTIFIER> --trusted-identities <JSON_OBJECT>

This command starts an authority node with the needed services to issue and verify cryptographically signed credentials.

Options

  • -f, --foreground (optional)
    Run the node in foreground

  • -s, --skip-is-running-check (optional)
    Skip the check that such a node is already running. Useful for Kubernetes, where the pid is the same on each run

  • --child-process (optional)
    'authority create' started a child process to run this node in the foreground

  • -t, --tcp-listener-address [SOCKET_ADDRESS] (optional)
    TCP listener address

  • --identity [IDENTITY_NAME] (optional)
    Name of the Identity that the authority will use

  • --project-identifier <PROJECT_IDENTIFIER>
    Identifier of the project associated to this authority node on the Orchestrator

  • --project-identity-identifier-file [PROJECT_IDENTITY_IDENTIFIER_FILE] (optional)
    Path to a file containing the identifier of the identity used by the project

  • --project-access-route [MULTI_ADDR] (optional)
    MultiAddr for accessing the project. If provided, the default project data is stored in the authority node database

  • --trusted-identities <JSON_OBJECT>
    List of the trusted identities, and the corresponding attributes to be preloaded into the attributes storage. Format: {"identifier1": {"attribute1": "value1", "attribute2": "value12"}, ...}

  • --no-direct-authentication (optional)
    Set this option if the authority node should not support the enrollment of new project members

  • --no-token-enrollment (optional)
    Set this option if the authority node should not support the issuing of enrollment tokens

  • --tenant-base-url [URL] (optional)
    Okta: URL used for accessing the Okta API

  • --certificate [STRING] (optional)
    Okta: pem certificate used to access the Okta server

  • --attributes [ATTRIBUTE_NAMES] (optional)
    Okta: name of the attributes which can be retrieved from Okta

  • --account-authority [ACCOUNT_AUTHORITY_CHANGE_HISTORY] (optional)
    Full, hex-encoded Identity (change history) of the account authority to trust for account and project administrator credentials

  • --enforce-admin-checks (optional)
    Enforce distinction between admins and enrollers

  • --disable-trust-context-id (optional)
    Do not include the trust context id and project id in the credential. TODO: set to true after old clients are updated

  • --tcp-callback-port [TCP_CALLBACK_PORT] (optional)
    Port that a node should connect to when it's up and running, as a way to signal the parent process

Examples:

# Create an authority node which can be accessed by users of project 93c6455c5f
# The default node name is 'authority'.
$ ockam authority create \
    --tcp-listener-address 127.0.0.1:4200 \
    --project-identifier 93c6455c5f \
    --trusted-identities "[{\"identifier\": \"I6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94\", \"attributes\": {\"ockam-role\": \"enroller\"}}]"

# Delete an authority node
$ ockam node delete authority

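A helper, added here as an example and not part of Ockam or this manual, that builds the --trusted-identities value in the array form the example above uses and emits the argv for 'ockam authority create' so the JSON never needs hand-escaping. It assumes identifiers have the shape seen in the example (an 'I' followed by 64 hex digits); the names trusted_identities_json, authority_create_argv and authority_create_command are the example's own.

```python
import json
import re
import shlex

# Identifier shape assumed from the page's example (an 'I' followed by 64 hex
# digits); adjust the pattern if your identities use a different encoding.
IDENTIFIER_RE = re.compile(r"^I[0-9a-f]{64}$")


def trusted_identities_json(identities):
    """Serialise {identifier: {attribute: value}} into the array form the page's
    example passes to --trusted-identities."""
    entries = []
    for identifier, attributes in identities.items():
        if not IDENTIFIER_RE.match(identifier):
            raise ValueError(f"malformed identifier: {identifier!r}")
        if not attributes:
            # An identity with no attributes would be trusted but carry no role.
            raise ValueError(f"no attributes given for {identifier}")
        entries.append({"identifier": identifier, "attributes": dict(attributes)})
    return json.dumps(entries, separators=(",", ":"))


def authority_create_argv(project_id, identities, listener="127.0.0.1:4200",
                          extra_flags=()):
    """argv for 'ockam authority create'; passing it to subprocess.run (not a
    shell) hands the JSON over as one argument with no manual escaping."""
    if not project_id:
        raise ValueError("project identifier is required")
    return ["ockam", "authority", "create",
            "--tcp-listener-address", listener,
            "--project-identifier", project_id,
            "--trusted-identities", trusted_identities_json(identities),
            *extra_flags]


def authority_create_command(*args, **kwargs):
    """Same command as a single, correctly quoted shell line."""
    return shlex.join(authority_create_argv(*args, **kwargs))


if __name__ == "__main__":
    # Constructed sample: the enroller identity from the page's example.
    enroller = "I6c20e814b56579306f55c64e8747e6c1b4a53d9a3f4ca83c252cc2fbfc72fa94"
    print(authority_create_command("93c6455c5f", {enroller: {"ockam-role": "enroller"}},
                                   extra_flags=["--no-token-enrollment"]))
```
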
Learn More:

Use 'ockam <SUBCOMMAND> --help' for more information about a subcommand.
Where <SUBCOMMAND> might be: 'node', 'status', 'enroll', etc.
Learn more about Command: https://command.ockam.io/manual/
Learn more about Ockam: https://docs.ockam.io/reference/command

Feedback:

If you have questions as you explore, join us on the contributors' Discord channel: https://discord.ockam.io