project enroll
ockam project enroll [OPTIONS] [ENROLLMENT TICKET]
The project enroll command allows you to use an enrollment ticket generated by ockam project ticket (for a Project) to enroll an Identity, on an Ockam Node, typically running on another machine, to that Project. This is a great choice for enrolling large fleets of applications, services, or machines. It is also friendly to automated provisioning scripts and tools.
When this command is run on a machine with a ticket, the following steps take place for that machine to obtain a credential. The Identity of the Ockam Node running on the machine is enrolled with the ticket's Project. That Identity receives a Project membership credential that attests to the attributes the ticket was created with. The Node can then, for example, create a Relay in the Project at an address specified in the ticket's attributes. The attributes are also used together with access control policies on other Ockam Nodes, so that only Project members whose credential carries a given attribute can communicate with those Nodes.
The ticket is plain text representing a one-time use token together with non-sensitive data about the Project, such as the route to reach it and the Project Identity Identifier, which is used to validate the Project Identity. The ticket itself can be stored in an environment variable or a file.
Ockam offers several pluggable enrollment protocols. Another option is to use Okta as an enrollment provider via --okta. This is a great choice for enrolling users without manual intervention (no need to manually provision tickets for each user). Workforce identities in Okta can be combined with application identities in Ockam for attribute-based access control of distributed applications.
Arguments

[ENROLLMENT TICKET] (optional)
    Path, URL or inlined hex-encoded enrollment ticket
Options

--identity [IDENTITY_NAME] (optional)
    Run the command as the given Identity
--project [PROJECT_NAME] (optional)
    Project name to use for the command
--authority-identity [IDENTITY] (optional)
    Hex encoded Identity
--authority-route [AUTHORITY_ROUTE] (optional)
    Address to the Authority node
--credential-scope [CREDENTIAL_SCOPE] (optional)
    Expect credential manually saved to the storage
--okta (optional)
    Use Okta instead of an enrollment ticket
--retry-count [RETRY_COUNT] (optional)
    Number of times to retry the command
--retry-delay [RETRY_DELAY] (optional)
    Delay between retries
--no-retry (optional)
    Disable retry for the command, no matter if it's enabled via arguments or environment variables
--timeout [TIMEOUT] (optional)
    Override the default timeout duration in environments where enrollment can take a long time
Examples
# 1) Use hex encoded string enrollment ticket:
# From the admin machine, generate an enrollment ticket
$ TICKET=$(ockam project ticket --attribute component=user)
# From the user machine, enroll the local identity to the project using the ticket
$ ockam project enroll $TICKET --identity control_identity
# 2) Use file enrollment ticket:
# From the admin machine, generate an enrollment ticket, save to a file
$ ockam project ticket --attribute component=user > $NAME.ticket
# From the user machine, enroll the local identity to the project using the file
$ ockam project enroll --identity control_identity $NAME.ticket
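The two examples above are the building blocks of a fleet provisioning script. The following POSIX sh wrapper is an added example, not part of the Ockam documentation: it accepts the ticket either as a file path or as the inline hex string, stages it in a mode-0600 temporary file so the one-time token never appears in the process argument list, runs `ockam project enroll` with the page's `--identity` and `--retry-count` options, and deletes the staged ticket afterwards since a used ticket has no further value. `OCKAM_BIN` is a hypothetical override used only to dry-run the wrapper without the real binary.

```shell
#!/bin/sh
# Added example: provisioning wrapper around `ockam project enroll`.
# OCKAM_BIN is an assumption of this script (defaults to the real CLI).
OCKAM_BIN="${OCKAM_BIN:-ockam}"

# Return 0 if the value looks like an inline hex-encoded ticket:
# non-empty, hex digits only, even length (whole bytes).
ticket_is_hex() {
    t="$1"
    [ -n "$t" ] || return 1
    case "$t" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#t} % 2 )) -eq 0 ]
}

# Copy the ticket (file path or inline hex) into a private temp file and
# print that path. Passing a path instead of the raw token keeps the
# one-time ticket out of argv, which other local users can read via ps.
stage_ticket() {
    src="$1"
    f=$(mktemp "${TMPDIR:-/tmp}/enroll.XXXXXX") || return 1
    chmod 600 "$f"
    if [ -f "$src" ]; then
        cat "$src" > "$f"
    elif ticket_is_hex "$src"; then
        printf '%s' "$src" > "$f"
    else
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Enroll the named Identity with the ticket, then remove the staged copy
# whether or not enrollment succeeded. Returns 2 on a malformed ticket,
# otherwise the exit status of `ockam project enroll`.
enroll_identity() {
    identity="$1"
    src="$2"
    f=$(stage_ticket "$src") || { echo "invalid enrollment ticket" >&2; return 2; }
    if "$OCKAM_BIN" project enroll --identity "$identity" --retry-count 3 "$f"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$f"
    return $rc
}
```

Invoke as `enroll_identity control_identity "$TICKET"` or `enroll_identity control_identity "$NAME.ticket"`; the ticket value itself is never echoed.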