project ticket


ockam project ticket [OPTIONS]

The project ticket command creates a one-time enrollment ticket with custom attributes; you must have run ockam enroll first. This is typically done only by Project administrators. How long the ticket is valid and how many times it can be redeemed are also configurable with this command. Once redeemed, the attributes in the ticket are assigned to its redeemer. The --relay argument allows the other Identity to create a Relay at the given address. The --enroller argument allows the Identity using the ticket to enroll other Identities into the Project, typically something that only administrators can do.

Once you have created a ticket with attributes for a Project, another Ockam node can later use it to enroll into that Project (using ockam project enroll).

When another Ockam node runs ockam project enroll with this ticket, the Identity of that node is enrolled: it becomes a member of the Project and receives a credential at the end of the process. The Project's Membership Authority cryptographically attests to the specific attributes the ticket was created with. As a member, it can request a credential whenever it needs one. Credentials do not live forever; they expire.

The ticket is plain text representing a one-time-use token plus non-sensitive data about the Project, such as the route to reach it and other information used to validate the Project Identity. The ticket itself can be stored in an environment variable or a file.

Options

  • --identity [IDENTITY_NAME] (optional)
    Run the command as the given Identity

  • --project [PROJECT_NAME] (optional)
    Project name to use for the command

  • --authority-identity [IDENTITY] (optional)
    Hex encoded Identity

  • --authority-route [AUTHORITY_ROUTE] (optional)
    Address to the Authority node

  • --credential-scope [CREDENTIAL_SCOPE] (optional)
    Expect a credential manually saved to the storage

  • -a, --attribute [ATTRIBUTE] (optional)
    Attributes in key=value format to be attached to the member. You can specify this option multiple times for multiple attributes

  • --expires-in [DURATION] (optional)
    Duration for which the enrollment ticket is valid; if you don't specify this, the default is 10 minutes. Examples: 10000ms, 600s, 600, 10m, 1h, 1d. If you don't specify a unit suffix, the value is assumed to be seconds

  • --usage-count [USAGE_COUNT] (optional)
    Number of times the ticket can be used to enroll; the default is 1

  • --relay [ENROLLEE_ALLOWED_RELAY_NAME] (optional)
    Name of the relay that the identity using the ticket will be allowed to create. This name is transformed into attributes to prevent collisions when creating relay names. For example: --relay foo is shorthand for --attribute ockam-relay=foo

  • --enroller (optional)
    Add the enroller role to your ticket. If you specify it, this flag is transformed into the attribute --attribute ockam-role=enroller. This role allows the Identity using the ticket to enroll other Identities into the Project, typically something that only admins can do

  • --tls (optional)
    Allows access to the TLS certificate of the Project; this flag is transformed into the attribute --attribute ockam-tls-certificate=true

  • --retry-count [RETRY_COUNT] (optional)
    Number of times to retry the command

  • --retry-delay [RETRY_DELAY] (optional)
    Delay between retries

  • --no-retry (optional)
    Disable retry for the command, regardless of whether it is enabled via arguments or environment variables

  • --hex (optional)
    Return the ticket in hex encoded format

  • --legacy (optional)
    Return the ticket using the legacy encoding format

Examples

# To generate an enrollment ticket that can be used to enroll a machine
$ ockam project ticket --attribute component=db --attribute location=sf

# To generate an enrollment ticket that can be used to enroll a machine and save it to a file
$ ockam project ticket --attribute component=db --attribute location=sf > ticket.txt
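
As an added example (not the Ockam CLI's own code), the following Python models the option semantics documented above: --expires-in duration parsing with its suffixes and seconds default, the --relay, --enroller and --tls attribute shorthands, the 10-minute and single-use defaults, and a review step listing what a ticket would grant before an administrator issues it. The review thresholds and the function names are this example's assumptions.

```python
import re

# Documented --expires-in suffixes; a bare number is taken as seconds.
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}
DEFAULT_EXPIRES_SECONDS = 10 * 60  # documented default: 10 minutes
DEFAULT_USAGE_COUNT = 1            # documented default: one redemption

def parse_duration(text: str) -> float:
    """Parse an --expires-in value (10000ms, 600s, 600, 10m, 1h, 1d) into seconds."""
    m = re.fullmatch(r"\s*(\d+)(ms|s|m|h|d)?\s*", text)
    if not m:
        raise ValueError(f"invalid duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def build_attributes(attributes=(), relay=None, enroller=False, tls=False) -> dict:
    """Expand -a key=value plus the --relay/--enroller/--tls shorthands into one attribute map."""
    attrs = {}
    for item in attributes:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"attribute must be key=value: {item!r}")
        attrs[key] = value
    if relay is not None:
        attrs["ockam-relay"] = relay             # --relay foo == --attribute ockam-relay=foo
    if enroller:
        attrs["ockam-role"] = "enroller"         # --enroller == --attribute ockam-role=enroller
    if tls:
        attrs["ockam-tls-certificate"] = "true"  # --tls == --attribute ockam-tls-certificate=true
    return attrs

def ticket_request(attributes=(), expires_in=None, usage_count=None, **shorthands) -> dict:
    """Assemble what a ticket would grant, applying the documented defaults (constructed model)."""
    return {
        "attributes": build_attributes(attributes, **shorthands),
        "expires_in_seconds": DEFAULT_EXPIRES_SECONDS if expires_in is None else parse_duration(expires_in),
        "usage_count": DEFAULT_USAGE_COUNT if usage_count is None else int(usage_count),
    }

def review(request: dict, max_seconds: float = 24 * 3600) -> list:
    """List grants an administrator should confirm before issuing; thresholds are example policy."""
    notes = []
    if request["attributes"].get("ockam-role") == "enroller":
        notes.append("grants the enroller role: redeemer can enroll further Identities")
    if request["usage_count"] > 1:
        notes.append(f"redeemable {request['usage_count']} times, not one-time")
    if request["expires_in_seconds"] > max_seconds:
        notes.append(f"valid for {request['expires_in_seconds']:.0f}s, beyond the {max_seconds:.0f}s review limit")
    return notes
```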