github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/website/content/api-docs/acl/tokens.mdx (about) 1 --- 2 layout: api 3 page_title: ACL Tokens - HTTP API 4 description: The /acl/token/ endpoints are used to configure and manage ACL tokens. 5 --- 6 7 # ACL Tokens HTTP API 8 9 The `/acl/bootstrap`, `/acl/tokens`, and `/acl/token/` endpoints are used to manage ACL tokens. 10 For more details about ACLs, please see the [ACL Guide](https://learn.hashicorp.com/collections/nomad/access-control). 11 12 ## Bootstrap Token 13 14 This endpoint is used to bootstrap the ACL system and provide the initial management token. 15 An operator created token can be provided in the body of the request to bootstrap the cluster 16 if required. If no header is provided the cluster will return a generated management token. 17 The provided token should be presented in a UUID format. 18 This request is always forwarded to the authoritative region. It can only be invoked once 19 until a [bootstrap reset](https://learn.hashicorp.com/tutorials/nomad/access-control-bootstrap#re-bootstrap-acl-system) is performed. 20 21 | Method | Path | Produces | 22 | ------ | ---------------- | ------------------ | 23 | `POST` | `/acl/bootstrap` | `application/json` | 24 25 The table below shows this endpoint's support for 26 [blocking queries](/api-docs#blocking-queries) and 27 [required ACLs](/api-docs#acls). 28 29 | Blocking Queries | ACL Required | 30 | ---------------- | ------------ | 31 | `NO` | `none` | 32 33 ### Sample Request 34 35 ```shell-session 36 $ curl \ 37 --request POST \ 38 https://localhost:4646/v1/acl/bootstrap 39 ``` 40 41 ### Sample Response 42 43 ```json 44 { 45 "AccessorID": "b780e702-98ce-521f-2e5f-c6b87de05b24", 46 "SecretID": "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe", 47 "Name": "Bootstrap Token", 48 "Type": "management", 49 "Policies": null, 50 "Global": true, 51 "CreateTime": "2017-08-23T22:47:14.695408057Z", 52 "CreateIndex": 7, 53 "ModifyIndex": 7 54 } 55 ``` 56 57 ### Sample Operator Payload 58 59 ```json 60 { 61 "BootstrapSecret": "2b778dd9-f5f1-6f29-b4b4-9a5fa948757a" 62 } 63 ``` 64 65 ### Sample Request With Operator Token 66 67 ```shell-session 68 $ curl \ 69 --request POST \ 70 --data @root-token.json \ 71 https://localhost:4646/v1/acl/bootstrap 72 ``` 73 74 ### Sample Response With Operator Token 75 76 ```json 77 { 78 "AccessorID": "b780e702-98ce-521f-2e5f-c6b87de05b24", 79 "SecretID": "2b778dd9-f5f1-6f29-b4b4-9a5fa948757a", 80 "Name": "Bootstrap Token", 81 "Type": "management", 82 "Policies": null, 83 "Global": true, 84 "CreateTime": "2017-08-23T22:47:14.695408057Z", 85 "CreateIndex": 7, 86 "ModifyIndex": 7 87 } 88 ``` 89 90 ## List Tokens 91 92 This endpoint lists all ACL tokens. This lists the local tokens and the global 93 tokens which have been replicated to the region, and may lag behind the authoritative region. 94 95 | Method | Path | Produces | 96 | ------ | ------------- | ------------------ | 97 | `GET` | `/acl/tokens` | `application/json` | 98 99 The table below shows this endpoint's support for 100 [blocking queries](/api-docs#blocking-queries), [consistency modes](/api-docs#consistency-modes) and 101 [required ACLs](/api-docs#acls). 102 103 | Blocking Queries | Consistency Modes | ACL Required | 104 | ---------------- | ----------------- | ------------ | 105 | `YES` | `all` | `management` | 106 107 ### Parameters 108 109 - `global` `(bool: false)` - If true, only return ACL tokens that are 110 replicated globally to all regions. 111 112 - `prefix` `(string: "")` - Specifies a string to filter ACL tokens based on an 113 accessor ID prefix. Because the value is decoded to bytes, the prefix must 114 have an even number of hexadecimal characters (0-9a-f). This is specified as 115 a query string parameter. 116 117 - `next_token` `(string: "")` - This endpoint supports paging. The `next_token` 118 parameter accepts a string which identifies the next expected ACL token. This 119 value can be obtained from the `X-Nomad-NextToken` header from the previous 120 response. 121 122 - `per_page` `(int: 0)` - Specifies a maximum number of ACL tokens to return 123 for this request. If omitted, the response is not paginated. The value of the 124 `X-Nomad-NextToken` header of the last response can be used as the 125 `next_token` of the next request to fetch additional pages. 126 127 - `filter` `(string: "")` - Specifies the [expression](/api-docs#filtering) 128 used to filter the results. Consider using pagination or a query parameter to 129 reduce resource used to serve the request. 130 131 - `reverse` `(bool: false)` - Specifies the list of returned ACL tokens should 132 be sorted in the reverse order. By default ACL tokens are returned sorted in 133 chronological order (older ACL tokens first), or in lexicographical order by 134 their ID if the `prefix` or `global` query parameters are used. 135 136 ### Sample Request 137 138 ```shell-session 139 $ curl \ 140 https://localhost:4646/v1/acl/tokens 141 ``` 142 143 ```shell-session 144 $ curl \ 145 --request POST \ 146 https://localhost:4646/v1/acl/tokens?prefix=3da2ed52 147 ``` 148 149 ### Sample Response 150 151 ```json 152 [ 153 { 154 "AccessorID": "b780e702-98ce-521f-2e5f-c6b87de05b24", 155 "Name": "Bootstrap Token", 156 "Type": "management", 157 "Policies": null, 158 "Global": true, 159 "CreateTime": "2017-08-23T22:47:14.695408057Z", 160 "CreateIndex": 7, 161 "ModifyIndex": 7 162 } 163 ] 164 ``` 165 166 ## Create Token 167 168 This endpoint creates an ACL Token. If the token is a global token, the request 169 is forwarded to the authoritative region. 170 171 | Method | Path | Produces | 172 | ------ | ------------ | ------------------ | 173 | `POST` | `/acl/token` | `application/json` | 174 175 The table below shows this endpoint's support for 176 [blocking queries](/api-docs#blocking-queries) and 177 [required ACLs](/api-docs#acls). 178 179 | Blocking Queries | ACL Required | 180 | ---------------- | ------------ | 181 | `NO` | `management` | 182 183 ### Parameters 184 185 - `Name` `(string: <optional>)` - Specifies the human-readable name of the token. 186 187 - `Type` `(string: <required>)` - Specifies the type of token. Must be either 188 `client` or `management`. 189 190 - `Policies` `(array<string>: <required>)` - Must be null or blank for 191 `management` type tokens, otherwise must specify at least one policy for 192 `client` type tokens. 193 194 - `Global` `(bool: <optional>)` - If true, indicates this token should be 195 replicated globally to all regions. Otherwise, this token is created local to 196 the target region. 197 198 - `ExpirationTime` `(time: "")` - If set, this represents the point after which 199 a token should be considered revoked and is eligible for destruction. The 200 default unset value represents NO expiration. 201 202 - `ExpirationTTL` `(duration: 0s)` - This is a convenience field and if set will 203 initialize the `ExpirationTime` field to a value of `CreateTime` + 204 `ExpirationTTL`. 205 206 ### Sample Payload 207 208 ```json 209 { 210 "Name": "Readonly token", 211 "Type": "client", 212 "Policies": ["readonly"], 213 "Global": false 214 } 215 ``` 216 217 ### Sample Request 218 219 ```shell-session 220 $ curl \ 221 --request POST \ 222 --data @payload.json \ 223 https://localhost:4646/v1/acl/token 224 ``` 225 226 ### Sample Response 227 228 ```json 229 { 230 "AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429", 231 "SecretID": "8176afd3-772d-0b71-8f85-7fa5d903e9d4", 232 "Name": "Readonly token", 233 "Type": "client", 234 "Policies": ["readonly"], 235 "Global": false, 236 "CreateTime": "2017-08-23T23:25:41.429154233Z", 237 "CreateIndex": 52, 238 "ModifyIndex": 52 239 } 240 ``` 241 242 ## Update Token 243 244 This endpoint updates an existing ACL Token. If the token is a global token, the request 245 is forwarded to the authoritative region. Note that a token cannot be switched from global 246 to local or visa versa. 247 248 | Method | Path | Produces | 249 | ------ | ------------------------- | ------------------ | 250 | `POST` | `/acl/token/:accessor_id` | `application/json` | 251 252 The table below shows this endpoint's support for 253 [blocking queries](/api-docs#blocking-queries) and 254 [required ACLs](/api-docs#acls). 255 256 | Blocking Queries | ACL Required | 257 | ---------------- | ------------ | 258 | `NO` | `management` | 259 260 ### Parameters 261 262 - `AccessorID` `(string: <required>)` - Specifies the token (by accessor) that is being updated. Must match payload body and request path. 263 264 - `Name` `(string: <optional>)` - Specifies the human readable name of the token. 265 266 - `Type` `(string: <required>)` - Specifies the type of token. Must be either `client` or `management`. 267 268 - `Policies` `(array<string>: <required>)` - Must be null or blank for `management` type tokens, otherwise must specify at least one policy for `client` type tokens. 269 270 ### Sample Payload 271 272 ```json 273 { 274 "AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429", 275 "Name": "Read-write token", 276 "Type": "client", 277 "Policies": ["readwrite"] 278 } 279 ``` 280 281 ### Sample Request 282 283 ```shell-session 284 $ curl \ 285 --request POST \ 286 --data @payload.json \ 287 https://localhost:4646/v1/acl/token/aa534e09-6a07-0a45-2295-a7f77063d429 288 ``` 289 290 ### Sample Response 291 292 ```json 293 { 294 "AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429", 295 "SecretID": "8176afd3-772d-0b71-8f85-7fa5d903e9d4", 296 "Name": "Read-write token", 297 "Type": "client", 298 "Policies": ["readwrite"], 299 "Global": false, 300 "CreateTime": "2017-08-23T23:25:41.429154233Z", 301 "CreateIndex": 52, 302 "ModifyIndex": 64 303 } 304 ``` 305 306 ## Read Token 307 308 This endpoint reads an ACL token with the given accessor. If the token is a global token 309 which has been replicated to the region it may lag behind the authoritative region. 310 311 | Method | Path | Produces | 312 | ------ | ------------------------- | ------------------ | 313 | `GET` | `/acl/token/:accessor_id` | `application/json` | 314 315 The table below shows this endpoint's support for 316 [blocking queries](/api-docs#blocking-queries), [consistency modes](/api-docs#consistency-modes) and 317 [required ACLs](/api-docs#acls). 318 319 | Blocking Queries | Consistency Modes | ACL Required | 320 | ---------------- | ----------------- | -------------------------------------------------- | 321 | `YES` | `all` | `management` or a SecretID matching the AccessorID | 322 323 ### Sample Request 324 325 ```shell-session 326 $ curl \ 327 https://localhost:4646/v1/acl/token/aa534e09-6a07-0a45-2295-a7f77063d429 328 ``` 329 330 ### Sample Response 331 332 ```json 333 { 334 "AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429", 335 "SecretID": "8176afd3-772d-0b71-8f85-7fa5d903e9d4", 336 "Name": "Read-write token", 337 "Type": "client", 338 "Policies": ["readwrite"], 339 "Global": false, 340 "CreateTime": "2017-08-23T23:25:41.429154233Z", 341 "CreateIndex": 52, 342 "ModifyIndex": 64 343 } 344 ``` 345 346 ## Read Self Token 347 348 This endpoint reads the ACL token given by the passed SecretID. If the token is a global token 349 which has been replicated to the region it may lag behind the authoritative region. 350 351 | Method | Path | Produces | 352 | ------ | ----------------- | ------------------ | 353 | `GET` | `/acl/token/self` | `application/json` | 354 355 The table below shows this endpoint's support for 356 [blocking queries](/api-docs#blocking-queries), [consistency modes](/api-docs#consistency-modes) and 357 [required ACLs](/api-docs#acls). 358 359 | Blocking Queries | Consistency Modes | ACL Required | 360 | ---------------- | ----------------- | ------------------- | 361 | `YES` | `all` | Any valid ACL token | 362 363 ### Sample Request 364 365 ```shell-session 366 $ curl \ 367 --header "X-Nomad-Token: 8176afd3-772d-0b71-8f85-7fa5d903e9d4" \ 368 https://localhost:4646/v1/acl/token/self 369 ``` 370 371 ### Sample Response 372 373 ```json 374 { 375 "AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429", 376 "SecretID": "8176afd3-772d-0b71-8f85-7fa5d903e9d4", 377 "Name": "Read-write token", 378 "Type": "client", 379 "Policies": ["readwrite"], 380 "Global": false, 381 "CreateTime": "2017-08-23T23:25:41.429154233Z", 382 "CreateIndex": 52, 383 "ModifyIndex": 64 384 } 385 ``` 386 387 ## Delete Token 388 389 This endpoint deletes the ACL token by accessor. This request is forwarded to the 390 authoritative region for global tokens. 391 392 | Method | Path | Produces | 393 | -------- | ------------------------- | -------------- | 394 | `DELETE` | `/acl/token/:accessor_id` | `(empty body)` | 395 396 The table below shows this endpoint's support for 397 [blocking queries](/api-docs#blocking-queries) and 398 [required ACLs](/api-docs#acls). 399 400 | Blocking Queries | ACL Required | 401 | ---------------- | ------------ | 402 | `NO` | `management` | 403 404 ### Parameters 405 406 - `accessor_id` `(string: <required>)` - Specifies the ACL token accessor ID. 407 408 ### Sample Request 409 410 ```shell-session 411 $ curl \ 412 --request DELETE \ 413 https://localhost:4646/v1/acl/token/aa534e09-6a07-0a45-2295-a7f77063d429 414 ``` 415 416 ## Upsert One-Time Token 417 418 This endpoint creates a one-time token for the ACL token provided in the 419 `X-Nomad-Token` header. Returns 403 if the token header is not set. 420 421 | Method | Path | Produces | 422 | ------ | -------------------- | ------------------ | 423 | `POST` | `/acl/token/onetime` | `application/json` | 424 425 The table below shows this endpoint's support for 426 [blocking queries](/api-docs#blocking-queries) and 427 [required ACLs](/api-docs#acls). 428 429 | Blocking Queries | ACL Required | 430 | ---------------- | ------------ | 431 | `NO` | `any` | 432 433 ### Sample Request 434 435 ```shell-session 436 $ curl \ 437 --request POST \ 438 -H "X-Nomad-Token: aa534e09-6a07-0a45-2295-a7f77063d429" \ 439 https://localhost:4646/v1/acl/token/onetime 440 ``` 441 442 ### Sample Response 443 444 ```json 445 { 446 "Index": 15, 447 "OneTimeToken": { 448 "AccessorID": "b780e702-98ce-521f-2e5f-c6b87de05b24", 449 "CreateIndex": 7, 450 "ExpiresAt": "2017-08-23T22:47:14.695408057Z", 451 "ModifyIndex": 7, 452 "OneTimeSecretID": "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe" 453 } 454 } 455 ``` 456 457 ## Exchange One-Time Token 458 459 This endpoint exchanges a one-time token for the original ACL token used to 460 create it. 461 462 | Method | Path | Produces | 463 | ------ | ----------------------------- | ------------------ | 464 | `POST` | `/acl/token/onetime/exchange` | `application/json` | 465 466 The table below shows this endpoint's support for 467 [blocking queries](/api-docs#blocking-queries) and 468 [required ACLs](/api-docs#acls). 469 470 | Blocking Queries | ACL Required | 471 | ---------------- | ------------ | 472 | `NO` | `any` | 473 474 ### Sample Request 475 476 ```shell-session 477 $ curl \ 478 --request POST \ 479 -d '{ "OneTimeSecretID": "aa534e09-6a07-0a45-2295-a7f77063d429" } \ 480 https://localhost:4646/v1/acl/token/onetime/exchange 481 ``` 482 483 ### Sample Response 484 485 ```json 486 { 487 "Index": 17, 488 "Token": { 489 "AccessorID": "b780e702-98ce-521f-2e5f-c6b87de05b24", 490 "CreateIndex": 7, 491 "CreateTime": "2017-08-23T22:47:14.695408057Z", 492 "Global": true, 493 "Hash": "UhZESkSFGFfX7eBgq5Uwph30OctbUbpe8+dlH2i4whA=", 494 "ModifyIndex": 7, 495 "Name": "Developer token", 496 "Policies": ["developer"], 497 "SecretID": "3f4a0fcd-7c42-773c-25db-2d31ba0c05fe", 498 "Type": "client" 499 } 500 } 501 ```