124 lines
3.9 KiB
Plaintext
Raw Normal View History

---
layout: commands
2020-04-07 14:55:19 -04:00
page_title: 'Commands: ACL Binding Rule Create'
description: |
The `consul acl binding-rule create` command creates new ACL binding rules. These rules bind auth methods to specific services or roles.
---
# Consul ACL Binding Rule Create
Command: `consul acl binding-rule create`
Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/binding-rule](/consul/api-docs/acl/binding-rules#create-a-binding-rule)
The `acl binding-rule create` command creates new binding rules.
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ------------ |
| `acl:write` |
## Usage
Usage: `consul acl binding-rule create [options] [args]`
#### Command Options
2020-04-07 14:55:19 -04:00
- `-bind-name=<string>` - Name to bind on match. Can use `${var}`
interpolation. This flag is required.
- `-bind-type=<string>` - Type of binding to perform (`"service"`, `"node"`, `"templated-policy"`, `"policy"` or `"role"`).
2020-04-07 14:55:19 -04:00
- `-description=<string>` - A description of the binding rule.
2020-04-07 14:55:19 -04:00
- `-meta` - Indicates that binding rule metadata such as the raft
indices should be shown for each entry.
2020-04-07 14:55:19 -04:00
- `-method=<string>` - The auth method's name for which this binding rule
applies. This flag is required.
2020-04-07 14:55:19 -04:00
- `-selector=<string>` - Selector is an expression that matches against
verified identity attributes returned from the auth method during login.
2020-04-07 14:55:19 -04:00
- `-format={pretty|json}` - Command output format. The default value is `pretty`.
#### Enterprise Options
@include 'http_api_partition_options.mdx'
2020-04-07 14:55:19 -04:00
@include 'http_api_namespace_options.mdx'
#### API Options
@include 'http_api_options_client.mdx'
@include 'http_api_options_server.mdx'
## Examples
Create a new binding rule that binds to a service identity:
2020-05-19 14:32:38 -04:00
```shell-session
$ consul acl binding-rule create -method 'minikube' \
-description 'wildcard service' \
-bind-type 'service' \
-bind-name 'k8s-${serviceaccount.name}' \
-selector 'serviceaccount.namespace==default and serviceaccount.name!=vault'
ID: 0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890
AuthMethod: minikube
Description: wildcard service
BindType: service
BindName: k8s-${serviceaccount.name}
Selector: serviceaccount.namespace==default and serviceaccount.name!=vault
```
Create a new binding rule that binds to a role:
2020-05-19 14:32:38 -04:00
```shell-session
$ consul acl binding-rule create -method 'minikube' \
-description 'just vault role' \
-bind-type 'role' \
-bind-name 'vault' \
-selector 'serviceaccount.namespace==default and serviceaccount.name==vault'
ID: e21ae868-7b13-a230-0235-f8e83510642c
AuthMethod: minikube
Description: just vault role
BindType: role
BindName: vault
Selector: serviceaccount.namespace==default and serviceaccount.name==vault
```
Create a new binding rule that binds to a policy:
```shell-session
$ consul acl binding-rule create -method 'nomad' \
-description 'gets policy for nomad job' \
-bind-type 'policy' \
-bind-name 'nomad-${nomad.jobname}' \
-selector 'nomad.jobname==billing-app'
ID: e21ae868-7b13-a230-0235-f8e83510642c
AuthMethod: nomad
Description: gets policy for nomad job
BindType: policy
BindName: nomad-billing-app
Selector: nomad.jobname==billing-app
```
Create a new binding rule that binds to a templated policy:
```shell-session
$ consul acl binding-rule create -method 'remote-jwks' \
-description 'gets templated policy for dns tokens' \
-bind-type 'templated-policy' \
-bind-name 'builtin/dns' \
-selector 'serviceaccount.namespace==default'
ID: eaca9aa4-8913-c8ef-ba39-bfae64f66d99
AuthMethod: remote-jwks
Description: gets templated policy for dns tokens
BindType: templated-policy
BindName: builtin/dns
Selector: serviceaccount.namespace==default
```