--- layout: commands page_title: 'Commands: ACL Binding Rule Create' description: | The `consul acl binding-rule create` command creates new ACL binding rules. These rules bind auth methods to specific services or roles. --- # Consul ACL Binding Rule Create Command: `consul acl binding-rule create` Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/binding-rule](/consul/api-docs/acl/binding-rules#create-a-binding-rule) The `acl binding-rule create` command creates new binding rules. The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of [blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. | ACL Required | | ------------ | | `acl:write` | ## Usage Usage: `consul acl binding-rule create [options] [args]` #### Command Options - `-bind-name=` - Name to bind on match. Can use `${var}` interpolation. This flag is required. - `-bind-type=` - Type of binding to perform (`"service"`, `"node"`, `"templated-policy"`, `"policy"` or `"role"`). - `-description=` - A description of the binding rule. - `-meta` - Indicates that binding rule metadata such as the raft indices should be shown for each entry. - `-method=` - The auth method's name for which this binding rule applies. This flag is required. - `-selector=` - Selector is an expression that matches against verified identity attributes returned from the auth method during login. - `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options @include 'cli-http-api-partition-options.mdx' @include 'http_api_namespace_options.mdx' #### API Options @include 'http_api_options_client.mdx' @include 'http_api_options_server.mdx' ## Examples Create a new binding rule that binds to a service identity: ```shell-session $ consul acl binding-rule create -method 'minikube' \ -description 'wildcard service' \ -bind-type 'service' \ -bind-name 'k8s-${serviceaccount.name}' \ -selector 'serviceaccount.namespace==default and serviceaccount.name!=vault' ID: 0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890 AuthMethod: minikube Description: wildcard service BindType: service BindName: k8s-${serviceaccount.name} Selector: serviceaccount.namespace==default and serviceaccount.name!=vault ``` Create a new binding rule that binds to a role: ```shell-session $ consul acl binding-rule create -method 'minikube' \ -description 'just vault role' \ -bind-type 'role' \ -bind-name 'vault' \ -selector 'serviceaccount.namespace==default and serviceaccount.name==vault' ID: e21ae868-7b13-a230-0235-f8e83510642c AuthMethod: minikube Description: just vault role BindType: role BindName: vault Selector: serviceaccount.namespace==default and serviceaccount.name==vault ``` Create a new binding rule that binds to a policy: ```shell-session $ consul acl binding-rule create -method 'nomad' \ -description 'gets policy for nomad job' \ -bind-type 'policy' \ -bind-name 'nomad-${nomad.jobname}' \ -selector 'nomad.jobname==billing-app' ID: e21ae868-7b13-a230-0235-f8e83510642c AuthMethod: nomad Description: gets policy for nomad job BindType: policy BindName: nomad-billing-app Selector: nomad.jobname==billing-app ``` Create a new binding rule that binds to a templated policy: ```shell-session $ consul acl binding-rule create -method 'remote-jwks' \ -description 'gets templated policy for dns tokens' \ -bind-type 'templated-policy' \ -bind-name 'builtin/dns' \ -selector 'serviceaccount.namespace==default' ID: eaca9aa4-8913-c8ef-ba39-bfae64f66d99 AuthMethod: remote-jwks Description: gets templated policy for dns tokens BindType: templated-policy BindName: builtin/dns Selector: serviceaccount.namespace==default ```