--- layout: commands page_title: 'Commands: ACL Auth Method Create' description: | The `consul acl auth-method create` command creates a new auth method according to defined parameters. --- # Consul ACL Auth Method Create Command: `consul acl auth-method create` Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/auth-method](/consul/api-docs/acl/auth-methods#create-an-auth-method) The `acl auth-method create` command creates new auth methods. The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of [blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. | ACL Required | | ------------ | | `acl:write` | ## Usage Usage: `consul acl auth-method create [options] [args]` #### Command Options - `-description=` - A description of the auth method. - `-meta` - Indicates that auth method metadata such as the raft indices should be shown for each entry. - `-name=` - The new auth method's name. This flag is required. - `-type=` - The new auth method's type. This flag is required. - `-display-name=` - An optional name to use instead of the name when displaying this auth method in a UI. Added in Consul 1.8.0. - `-max-token-ttl=` - Duration of time all tokens created by this auth method should be valid for. Added in Consul 1.8.0. - `-token-locality=` - Defines the kind of token that this auth method should produce. This can be either 'local' or 'global'. If empty the value of 'local' is assumed. Added in Consul 1.8.0. - `-config=` - The configuration for the auth method. Must be JSON. May be prefixed with '@' to indicate that the value is a file path to load the config from. '-' may also be given to indicate that the config is available on stdin. Added in Consul 1.8.0. - `-kubernetes-ca-cert=` - PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. May be prefixed with '@' to indicate that the value is a file path to load the cert from. This flag is required for `-type=kubernetes`. - `-kubernetes-host=` - Address of the Kubernetes API server. This flag is required for `-type=kubernetes`. - `-kubernetes-service-account-jwt=` - A Kubernetes service account JWT used to access the TokenReview API to validate other JWTs during login. This flag is required for `-type=kubernetes`. - `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options @include 'cli-http-api-partition-options.mdx' @include 'http_api_namespace_options.mdx' - `-namespace-rule-bind-namespace=` - Namespace to bind on match. Can use `${var}` interpolation. Added in Consul 1.8.0. - `-namespace-rule-selector=` - An expression that matches against verified identity attributes returned from the auth method during login to determine if the namespace rule applies. Added in Consul 1.8.0. #### API Options @include 'http_api_options_client.mdx' @include 'http_api_options_server.mdx' ## Examples Create a new Kubernetes auth method: ```shell-session $ consul acl auth-method create -name minikube -type kubernetes \ -description 'minikube auth method' \ -kubernetes-host 'https://192.0.2.42:8443' \ -kubernetes-ca-cert '@minikube-ca.crt' \ -kubernetes-service-account-jwt 'eyJhbGciOiJSUzI1NiIsImtpZCI...' Name: minikube Type: kubernetes Description: minikube auth method Config: { "CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n", "Host": "https://192.0.2.42:8443", "ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI..." } ```