nomad acl token create: Mint Nomad Tokens in CI
nomad acl token create issues a new Nomad ACL token of a given type, bound to one or more policies.
CI should authenticate to Nomad with a scoped token, not the bootstrap management token. acl token create mints one limited to the policies a deploy needs.
What it does
nomad acl token create creates an ACL token. A client token is restricted to the policies you attach with -policy; a management token (-type=management) has full access and takes no policies. The output includes the Secret ID you set as NOMAD_TOKEN.
Common usage
nomad acl token create \
-name="ci-deploy" -type=client -policy=deploy
# short-lived token that expires automatically
nomad acl token create -name="pr-bot" -policy=deploy -ttl=1h
# emit JSON to parse out the SecretID
nomad acl token create -policy=deploy -jsonOptions
| Flag | What it does |
|---|---|
| -type <client|management> | Token type (client tokens need policies) |
| -policy <name> | Attach a policy by name (repeatable) |
| -name <text> | Human-readable token name |
| -ttl <duration> | Expire the token after this duration |
| -global | Replicate the token to all regions |
| -json | Output token details as JSON |
In CI
Use -ttl so a leaked CI token expires on its own, and parse the SecretID from -json into NOMAD_TOKEN for later steps. Attach only the policies the deploy requires; reserve management tokens for cluster administration.
Common errors in CI
"Error creating token: ... ACL support disabled" means acl { enabled = true } is not set on the servers. "Permission denied" means the calling token is not a management token. "Cannot specify a policy for a management token" means you passed -policy with -type=management.