Skip to content
Latchkey

nomad acl token create: Mint Nomad Tokens in CI

nomad acl token create issues a new Nomad ACL token of a given type, bound to one or more policies.

CI should authenticate to Nomad with a scoped token, not the bootstrap management token. acl token create mints one limited to the policies a deploy needs.

What it does

nomad acl token create creates an ACL token. A client token is restricted to the policies you attach with -policy; a management token (-type=management) has full access and takes no policies. The output includes the Secret ID you set as NOMAD_TOKEN.

Common usage

Terminal
nomad acl token create \
  -name="ci-deploy" -type=client -policy=deploy
# short-lived token that expires automatically
nomad acl token create -name="pr-bot" -policy=deploy -ttl=1h
# emit JSON to parse out the SecretID
nomad acl token create -policy=deploy -json

Options

FlagWhat it does
-type <client|management>Token type (client tokens need policies)
-policy <name>Attach a policy by name (repeatable)
-name <text>Human-readable token name
-ttl <duration>Expire the token after this duration
-globalReplicate the token to all regions
-jsonOutput token details as JSON

In CI

Use -ttl so a leaked CI token expires on its own, and parse the SecretID from -json into NOMAD_TOKEN for later steps. Attach only the policies the deploy requires; reserve management tokens for cluster administration.

Common errors in CI

"Error creating token: ... ACL support disabled" means acl { enabled = true } is not set on the servers. "Permission denied" means the calling token is not a management token. "Cannot specify a policy for a management token" means you passed -policy with -type=management.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →