Generate a quorum token using CloudHSM CLI - AWS CloudHSM

Generate a quorum token using CloudHSM CLI

Use the quorum token-sign generate command in CloudHSM CLI to generate a token for a quorum authorized service.

Each user can hold at most one active token per service on an HSM cluster; this limit applies to the user and quorum services.

Note

Only admins can generate a token for an admin service (user, quorum, or cluster).

Admin Services: Quorum authentication is used for admin privileged services like creating users, deleting users, changing user passwords, setting quorum values, and deactivating quorum and MFA capabilities.

Each service type is further broken down into service names, each of which covers a specific set of quorum-supported service operations.

Service name   Service type   Service operations
user           Admin          user create
                              user delete
                              user change-password
                              user change-mfa
quorum         Admin          quorum token-sign set-quorum-value
cluster [1]    Admin          cluster mtls register-trust-anchor
                              cluster mtls deregister-trust-anchor
                              cluster mtls set-enforcement

[1] The cluster service is available only on hsm2m.medium clusters.

User type

The following users can run this command.

  • Admin

  • Crypto user (CU)

Syntax

aws-cloudhsm > help quorum token-sign generate
Generate a token

Usage: quorum token-sign generate --service <SERVICE> --token <TOKEN>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --service <SERVICE>
          Service the token will be used for

          Possible values:
          - user:         User management service is used for executing quorum authenticated user management operations
          - quorum:       Quorum management service is used for setting quorum values for any quorum service
          - cluster:      Cluster management service is used for executing quorum for cluster wide configuration managements like mtls enforcement, mtls registration and mtls deregistration
          - registration: Registration service is used for registering a public key for quorum authentication

      --token <TOKEN>
          Filepath where the unsigned token file will be written
  -h, --help
          Print help

Example

This command writes one unsigned token per HSM in your cluster to the file specified by --token.

Example: Write one unsigned token per HSM in your cluster

aws-cloudhsm > quorum token-sign generate --service user --token /home/tfile
{
  "error_code": 0,
  "data": {
    "filepath": "/home/tfile"
  }
}

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: If multiple clusters have been configured.

<SERVICE>

Specifies the quorum authorized service for which to generate a token. This parameter is required.

Valid values

  • user: The user management service that is used for executing quorum authorized user management operations.

  • quorum: The quorum management service that is used for setting the quorum value of any quorum authorized service.

  • cluster: The cluster management service that is used for executing quorum-authorized, cluster-wide configuration management operations such as mTLS enforcement, mTLS trust anchor registration, and mTLS trust anchor deregistration.

  • registration: Generates an unsigned token for use in registering a public key for quorum authorization.

Required: Yes

<TOKEN>

Filepath where the unsigned token file will be written.

Required: Yes
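The following is an added example, not code from the AWS documentation or from the CloudHSM CLI itself. It wraps the generate command in a small Python helper that validates the service name against the four values documented above, builds the command line, and checks the JSON response for a zero error_code before returning the token file path. The binary path /opt/cloudhsm/bin/cloudhsm-cli and single-command (non-interactive) invocation are assumptions; the subprocess runner is injectable so the response handling can be exercised offline against a constructed response, which the usage section below does.

```python
import json
import subprocess
from typing import Callable, List, Optional

# Service names accepted by "quorum token-sign generate" (from the page).
QUORUM_SERVICES = ("user", "quorum", "cluster", "registration")

# Assumption: CloudHSM CLI is installed at this path and accepts the same
# subcommand in single-command mode as at the interactive aws-cloudhsm prompt.
CLOUDHSM_CLI = "/opt/cloudhsm/bin/cloudhsm-cli"


def build_generate_argv(service: str, token_path: str,
                        cluster_id: Optional[str] = None) -> List[str]:
    """Build the argv for 'quorum token-sign generate'.

    Rejects unknown service names locally so a typo never reaches the HSM.
    """
    if service not in QUORUM_SERVICES:
        raise ValueError(
            f"unknown quorum service {service!r}; expected one of {QUORUM_SERVICES}")
    if not token_path:
        raise ValueError("--token requires a file path")
    argv = [CLOUDHSM_CLI, "quorum", "token-sign", "generate",
            "--service", service, "--token", token_path]
    if cluster_id:
        # Required only when more than one cluster is configured.
        argv += ["--cluster-id", cluster_id]
    return argv


def parse_generate_response(raw: str) -> str:
    """Parse the CLI's JSON response and return the token file path.

    A non-zero error_code (for example, when the user already holds an active
    token for that service) is raised instead of silently returned.
    """
    resp = json.loads(raw)
    code = resp.get("error_code")
    if code != 0:
        raise RuntimeError(
            f"quorum token-sign generate failed: error_code={code}, response={resp}")
    return resp["data"]["filepath"]


def run_cli(argv: List[str]) -> str:
    """Default runner: invoke the real CLI and return its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout


def generate_token(service: str, token_path: str,
                   cluster_id: Optional[str] = None,
                   runner: Callable[[List[str]], str] = run_cli) -> str:
    """Generate an unsigned quorum token and return the path it was written to."""
    argv = build_generate_argv(service, token_path, cluster_id)
    return parse_generate_response(runner(argv))


# Constructed response mirroring the documented success output; used only to
# exercise the helper without an HSM.
SAMPLE_SUCCESS = '{"error_code": 0, "data": {"filepath": "/home/tfile"}}'


def fake_runner(argv: List[str]) -> str:
    """Stand-in for run_cli that returns the constructed response."""
    return SAMPLE_SUCCESS


if __name__ == "__main__":
    print(generate_token("user", "/home/tfile", runner=fake_runner))
```

With the real runner, generate_token("user", "/home/tfile") is equivalent to typing the documented command at the aws-cloudhsm prompt; pass cluster_id when your configuration file lists more than one cluster.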

Related topics