Basic configuration revolves around 4 settings:
- The store to read JWTs from
- The HTTP/S configuration
- NATS (for cases where updates are enabled)
You can start a server using a plain directory. In this case you'll be responsible for adding any JWT that you want resolved.
The server looks for account JWTs by using the public key of the account as the file name followed by the extension
.jwt. The server will not introspect the JWTs, so if you don't name the files correctly, it will fail to find them or serve a JWT that doesn't match the requested account.
nats-account-server -dir /tmp/jwts
2019/05/10 11:33:40.501305 [INF] starting NATS Account server, version 0.0-dev
2019/05/10 11:33:40.501383 [INF] server time is Fri May 10 11:33:40 CDT 2019
2019/05/10 11:33:40.501404 [INF] creating a store at /tmp/jwts
2019/05/10 11:33:40.501430 [INF] NATS is not configured, server will not fire notifications on update
2019/05/10 11:33:40.510273 [INF] http listening on port 9090
2019/05/10 11:33:40.510283 [INF] nats-account-server is running
2019/05/10 11:33:40.510285 [INF] configure the nats-server with:
2019/05/10 11:33:40.510291 [INF] resolver: URL(http://localhost:9090/jwt/v1/accounts/)
Configuration for the NATS server is the same as in the previous example:
-dirstore flag is sufficient for some very simple developer setups, any production or non-read-only server will require a configuration file.
Let's take a look at the configuration options:
The path to an operator JWT. Required for non-read-only servers. Only JWTs signed by the operator (or one of it's signing keys) are accepted.
Path to an Account JWT that should be returned as the system account.
URL for the primary,
Timeout, in milliseconds, used by the replica when talking to the primary, defaults to
Configures a directory as a store.
Interface to listen for requests on.
Port to listen for requests on.
Max amount of time in milliseconds to wait for a http read operation to complete.
Max amount of time in milliseconds to wait for a http write operation to complete.
List of NATS servers for the account server to use when connecting to a NATS server to publish updates.
Max amount of time in milliseconds to wait for a NATS connection.
Amount of time in milliseconds to between NATS server reconnect attempts.
A credentials creds file for connecting to the NATS server. Account must be a member of a system account.
filepath to the CA certificate.
filepath to the certificate.
filepath to the certificate key.
Provided a setup with 4 accounts, one of them a system account, this example shows how to set up the account server by:
- adding the account server to the operator
- configuring the account server
- push the accounts to the account server
- configure a
nats-serverto make use of the account server
- test the setup
Set environment variables
Run setup script that creates a few sample accounts and a system account
curl -sSL https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh
List all accounts
nsc list accounts
│ Accounts │
│ Name │ Public Key │
│ A │ AA6LOQIZRKEAC5FUGLMZHAXERZRQFAFQOO7YC6ZMQ325BYUAEPDUEIV5 │
│ B │ ACPD2M7QFV33HPPY563PI7C664LXG2YVWXQBB6EAHDXZR7EK7L52AWUG │
│ STAN │ ABD4DPO745A5U2JKPWCI7LFGW4UCTN5LPUXDA5BCMXEYWLCU7J346NGU │
│ SYS │ AB25DCM6BL5SDWYR45F65MSVOVXATN64AZXGI7IGS3IXBPWWDB4FIR2H │
Add the endpoint for the account server to which accounts can be published
nsc edit operator --account-jwt-server-url http://localhost:9090/jwt/v1/ --service-url nats://localhost:4222
Generate account server config that references the operator jwt
' > nats-account-server.conf
Start the account server
nats-account-server -c nats-account-server.conf &
Upload the local accounts in the nsc directory structure
nsc push -A
Generate the NATS Server config that points to the account server
' > nats-server.conf
Start the NATS Server in trusted operator mode
nats-server -c nats-server.conf &
Try to subscribe on account without permissions, this should fail
nats sub -creds nsc/nkeys/creds/KO/A/test.creds foo
nats: Permissions Violation for Subscription to "foo"
Subscribe then publish to subject should work on 'test' since enough permissions
nats sub -creds nsc/nkeys/creds/KO/A/test.creds test &
Published message on 'test' subject would be received by started subscriber above
nats pub -creds nsc/nkeys/creds/KO/A/test.creds test foo &
Subscribe using the system account user credentials can receive all system events
nats sub -creds nsc/nkeys/creds/KO/SYS/sys.creds '>'