nsc auth trust-relationships update

Update an existing trust relationship by ID.

nsc auth trust-relationships update modifies an existing trust relationship. You identify the relationship with its --id and provide only the flags you want to change. Fields whose flags are not set keep their current values.

Usage

nsc auth trust-relationships update --id string [--issuer string] [--subject-match string] [--audience string] [--grant string] [--default_token_duration string]

First, find the ID of the relationship you want to change:

$ nsc auth trust-relationships list
Trust Relationships:
 
ID: tr_abc123
  Issuer: https://accounts.google.com
  Subject Match: projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com

You can also copy the ID from the Trust Relationships settings page in the Namespace dashboard.

Examples

Change the subject match pattern:

$ nsc auth trust-relationships update \
  --id tr_abc123 \
  --subject-match "projects/123456789/serviceAccounts/*"

Change the issuer:

$ nsc auth trust-relationships update \
  --id tr_abc123 \
  --issuer "https://accounts.google.com"

Replace the granted permissions:

$ nsc auth trust-relationships update \
  --id tr_abc123 \
  --grant '{"resource_type":"instance","resource_id":"*","actions":["create","list","get","destroy"]}' \
  --grant '{"resource_type":"artifact","resource_id":"*","actions":["create","resolve","list"]}'

Set a default token duration:

$ nsc auth trust-relationships update \
  --id tr_abc123 \
  --default_token_duration "3600s"

Required Flags

--id string

The unique identifier of the trust relationship to update. You can find this ID by running nsc auth trust-relationships list or from the Trust Relationships settings page in the dashboard.

Optional Flags

You must provide at least one of the following flags. Only the fields you set are changed; everything else is left as-is.

--issuer string

The token issuer URL that identifies the external identity provider. See add for the list of supported issuers.

--subject-match string

Subject match pattern that defines which subjects from the issuer are trusted. Supports wildcards (*). See add for pattern examples.

--audience string

Expected audience (aud) value for the trusted tokens.

--grant stringArray (can be repeated)

Replaces all existing grants for the relationship with the permissions you provide. Each grant is a JSON object:

{"resource_type":"...","resource_id":"...","actions":["..."]}

When set, the previous grants are discarded and replaced by the new set. See Permissions for the full list of resource types and actions.

--default_token_duration string

Default validity duration for tokens issued via this relationship (e.g. 3600s).

Important Notes

  • Partial updates: Only the flags you pass are changed. Unset fields retain their current values.
  • Grants are replaced: Passing --grant overwrites the existing grants rather than appending to them.
  • Immediate effect: Updates take effect immediately for new authentications; existing sessions remain valid until they expire.
Last updated