--- title: elasticsearch-create-enrollment-token description: The elasticsearch-create-enrollment-token command creates enrollment tokens for Elasticsearch nodes and Kibana instances. Use this command to create enrollment... url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/elasticsearch/command-line-tools/create-enrollment-token products: - Elasticsearch applies_to: - Self-managed Elastic deployments: Generally available --- # elasticsearch-create-enrollment-token The `elasticsearch-create-enrollment-token` command creates enrollment tokens for Elasticsearch nodes and Kibana instances. ## Synopsis ```shell bin/elasticsearch-create-enrollment-token [-f, --force] [-h, --help] [-E ] [-s, --scope] [--url] ``` ## Description `elasticsearch-create-enrollment-token` can only be used with Elasticsearch clusters that have been [auto-configured for security](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/deploy-manage/deploy/self-managed/installing-elasticsearch). Use this command to create enrollment tokens, which you can use to enroll new Elasticsearch nodes to an existing cluster or configure Kibana instances to communicate with an existing Elasticsearch cluster that has security features enabled. The command generates (and subsequently removes) a temporary user in the [file realm](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/deploy-manage/users-roles/cluster-or-deployment-auth/file-based) to run the request that creates enrollment tokens. You cannot use this tool if the file realm is disabled in your `elasticsearch.yml` file. This command uses an HTTP connection to connect to the cluster and run the user management requests. The command automatically attempts to establish the connection over HTTPS by using the `xpack.security.http.ssl` settings in the `elasticsearch.yml` file. If you do not use the default configuration directory, ensure that the `ES_PATH_CONF` environment variable returns the correct path before you run the `elasticsearch-create-enrollment-token` command. You can override settings in your `elasticsearch.yml` file by using the `-E` command option. For more information about debugging connection failures, see [Setup-passwords command fails due to connection failure](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/troubleshoot/elasticsearch/security/trb-security-setup). ## Parameters Configures a standard Elasticsearch or X-Pack setting. Forces the command to run against an unhealthy cluster. Returns all of the command parameters. Specifies the scope of the generated token. Supported values are `node` and `kibana`. Specifies the base URL (hostname and port of the local node) that the tool uses to submit API requests to Elasticsearch. The default value is determined from the settings in your `elasticsearch.yml` file. If `xpack.security.http.ssl.enabled` is set to `true`, you must specify an HTTPS URL. ## Examples The following command creates an enrollment token for enrolling an Elasticsearch node into a cluster: ```shell bin/elasticsearch-create-enrollment-token -s node ``` The following command creates an enrollment token for enrolling a Kibana instance into a cluster. The specified URL indicates where the elasticsearch-create-enrollment-token tool attempts to reach the local Elasticsearch node: ```shell bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.0.0.3:9200" ```