[roles="xpack"] [[create-enrollment-token]] == elasticsearch-create-enrollment-token The `elasticsearch-create-enrollment-token` command creates enrollment tokens for {es} nodes and {kib} instances. [discrete] === Synopsis [source,shell] ---- bin/elasticsearch-create-enrollment-token [-f, --force] [-h, --help] [-E ] [-s, --scope] [--url] ---- [discrete] === Description NOTE: `elasticsearch-create-enrollment-token` can only be used with {es} clusters that have been <>. Use this command to create enrollment tokens, which you can use to enroll new {es} nodes to an existing cluster or configure {kib} instances to communicate with an existing {es} cluster that has security features enabled. The command generates (and subsequently removes) a temporary user in the <> to run the request that creates enrollment tokens. IMPORTANT: You cannot use this tool if the file realm is disabled in your `elasticsearch.yml` file. This command uses an HTTP connection to connect to the cluster and run the user management requests. The command automatically attempts to establish the connection over HTTPS by using the `xpack.security.http.ssl` settings in the `elasticsearch.yml` file. If you do not use the default configuration directory, ensure that the `ES_PATH_CONF` environment variable returns the correct path before you run the `elasticsearch-create-enrollment-token` command. You can override settings in your `elasticsearch.yml` file by using the `-E` command option. For more information about debugging connection failures, see <>. [discrete] [[create-enrollment-token-parameters]] === Parameters `-E `:: Configures a standard {es} or {xpack} setting. `-f, --force`:: Forces the command to run against an unhealthy cluster. `-h, --help`:: Returns all of the command parameters. `-s, --scope`:: Specifies the scope of the generated token. Supported values are `node` and `kibana`. `--url`:: Specifies the base URL (hostname and port of the local node) that the tool uses to submit API requests to {es}. The default value is determined from the settings in your `elasticsearch.yml` file. If `xpack.security.http.ssl.enabled` is set to `true`, you must specify an HTTPS URL. [discrete] === Examples The following command creates an enrollment token for enrolling an {es} node into a cluster: [source,shell] ---- bin/elasticsearch-create-enrollment-token -s node ---- The following command creates an enrollment token for enrolling a {kib} instance into a cluster. The specified URL indicates where the elasticsearch-create-enrollment-token tool attempts to reach the local {es} node: [source,shell] ---- bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.0.0.3:9200" ----