# chainctl iam identities update

URL: https://edu.chainguard.dev/chainguard/chainctl/chainctl-docs/chainctl_iam_identities_update.md
Last Modified: April 30, 2026
Tags: chainctl, Reference, Product

Update an identity

```
chainctl iam identities update IDENTITY_NAME | IDENTITY_ID [--description=DESC] [--identity-issuer=ISS | --identity-issuer-pattern=PAT] [--subject=SUB | --subject-pattern=PAT] [--audience=AUD | --audience-pattern=PAT] [--claim-pattern=claim:pattern,claim:pattern...] [--issuer-keys=KEYS] [--expiration=yyyy-mm-dd] [--output=id|json|table] [flags]
```

## Examples

```
# Update the issuer of an identity.
chainctl iam identities update my-identity --identity-issuer=https://new-issuer.mycompany.com

# Update the subject to a pattern and update the audience of an identity.
chainctl iam identities update my-identity --subject-pattern="^\d{4}$" --audience=some-audience
```

## Options

```
      --audience string                  The audience of the identity (optional).
      --audience-pattern string          A pattern to match the audience of the identity (optional).
      --claim-pattern stringArray        A comma-separated list of claim:pattern pairs of custom claims to match for this identity.
      --description string               A description of the identity (optional).
      --expiration string                The time when the issuer_keys will expire. Defaults to / Maximum of 30 days after creation time (yyyy-mm-dd).
      --identity-issuer string           The issuer of the identity.
      --identity-issuer-pattern string   A pattern to match the issuer of the identity.
      --issuer-keys string               JWKS-formatted public keys for the issuer.
      --subject string                   The subject of the identity.
      --subject-pattern string           A pattern to match the subject of the identity.
  -y, --yes                              Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively.
```

## Options inherited from parent commands

```
      --api string         The url of the Chainguard platform API. (default "https://console-api.enforce.dev")
      --config string      A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly.
      --console string     The url of the Chainguard platform Console. (default "https://console.chainguard.dev")
      --force-color        Force color output even when stdout is not a TTY.
  -h, --help               Help for chainctl
      --issuer string      The url of the Chainguard STS endpoint. (default "https://issuer.enforce.dev")
      --log-level string   Set the log level (debug, info) (default "ERROR")
  -o, --output string      Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide]
  -v, --v int              Set the log verbosity level.
```

## SEE ALSO

* chainctl iam identities - Identity management.
