Apply existing policy to workloads by name

I’ve started experimenting with Nomad’s ACL system, and came across a discrepancy between the way policies are associated to client tokens compared to workload identities.

It appears that policies can only be associated to workloads when they are defined (i.e. I need to have the policy’s hcl), and cannot be applied to workloads after they have been defined (i.e. “by name”).

Here are the different workflows:

Policy for client token

Typically, when working with policies for client tokens, I would do the following:

  1. Once, create a policy

    nomad acl policy apply <nameofpolicy> <definition.hcl>
  2. Many times, create tokens and associate them to a policy (could also use roles, but let’s not consider that for the sake of simplicity)

    nomad acl token create -name="<nameoftoken>" -policy <nameofpolicy>

Note importantly that I don’t need <definition.hcl> to assign the policy to the client token.

Policy for workload identity

  1. Many times

    nomad acl policy apply -namespace <namespace> -job <job> <nameofpolicy> <definition.hcl>

If I omit <definition.hcl>, the command gives an error:

    This command takes two arguments: <name> and <path>
    For additional help try 'nomad acl policy apply -help'

So it appears that I need the policy definition when I want to apply it to a workload identity. (This then also raises a side-question: why does the policy need a “name” argument as well as the definition, if it is applied directly to the workload? It seems that this information is redundant if it cannot be applied later by name.)

Ideally I would like to decouple the creation of policies and the assignment to workload identities, just as can be done for regular client tokens. Can this be done? If not, why is the policy definition needed to assign it to a workload, and why can’t it be done solely based on a policy’s name?

I’m still quite new to Nomad’s ACL system, so please also let me know if what I’m trying to achieve is somehow an exotic workflow.
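As an added example (not part of the original post, and not Nomad's own tooling), the script below shows one way to get the "assign by name" workflow the question asks for: read an already-stored policy by its name, reuse its rules unchanged, and store a second copy that is bound to a workload. It assumes Nomad's ACL policy HTTP API is shaped as I recall it (GET and PUT on /v1/acl/policy/<name>, with a JSON body carrying "Name", "Description", "Rules" holding the HCL text, and "JobACL" with "Namespace", "JobID", "Group" and "Task", which is what the CLI's -namespace/-job flags populate), that policy names are 1–128 characters from [a-zA-Z0-9-], and that a Task binding needs a Group; those are assumptions, not facts from the post. SAMPLE_POLICY is a constructed document, not output from a real cluster.

```python
"""Rebind an existing Nomad ACL policy's rules to a workload identity by name.

Added example; assumes the Nomad ACL policy HTTP API shape described in
the lead-in (GET/PUT /v1/acl/policy/<name> with Rules and JobACL fields).
"""
import json
import re
import urllib.request

# Constructed sample: roughly what GET /v1/acl/policy/read-secrets is
# assumed to return for a policy that is not yet bound to any workload.
SAMPLE_POLICY = {
    "Name": "read-secrets",
    "Description": "Read-only access to variables under secrets/",
    "Rules": (
        'namespace "default" {\n'
        '  variables {\n'
        '    path "secrets/*" { capabilities = ["read"] }\n'
        '  }\n'
        '}\n'
    ),
    "JobACL": None,
}

# Assumption: Nomad accepts policy names of 1-128 chars from [a-zA-Z0-9-].
POLICY_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{1,128}$")


def workload_policy(base_policy, namespace, job, group=None, task=None, name=None):
    """Build the PUT body for a new policy that reuses base_policy's Rules
    verbatim but is bound to the given workload via JobACL.

    Policy names must be unique, so the copy defaults to
    <base>-<namespace>-<job>. The Rules text is copied, not referenced:
    later edits to the base policy do not propagate to the bound copy.
    """
    name = name or f"{base_policy['Name']}-{namespace}-{job}"
    if not POLICY_NAME_RE.match(name):
        raise ValueError(f"invalid policy name: {name!r}")
    if not base_policy.get("Rules"):
        raise ValueError("base policy carries no Rules to reuse")

    job_acl = {"Namespace": namespace, "JobID": job}
    if group:
        job_acl["Group"] = group
    if task:
        # Assumption: Nomad rejects a Task binding without a Group.
        if not group:
            raise ValueError("task binding requires a group")
        job_acl["Task"] = task

    description = f"{base_policy.get('Description', '')} (bound to {namespace}/{job})"
    return {
        "Name": name,
        "Description": description.strip(),
        "Rules": base_policy["Rules"],
        "JobACL": job_acl,
    }


def _request(method, url, token=None, body=None):
    """Minimal JSON client for the Nomad HTTP API (X-Nomad-Token header)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Nomad-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def rebind(base_name, namespace, job, addr="http://127.0.0.1:4646",
           token=None, group=None, task=None):
    """Fetch policy <base_name> and store a workload-bound copy of its rules.

    Needs a live Nomad agent and a management token; the pure builder
    above is what the offline check exercises.
    """
    base = _request("GET", f"{addr}/v1/acl/policy/{base_name}", token)
    body = workload_policy(base, namespace, job, group, task)
    _request("PUT", f"{addr}/v1/acl/policy/{body['Name']}", token, body)
    return body


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(json.dumps(workload_policy(SAMPLE_POLICY, "default", "web",
                                     group="web", task="app"), indent=2))
```

The copy-by-name approach keeps the rules text in one place you control, but each bound copy is a snapshot: if the base policy is tightened later, every derived copy has to be re-applied, so treating the base HCL as the source of truth in version control and regenerating the bound copies from it is the safer pattern.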