Execute function on vault secret inside Nomad job

I want to write the bcrypt version of a vault secret into a file via a template in a Nomad job.
A snippet from my job:

            template {
                data = <<-EOF
                working: ${bcrypt("test")}
                failing:{{ with secret "secret/environments/data/myscecret" }}{{ bcrypt(.Data.data.admin_dashboard_password) }}{{ end }}
                destination = "secrets/admin_dashboard.users"

When calling the bcrypt function (or any other function) from within double curly braces I get the message that the function is not defined. Both in the above form or with a pipeline.

Is it at all possible to do an operation on a secret or should I encrypt the password outside of the jobfile?

Hi @PeterB,

The first example bcrypt function is a HCL job specification function which means it will be executed on the local machine where the nomad job run command is triggered. It uses the ${}style syntax and will be writing the result of the function execution as a string to the job specification before the job is submitted to the Nomad API.

The failing example is using consul-template syntax and therefore is executed once the allocation has been placed on a Nomad client. These templates are opaque to Nomad and are rendered by an internal template runner that utilises consul-template. The available consul-template functions do not include a bcrypt function unfortunately, however, it would be possible to use defined functions in the way you describe.

jrasell and the Nomad team

Thanks @jrasell that makes sense.

Note: It seems that the consul-template docs are not entirely correct. They mention that I can use any function from the sprig lib (which also contains a bcrypt function :confetti_ball: ). However, the sprig_bcrypt method didn’t work. Turns out only sprig 2.22.0 is merged, which has way less functions available. Maybe the docs should link to the correct version of sprig :slightly_smiling_face: