HCP Vault and Nomad Tokens

I’m running HCP Vault and Consul but my question is specifically with Vault and Nomad integration.

I want to use Vault to generate Nomad tokens. I’m following the guide here, Generate Nomad Tokens with HashiCorp Vault | Nomad - HashiCorp Learn, to set up Vault.

Since Vault is unaware of my Consul DNS configuration and doesn’t have the ability to trust Nomad’s TLS certificates, is it a lost cause to expect full integration between Nomad and HCP Vault right now?

I would be using HCP Nomad if it existed; however, I’m now knee-deep in a deployment model with no way to fully use Vault for this situation. Does anyone have any thoughts as to what I can do here, outside of just disabling ACLs (which breaks down our entire zero-trust security model)?

A big downside of Vault not using Consul’s DNS is trying to keep track of the IP endpoints of the Nomad server(s). We use a golden-image deploy model, so we terminate replaced nodes and bring up new, freshly configured nodes; the IPs change all of the time. This is the main reason we use Consul, but Vault cannot support it in HCP.

One thing I did think of is to generate a few ACL tokens for the roles I need and store them in a Vault KV store. This will work for the time being, but we lose the ability to rotate our credentials automatically with vault-agent.

Thanks for your time.
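The KV-store workaround the post describes, written out as an added shell example that is not part of the original thread or of any HashiCorp guide. It mints one Nomad client token per ACL policy with the `nomad` CLI, stores it in Vault KV v2 with the `vault` CLI, and rotates it by minting the replacement before deleting the old accessor, so a consumer reading the KV path never sees a dead token. The KV mount `secret`, the path prefix `nomad/tokens` and the token name prefix `vault-kv-` are hypothetical; it assumes `NOMAD_ADDR`/`NOMAD_TOKEN` (a management token) and `VAULT_ADDR`/`VAULT_TOKEN` are already exported for the two CLIs.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: mint one Nomad ACL token per
# policy, store it in Vault KV v2, and rotate it by minting a replacement
# before deleting the old one.
# Assumptions (hypothetical names): KV v2 mount "secret", path prefix
# "nomad/tokens"; NOMAD_ADDR/NOMAD_TOKEN and VAULT_ADDR/VAULT_TOKEN exported.
# Usage: . ./nomad-kv-tokens.sh && rotate_policy_token ro
set -eu

KV_MOUNT="${KV_MOUNT:-secret}"          # assumed KV v2 mount
KV_PREFIX="${KV_PREFIX:-nomad/tokens}"  # assumed path prefix under the mount

# Map a policy name to its KV path; refuse names that could escape the prefix.
kv_path_for() {
  policy="$1"
  case "$policy" in
    ""|*[!A-Za-z0-9_-]*) echo "kv_path_for: bad policy name '$policy'" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$KV_MOUNT" "$KV_PREFIX" "$policy"
}

# Create a client token bound to one policy. Prints "<accessor> <secret>" on one
# line, parsed from the CLI's "Accessor ID = ..." and "Secret ID = ..." rows.
mint_nomad_token() {
  policy="$1"
  nomad acl token create -type=client -policy="$policy" -name="vault-kv-$policy" \
    | awk -F'= *' '/^Accessor ID/ {a=$2} /^Secret ID/ {s=$2} END {print a, s}'
}

# Overwrite the KV entry for a policy with the new token; prints the KV path.
store_token() {
  policy="$1"; accessor="$2"; secret="$3"
  path="$(kv_path_for "$policy")"
  vault kv put "$path" secret_id="$secret" accessor_id="$accessor" policy="$policy" >/dev/null
  echo "$path"
}

# Accessor currently recorded in KV for a policy (empty if nothing stored yet).
stored_accessor() {
  vault kv get -field=accessor_id "$(kv_path_for "$1")" 2>/dev/null || true
}

# Rotate one policy's token: mint new, publish it, then delete the old accessor.
# Prints the new accessor so a caller can verify the swap.
rotate_policy_token() {
  policy="$1"
  old="$(stored_accessor "$policy")"
  set -- $(mint_nomad_token "$policy")
  [ $# -eq 2 ] || { echo "rotate_policy_token: could not parse token for '$policy'" >&2; return 1; }
  accessor="$1"; secret="$2"
  store_token "$policy" "$accessor" "$secret" >/dev/null
  if [ -n "$old" ] && [ "$old" != "$accessor" ]; then
    nomad acl token delete "$old" >/dev/null
  fi
  echo "$accessor"
}
```

Run `rotate_policy_token <policy>` from a scheduled job for each policy; consumers read `secret/nomad/tokens/<policy>` through a vault-agent template as usual. The order matters: the new secret is written to KV before the old accessor is deleted, and the accessor is stored alongside the secret so the next rotation knows what to revoke without keeping state elsewhere.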