How can I create a Vault template policy referencing Nomad job metadata?

Hi, teams I support are deploying workloads using Nomad and retrieving credentials from Vault using the Nomad Vault integration.

To simplify policy management I would like to be able to create a Vault template policy to allow services to access their own credentials from the KV store similar to the identity policy example in the policies guide.

Something like

path "secret/data/{{identity.entity.metadata.team}}/services/{{identity.entity.name}}/*" {
  capabilities = ["read", "list"]
}

And then grant team access via a team admin policy like

path "secret/data/{{identity.entity.metadata.team}}/services/+/*" {
  capabilities = ["create", "update", "patch", "read", "delete"]
}

I can’t find any information about how or if entity information is populated when Nomad generates a Vault job token. Is what I would like to do possible? Could you share some reference on what identity information is associated with the Vault token generated by Nomad, and how to associate metadata with the token?

Thank you :pray:

I did some research on this and in fact came here to post this exact question, but since you beat me to it and this post got no replies, I gather that the answer is no. Furthermore, I don’t think Vault can do this, at least as it stands today - there’s no way for Nomad to create Vault identities (since it doesn’t provide an auth engine for Vault, and since the auth/token/create endpoint doesn’t allow associating an arbitrary identity with the new token), and there’s no way today for Vault ACLs to reference token metadata, which Nomad otherwise could set.

The compromise I’ve arrived at is that each Nomad job also has a unique policy associated with it. This unfortunately means that my automation layer has to have the ability to create those policies, giving it de facto root access to Vault (since it can always create a policy with sudo access), but it works for my needs. I’d love to see this addressed in the product, though.
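As an added example (not code from this thread, from Nomad, or from Vault), here is the per-job-policy compromise above written as a small generator, covering both the per-service read policy the question asks for and the automation concern raised in the reply. It assumes a KV v2 mount at `secret/` (matching the `secret/data/...` paths in the question), a `nomad-<team>-<job>` policy naming convention, and a hypothetical `payments`/`api` team and job; all three are my assumptions. Two points it makes that the prose does not: a job or team name must be validated before it is interpolated into a policy path, otherwise a name containing Vault's `*` or `+` glob characters widens what the policy grants; and on KV v2 the `list` capability belongs on the `metadata/` path, not `data/`.

```python
"""Render one narrowly scoped Vault ACL policy per Nomad job.

Added example, not the thread's or HashiCorp's code. Assumes a KV v2 mount at
"secret" and a "nomad-<team>-<job>" policy naming convention (both assumptions).
"""
import re

# Allowed characters for a team or job name that will be interpolated into a
# Vault policy path. '*' and '+' are Vault glob characters, '/' would add path
# segments, and '.' as a leading character is rejected to avoid '..'-style
# surprises. Anything outside this set is refused rather than escaped.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")

KV_MOUNT = "secret"  # assumed KV v2 mount, matching secret/data/... in the thread


def is_safe_segment(name: str) -> bool:
    """True when `name` can be placed in a policy path without widening it."""
    return _SEGMENT.fullmatch(name) is not None


def validate_segment(name: str) -> str:
    if not is_safe_segment(name):
        raise ValueError(f"unsafe Vault path segment: {name!r}")
    return name


def policy_name(team: str, job: str) -> str:
    """Policy name the automation layer will write, e.g. nomad-payments-api."""
    return f"nomad-{validate_segment(team)}-{validate_segment(job)}"


def render_job_policy(team: str, job: str) -> str:
    """Read-only policy for a single job's own secrets.

    KV v2 serves reads from <mount>/data/... but LIST operations from
    <mount>/metadata/..., so 'list' on the data path alone does not work.
    """
    team, job = validate_segment(team), validate_segment(job)
    data = f"{KV_MOUNT}/data/{team}/services/{job}"
    meta = f"{KV_MOUNT}/metadata/{team}/services/{job}"
    return (
        f'path "{data}/*" {{\n'
        f'  capabilities = ["read"]\n'
        f"}}\n\n"
        f'path "{meta}/*" {{\n'
        f'  capabilities = ["list"]\n'
        f"}}\n"
    )


def render_automation_policy(team: str) -> str:
    """Policy for the token that writes per-job policies for one team.

    This only constrains *which policy names* the automation may write.
    Vault has no way to constrain the *contents* of a policy, so a token with
    this policy can still write a policy granting anything; that is exactly
    the 'de facto root' caveat from the reply above, and it still applies.
    """
    team = validate_segment(team)
    return (
        f'path "sys/policies/acl/nomad-{team}-*" {{\n'
        f'  capabilities = ["create", "update", "read", "delete"]\n'
        f"}}\n"
    )


def granted_paths(policy_hcl: str) -> dict:
    """Tiny checker: map each path stanza to its capability list.

    Only understands the simple path/capabilities stanzas rendered above; it
    is for asserting on generated output, not a general HCL parser.
    """
    stanza = re.compile(
        r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
    )
    out = {}
    for m in stanza.finditer(policy_hcl):
        caps = [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()]
        out[m.group(1)] = caps
    return out


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical team and job names).
    print(f"# {policy_name('payments', 'api')}")
    print(render_job_policy("payments", "api"))
    print("# automation token policy")
    print(render_automation_policy("payments"))
    # A job name carrying a glob is refused instead of rendering "services/*".
    print("safe?", is_safe_segment("api"), is_safe_segment("*"))
```

The rendered text is what you would hand to `vault policy write nomad-payments-api -` (reading the policy from stdin). The team admin policy from the question is unchanged by this; the generator only adds the per-job read policies and a bounded policy for whatever writes them.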

Hi @ddaws,

This is not currently possible, but certainly something we would be interested in looking into if possible. Would you be able to open a feature request against our repository so more engineers and community members could take a look?

Thanks,
jrasell and the Nomad team

Hey @jrasell, I’ve created an issue here:
