How should I manage the vault token for nomad?

When following the guides to use Nomad Workload Identities with Vault, it has us create a token and use that token as an environment variable when starting up the service.

It seems the token is able to be renewed and go beyond the initial expiration. However, if I restart the service it tries to use the original, and now expired, token. Then it starts to get errors. So then… what is the best way to manage this token? Is there a way to write out the most recently renewed token to a file so it can be reloaded upon a restart? Or some other way?

Hi @nathanpalmer,

I think the mentioned VAULT_TOKEN is only required to run the CLI commands against the Vault server (e.g., to set up the JWT auth backend).

I just set up the workload identities in my home lab (no Nomad ACL) and can assure you no such token is required for running the Nomad process. Also, the root token from the tutorial does not need renewal, unless you restart the Vault dev server.

Do you want to share the specific error message you struggled with?

Best,
Andreas
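As an added example that is not part of any post in this thread, the Nomad agent `vault` block below relies on workload identity only, shown beside the legacy form that needed a long-lived agent token; the Vault address, JWT mount path and audience are assumed placeholders that must match your own Vault setup.

```hcl
# Legacy integration: the Nomad agent itself held a Vault token (here or via
# the VAULT_TOKEN environment variable). A restart reuses whatever value was
# configured, so a token that was renewed at runtime and has since expired
# on disk fails as soon as the agent comes back up.
# vault {
#   enabled = true
#   address = "https://vault.example.internal:8200"   # assumed address
#   token   = "hvs.PLACEHOLDER"                        # placeholder, never commit real tokens
# }

# Workload-identity integration (Nomad 1.7+): no agent-level token at all.
# Each task receives a short-lived Nomad-signed JWT that Vault's JWT auth
# backend exchanges for a task-scoped Vault token, so nothing long-lived has
# to be persisted or renewed by hand.
vault {
  enabled = true
  address = "https://vault.example.internal:8200"   # assumed address

  # Must match the mount path used when enabling the JWT auth method in Vault
  # (assumed here to be `vault auth enable -path=jwt-nomad jwt`).
  jwt_auth_backend_path = "jwt-nomad"

  # Identity Nomad mints for every task that declares a `vault {}` block.
  default_identity {
    aud = ["vault.io"]   # assumed; must be in the JWT role's bound_audiences
    ttl = "1h"           # Nomad re-signs the identity before expiry
  }
}
```

With this in place, the only Vault token ever used is the one a human supplies to the Vault CLI during initial setup; the running Nomad agent holds none.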

Alright, thanks, that’s possibly working for me. No real errors so far. I’m testing on a single machine before I start removing the vault token from others. So the real test will be once I do that.


I spent half the day moving all my vault secrets into the proposed {namespace}/{job} format and then restarting all servers and clients. So far everything seems to be loading fine without the vault token that I was previously using. So this might have done it.
