How to get VAULT_TOKEN in Nomad job?

I am using “legacy” Nomad vault integration for quite some time. The vault { policies = ["mypolicy"] } exports a VAULT_TOKEN for my job in Nomad, and allows using template {{ key }} templates.

I read vault Block - Job Specification | Nomad | HashiCorp Developer, vault Block - Agent Configuration | Nomad | HashiCorp Developer, Workload Identity | Nomad | HashiCorp Developer, Vault Integration | Nomad | HashiCorp Developer and the main Vault ACL | Nomad | HashiCorp Developer. The tutorial Vault integration and retrieving dynamic secrets | Nomad | HashiCorp Developer uses the “legacy way” of vault integration that I currently also use.

After reading and researching, I have no idea what is going on, thus this post.

“Workload identity” is some JSON with some data. Why (as a user of Nomad and Vault) do I have to know what is “workload identity”? Why would “workload identity” be ever used by a task with NOMAD_TOKEN_vault?

The page Workload Identity | Nomad | HashiCorp Developer redirects to Vault Integration | Nomad | HashiCorp Developer page which only mentions how to use vault for templates configuration, not how to get VAULT_TOKEN into the job. How do I make “identity vault” Nomad job specification that will generate a VAULT_TOKEN for my job with specific permission?

The migration guide Vault ACL | Nomad | HashiCorp Developer states that I can specify this identity directly in the job or redeploy the job without changes. However, I am not able to do that, because I am getting the error: Task .... has a Vault block with policies but uses workload identity to authenticate with Vault, policies will be ignored. Is the migration guide incomplete? What will be the “default”(?) permission of a vault token with ignored policies with identity?

What is “vault.io” in “aud” field in vault Block - Agent Configuration | Nomad | HashiCorp Developer configuration? Similarly, what is “consul.io” in consul identity? Are these hardcoded values or should be replaced with some real values? What does the “io” refer to? Why do I care about this field? Should I replace “aud” field with DNS-resolvable name to the Vault service, like vault.service.consul.my.domain.com? If so, what about port?

If there is default_identity in vault{} block in Nomad configuration, why is there no default cluster name in the default_identity? Should I write identity { name = "vault_default" } in every job?

Is the configuration in identity Block - Job Specification | Nomad | HashiCorp Developer enough to move from “legacy vault integration” to the workload identity? Will the configuration in the link export VAULT_TOKEN with what permissions for my job?

Finally, after integration with vault identities, will Nomad server be able to start without vault running? Can I run vault as a Nomad service?

Thank you.
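For readers comparing the two job shapes the question refers to, here is an added example (not part of the original post, and not an official HashiCorp snippet) showing the legacy vault block with policies next to a workload-identity form. The legacy form is what the post describes; in the workload-identity form the job no longer lists policies (the post quotes the warning that they are ignored), and the identity block uses the name "vault_default" and the audience "vault.io" that the post mentions. The role name "nomad-workloads", the KV path "secret/data/myapp", the Vault server address and the TTL are assumptions chosen for illustration; the actual role and audience must match what the Vault JWT auth method and the Nomad agent's vault block are configured with.

```hcl
# Legacy Nomad/Vault integration (the shape described in the post):
# Nomad uses its own Vault token to create a child token restricted
# to the listed policies and exports it to the task as VAULT_TOKEN.
job "legacy-example" {
  group "app" {
    task "web" {
      driver = "docker"

      vault {
        policies = ["mypolicy"]   # policies attached to the derived token
      }

      template {
        # "secret/data/myapp" is an assumed KV v2 path for illustration.
        data        = <<EOT
{{ with secret "secret/data/myapp" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}
EOT
        destination = "secrets/app.env"
        env         = true
      }
    }
  }
}

# Workload-identity form (assumed shape, not taken from the post):
# Nomad signs a JWT for the task; Vault's JWT auth method exchanges it
# for a token whose policies come from the Vault role, not from the job.
# The policies field is therefore absent here.
job "identity-example" {
  group "app" {
    task "web" {
      driver = "docker"

      # Name and audience match the values the post quotes from the docs.
      # "aud" is a string Vault's JWT auth method is configured to expect;
      # it is a logical audience label, not a resolvable hostname.
      identity {
        name = "vault_default"
        aud  = ["vault.io"]
        ttl  = "1h"                # assumed TTL for the signed identity
      }

      vault {
        role = "nomad-workloads"   # assumed Vault JWT auth role name
      }

      template {
        data        = <<EOT
{{ with secret "secret/data/myapp" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}
EOT
        destination = "secrets/app.env"
        env         = true
      }
    }
  }
}
```

From a security standpoint the difference that matters is where the token's permissions are decided: in the legacy form each job declares its own policies, so a job author controls the scope; in the identity form the scope is pinned by the Vault role that the JWT's audience and claims are bound to, so the job cannot widen it, which is why the policies field produces the "will be ignored" warning the post quotes.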