How to share sensitive files between tasks but hide from UI

Hi Team,

We have a TaskGroup with two or more tasks. One is responsible for generating certificates using an internal Certificate-gen client and storing them in the alloc/data directory. My other task (say Nginx) consumes these certs for TLS Termination. This setup works well, but given the sensitive nature of certs, we don’t want to display the certs/contents in the UI.

So, are there any options for sharing secrets like files between tasks in a group?


Hi @krundru, with ACLs enabled you should be able to craft ACL tokens for users without the permissions necessary for reading task directories / running commands in allocations.
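A namespace policy along the lines of the reply above, as an added example that is not part of the original thread. The `default` namespace and the policy, file and token names are assumptions.

```hcl
# dev-no-fs.policy.hcl (file and policy names are assumptions for this example)
#
# Weak variant, shown for contrast: the coarse "write" policy implies
# read-fs and alloc-exec, so token holders can browse alloc/data in the UI.
#
#   namespace "default" {
#     policy = "write"
#   }

# Restricted variant: list capabilities explicitly and leave out
# read-fs (UI file browser, `nomad alloc fs`) and
# alloc-exec (`nomad alloc exec`).
namespace "default" {
  capabilities = [
    "list-jobs",
    "read-job",
    "read-logs",
  ]
}

# Apply the policy and issue a client token bound to it:
#   nomad acl policy apply -description "Jobs and logs, no alloc FS" dev-no-fs dev-no-fs.policy.hcl
#   nomad acl token create -name "developer" -type client -policy dev-no-fs
```

`read-fs` covers the allocation filesystem as a whole, so a token built this way hides every file in the allocation, not only the certificates.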

Thanks, @seth.hoenig, for the response, but I think using ACL, we can restrict viewing all alloc files but not a specific file/folder, correct?

I definitely don’t want to hide all alloc files but only specific files like certs.

It looks like there is no option in Nomad to share sensitive files between tasks, and the secret directory is tightly coupled with HashiCorp tools :frowning:
We need to have a direct secret directory on the parent alloc, and it should be hidden from the UI/API like the task-level secret folder.

ACL can only hide the entire FS but not a specific file, and hiding the file system can result in a poor developer experience.