Nomad and vault app-role

I’d like to leverage vault approles in nomad to implement zero trust, but I’m having trouble figuring out how to do this within nomad.

There doesn’t seem to be documentation on passing the role-id and secret-id to a nomad job.

Is it possible to do this? Is it on the product roadmap? How else does one implement zero trust with nomad?

There’s an old unanswered thread here: "How to use nomad to deliver Vault AppRole SecretID?"

If it’s of any help, I was able to get the non-wrapped secret id within a template stanza in a Nomad job using:

{{ with secret "auth/cicd/role/cicd-gitlab-runner/secret-id" "secret_id_num_uses=1" "secret_id_ttl=5m" }}
APPROLE_SECRET_ID={{ .Data.secret_id }}
{{ end }}

The trouble I had was specifying how to get this secret wrapped so that the job itself could unwrap and use the id. The role id in this case is packaged into the docker container used with this job.

I am still after the answers you are looking for after all this time too :smiley: so I would also be appreciative to know how to do this properly!
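The reply above wants the job to receive a wrapped SecretID and unwrap it itself. The client side of that flow, as an added example that is not code from this thread or from Nomad/Vault, is below. It assumes the AppRole mount `auth/cicd` and role `cicd-gitlab-runner` from the template snippet, a hypothetical `VAULT_ADDR`, that the job is handed a single-use response-wrapping token (hypothetical env var `APPROLE_WRAPPED_SECRET_ID`) instead of the bare SecretID, and that the role_id is baked into the container (hypothetical env var `APPROLE_ROLE_ID`) as the reply describes. The two HTTP endpoints it calls, `POST /v1/sys/wrapping/unwrap` and `POST /v1/<mount>/login`, are Vault's public API; the `FakeVault` class is a constructed stand-in so the flow runs offline.

```python
"""Client side of the wrapped AppRole SecretID flow (added example, not from the thread).

Assumptions: AppRole mount "auth/cicd", role "cicd-gitlab-runner" (from the
template snippet), a hypothetical VAULT_ADDR, and hypothetical env vars
APPROLE_ROLE_ID / APPROLE_WRAPPED_SECRET_ID delivered to the job.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict

# Transport signature: (url, headers, json body) -> parsed JSON response.
PostFn = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def urllib_post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST JSON to Vault and parse the JSON reply."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class UnwrapError(RuntimeError):
    """Raised when a wrapping token cannot be unwrapped.

    Wrapping tokens are single-use and short-lived, so a failure means the token
    expired or someone else unwrapped it first. Log the second case as a
    security event rather than retrying.
    """


def unwrap_secret_id(vault_addr: str, wrapping_token: str, post: PostFn = urllib_post) -> str:
    """Exchange a response-wrapping token for the SecretID it protects."""
    resp = post(f"{vault_addr}/v1/sys/wrapping/unwrap",
                {"X-Vault-Token": wrapping_token}, {})
    if "errors" in resp:
        raise UnwrapError(f"unwrap failed: {resp['errors']}")
    try:
        return resp["data"]["secret_id"]
    except KeyError as exc:
        raise UnwrapError("unwrapped payload did not contain a secret_id") from exc


def approle_login(vault_addr: str, mount: str, role_id: str, secret_id: str,
                  post: PostFn = urllib_post) -> str:
    """Log in with role_id + secret_id and return the issued client token."""
    resp = post(f"{vault_addr}/v1/{mount}/login", {},
                {"role_id": role_id, "secret_id": secret_id})
    if "errors" in resp:
        raise RuntimeError(f"approle login failed: {resp['errors']}")
    return resp["auth"]["client_token"]


def login_with_wrapped_secret_id(vault_addr: str, mount: str, role_id: str,
                                 wrapping_token: str, post: PostFn = urllib_post) -> str:
    """Unwrap the SecretID, then log in; the bare SecretID never leaves this process."""
    secret_id = unwrap_secret_id(vault_addr, wrapping_token, post)
    return approle_login(vault_addr, mount, role_id, secret_id, post)


class FakeVault:
    """Constructed in-memory stand-in for Vault so the flow can run offline.

    It models the two properties that matter here: a wrapping token unwraps
    exactly once, and login requires the matching role_id/secret_id pair.
    """

    def __init__(self, wrapping_token: str, secret_id: str, role_id: str) -> None:
        self.pending = {wrapping_token: secret_id}  # wrapping tokens not yet used
        self.secret_ids = {secret_id}
        self.role_id = role_id
        self.issued: list = []

    def post(self, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        if url.endswith("/v1/sys/wrapping/unwrap"):
            tok = headers.get("X-Vault-Token", "")
            if tok not in self.pending:
                return {"errors": ["wrapping token is not valid or does not exist"]}
            secret_id = self.pending.pop(tok)  # single use, like the real server
            return {"data": {"secret_id": secret_id, "secret_id_num_uses": 1}}
        if url.endswith("/v1/auth/cicd/login"):
            if body.get("role_id") == self.role_id and body.get("secret_id") in self.secret_ids:
                token = f"hvs.constructed-{len(self.issued)}"
                self.issued.append(token)
                return {"auth": {"client_token": token, "lease_duration": 3600}}
            return {"errors": ["invalid role or secret ID"]}
        return {"errors": [f"unexpected path {url}"]}


if __name__ == "__main__":
    # Real run inside the job: addresses and tokens come from the (assumed) environment.
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    client_token = login_with_wrapped_secret_id(
        addr, "auth/cicd", os.environ["APPROLE_ROLE_ID"], os.environ["APPROLE_WRAPPED_SECRET_ID"])
    print("approle login ok, token length", len(client_token))
```

The template function in the thread returns the bare SecretID; the CLI form that produces a wrapping token instead is `vault write -wrap-ttl=5m -f auth/cicd/role/cicd-gitlab-runner/secret-id`, and whatever delivers that token to the job only ever sees the wrapper, not the SecretID. Because the wrapper is single-use, an `UnwrapError` on a token the job has not touched is a detection signal that it was consumed somewhere else in transit.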