Hi,
I have an issue with Nomad getting a Vault secret.
I have searched for a solution for 4h without success.
I have followed the doc to integrate Vault, but I always get some errors in the Nomad log like this:
avril 01 23:01:16 oscar nomad[539057]: * missing client token (retry attempt 6 after "8s")
avril 01 23:01:16 oscar nomad[539057]: Code: 400. Errors:
avril 01 23:01:16 oscar nomad[539057]: URL: GET http://active.vault.service.consul:8200/v1/secrets/data/p>
I have created a token role like this:
Key Value
--- -----
allowed_entity_aliases <nil>
allowed_policies []
allowed_policies_glob []
disallowed_policies [nomad-server]
disallowed_policies_glob []
explicit_max_ttl 0s
name nomad-cluster
orphan true
path_suffix n/a
period 0s
renewable true
token_explicit_max_ttl 0s
token_no_default_policy false
token_period 72h
token_type default-service
Below is the Nomad policy:
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}

# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}

# Allow looking up the token passed to Nomad to validate the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
  capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# Allow our own token to be renewed.
path "auth/token/renew-self" {
  capabilities = ["update"]
}
Here is the Nomad config:
vault {
  enabled          = true
  address          = "http://active.vault.service.consul:8200"
  create_from_role = "nomad-cluster"
  token            = ""
  namespace        = ""
  task_token_ttl   = "1h"
}
And here is my template definition:
"Templates": [
  {
    "ChangeMode": "restart",
    "ChangeSignal": "",
    "DestPath": "local/file.env",
    "EmbeddedTmpl": " WEBPASSWORD=\"{{with secret \"secrets/data/pihole\"}}{{.Data.data.WEBPASSWORD}}{{end}}\"\n",
    "Envvars": true,
    "LeftDelim": "{{",
    "Perms": "0644",
    "RightDelim": "}}",
    "SourcePath": "",
    "Splay": 5000000000,
    "VaultGrace": 0,
    "Wait": null
  }
]
I don't understand if I am missing something.
Moreover, when I start my Nomad server,
I see that token renewal works:
avril 01 21:24:04 oscar nomad[539057]: 2022-04-01T21:23:56.389+0200 [DEBUG] nomad.vault: successfully renewed server token
avril 01 21:24:04 oscar nomad[539057]: 2022-04-01T21:23:56.389+0200 [INFO] nomad.vault: successfully renewed token: next_renewal=35h59m59.999969828s
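As an added example (not from the original post), here is the same template placed inside a Nomad job spec together with the task-level vault block, which is what makes Nomad derive a task token from the nomad-cluster role before the template is rendered. The policy name pihole-read, the job layout and the Docker image are assumptions.

```hcl
# Added example, not from the original post. Assumes a Vault policy named
# "pihole-read" (hypothetical name) exists, is permitted by the "nomad-cluster"
# token role, and grants read on the KV v2 data path:
#   path "secrets/data/pihole" { capabilities = ["read"] }
job "pihole" {
  datacenters = ["dc1"]

  group "pihole" {
    task "pihole" {
      driver = "docker"

      config {
        image = "pihole/pihole:latest"  # placeholder image tag
      }

      # Without this block Nomad derives no Vault token for the task, so the
      # template renderer calls Vault with no token at all.
      vault {
        policies    = ["pihole-read"]
        change_mode = "restart"
      }

      # Same template as in the post: read the KV v2 secret and expose it as an
      # environment variable for the task.
      template {
        destination = "local/file.env"
        env         = true
        change_mode = "restart"
        data        = <<EOF
WEBPASSWORD="{{ with secret "secrets/data/pihole" }}{{ .Data.data.WEBPASSWORD }}{{ end }}"
EOF
      }
    }
  }
}
```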