Nomad unable to get vault token

spuder · August 1, 2019, 9:34pm

I attempting to put vault secrets in my nomad job files according to these instructions.

Running Nomad 0.9.4 and Vault 1.1.0

I’m using token role based integration, not root token integration

So far I have

Created vault policy

path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/lookup" {
  capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
path "sys/capabilities-self" {
  capabilities = ["update"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}

Applied the policy

vault policy write nomad-server nomad-server-policy.hcl
vault policy read nomad-server

Generated the vault token role using the blacklist (disallowed policies) strategy.

{
  "disallowed_policies": "nomad-server",
  "explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": true,
  "period": 259200,
  "renewable": true
}

vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json
vault read /auth/token/roles/nomad-cluster

Retrieve the token role based token

vault token create -policy nomad-server -period 72h -orphan

Key                  Value
---                  -----
token                s.xxxxxxxxx
token_accessor       yyyyyyyy
token_duration       72h
token_renewable      true
token_policies       ["default" "nomad-server"]
identity_policies    []
policies             ["default" "nomad-server"]

Add the token to my nomad config and restart nomad
(This will be moved to an environment variable for security)

vault {
  enabled = true
  address = 'https://vault.example.com:8200'
  create_from_role = nomad-cluster
  token = 's.xxxxxxxxx'
}

Then on the nomad agents I enable vault

vault {
  enabled = true
  address = 'https://vault.example.com:8200'
}

Add a secret to vault

vault write secret/foo bar=42
vault read secret/foo

However when I attempt to submit a job that uses the vault secret, I get this error

I’ve tried several ways to get the secret

template {
        data = <<EOH
        {{ with secret "secret/foo" }}
        bar = {{ .Data.bar}}
        {{end}}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/foo.txt"
      }

template {
        data = <<EOH
        {{ with secret "foo" }}
        bar = {{ .Data.bar}}
        {{end}}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/foo.txt"
      }

template {
        data = <<EOH
        {{ with secret "foo" }}
        bar = {{ .Data.data.bar}}
        {{end}}
        EOH
        destination = "${NOMAD_SECRETS_DIR}/foo.txt"
      }

But I always get the error

	Template	Missing: vault.read(foo)

Do I need to make a new policy for every secret?

  vault {
    policies = ["foobar"]
  }

spuder · August 7, 2019, 5:05pm

I got it to work by creating a role and policy for every app that needs to store secrets. I’m not positive if this is the best workflow.

path "secret/foobar" {
  capabilities = ["read"]
}

resource "vault_token_auth_backend_role" "foobar" {
  role_name = "foobar"
  allowed_policies = ["foobar"]
  explicit_max_ttl = 0
  orphan = true
  period = 259200
  renewable = true
}

teutat3s · February 6, 2020, 1:26pm

Hello, I’m looking at this guide, too - I guess for the blacklist approach you’d just need to have any policy that’s not blacklisted that allows read on that path.
So you should not need to create that "foobar" role, but the policy has to be created if no other policy exists that gives read capability to "secret/foobar"

That’s how I understood it, please someone correct me if I’m wrong.

spuder · April 25, 2020, 5:05am

I ended up switching to the blacklist approach

vault read auth/token/roles/nomad-cluster
Key                       Value
---                       -----
allowed_entity_aliases    <nil>
allowed_policies          []
disallowed_policies       [nomad-server]
explicit_max_ttl          0s
name                      nomad-cluster
orphan                    true
path_suffix               n/a
period                    72h
renewable                 true
token_explicit_max_ttl    0s
token_period              72h
token_type                default-service

I’m not quite positive what change fixed it, but I suspect it was this change the the vault policy

Before

path "secret/data/foo/*" {
  capabilities = ["read"]
}

After

path "secret/data/foo" {
  capabilities = ["read"]
}

Wolfsrudel · April 25, 2020, 7:59am

Your “before” policy is for every secret in the path of foo (so foo is like a directory). Your “after” policy is for the secret foo (like a file).
The default policy is to deny, so if you can read everything under foo you cannot read the secret foo at all.

Confusing explanation.

Topic		Replies	Views
Problem getting vault secrets in a Nomad job Vault vault , nomad-release	18	6788	January 31, 2022
Nomad missing vault client token Nomad	3	747	April 2, 2022
How to get VAULT_TOKEN in Nomad job? Nomad vault , consul-vault , consul	0	159	April 24, 2024
Secrets from Vault (Missing: vault.read(secrets/xxxxx)) Nomad vault	2	147	November 25, 2024
Trying to set up vault for secret management in cluster already running nomad an consult Nomad vault	0	296	August 16, 2022

Nomad unable to get vault token

Related topics