I am attempting to put Vault secrets in my Nomad job files according to these instructions.
Running Nomad 0.9.4 and Vault 1.1.0
I’m using token role based integration, not root token integration
So far I have
- Created the Vault policy

```hcl
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/lookup" {
  capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
path "sys/capabilities-self" {
  capabilities = ["update"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
```
- Applied the policy

```shell
vault policy write nomad-server nomad-server-policy.hcl
vault policy read nomad-server
```
- Generated the Vault token role using the blacklist (disallowed policies) strategy.

```json
{
  "disallowed_policies": "nomad-server",
  "explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": true,
  "period": 259200,
  "renewable": true
}
```

```shell
vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json
vault read /auth/token/roles/nomad-cluster
```
- Retrieved the token-role-based token

```shell
vault token create -policy nomad-server -period 72h -orphan
```

```text
Key                  Value
---                  -----
token                s.xxxxxxxxx
token_accessor       yyyyyyyy
token_duration       72h
token_renewable      true
token_policies       ["default" "nomad-server"]
identity_policies    []
policies             ["default" "nomad-server"]
```
- Added the token to my Nomad config and restarted Nomad
(This will be moved to an environment variable for security)

```hcl
vault {
  enabled          = true
  address          = "https://vault.example.com:8200"
  create_from_role = "nomad-cluster"
  token            = "s.xxxxxxxxx"
}
```
Then on the Nomad agents I enable Vault

```hcl
vault {
  enabled = true
  address = "https://vault.example.com:8200"
}
```
- Added a secret to Vault

```shell
vault write secret/foo bar=42
vault read secret/foo
```
However, when I attempt to submit a job that uses the Vault secret, I get this error.
I’ve tried several ways to get the secret:
```hcl
template {
  data = <<EOH
{{ with secret "secret/foo" }}
bar = {{ .Data.bar }}
{{ end }}
EOH
  destination = "${NOMAD_SECRETS_DIR}/foo.txt"
}

template {
  data = <<EOH
{{ with secret "foo" }}
bar = {{ .Data.bar }}
{{ end }}
EOH
  destination = "${NOMAD_SECRETS_DIR}/foo.txt"
}

template {
  data = <<EOH
{{ with secret "foo" }}
bar = {{ .Data.data.bar }}
{{ end }}
EOH
  destination = "${NOMAD_SECRETS_DIR}/foo.txt"
}
```
But I always get the error:

```text
Template Missing: vault.read(foo)
```
Do I need to make a new policy for every secret?

```hcl
vault {
  policies = ["foobar"]
}
```
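The post's last question is really about least privilege: the token a job receives carries only the policies named in its `vault { policies = [...] }` stanza, so each secret path a template reads must be covered by one of those policies. The following checker is an added example, not code from the post or from Nomad/Vault: it pulls the `secret "..."` paths out of a job's `template` stanzas and evaluates them against a Vault policy file before the job is submitted. Both the `JOB_POLICY_HCL` policy and the `JOB_HCL` fragment are constructed samples; the policy also grants `secret/data/foo`, which is the API path a KV version 2 mount would use. Policy matching is a simplified version of Vault's documented rules (exact match outranks a trailing-`*` glob, a longer glob outranks a shorter one, `+` matches one path segment, and `deny` wins), which is enough to catch a template path that no requested policy covers.

```python
"""Check that a Vault policy grants "read" on every secret path a Nomad
job's template stanzas reference (added example; simplified Vault policy
matching, assumed shapes of policy and job files as in the post)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a least-privilege policy for one job's secrets.
# "secret/foo" is the KV v1 path; "secret/data/foo" is what KV v2 uses.
JOB_POLICY_HCL = '''
path "secret/foo" {
  capabilities = ["read"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
path "secret/admin/*" {
  capabilities = ["deny"]
}
'''

# Constructed sample: the post's first template (full KV v1 path).
JOB_HCL = '''
template {
  data = <<EOH
{{ with secret "secret/foo" }}
bar = {{ .Data.bar }}
{{ end }}
EOH
  destination = "${NOMAD_SECRETS_DIR}/foo.txt"
}
'''

# One `path "..." { capabilities = [...] }` rule (assumed policy shape).
_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]', re.S)
# `{{ with secret "..." }}` or `{{ secret "..." }}` inside template data.
_SECRET_RE = re.compile(r'\{\{\s*(?:with\s+)?secret\s+"([^"]+)"')


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Map each policy path rule to its list of capabilities."""
    rules: Dict[str, List[str]] = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules[path] = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
    return rules


def template_secret_paths(job_hcl: str) -> List[str]:
    """Every Vault path the job's templates will ask consul-template to read."""
    return _SECRET_RE.findall(job_hcl)


def _rule_regex(rule: str) -> "re.Pattern[str]":
    # Trailing "*" is a prefix glob; a "+" segment matches exactly one segment.
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def _specificity(rule: str) -> Tuple[int, int]:
    # Exact rules outrank globs; among equals, the longer rule wins.
    return (0 if rule.endswith("*") else 1, len(rule))


def effective_capabilities(rules: Dict[str, List[str]], path: str) -> List[str]:
    """Capabilities of the most specific rule matching `path`, or [] if none."""
    best: Optional[str] = None
    for rule in rules:
        if _rule_regex(rule).match(path):
            if best is None or _specificity(rule) > _specificity(best):
                best = rule
    return rules[best] if best is not None else []


def can_read(rules: Dict[str, List[str]], path: str) -> bool:
    caps = effective_capabilities(rules, path)
    return "deny" not in caps and "read" in caps


def check_job(policy_hcl: str, job_hcl: str) -> Dict[str, bool]:
    """For each template secret path: True if the policy lets the job read it."""
    rules = parse_policy(policy_hcl)
    return {p: can_read(rules, p) for p in template_secret_paths(job_hcl)}


if __name__ == "__main__":
    for path, ok in check_job(JOB_POLICY_HCL, JOB_HCL).items():
        print(f"{path}: {'read allowed' if ok else 'NOT readable by this policy'}")
```

Run it against a job and a policy before `nomad job run`; a path that comes back `False` is one the job's token will not be able to read, whatever the template syntax. Note that the bare path `"foo"` from the post's second and third templates matches nothing in this policy, because `foo` is not under any mount the policy names.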