Nomad Vault Integration

Hi,

I am trying to inject secrets from Vault into my Nomad task via template.

While I have had success with this template -

template {
  data = <<EOH
    {{ with secret "aws/data/s3" }}
      SECRET1 = {{ .Data.data.secret1 }}
      SECRET2 = {{ .Data.data.secret2 }}
    {{ end }}
  EOH

  destination = "secrets/env"
  env         = true
}

This pattern becomes a bit tedious when there are over 100 secrets at this path.

Is there a way to iterate over the returned secrets and get the key and value like so -

{{ with secret "aws/data/s3" }}
   {{ range $k,$v := .Data.data }}
     {{ $k }} = {{ $v }}
   {{end}}
{{ end }}

This template with range throws an error: Template failed: (dynamic): parse: template: :13: unexpected "," in range

To me it looks to be valid syntax but Nomad doesn’t like it.

I have also tried this pattern (from "Using Hashicorp Nomad’s Vault integration" by Amanda Edades on Medium):

template {
  data = <<EOH
{{ range secrets "aws/metadata/" }}
{{ (printf "%s" .) | toUpper }}={{ with secret (printf "aws/data/%s" .) }}{{ .Data.data.value }}{{ end }}
{{ end }}
EOH

  destination = "secrets/file.env"
  env = true
}

But I get this error: Template Missing: vault.list(aws/metadata)

Appreciate any help on this.

Thanks,
Vikas


Hi @vikas.saroha,

What secrets engine is this path using? Some engines do not support listing.

According to the consul-template docs, the syntax should look as follows:

{{ range secrets "aws/metadata/" }}
{{ with secret (printf "secret/%s" .) }}{{ range $k, $v := .Data }}
{{ $k }}: {{ $v }}
{{ end }}{{ end }}{{ end }}

Thanks,
jrasell and the Nomad team

Thanks for your reply @jrasell .

This is for the V2 KV secrets engine.

Unfortunately I am still seeing the same error

Template    Missing: vault.list(aws/metadata)

The list command on this path is working from the Vault CLI, so listing on this engine/path is supported.

$ vault kv list aws
Keys
----
s3

I am using the same policy for the CLI as for the job, so it doesn’t look like it’s an issue with permissions either.

Vault v1.10.1
Nomad v1.3.1

Hi @vikas.saroha,

.Data should be replaced with .Data.data for KV-V2 secrets engines.

The Vault CLI list only shows s3 and not metadata which you are calling from the template. Is the CLI output you’ve shown cut short? What does vault kv list aws/metadata/ show?

Thanks,
jrasell and the Nomad team

Thanks for replying.

Finally got it working with this template -

{{ with secret "aws/data/s3/" }}{{ range $k, $v := .Data.data }}
{{ $k }} = {{ $v }}
{{ end }}{{ end }}

This is what I tried initially too. The problem I think was an invisible character in the template.

The cli output wasn’t cut short. Here’s the output for metadata

❯ vault kv list aws/metadata/
No value found at aws/metadata/metadata

It seems the CLI adds the metadata.

Thanks for your help.

Cheers.
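The three points this thread settles on (the range syntax is valid, KV v2 data lives under .Data.data rather than .Data, and a stray invisible character breaks parsing) can be checked offline with Go's text/template, which consul-template (and therefore Nomad's template stanza) is built on. The following is an added example, not code from the thread or from Nomad/consul-template: the secret function and the secret contents are constructed stand-ins for a KV v2 read of aws/data/s3, and the example does not reproduce consul-template's exact error text, only the fact that a U+00A0 no-break space inside an action fails to parse.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// kvV2Secret is a stand-in (constructed for this example) for the object
// consul-template's `secret` returns: for the KV v2 engine the key/value
// pairs live under .Data.data and version info under .Data.metadata.
type kvV2Secret struct {
	Data map[string]interface{}
}

// fakeSecret returns a constructed KV v2 read of aws/data/s3.
func fakeSecret() *kvV2Secret {
	return &kvV2Secret{Data: map[string]interface{}{
		"data": map[string]interface{}{
			"secret1": "alpha",
			"secret2": "bravo",
		},
		"metadata": map[string]interface{}{"version": 2},
	}}
}

// RenderEnv parses tmpl with text/template, the engine consul-template is
// built on, and renders it. The "secret" function here is a hypothetical
// stand-in that ignores the path and returns the constructed secret above.
func RenderEnv(tmpl string) (string, error) {
	funcs := template.FuncMap{
		"secret": func(path string) (*kvV2Secret, error) { return fakeSecret(), nil },
	}
	t, err := template.New("env").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// GoodTemplate iterates over .Data.data, as in the working template from the
// thread, with "-}}" trim markers so the rendered env file has no blank lines.
// text/template visits map keys in sorted order, so the output is stable.
const GoodTemplate = `{{ with secret "aws/data/s3" -}}
{{ range $k, $v := .Data.data -}}
{{ $k }}={{ $v }}
{{ end -}}
{{ end -}}
`

// WrongLevelTemplate ranges over .Data instead of .Data.data; for KV v2 that
// yields the "data" and "metadata" wrappers printed as Go maps, not secrets.
const WrongLevelTemplate = `{{ with secret "aws/data/s3" -}}
{{ range $k, $v := .Data -}}
{{ $k }}={{ $v }}
{{ end -}}
{{ end -}}
`

// BadTemplate is GoodTemplate with a U+00A0 no-break space after the comma
// in the range line, the kind of invisible character that survives a
// copy-paste from a web page. Inside an action text/template only accepts
// ASCII space, tab, CR and LF as whitespace, so Parse returns an error.
const BadTemplate = "{{ with secret \"aws/data/s3\" -}}\n" +
	"{{ range $k,\u00a0$v := .Data.data -}}\n" +
	"{{ $k }}={{ $v }}\n{{ end -}}\n{{ end -}}\n"

func main() {
	for _, c := range []struct{ name, tmpl string }{
		{"good", GoodTemplate}, {"wrong-level", WrongLevelTemplate}, {"bad", BadTemplate},
	} {
		out, err := RenderEnv(c.tmpl)
		if err != nil {
			fmt.Printf("%s: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s:\n%s", c.name, out)
	}
}
```

The wrong-level case is worth keeping in mind when a template renders without error but the task's environment looks wrong: with env = true, Nomad would load lines such as data=map[...] instead of the individual secrets. The nesting can be confirmed from the CLI with vault kv get -format=json aws/s3, which shows the data and metadata wrappers the template has to descend through.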