Nomad Vault Integration

vikas.saroha · May 27, 2022, 3:47am

Hi,

I am trying to inject secrets from Vault into my Nomad task via template.

While I have had success with this template -

template {
  data = <<EOH
    {{ with secret "aws/data/s3" }}
      SECRET1 = {{ .Data.data.secret1 }}
      SECRET2 = {{ .Data.data.secret2 }}
    {{ end }}
  EOH

  destination = "secrets/env"
  env         = true
}

This pattern becomes a bit tedious when there are over 100 secrets at this path.

Is there a way to iterate over the returned secrets and get the key and value like so -

{{ with secret "aws/data/s3" }}
   {{ range $k,$v := .Data.data }}
     {{ $k }} = {{ $v }}
   {{end}}
{{ end }}

This template with range throws an error Template failed: (dynamic): parse: template: :13: unexpected "," in range

To me it looks to be valid syntax but Nomad doesn’t like it.

I have also tried this pattern (Using Hashicorp Nomad’s Vault integration | by Amanda Edades | Medium)

template {
  data = <<EOH
{{ range secrets "aws/metadata/" }}
{{ (printf "%s" .) | toUpper }}={{ with secret (printf "aws/data/%s" .) }}{{ .Data.data.value }}{{ end }}
{{ end }}
EOH

  destination = "secrets/file.env"
  env = true
}

But I get this error Template Missing: vault.list(aws/metadata)

Appreciate any help on this.

Thanks,
Vikas

jrasell · May 27, 2022, 9:18am

Hi @vikas.saroha,

What secrets engine is this path using? Some engines do not support listing.

According to the consul-template docs the syntax should look as follows:

{{ range secrets "aws/metadata/" }}
{{ with secret (printf "secret/%s" .) }}{{ range $k, $v := .Data }}
{{ $k }}: {{ $v }}
{{ end }}{{ end }}{{ end }}

Thanks,
jrasell and the Nomad team

vikas.saroha · May 27, 2022, 12:45pm

Thanks for your reply @jrasell .

This is for the V2 KV secrets engine

Unfortunately I am still seeing the same error

Template    Missing: vault.list(aws/metadata)

The list command on this path is working from vault cli, so listing on this engine/path is supported.

$ vault kv list aws                                                    ✔  
Keys
----
s3

I am using the same policy for the cli as the job, so doesn’t look like its an issue with permissions either.

Vault v1.10.1
Nomad v1.3.1

jrasell · May 27, 2022, 1:03pm

Hi @vikas.saroha,

.Data should be replaced with .Data.data for KV-V2 secrets engines.

The Vault CLI list only shows s3 and not metadata which you are calling from the template. Is the CLI output you’ve shown cut short? What does vault kv list aws/metadata/ show?

Thanks,
jrasell and the Nomad team

vikas.saroha · May 27, 2022, 1:41pm

Thanks for replying.

Finally got it working with this template -

{{ with secret "aws/data/s3/" }}{{ range $k, $v := .Data.data }}
{{ $k }} = {{ $v }}
{{ end }}{{ end }}

This is what I tried initially too. The problem I think was an invisible character in the template.

The cli output wasn’t cut short. Here’s the output for metadata

❯ vault kv list aws/metadata/
No value found at aws/metadata/metadata

it seems cli adds the metadata.

Thanks for your help.

Cheers.

Topic		Replies	Views
Issue on passing vault secrets to nomad Nomad vault	0	248	March 20, 2023
Using vault aws secrets engine with nomad templates Nomad	0	451	May 2, 2022
Vault Agent Templating and rendering all secrets under path X Vault vault	0	540	February 18, 2021
Nomad unable to retrieve secret from vault Nomad vault , consul-vault , nomad-pack	1	693	September 20, 2022
Optional secrets in template stanza Nomad	5	1907	March 23, 2022

Nomad Vault Integration

Related topics