I’m trying the new OIDC integration with Nomad and I’m finding myself in quite the dead end here. I have set up the OIDC provider without issue, made an “admin” policy that basically allows everything, and made a binding rule for the OIDC provider to that ACL policy.
Here is the policy:
namespace "default" {
  policy       = "write"
  capabilities = ["alloc-exec"]
  variables {
    path "*" {
      capabilities = ["read", "write"]
    }
  }
}
host_volume "*" {
  policy = "write"
}
agent {
  policy = "write"
}
node {
  policy = "write"
}
quota {
  policy = "write"
}
operator {
  policy = "write"
}
plugin {
  policy = "read"
}
However, I am unable to alloc-exec inside of tasks with this generated token. I can do it just fine with the admin one, but the OIDC one doesn’t let me do anything.
The jobs were initially deployed with the admin token, if that can be an issue (I don’t think so).
Any help would be appreciated.
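Added example (not from the original post, HashiCorp, or Nomad's own code): a small offline diagnostic that separates the two ways the situation above can fail. It parses the policy text as posted, expands Nomad's coarse namespace `policy = "write"` into capabilities (only the subset relevant here is modelled, and it is assumed from Nomad's documented ACL semantics that "write" implies `alloc-exec`), and then inspects a token description in the JSON shape that `nomad acl token self -json` is assumed to return (field names `Type`, `Policies`, `Roles` are an assumption; the token samples are constructed). Namespace matching is simplified to an exact name or `"*"`, HCL comments are not handled, and role-to-policy expansion is not performed.

```python
import json
import re

# Nomad expands the coarse namespace policy keyword into a capability set.
# Assumed subset for illustration: "write" includes alloc-exec.
NAMESPACE_POLICY_CAPS = {
    "deny": set(),
    "read": {"list-jobs", "parse-job", "read-job"},
    "write": {"list-jobs", "parse-job", "read-job", "submit-job", "dispatch-job",
              "read-logs", "read-fs", "alloc-exec", "alloc-lifecycle"},
}

# Minimal tokenizer for the HCL subset used by Nomad ACL policies:
# quoted strings, structural characters, and bare identifiers.
TOKEN_RE = re.compile(r'"[^"]*"|[\[\]{}=,]|[A-Za-z_][A-Za-z0-9_-]*')


def parse_block(tokens, i):
    """Parse a block body starting after '{'; return (body, index after '}')."""
    body = {"attrs": {}, "blocks": []}
    while tokens[i] != "}":
        name = tokens[i]
        i += 1
        if tokens[i] == "=":                      # attribute: key = "str" | [ "a", "b" ]
            i += 1
            if tokens[i] == "[":
                i += 1
                vals = []
                while tokens[i] != "]":
                    if tokens[i] != ",":
                        vals.append(tokens[i].strip('"'))
                    i += 1
                i += 1
                body["attrs"][name] = vals
            else:
                body["attrs"][name] = tokens[i].strip('"')
                i += 1
        else:                                     # nested block: name "label"... { ... }
            labels = []
            while tokens[i] != "{":
                labels.append(tokens[i].strip('"'))
                i += 1
            inner, i = parse_block(tokens, i + 1)
            body["blocks"].append((name, labels, inner))
    return body, i + 1


def parse_policy(src):
    """Parse a whole policy document; a sentinel '}' closes the top level."""
    return parse_block(TOKEN_RE.findall(src) + ["}"], 0)[0]


def namespace_caps(policy_src, namespace):
    """Capabilities the policy grants in `namespace` (exact name or "*" only)."""
    caps = set()
    for name, labels, inner in parse_policy(policy_src)["blocks"]:
        if name != "namespace" or labels[0] not in (namespace, "*"):
            continue
        caps |= NAMESPACE_POLICY_CAPS.get(inner["attrs"].get("policy", "deny"), set())
        caps |= set(inner["attrs"].get("capabilities", []))
    return caps


def diagnose(token_self_json, policies, namespace="default", cap="alloc-exec"):
    """Explain whether a token (assumed `nomad acl token self -json` shape) can use `cap`.

    `policies` maps policy name -> HCL source as stored in Nomad."""
    tok = json.loads(token_self_json)
    if tok.get("Type") == "management":
        return {"granted": True, "reason": "management token: policies are not evaluated"}
    attached = list(tok.get("Policies") or [])
    roles = [r.get("Name") for r in tok.get("Roles") or []]
    if not attached and not roles:
        return {"granted": False,
                "reason": "token carries no policies or roles; the binding rule attached nothing"}
    missing = [p for p in attached if p not in policies]
    if missing:
        return {"granted": False, "reason": f"token references unknown policies: {missing}"}
    for p in attached:
        if cap in namespace_caps(policies[p], namespace):
            return {"granted": True, "reason": f'policy "{p}" grants {cap} in "{namespace}"'}
    note = f"; roles {roles} were not expanded here" if roles else ""
    return {"granted": False, "reason": f"no attached policy grants {cap} in {namespace}{note}"}


# The policy exactly as posted above.
ADMIN_POLICY = """
namespace "default" {
  policy       = "write"
  capabilities = ["alloc-exec"]
  variables {
    path "*" {
      capabilities = ["read", "write"]
    }
  }
}
host_volume "*" { policy = "write" }
agent { policy = "write" }
node { policy = "write" }
quota { policy = "write" }
operator { policy = "write" }
plugin { policy = "read" }
"""

# Constructed token descriptions (not real Nomad output).
OIDC_TOKEN_UNBOUND = json.dumps({"AccessorID": "<accessor-placeholder>", "Name": "OIDC-alice",
                                 "Type": "client", "Policies": [], "Roles": []})
OIDC_TOKEN_BOUND = json.dumps({"AccessorID": "<accessor-placeholder>", "Name": "OIDC-alice",
                               "Type": "client", "Policies": ["admin"], "Roles": []})

if __name__ == "__main__":
    for label, tok in (("unbound", OIDC_TOKEN_UNBOUND), ("bound", OIDC_TOKEN_BOUND)):
        print(label, diagnose(tok, {"admin": ADMIN_POLICY}))
```

Running the diagnostic against the posted policy confirms that the policy itself already grants `alloc-exec` in `default` (the explicit `capabilities` entry is redundant with `policy = "write"`), so a token built from it can only fail the exec check if the policy was never attached. The first thing to capture on a real cluster is therefore the token's own description under the OIDC login (`nomad acl token self` with that token exported), and to compare its policy and role list with what the binding rule was meant to bind.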