Permission denied for token generated with OIDC provider

I’m trying the new OIDC integration with Nomad and I’m finding myself in quite the dead end here. I have set up the OIDC provider without issue, made an “admin” policy that basically allows everything, and made a binding rule for the OIDC provider to that ACL policy.

Here is the policy:

namespace "default" {
  policy = "write"
  capabilities = ["alloc-exec"]
  variables {
    path "*" {
      capabilities = ["read", "write"]
    }
  }
}

host_volume "*" {
  policy = "write"
}

agent {
  policy = "write"
}

node {
  policy = "write"
}

quota {
  policy = "write"
}

operator {
  policy = "write"
}

plugin {
  policy = "read"
}

however, I am unable to alloc-exec inside of tasks with this generated token. I can do it just fine with the admin one, but the OIDC one doesn’t let me do anything.

The jobs were initially deployed with the admin token if that can be an issue (I don’t think so).

Any help would be appreciated.

Nevermind, I found the issue.

For anyone that might face the same issue, make sure that when you update your token, you also update the binding-rule, as it doesn’t appear to do so automatically.

Nomad will essentially recreate a binding-rule every time the token is updated, and from my (limited) testing, the least privileged token takes priority, so essentially if you added permissions to a policy, these new permissions will not take effect if you get your token via the oidc binding-rule.

Solution: make sure you delete all the old binding rules and only keep the most recent one, that binds to the most recent token.
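The cleanup described in this answer (keep only the newest binding rule per auth method and bound policy, delete the rest) can be scripted rather than done by hand. The following is an added example written for this page, not code from the original post or from Nomad. It assumes the JSON shape produced by `nomad acl binding-rule list -json` (the `ID`, `AuthMethod`, `BindType`, `BindName`, `Selector` and `ModifyIndex` field names are an assumption about the Nomad API object), and the rule list it works on is a constructed sample embedded inline. It only prints the `nomad acl binding-rule delete` commands it would run, so an operator can review the plan before touching the cluster.

```python
"""Find stale Nomad ACL binding rules: for each (auth method, bind type, bind name,
selector) group, keep the rule with the highest ModifyIndex and flag the rest.

Added example for the forum answer above; not Nomad project code.
"""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `nomad acl binding-rule list -json` output
# (field names are an assumption about the Nomad ACLBindingRule object).
# The "oidc-admin" method has two rules bound to the same "admin" policy:
# the older one is exactly the leftover the answer above says to delete.
SAMPLE_RULES_JSON = """[
  {"ID": "1111-old", "AuthMethod": "oidc-admin", "BindType": "policy",
   "BindName": "admin", "Selector": "", "CreateIndex": 10, "ModifyIndex": 10},
  {"ID": "2222-new", "AuthMethod": "oidc-admin", "BindType": "policy",
   "BindName": "admin", "Selector": "", "CreateIndex": 42, "ModifyIndex": 42},
  {"ID": "3333-ro", "AuthMethod": "oidc-readonly", "BindType": "policy",
   "BindName": "read-only", "Selector": "", "CreateIndex": 20, "ModifyIndex": 20}
]"""


def load_rules(raw_json):
    """Parse the JSON list of binding rules into Python dicts."""
    rules = json.loads(raw_json)
    if not isinstance(rules, list):
        raise ValueError("expected a JSON list of binding rules")
    return rules


def stale_binding_rules(rules):
    """Return the rules that are superseded by a newer rule with the same
    auth method, bind type, bind name and selector (ordered oldest first)."""
    groups = defaultdict(list)
    for rule in rules:
        key = (rule["AuthMethod"], rule["BindType"], rule["BindName"],
               rule.get("Selector", ""))
        groups[key].append(rule)

    stale = []
    for members in groups.values():
        # Highest ModifyIndex is the most recently written rule; keep only it.
        members.sort(key=lambda r: r["ModifyIndex"], reverse=True)
        stale.extend(members[1:])
    return sorted(stale, key=lambda r: r["ModifyIndex"])


def kept_binding_rules(rules):
    """Return the single newest rule per group (the ones an operator keeps)."""
    stale_ids = {r["ID"] for r in stale_binding_rules(rules)}
    return [r for r in rules if r["ID"] not in stale_ids]


def delete_commands(rules):
    """Build the `nomad acl binding-rule delete <id>` commands for stale rules."""
    return [f"nomad acl binding-rule delete {r['ID']}"
            for r in stale_binding_rules(rules)]


if __name__ == "__main__":
    # Read real output from stdin if piped in, otherwise use the sample:
    #   nomad acl binding-rule list -json | python3 audit_binding_rules.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES_JSON
    current = load_rules(raw)
    for rule in kept_binding_rules(current):
        print(f"keep   {rule['ID']}  {rule['AuthMethod']} -> "
              f"{rule['BindType']}:{rule['BindName']}")
    for cmd in delete_commands(current):
        print(f"stale  {cmd}")
```

Review the printed plan and run the delete commands by hand; after that, `nomad acl binding-rule list` should show one rule per auth method and policy, and a fresh `nomad login -method=<auth-method>` picks up the current policy contents.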