Secure Introduction when running Nomad in a systemd service

I’m not sure what the best practice for getting a token to nomad is when it’s running in a systemd service (without any platform integration, self hosted infra), I can’t directly start it with an environment variables

One of the examples puts the token into consul, but that’s probably not something you should do in production

Another option would be putting it into a file that gets picked up by systemd to inject the env variable

While you could do those with a short lived initial token, it doesn’t seem ideal

Also you have to get a new token every time the service restarts

Any help would be appreciated

Maybe this could help:

1 Like

I assume secure token wrt Vault?

I assume you would have seen this as well:

Yes the vault token for nomand, sorry if that wasn’t clear

I have seen that one, doesn’t help, I want an automated (best practice) way of getting the initial token to nomad

In that example they put it in the config which is not encouraged

Right, so you create a file for environment variabled, do you have any idea what vault-si is?

That’s seemingly what’s supposed to create the token, but the install script is never called and there’s no URL in it

It could be deprecated and merged into the “normal” vault binary. Maybe a developer can explain it.

would need a developer for that :upside_down_face: