HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Nomad
Nomad Home

Workload Identity

Every workload running in Nomad is given an identity. When an allocation is accepted by the plan applier, the leader generates a Workload Identity for each task in the allocation. This workload identity is a JSON Web Token (JWT) that has been signed by the leader's keyring. The workload identity includes the following identity claims:

{
  "nomad_namespace": "default",
  "nomad_job_id": "example",
  "nomad_allocation_id": "5c6328f7-48c5-4d03-bada-91ef2e904d0d",
  "nomad_task": "web"
}

Using Workload Identity

While Nomad always creates and uses workload identities internally, the JWT is not exposed to tasks by default.

To expose Workload Identity to tasks, add an identity block to your jobspec:

task "example" {

  identity {
    # Expose Workload Identity in NOMAD_TOKEN env var
    env = true

    # Expose Workload Identity in ${NOMAD_SECRETS_DIR}/nomad_token file
    file = true
  }

}

Default Workload ACL Policy

By default, a Workload Identity has access to a implicit ACL policy. This policy grants access to Nomad Variables associated with the job, group, and task, as described in Task Access to Variables. The implicit policy also allows access to list or read any Nomad service registration as with the List Services API or Read Service API.

Workload Associated ACL Policies

You can associate additional ACL policies with workload identities by passing the -job, -group, and -task flags to nomad acl policy apply. When Nomad resolves a workload identity claim, it will automatically include policies that match. If no matching policies exist, the workload identity does not have any additional capabilities.

For example, to allow a workload access to secrets from the namespace "shared", you can create the following policy file:

namespace "shared" {
  variables {
    path "*" {
      capabilities = ["read"]
    }
  }
}

You can then apply this policy to a specific task:

nomad acl policy apply \
   -namespace default -job example -group cache -task redis \
   redis-policy ./policy.hcl

You can also apply this policy to all tasks in the group by omitting the -task flag:

nomad acl policy apply \
   -namespace default -job example -group cache \
   redis-policy ./policy.hcl

And you can apply this policy to all groups in the job by omitting both the -group and -task flag:

nomad acl policy apply \
   -namespace default -job example \
   redis-policy ./policy.hcl
Edit this page on GitHub