»Workload Identity

When an allocation is accepted by the plan applier, the leader generates a Workload Identity for each task in the allocation. This workload identity is a JSON Web Token (JWT) that has been signed by the leader's keyring. The workload identity includes the following identity claims:

{
  "nomad_namespace": "default",
  "nomad_job_id": "example",
  "nomad_allocation_id": "5c6328f7-48c5-4d03-bada-91ef2e904d0d",
  "nomad_task": "web"
}

»Workload Associated ACL Policies

You can associate additional ACL policies with workload identities by passing the -job, -group, and -task flags to nomad acl policy apply. When Nomad resolves a workload identity, it automatically includes every policy whose -job, -group, and -task scope matches that workload. If no matching policies exist, the workload identity does not have any additional capabilities.

For example, to allow a workload access to secrets from the namespace "shared", you can create the following policy file:

namespace "shared" {
  variables {
    path "*" {
      capabilities = ["read"]
    }
  }
}

You can then apply this policy to a specific task:

nomad acl policy apply \
   -namespace default -job example -group cache -task redis \
   redis-policy ./policy.hcl

You can also apply this policy to all tasks in the group by omitting the -task flag:

nomad acl policy apply \
   -namespace default -job example -group cache \
   redis-policy ./policy.hcl

And you can apply this policy to all groups in the job by omitting both the -group and -task flags:

nomad acl policy apply \
   -namespace default -job example \
   redis-policy ./policy.hcl
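The claim set shown under Workload Identity and the three nomad acl policy apply commands above together define how a policy is matched to a workload: a policy applied with only -job covers every task in the job, one applied with -job and -group covers every task in that group, and one applied with all three flags covers a single task. The following Python is an added illustration of that resolution, not Nomad's own code. Because the claims on the page carry no group name, the example resolves the task group from nomad_allocation_id through a constructed allocation table; that lookup, the PolicyBinding and resolve_policies names, and all sample bindings and allocation IDs are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicyBinding:
    """One `nomad acl policy apply` invocation, recorded by its scope flags.

    Assumed shape for illustration; Nomad's internal representation differs.
    """
    policy: str
    namespace: str
    job: str
    group: Optional[str] = None  # None: -group omitted, applies to all groups
    task: Optional[str] = None   # None: -task omitted, applies to all tasks


# Constructed allocation table. The identity claims shown on the page carry no
# group name, so the resolver has to look the task group up by allocation ID.
# This is an assumption about the lookup, not Nomad's schema.
ALLOCATIONS: Dict[str, Dict[str, str]] = {
    "5c6328f7-48c5-4d03-bada-91ef2e904d0d": {"group": "cache"},
    "1a2b3c4d-0000-4000-8000-000000000001": {"group": "web"},
}

# Constructed bindings mirroring the three commands on the page, plus one for a
# different job to show that it never matches the "example" job's workloads.
BINDINGS: List[PolicyBinding] = [
    PolicyBinding("redis-policy", "default", "example", "cache", "redis"),
    PolicyBinding("cache-group-policy", "default", "example", "cache"),
    PolicyBinding("example-job-policy", "default", "example"),
    PolicyBinding("other-job-policy", "default", "other"),
]

REQUIRED_CLAIMS = (
    "nomad_namespace", "nomad_job_id", "nomad_allocation_id", "nomad_task",
)


def binding_matches(b: PolicyBinding, claims: Dict[str, str], group: str) -> bool:
    """A binding matches when every scope it was applied with agrees with the identity."""
    if b.namespace != claims["nomad_namespace"]:
        return False
    if b.job != claims["nomad_job_id"]:
        return False
    if b.group is not None and b.group != group:
        return False
    if b.task is not None and b.task != claims["nomad_task"]:
        return False
    return True


def resolve_policies(
    claims: Dict[str, str],
    bindings: List[PolicyBinding] = BINDINGS,
    allocations: Dict[str, Dict[str, str]] = ALLOCATIONS,
) -> List[str]:
    """Return the names of the workload-associated policies for a verified claim set.

    The caller is expected to have verified the JWT signature against the
    keyring before passing the claims in. Resolution fails closed: a claim set
    missing any identity claim, or naming an unknown allocation, gets no policies.
    """
    if any(key not in claims for key in REQUIRED_CLAIMS):
        return []
    alloc = allocations.get(claims["nomad_allocation_id"])
    if alloc is None:
        return []
    group = alloc["group"]
    return [b.policy for b in bindings if binding_matches(b, claims, group)]


if __name__ == "__main__":
    redis_claims = {
        "nomad_namespace": "default",
        "nomad_job_id": "example",
        "nomad_allocation_id": "5c6328f7-48c5-4d03-bada-91ef2e904d0d",
        "nomad_task": "redis",
    }
    print(resolve_policies(redis_claims))
```

Run as a script, the redis task in the cache group picks up all three bindings for the example job, while a task in another group of the same job receives only the job-wide binding. The fail-closed branches are the part worth keeping in any real resolver: an identity that cannot be tied to a known allocation should end up with no additional capabilities rather than with a partial match.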

»Using Workload Identity

In Nomad 1.4.0 the workload identity is used only for template access to Variables and not exposed outside of Nomad.
