Workload Identity
When an allocation is accepted by the plan applier, the leader generates a Workload Identity for each task in the allocation. This workload identity is a JSON Web Token (JWT) that has been signed by the leader's keyring. The workload identity includes the following identity claims:
Workload Associated ACL Policies
You can associate additional ACL policies with workload identities by passing the -job, -group, and -task flags to nomad acl policy apply. When Nomad resolves a workload identity claim, it automatically includes the policies whose job, group, and task association match that identity. If no matching policies exist, the workload identity does not have any additional capabilities.
For example, to allow a workload access to secrets from the namespace "shared", you can create the following policy file:
You can then apply this policy to a specific task:
You can also apply this policy to all tasks in the group by omitting the -task flag:
And you can apply this policy to all groups in the job by omitting both the -group and -task flags:
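The policy file and the three apply commands described above, written out as an added example; this is not code from the original page or from Nomad's own documentation. The namespace "default", job "example", group "web", task "app" and policy name "shared-secrets-read" are constructed placeholders. The ACL rules grant read-only access to every Variable path in namespace "shared"; note that the -namespace flag on nomad acl policy apply names the namespace of the job being associated, not the namespace the Variables live in.

```shell
#!/bin/sh
# Added example (not from the Nomad docs): write an ACL policy that grants
# read access to Variables in namespace "shared", then attach it to a task,
# a group, or a whole job with `nomad acl policy apply`.
# Constructed names, adjust to your job:
NS=default
JOB=example
GROUP=web
TASK=app
POLICY_NAME=shared-secrets-read
POLICY_FILE=./shared-secrets-read.hcl

# write_policy FILE
# Read-only access to every Variable path under namespace "shared".
# Keep the capability list at "read": adding "write" or "destroy" would
# let a workload that only consumes a secret also modify or delete it.
write_policy() {
  cat > "$1" <<'EOF'
namespace "shared" {
  variables {
    path "*" {
      capabilities = ["read"]
    }
  }
}
EOF
}

# scope_flags SCOPE -> the workload-association flags for SCOPE
#   task  : -namespace -job -group -task  (one task only)
#   group : -namespace -job -group        (every task in the group)
#   job   : -namespace -job               (every group in the job)
scope_flags() {
  case "$1" in
    task)  printf '%s\n' "-namespace $NS -job $JOB -group $GROUP -task $TASK" ;;
    group) printf '%s\n' "-namespace $NS -job $JOB -group $GROUP" ;;
    job)   printf '%s\n' "-namespace $NS -job $JOB" ;;
    *)     echo "scope must be task, group or job" >&2; return 1 ;;
  esac
}

# apply_policy SCOPE
# Runs the apply when the nomad CLI is on PATH; otherwise prints the
# command, so the script still demonstrates the call without a cluster.
# `apply` upserts by policy name, so re-running with a wider scope
# replaces the earlier, narrower association rather than adding to it.
apply_policy() {
  flags=$(scope_flags "$1") || return 1
  if command -v nomad >/dev/null 2>&1; then
    # shellcheck disable=SC2086  # flags are intentionally word-split
    nomad acl policy apply $flags "$POLICY_NAME" "$POLICY_FILE"
    nomad acl policy info "$POLICY_NAME"   # confirm the association landed
  else
    echo "nomad acl policy apply $flags $POLICY_NAME $POLICY_FILE"
  fi
}

main() {
  write_policy "$POLICY_FILE"
  apply_policy "${1:-task}"
}

# Only run main when executed as this script, so the functions can be sourced.
case "${0##*/}" in
  shared-secrets-read.sh) main "$@" ;;
esac
```

Run it as ./shared-secrets-read.sh task, group or job. To check what an identity actually resolves to after the apply, exec into the task and call the Variables API with the token from NOMAD_TOKEN (the template runner does the same); a task in a group or job that was not named in the flags must still be denied.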
Using Workload Identity
In Nomad 1.4.0 the workload identity is used only for template access to Variables and is not exposed outside of Nomad.