iker lasaga

Reputation: 394

Vault kv secrets and nomad jobs

I am creating a Nomad job that accesses Vault KV secrets. At the moment I have managed to create the policies and a role, but I can't make it consume the secret.

This would be my nomad job:

job "http-echo" {
  datacenters = ["ikerdc2"]

  group "echo" {
    count = 1
    task "server" {
      driver = "docker"
      vault {
        policies = ["access-tables"]
      }
      template {
        data = <<EOT
{{ with secret "kv/me" }}
NAME="{{ .Data.data.name }}"
{{ end }}
EOT
        destination = "echo.env"
        env         = true
      }
      
      config {
        image = "hashicorp/http-echo:latest"
        args  = [
          "-listen", ":8080",
          "-text", "Hello World!",
        ]
      }

      resources {
        network {
          mbits = 10
          port "http" {
            static = 8080
          }
        }
      }

      service {
        name = "http-echo"
        port = "http"

        tags = [
          "urlprefix-/http-echo",
        ]
      }
    }
  }
}

I have created a Vault server with the command vault server -dev. I have a KV secret named "me", and inside it is just like this:

{
  "name": "Hello Iker"
}

And the policies are like this:

# Allow creating tokens under "nomad-cluster" role. The role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}

# Allow looking up "nomad-cluster" role. The role name should be updated if
# "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}

# Allow looking up the token passed to Nomad to validate the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
  capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# Allow our own token to be renewed.
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# Allow reading and writing everything under the "kv" mount.
path "kv/*" {
  capabilities = ["create", "update", "read"]
}

And the role is like this:

{
  "allowed_policies": "access-tables",
  "token_explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": true,
  "token_period": 259200,
  "renewable": true
}

These are the errors I get when I run the job:

Missing: vault.read(kv/me)
Template failed: vault.read(kv/me): vault.read(kv/me): Error making API request.

URL: GET http://127.0.0.1:8200/v1/kv/me
Code: 403. Errors:

* 1 error occurred:
  * permission denied

If someone could help me with that, it would be great. Thanks.

Upvotes: 0

Views: 1832

Answers (1)

paladin-devops

Reputation: 131

In your post, I don't see the contents of the access-tables policy itself. That ACL policy must have the following rule:

path "kv/data/me" {
  capabilities = ["read"]
}

The permissions that the nomad-cluster policy from the documentation requires are for Nomad to create tokens in Vault for the policies that you list in the vault stanzas of your Nomad jobs. Adding the ability for that policy to read KV will not help. Instead, the policy in the vault stanza in your job, access-tables, needs that permission.

Upvotes: 0
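To see why the "kv/*" rule in the nomad-cluster policy never reaches the task, here is an added Python model of the two steps involved: Nomad using its own token to create a task token through the nomad-cluster role, and Vault evaluating that task token against the secret path. This is an illustration written for this page, not code from the question, the answer, Vault or Nomad. It takes the policy names, the role name, the "kv" mount and the "me" secret from the post; it assumes the access-tables policy was empty before the fix (consistent with the 403), assumes the kv mount is KV version 2 (which the ".Data.data.name" accessor in the job template implies, so the path Vault authorizes is kv/data/me), and simplifies Vault's path precedence to: exact path, then a "+" segment wildcard, then the longest "*" glob, with an explicit deny winning and capabilities unioned across all of a token's policies.

```python
"""Model of Vault token-role creation plus ACL evaluation for the Nomad job.
Added illustration, not Vault/Nomad code; policy rules are a simplification."""
from __future__ import annotations

from dataclasses import dataclass

# Policy on the token Nomad itself holds (copied from the question).
NOMAD_CLUSTER = {
    "auth/token/create/nomad-cluster": {"update"},
    "auth/token/roles/nomad-cluster": {"read"},
    "auth/token/lookup-self": {"read"},
    "auth/token/lookup": {"update"},
    "auth/token/revoke-accessor": {"update"},
    "sys/capabilities-self": {"update"},
    "auth/token/renew-self": {"update"},
    "kv/*": {"create", "update", "read"},
}
ACCESS_TABLES_BROKEN: dict[str, set[str]] = {}      # assumed: nothing granted yet
ACCESS_TABLES_FIXED = {"kv/data/me": {"read"}}      # the rule from the answer
POLICIES = {"nomad-cluster": NOMAD_CLUSTER, "access-tables": ACCESS_TABLES_BROKEN}

# Token role from the question; only the field that matters here.
ROLE_NOMAD_CLUSTER = {"allowed_policies": ["access-tables"]}


@dataclass
class Token:
    policies: list[str]


def _rule_matches(rule: str, path: str) -> tuple[int, int] | None:
    """Precedence key if `rule` covers `path`, else None (higher = more specific).
    Simplified: '*' only at the end (prefix glob), '+' matches one segment."""
    rsegs, psegs = rule.split("/"), path.split("/")
    glob = rsegs[-1].endswith("*")
    if glob:
        rsegs = rsegs[:-1] + [rsegs[-1][:-1]]
    if (not glob and len(rsegs) != len(psegs)) or (glob and len(psegs) < len(rsegs)):
        return None
    for r, p in zip(rsegs[:-1], psegs):          # leading segments: literal or '+'
        if r != "+" and r != p:
            return None
    tail, last = "/".join(psegs[len(rsegs) - 1:]), rsegs[-1]
    if glob and not tail.startswith(last):
        return None
    if not glob and last != "+" and last != tail:
        return None
    literal = sum(len(s) for s in rsegs if s != "+")
    return (1 if glob else 2 if "+" in rsegs else 3, literal)


def capabilities(token_policies, path, policies=None) -> set[str]:
    """Model of `vault token capabilities`: per policy the most specific matching
    rule applies; results are unioned across policies; deny (or no rule) denies."""
    policies = POLICIES if policies is None else policies
    caps: set[str] = set()
    for name in token_policies:
        best = None
        for rule, rule_caps in policies.get(name, {}).items():
            key = _rule_matches(rule, path)
            if key is not None and (best is None or key > best[0]):
                best = (key, rule_caps)
        if best is not None:
            caps |= best[1]
    return {"deny"} if not caps or "deny" in caps else caps


def create_task_token(creator, role_name, role, requested, policies=None) -> Token:
    """Nomad calling auth/token/create/<role> for a task: the creator needs
    'update' there, the requested policies must be within allowed_policies, and
    the child carries ONLY the requested policies, never the creator's own."""
    if "update" not in capabilities(creator.policies, f"auth/token/create/{role_name}", policies):
        raise PermissionError("creator may not use this token role")
    extra = set(requested) - set(role["allowed_policies"])
    if extra:
        raise PermissionError(f"role does not allow policies {sorted(extra)}")
    return Token(list(requested))


def kv_v2_data_path(mount: str, name: str) -> str:
    """A KV version 2 read of <mount>/<name> is authorized at <mount>/data/<name>."""
    return f"{mount}/data/{name}"


def task_can_read_secret(access_tables_rules) -> bool:
    """End-to-end: issue the task token as Nomad would, then evaluate the read."""
    policies = {**POLICIES, "access-tables": access_tables_rules}
    nomad_token = Token(["nomad-cluster"])
    task = create_task_token(nomad_token, "nomad-cluster", ROLE_NOMAD_CLUSTER,
                             ["access-tables"], policies)
    return "read" in capabilities(task.policies, kv_v2_data_path("kv", "me"), policies)


if __name__ == "__main__":
    print("Nomad's own token on kv/data/me:", capabilities(["nomad-cluster"], "kv/data/me"))
    print("task token, access-tables empty:", task_can_read_secret(ACCESS_TABLES_BROKEN))
    print("task token, access-tables fixed:", task_can_read_secret(ACCESS_TABLES_FIXED))
```

The model reproduces the page's situation: Nomad's own token can read kv/data/me, but the task token it mints carries only access-tables, so that policy alone decides the outcome. Against a real server the equivalent checks are `vault policy read access-tables` and `vault token capabilities <task-token> kv/data/me` (Nomad writes the task token to the task's secrets/vault_token file). One extra thing to watch after fixing the policy: the error in the question shows the request going to /v1/kv/me; a KV version 2 read must hit /v1/kv/data/me, so if the URL in the error does not change, put kv/data/me in the template's secret path as well.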
