docs: name, audience, and TTL fields for identity blocks (#18916)

Tim Gross
2023-10-30 13:45:40 -04:00
committed by GitHub
parent 6fd3143fe7
commit 4850f07295


@@ -15,11 +15,14 @@ description: |-
/>
The `identity` block allows a task access to its [Workload Identity][] via an
environment variable or file. By default Nomad will create an identity for all
workloads, but it is *not* exposed to a task.
environment variable or file. Nomad will create a _default_ identity for all
workloads, but it is *not* exposed to a task. You may also set additional
identities intended for use with external applications such as Vault, Consul, or
OIDC authentication.
The following will expose the Workload Identity as an environment variable and
file to the task:
For example, the following will expose the default Workload Identity as an
environment variable and file to the task, and a second Workload Identity
configured for a third-party OIDC provider:
```hcl
job "docs" {
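Review bot: the sentence "additional identities intended for use with external applications such as Vault, Consul, or OIDC authentication" mixes two applications with an authentication protocol; the later sentence in this same hunk already uses the clearer phrasing "a third-party OIDC provider", so I would align them, e.g. "such as Vault, Consul, or a third-party OIDC provider". Minor style point: the paragraph emphasises with both `_default_` and `*not*`; pick one emphasis style for the page.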
@@ -31,6 +34,14 @@ job "docs" {
file = true
}
identity {
name = "example"
aud = ["oidc.example.com"]
env = true
file = true
ttl = "1h"
}
# ...
}
}
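Review bot: the example sets `env = true` on both the default identity and the named `example` identity, but the `env` parameter below says the identity is exposed in the task's `NOMAD_TOKEN` environment variable, so a reader cannot tell which variable the second identity populates or whether the two collide. Either document the variable name used for a named identity in the `env` parameter text, or drop `env = true` from the `example` block and keep `file = true` only, so the example does not depend on undocumented behaviour.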
@@ -39,6 +50,11 @@ job "docs" {
## `identity` Parameters
- `name` `(string: "default")` - The name of the workload identity, which must
be unique per task. Only one `identity` block in a task can omit the `name`
field.
- `aud` `([]string: nil)` - The audience field for the workload identity. This
should always be set for non-default identities.
- `env` `(bool: false)` - If true the workload identity will be available in the
task's `NOMAD_TOKEN` environment variable.
- `file` `(bool: false)` - If true the workload identity will be available in
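Review bot: the `aud` entry says the audience "should always be set for non-default identities" without saying why or what happens when it is omitted; since the audience is what ties a token to its intended consumer, a short sentence on that purpose (and whether `aud` is permitted or ignored on the default identity, which the `ttl` entry spells out for its own field) would make the recommendation actionable. Also, for `name`, the combination of "must be unique per task" and "Only one `identity` block in a task can omit the `name` field" implies that a block explicitly named `"default"` cannot coexist with an unnamed block; stating that directly would save a validation-error round trip.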
@@ -46,6 +62,10 @@ job "docs" {
[`task.user`][taskuser] parameter is set, the token file will only be
readable by that user. Otherwise the file is readable by everyone but is
protected by parent directory permissions.
- `ttl` `(string: "")` - The lifetime of the identity before it expires. The
client will renew the identity at roughly half the TTL. This is specified
using a label suffix like "30s" or "1h". You may not set a TTL on the default
identity. You should always set a TTL for non-default identities.
## Task API
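Review bot: the `ttl` entry shows a default of `""` and says "You should always set a TTL for non-default identities", but it never states what an empty TTL means for a named identity; if it means the identity does not expire, say so explicitly, since a non-expiring token handed to a third-party OIDC provider is exactly the case this recommendation is trying to prevent. Consider also replacing "a label suffix like "30s" or "1h"" with a reference to the duration format the rest of the Nomad docs use for time values, and noting that renewal "at roughly half the TTL" means a TTL shorter than the client's renewal cadence may not be renewed in time.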