Add option to expose workload token to task (#15755)

Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
2026-01-06 18:35:44 +03:00 · 2023-02-02 13:59:14 -05:00
parent 9f583f57f5
commit fe4ff5be2a
34 changed files with 1078 additions and 86 deletions
--- a/client/taskenv/env.go
+++ b/client/taskenv/env.go
@@ -122,6 +122,9 @@ const (

 	// VaultNamespace is the environment variable for passing the Vault namespace, if applicable
 	VaultNamespace = "VAULT_NAMESPACE"
+
+	// WorkloadToken is the environment variable for passing the Nomad Workload Identity token
+	WorkloadToken = "NOMAD_TOKEN"
 )

 // The node values that can be interpreted.
@@ -406,25 +409,27 @@ type Builder struct {
 	// clientTaskSecretsDir is the secrets dir from the client's perspective; eg <client_task_root>/secrets
 	clientTaskSecretsDir string

-	cpuCores         string
-	cpuLimit         int64
-	memLimit         int64
-	memMaxLimit      int64
-	taskName         string
-	allocIndex       int
-	datacenter       string
-	cgroupParent     string
-	namespace        string
-	region           string
-	allocId          string
-	allocName        string
-	groupName        string
-	vaultToken       string
-	vaultNamespace   string
-	injectVaultToken bool
-	jobID            string
-	jobName          string
-	jobParentID      string
+	cpuCores            string
+	cpuLimit            int64
+	memLimit            int64
+	memMaxLimit         int64
+	taskName            string
+	allocIndex          int
+	datacenter          string
+	cgroupParent        string
+	namespace           string
+	region              string
+	allocId             string
+	allocName           string
+	groupName           string
+	vaultToken          string
+	vaultNamespace      string
+	injectVaultToken    bool
+	workloadToken       string
+	injectWorkloadToken bool
+	jobID               string
+	jobName             string
+	jobParentID         string

 	// otherPorts for tasks in the same alloc
 	otherPorts map[string]string
@@ -567,6 +572,11 @@ func (b *Builder) buildEnv(allocDir, localDir, secretsDir string,
 		envMap[VaultNamespace] = b.vaultNamespace
 	}

+	// Build the Nomad Workload Token
+	if b.injectWorkloadToken && b.workloadToken != "" {
+		envMap[WorkloadToken] = b.workloadToken
+	}
+
 	// Copy and interpolate task meta
 	for k, v := range b.taskMeta {
 		envMap[hargs.ReplaceEnv(k, nodeAttrs, envMap)] = hargs.ReplaceEnv(v, nodeAttrs, envMap)
@@ -1018,6 +1028,14 @@ func (b *Builder) SetVaultToken(token, namespace string, inject bool) *Builder {
 	return b
 }

+func (b *Builder) SetWorkloadToken(token string, inject bool) *Builder {
+	b.mu.Lock()
+	b.workloadToken = token
+	b.injectWorkloadToken = inject
+	b.mu.Unlock()
+	return b
+}
+
 // addPort keys and values for other tasks to an env var map
 func addPort(m map[string]string, taskName, ip, portLabel string, port int) {
 	key := fmt.Sprintf("%s%s_%s", AddrPrefix, taskName, portLabel)