kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 10:25:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
0367b60ca9b06d2f5801ac22e209d7fecd929d37
nomad/website/content/docs/job-specification/identity.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

369 lines
10 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: identity block in the job specification
description: |-
Configure workload identity in the `identity` block of the Nomad job specification. Review how to configure workload identities for Consul and Vault.
---
# `identity` block in the job specification
<Placement
groups={[
['job', 'group', 'service', 'identity'],
['job', 'group', 'task', 'identity'],
['job', 'group', 'task', 'service', 'identity'],
]}
/>
The `identity` block allows a task access to its [Workload Identity][] via an
environment variable or file. Nomad will create a _default_ identity for all
workloads, but it is *not* exposed to a task. You may also set additional
identities intended for use with external applications such as Vault, Consul, or
OIDC authentication.
For example, the following will expose the default Workload Identity as an
environment variable and file to the task, and a second Workload Identity
configured for a third-party OIDC provider:
```hcl
job "docs" {
group "example" {
task "api" {
identity {
env = true
file = true
filepath = "local/example.jwt"
# Restart on token renewal to get the new env var
change_mode = "restart"
}
identity {
name = "example"
aud = ["oidc.example.com"]
file = true
ttl = "1h"
# Send a HUP signal when the token file is updated
change_mode = "signal"
change_signal = "SIGHUP"
}
# ...
}
}
}
```
## Parameters
- `name` `(string: "default")` - The name of the workload identity, which must
be unique per task. Only one `identity` block in a task can omit the `name`
field.
- `aud` `([]string: nil)` - The audience field for the workload identity. This
should always be set for non-default identities.
- `change_mode` `(string: "noop")` - Specifies the behavior Nomad should take when the token changes.
- `"noop"` - take no action. The default since tasks may choose to reload
tokens only when their current token gets rejected or implement their own
change detection.
- `"restart"` - restart the task.
- `"signal"` - send a configurable signal to the task. Must set `change_signal`.
- `change_signal` `(string: "")` - Specifies the signal to send to the task as a
string like `"SIGHUP"` or `"SIGUSR1"`. This option is required if the
`change_mode` is `signal`.
- `env` `(bool: false)` - If true the workload identity will be available in the
task's `NOMAD_TOKEN` environment variable.
- `file` `(bool: false)` - If true the workload identity will be available in
the task's filesystem via the path `secrets/nomad_token`. If the
[`task.user`][taskuser] parameter is set, the token file will only be
readable by that user. Otherwise the file is readable by everyone but is
protected by parent directory permissions.
- `filepath` `(string: "")` - If not empty and file is `true`, the workload
identity is available at the specified location relative to the
[task working directory][] instead of the `NOMAD_SECRETS_DIR`.
- `ttl` `(string: "")` - The lifetime of the identity before it expires. The
client will renew the identity at roughly half the TTL. This is specified
using a label suffix like "30s" or "1h". You may not set a TTL on the default
identity. You should always set a TTL for non-default identities.
## Task API
It can be convenient to combine workload identity with Nomad's [Task API]
[taskapi] for enabling tasks to access the Nomad API.
## Workload identities for Consul
Jobs that need access to Consul can use Nomad workload identities for
authentication. These identities are specified as additional `identity` blocks
inside the task or service that will access Consul.
You can configure Nomad servers to automatically add default identities for
Consul using the [`consul.service_identity`][] and [`consul.task_identity`][]
agent configuration. Upon job registration, the Nomad server updates tasks that
have a [`consul`][] block and services that use the Consul service provider to
include the default identities.
Job specifications that include [`template`][] blocks are not provided with
default identities because Nomad is unable to decipher the contents of the
template data. You must specify the identities required for Consul in the job
specification.
You can also specify these identities directly in the job. When provided, they
override the default identities configured in the Nomad servers. Identities for
tasks must have a [`name`](#name) that follows the pattern
`consul_<cluster name>`. Identities for services do not need to specify a
`name`.
In Nomad Community Edition, `<cluster_name>` is always `default`, so the task
identity name should be `consul_default`.
<Warning>
Nomad Enterprise supports multiple Consul clusters. The value of
`cluster_name` must be the same as the task's [`consul.cluster` parameter value](/nomad/docs/job-specification/consul#cluster).
</Warning>
Refer to [Nomad workload identities][int_consul_wid] section of the Consul
integration documentation for more information.
<Tabs>
<Tab heading="Nomad Community Edition" group="ce">
<CodeBlockConfig highlight="3,14-17,30-34">
```hcl
job "httpd" {
group "httpd" {
consul {}
network {
port "http" {}
}
service {
provider = "consul"
name = "httpd"
port = "http"
identity {
aud = ["consul.io"]
ttl = "1h"
}
}
task "httpd" {
driver = "docker"
config {
image = "busybox:1.36"
command = "httpd"
args = ["-f", "-p", "${NOMAD_PORT_http}"]
ports = ["http"]
}
identity {
name = "consul_default"
aud = ["consul.io"]
ttl = "1h"
}
}
}
}
```
</CodeBlockConfig>
</Tab>
<Tab heading="Nomad Enterprise" group="ent">
<CodeBlockConfig highlight="3-5,16-19,32-36">
```hcl
job "httpd" {
group "httpd" {
consul {
cluster = "prod"
}
network {
port "http" {}
}
service {
provider = "consul"
name = "httpd"
port = "http"
identity {
aud = ["consul.io"]
ttl = "1h"
}
}
task "httpd" {
driver = "docker"
config {
image = "busybox:1.36"
command = "httpd"
args = ["-f", "-p", "${NOMAD_PORT_http}"]
ports = ["http"]
}
identity {
name = "consul_prod"
aud = ["consul.io"]
ttl = "1h"
}
}
}
}
```
</CodeBlockConfig>
</Tab>
</Tabs>
## Workload identities for Vault
Jobs that need access to Vault can use Nomad workload identities for
authentication. These identities are specified as additional `identity` blocks
inside the task that will access Vault.
You can configure Nomad servers to automatically add default identities for
Vault using the [`vault.default_identity`][] agent configuration. Upon job
registration, the Nomad server updates tasks that have a [`vault`][] block to
include the default identity.
You can also specify these identities directly in the job. When provided, they
override the default identity configured in the Nomad servers. The identity
[`name`](#name) must follow the pattern `vault_<cluster name>`.
In Nomad Community Edition, `<cluster_name>` is always `default`, so the
identity name should be `vault_default`.
<Warning>
Nomad Enterprise supports multiple Vault clusters. The cluster name
must be the same as the task's [`vault.cluster` parameter value](/nomad/docs/job-specification/vault#cluster).
</Warning>
Refer to [Nomad Workload Identities][int_vault_wid] section of the Vault
integration documentation for more information.
<Tabs>
<Tab heading="Nomad Community Edition" group="ce">
<CodeBlockConfig highlight="19,21-25">
```hcl
job "mongo" {
namespace = "default"
group "db" {
network {
port "db" {
to = 27017
}
}
task "mongo" {
driver = "docker"
config {
image = "mongo:7"
ports = ["db"]
}
vault {}
identity {
name = "vault_default"
aud = ["vault.io"]
ttl = "1h"
}
template {
data = <<EOF
{{with secret "kv/data/default/mongo/config"}}
MONGO_INITDB_ROOT_USERNAME=root
MONGO_INITDB_ROOT_PASSWORD={{.Data.data.root_password}}
{{end}}
EOF
destination = "secrets/env"
env = true
}
}
}
}
```
</CodeBlockConfig>
</Tab>
<Tab heading="Nomad Enterprise" group="ent">
<CodeBlockConfig highlight="19-21,23-27">
```hcl
job "mongo" {
namespace = "default"
group "db" {
network {
port "db" {
to = 27017
}
}
task "mongo" {
driver = "docker"
config {
image = "mongo:7"
ports = ["db"]
}
vault {
cluster = "prod"
}
identity {
name = "vault_prod"
aud = ["vault.io"]
ttl = "1h"
}
template {
data = <<EOF
{{with secret "kv/data/default/mongo/config"}}
MONGO_INITDB_ROOT_USERNAME=root
MONGO_INITDB_ROOT_PASSWORD={{.Data.data.root_password}}
{{end}}
EOF
destination = "secrets/env"
env = true
}
}
}
}
```
</CodeBlockConfig>
</Tab>
</Tabs>
[Workload Identity]: /nomad/docs/concepts/workload-identity "Nomad Workload Identity"
[`consul.cluster`]: /nomad/docs/job-specification/consul#cluster
[`consul.service_identity`]: /nomad/docs/configuration/consul#service_identity
[`consul.task_identity`]: /nomad/docs/configuration/consul#task_identity
[`consul`]: /nomad/docs/job-specification/consul
[`template`]: /nomad/docs/job-specification/template
[`vault.default_identity`]: /nomad/docs/configuration/vault#default_identity
[`vault`]: /nomad/docs/job-specification/vault
[int_consul_wid]: /nomad/docs/secure/acl/consul
[int_vault_wid]: /nomad/docs/secure/vault/acl
[taskapi]: /nomad/api-docs/task-api
[taskuser]: /nomad/docs/job-specification/task#user "Nomad task Block"
[windows]: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
[task working directory]: /nomad/docs/reference/runtime-environment-settings#task-directories 'Task Directories'
Reference in New Issue View Git Blame Copy Permalink