kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 17:35:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
65c7f34f2d4c92ffbb51646aacc264f8db33cc06
nomad/website/content/docs/concepts/workload-identity.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

202 lines
6.5 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Workload Identity
description: Nomad's workload identity feature isolates and uniquely identities each workload so you can associate Access Control List (ACL) policies to jobs. Learn about workload identity claims, claims attributes specific to Nomad Enterprise, default workload ACL policy, and workload identity for Consul and Vault.
---
# Workload Identity
This page provides conceptual information about Nomad's workload identity
feature, which isolates and uniquely identities each workload so you can associate Access Control List (ACL) policies to jobs. Learn about workload identity claims, claims attributes specific to Nomad Enterprise, default workload ACL policy, and workload identity for Consul and Vault.
Every workload running in Nomad is given a default identity. When an
[allocation][] is accepted by the [plan applier][], the leader generates a
Workload Identity for each task in the allocation. This workload identity is a
[JSON Web Token (JWT)][] that has been signed by the leader's keyring.
Additional workload identities may be defined in tasks and services using the
[`identity`][identity-block] block.
## Workload Identity Claims
Nomad workload identity for tasks include the following identity claims.
```json
{
"nomad_namespace": "default",
"nomad_job_id": "example",
"nomad_allocation_id": "5c6328f7-48c5-4d03-bada-91ef2e904d0d",
"nomad_task": "web"
}
```
Workload identities for Consul services have a claim with the service name
instead of the task name.
```json
{
"nomad_namespace": "default",
"nomad_job_id": "example",
"nomad_allocation_id": "8623ac7a-28ba-20c3-24a6-e615a39bbbf3",
"nomad_service": "example-cache-redis"
}
```
Workload identities for tasks that use Vault have an additional claim for
[`vault.role`][jobspec_vault_role] if a role is specified in the job.
-> **Note:** This claim will *not* be added if the role is inherited from
the [agent configuration][vault_role_agent_config] and is not present
in the Nomad job specification.
```json
{
"nomad_namespace": "default",
"nomad_job_id": "example",
"nomad_allocation_id": "8623ac7a-28ba-20c3-24a6-e615a39bbbf3",
"nomad_service": "example-cache-redis",
"vault_role": "nomad-jwt-login"
}
```
### Nomad Enterprise <EnterpriseAlert inline />
In Nomad Enterprise, tasks and services with a [`consul`][jobspec_consul] block
that defines a [`namespace`][jobspec_consul_ns] value, or inside a `group`
block that does it, have an additional claim called `consul_namespace`.
```json
{
"consul_namespace": "prod",
"nomad_namespace": "default",
"nomad_job_id": "example",
"nomad_allocation_id": "8623ac7a-28ba-20c3-24a6-e615a39bbbf3",
"nomad_service": "example-cache-redis"
}
```
Similarly, tasks with a [`vault.namespace`][jobspec_vault_ns] value have the additional claim
`vault_namespace`.
```json
{
"nomad_namespace": "default",
"nomad_job_id": "example",
"nomad_allocation_id": "8623ac7a-28ba-20c3-24a6-e615a39bbbf3",
"nomad_service": "example-cache-redis",
"vault_namespace": "prod"
}
```
## Workload Identity for Nomad
While Nomad always creates and uses workload identities internally, the JWT is
not exposed to tasks by default.
To expose Workload Identity to tasks, add an [`identity`][identity-block] block
to your jobspec:
```hcl
task "example" {
identity {
# Expose Workload Identity in NOMAD_TOKEN env var
env = true
# Expose Workload Identity in ${NOMAD_SECRETS_DIR}/nomad_token file
file = true
}
}
```
### Default Workload ACL Policy
By default, a Workload Identity has access to a implicit ACL policy. This policy
grants access to Nomad Variables associated with the job, group, and task, as
described in [Task Access to Variables][]. The implicit policy also allows
access to list or read any Nomad service registration as with the [List Services
API][] or [Read Service API][].
### Workload Associated ACL Policies
You can associate additional ACL policies with workload identities by passing
the `-job`, `-group`, and `-task` flags to `nomad acl policy apply`. When Nomad
resolves a workload identity claim, it will automatically include policies that
match. If no matching policies exist, the workload identity does not have any
additional capabilities.
For example, to allow a workload access to secrets from the namespace "shared",
you can create the following policy file:
```hcl
namespace "shared" {
variables {
path "*" {
capabilities = ["read"]
}
}
}
```
You can then apply this policy to a specific task:
```shell-session
nomad acl policy apply \
-namespace default -job example -group cache -task redis \
redis-policy ./policy.hcl
```
You can also apply this policy to all tasks in the group by omitting the `-task`
flag:
```shell-session
nomad acl policy apply \
-namespace default -job example -group cache \
redis-policy ./policy.hcl
```
You can apply this policy to all groups in the job by omitting both the
`-group` and `-task` flag:
```shell-session
nomad acl policy apply \
-namespace default -job example \
redis-policy ./policy.hcl
```
And you can apply this policy to all jobs in the namespace by omitting the
`-job`, `-group`, and `-task` flag:
```shell-session
nomad acl policy apply \
-namespace default redis-policy ./policy.hcl
```
### Task API
It can be convenient to combine workload identity with Nomad's [Task API]
[taskapi] for enabling tasks to access the Nomad API.
## Workload Identity for Consul and Vault
Consul and Vault can be configured to accept workload identities from Nomad for
authentication. Refer to the [Consul][consul_int] and [Vault][vault_int]
integration pages for more information.
[allocation]: /nomad/docs/glossary#allocation
[identity-block]: /nomad/docs/job-specification/identity
[jobspec_consul]: /nomad/docs/job-specification/consul
[jobspec_consul_ns]: /nomad/docs/job-specification/consul#namespace
[jobspec_vault_ns]: /nomad/docs/job-specification/vault#namespace
[jobspec_vault_role]: /nomad/docs/job-specification/vault#role
[vault_role_agent_config]: /nomad/docs/configuration/vault#create_from_role
[plan applier]: /nomad/docs/concepts/scheduling/how-scheduling-works
[JSON Web Token (JWT)]: https://datatracker.ietf.org/doc/html/rfc7519
[Task Access to Variables]: /nomad/docs/concepts/variables#task-access-to-variables
[List Services API]: /nomad/api-docs/services#list-services
[Read Service API]: /nomad/api-docs/services#read-service
[windows]: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
[taskapi]: /nomad/api-docs/task-api
[consul_int]: /nomad/docs/secure/acl/consul
[vault_int]: /nomad/docs/secure/vault
Reference in New Issue View Git Blame Copy Permalink