kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 17:35:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
65c7f34f2d4c92ffbb51646aacc264f8db33cc06
nomad/website/content/docs/secure/vault/index.mdx
Tim Gross b286a8ee9c docs: update Consul/Vault compatibility matrix (#26368) 
Update our support matrix to show currently-supported versions of Consul, Vault,
and Nomad.
2025-07-28 13:48:38 -04:00

73 lines
3.0 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Vault Integration
description: >-
Integrate Vault with Nomad to use tokens, password, certificates, API keys, and secrets stored in Vault. Configure Nomad to use Vault access control lists (ACLs) to secure your cluster. Learn how to configure Nomad agents and use Consul Template in your job specification.
---
# Vault Integration
Many workloads require access to tokens, passwords, certificates, API keys, and
other secrets. To enable secure, auditable and easy access to your secrets,
Nomad integrates with HashiCorp's [Vault][]. Nomad servers and clients
coordinate with Vault to derive a Vault token that has access to only the Vault
policies the tasks needs. Nomad clients make the token available to the task and
handle the tokens renewal.
## Configuration
In order to use Vault with Nomad, you will need to configure and install Vault
separately from Nomad. Nomad does not run Vault for you.
## Agent configuration
To enable Vault integration, Nomad agents must be configured with
[`vault`][] blocks. Each block can be enabled or disabled and configures how
Nomad connects to the Vault cluster.
## Dynamic configuration with secrets
Nomad's job specification includes a [`template`][] block that uses a tool
called [Consul Template][]. When used with Vault, this mechanism creates a
convenient way to ship configuration files that are populated from Vault
secrets.
For more information on Nomad's template block please see the
[`template` job specification documentation][].
## Vault access control list (ACL)
The Vault ACL system protects the cluster from unauthorized access. When
enabled, both Vault and Nomad must be properly configured in order for their
integrations to work.
Refer to the [Vault ACL integration page][int_vault_acl] for more information.
## Multiple vault clusters <EnterpriseAlert inline />
Nomad Enterprise supports access to multiple Vault clusters. They can be
configured using multiple [`vault`][] blocks with different `name` values. If a
`name` is not provided, the cluster configuration is called `default`.
Jobs that need access to Vault may specify which Vault cluster to use with the
[`vault.cluster`][] parameter.
## Compatibility
All currently supported versions of Nomad are compatible with recent versions of
Vault.
| | Vault 1.18.0+ | Vault 1.19.0+ | Vault 1.20.0+ |
|---------------|---------------|---------------|---------------|
| Nomad 1.10.0+ | ✅ | ✅ | ✅ |
| Nomad 1.9.0+ | ✅ | ✅ | ✅ |
| Nomad 1.8.0+ | ✅ | ✅ | ✅ |
[Consul Template]: https://github.com/hashicorp/consul-template
[Vault]: https://www.vaultproject.io/ 'Vault by HashiCorp'
[`template` job specification documentation]: /nomad/docs/job-specification/template#vault-integration
[`template`]: /nomad/docs/job-specification/template
[`vault.cluster`]: /nomad/docs/job-specification/vault#cluster
[`vault`]: /nomad/docs/configuration/vault 'Nomad Vault Configuration Block'
[int_vault_acl]: /nomad/docs/secure/vault/acl
Reference in New Issue View Git Blame Copy Permalink