github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/website/content/docs/concepts/variables.mdx (about) 1 --- 2 layout: docs 3 page_title: Variables 4 description: Learn about the Nomad Variables feature 5 --- 6 7 # Nomad Variables 8 9 Most Nomad workloads need access to config values or secrets. Nomad has a 10 `template` block to provide such configuration to tasks, but prior to Nomad 1.4 11 has left the role of storing that configuration to external services such as 12 [HashiCorp Consul] and [HashiCorp Vault]. 13 14 Nomad Variables provide the option to store configuration at file-like paths 15 directly in Nomad's state store. The contents of these variables are encrypted 16 and replicated between servers via raft. Access to variables is controlled by 17 ACL policies, and tasks have implicit ACL policies that allow them to access 18 their own variables. You can create, read, update, or delete variables via the 19 command line, the Nomad API, or in the Nomad web UI. 20 21 Note that the Variables feature is intended for small pieces of configuration 22 data needed by workloads. Because writing to the Nomad state store uses 23 resources needed by Nomad, it is not well-suited for large or fast-changing 24 data. For example, do not store batch job results as Variables - these should be 25 stored in an external database. Variables are also not intended to be a full 26 replacement for HashiCorp Vault. Unlike Vault, Nomad stores the root encryption 27 key on the servers. See [Key Management][] for details. 28 29 ## ACL for Variables 30 31 Every Variable belongs to a specific Nomad namespace. ACL policies can restrict 32 access to Variables within a namespace on a per-path basis, using a list of 33 `path` blocks, located under `namespace.variables`. See the [ACL policy 34 specification] docs for details about the syntax and structure of an ACL policy. 35 36 Path definitions may also include wildcard symbols, also called globs, allowing 37 a single path policy definition to apply to a set of paths within that 38 namespace. For example, the policy below allows full access to variables at all 39 paths in the "dev" namespace that are prefixed with "project/" (including child 40 paths) but only read access to paths prefixed with "system/". Note that the glob 41 can match an empty string and all other characters. This policy grants read 42 access to paths prefixed with "system/" but not a path named "system" (without a 43 trailing slash). 44 45 ```hcl 46 namespace "dev" { 47 policy = "write" 48 capabilities = ["alloc-node-exec"] 49 50 variables { 51 52 # full access to variables in all "project" paths 53 path "project/*" { 54 capabilities = ["write", "read", "destroy", "list"] 55 } 56 57 # read/list access within a "system/" path belonging to administrators 58 path "system/*" { 59 capabilities = ["read"] 60 } 61 } 62 } 63 ``` 64 65 The available capabilities for Variables are as follows: 66 67 | Capability | Notes | 68 |------------|-----------------------------------------------------------------------------------------------------------------------| 69 | write | Create or update Variables at this path. Includes the "list" capability but not the "read" or "destroy" capabilities. | 70 | read | Read the decrypted contents of Variables at this path. Also includes the "list" capability | 71 | list | List the metadata but not contents of Variables at this path. | 72 | destroy | Delete Variables at this path. | 73 74 ## Task Access to Variables 75 76 In Nomad 1.4.0 tasks can only access Variables with the [`template`] block. The 77 [workload identity] for each task grants it automatic read and list access to 78 Variables found at Nomad-owned paths with the prefix `nomad/jobs/`, followed by 79 the job ID, task group name, and task name. This is equivalent to the following 80 policy: 81 82 ```hcl 83 namespace "$namespace" { 84 variables { 85 86 path "nomad/jobs" { 87 capabilities = ["read", "list"] 88 } 89 90 path "nomad/jobs/$job_id" { 91 capabilities = ["read", "list"] 92 } 93 94 path "nomad/jobs/$job_id/$task_group" { 95 capabilities = ["read", "list"] 96 } 97 98 path "nomad/jobs/$job_id/$task_group/$task_name" { 99 capabilities = ["read", "list"] 100 } 101 } 102 } 103 ``` 104 105 For example, a task named "redis", in a group named "cache", in a job named 106 "example", will automatically have access to Variables as if it had the 107 following policy: 108 109 ```hcl 110 namespace "default" { 111 variables { 112 113 path "nomad/jobs" { 114 capabilities = ["read", "list"] 115 } 116 117 path "nomad/jobs/example" { 118 capabilities = ["read", "list"] 119 } 120 121 path "nomad/jobs/example/cache" { 122 capabilities = ["read", "list"] 123 } 124 125 path "nomad/jobs/example/cache/redis" { 126 capabilities = ["read", "list"] 127 } 128 } 129 } 130 ``` 131 132 You can provide access to additional variables by creating policies associated 133 with the task's [workload identity]. For example, to give the task above access 134 to all variables in the "shared" namespace, you can create the following policy 135 file: 136 137 ```hcl 138 namespace "shared" { 139 variables { 140 path "*" { 141 capabilities = ["read"] 142 } 143 } 144 } 145 ``` 146 147 Then create the policy and associate it with the specific task: 148 149 ```shell-session 150 nomad acl policy apply \ 151 -namespace default -job example -group cache -task redis \ 152 redis-policy ./policy.hcl 153 ``` 154 155 See [Workload Associated ACL Policies] for more details. 156 157 [HashiCorp Consul]: https://www.consul.io/ 158 [HashiCorp Vault]: https://www.vaultproject.io/ 159 [Key Management]: /docs/operations/key-management 160 [ACL policy specification]: /docs/other-specifications/acl-policy 161 [`template`]: /docs/job-specification/template 162 [workload identity]: /docs/concepts/workload-identity 163 [Workload Associated ACL Policies]: /docs/concepts/workload-identity#workload-associated-acl-policies