github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/website/content/docs/concepts/workload-identity.mdx (about)

---
layout: docs
page_title: Workload Identity
description: Learn about Nomad's workload identity feature
---

# Workload Identity

When an [allocation][] is accepted by the [plan applier][], the leader generates
a Workload Identity for each task in the allocation. This workload identity is a
[JSON Web Token (JWT)][] that has been signed by the leader's keyring. The
workload identity includes the following identity claims:

```json
{
  "nomad_namespace": "default",
  "nomad_job_id": "example",
  "nomad_allocation_id": "5c6328f7-48c5-4d03-bada-91ef2e904d0d",
  "nomad_task": "web"
}
```
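
The following Go program is an added example, not code from the Nomad project, showing how a token of this shape is issued and, more importantly, how a consumer should check it before trusting any claim: the signature must verify under the keyring's public key and the header's `alg` must match the one the verifier expects. Ed25519 (JWT alg `EdDSA`) and the names `NewKeyring`, `SignIdentity` and `VerifyIdentity` are assumptions of the example; the page does not state which algorithm the leader's keyring uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// WorkloadClaims mirrors the four identity claims listed above.
type WorkloadClaims struct {
	Namespace    string `json:"nomad_namespace"`
	JobID        string `json:"nomad_job_id"`
	AllocationID string `json:"nomad_allocation_id"`
	Task         string `json:"nomad_task"`
}

// NewKeyring stands in for the leader's signing key. Assumption of this
// example: Ed25519, i.e. JWT alg "EdDSA"; the page does not say what the
// real keyring uses.
func NewKeyring() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// encodeSegment is unpadded base64url, as RFC 7515 requires for every JWT segment.
func encodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIdentity builds a compact JWT: header "." claims "." signature, where
// the signature covers the first two encoded segments joined by ".".
func SignIdentity(priv ed25519.PrivateKey, c WorkloadClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := encodeSegment(header) + "." + encodeSegment(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + encodeSegment(sig), nil
}

// VerifyIdentity reads no claim until the header names the single algorithm
// we accept and the signature verifies under the keyring's public key.
// Pinning the algorithm on the verifier side, instead of trusting the token's
// own "alg", is what rules out "alg":"none" and key-confusion forgeries.
func VerifyIdentity(pub ed25519.PublicKey, token string) (WorkloadClaims, error) {
	var c WorkloadClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token: expected three segments")
	}
	var seg [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return c, fmt.Errorf("segment %d: %w", i, err)
		}
		seg[i] = b
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(seg[0], &header); err != nil {
		return c, err
	}
	if header.Alg != "EdDSA" {
		return c, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), seg[2]) {
		return c, errors.New("signature does not verify")
	}
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return WorkloadClaims{}, err
	}
	return c, nil
}

func main() {
	pub, priv := NewKeyring()
	claims := WorkloadClaims{"default", "example", "5c6328f7-48c5-4d03-bada-91ef2e904d0d", "web"}
	token, err := SignIdentity(priv, claims)
	if err != nil {
		panic(err)
	}
	got, err := VerifyIdentity(pub, token)
	fmt.Printf("%+v %v\n", got, err)
}
```

The order of checks in `VerifyIdentity` is the point: segment count, then algorithm, then signature, and only then the claims. A verifier that unmarshals the payload first and checks the signature afterwards tends to grow code paths that act on unverified claims.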

## Workload Associated ACL Policies

You can associate additional ACL policies with workload identities by passing
the `-namespace`, `-job`, `-group`, and `-task` flags to `nomad acl policy apply`.
When Nomad resolves a workload identity, it automatically includes every policy
whose association matches the identity's claims. If no matching policies exist,
the workload identity does not have any additional capabilities.

For example, to allow a workload to read variables from the namespace "shared",
you can create the following policy file:

```hcl
namespace "shared" {
  variables {
    path "*" {
      capabilities = ["read"]
    }
  }
}
```

Note that `path "*"` grants read access to every variable in that namespace;
narrow the path to the prefix the workload actually needs.

You can then apply this policy to a specific task:

```shell-session
nomad acl policy apply \
   -namespace default -job example -group cache -task redis \
   redis-policy ./policy.hcl
```

You can also apply this policy to all tasks in the group by omitting the `-task`
flag:

```shell-session
nomad acl policy apply \
   -namespace default -job example -group cache \
   redis-policy ./policy.hcl
```

And you can apply this policy to all groups in the job by omitting both the
`-group` and `-task` flags:

```shell-session
nomad acl policy apply \
   -namespace default -job example \
   redis-policy ./policy.hcl
```
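
The resolution rules behind those three invocations, as an added example in Go rather than the project's own code: `PolicyBinding`, `ResolvePolicies` and `SampleBindings` are names chosen for the example, and the bindings are constructed data mirroring the task-, group- and job-scoped applies above plus two that must not match. One detail worth noticing: the identity claims listed at the top of the page carry no group name, so the example takes the task's group as a separate argument; how the server obtains it is an assumption here.

```go
package main

import "fmt"

// WorkloadClaims mirrors the identity claims listed earlier on this page.
type WorkloadClaims struct {
	Namespace    string `json:"nomad_namespace"`
	JobID        string `json:"nomad_job_id"`
	AllocationID string `json:"nomad_allocation_id"`
	Task         string `json:"nomad_task"`
}

// PolicyBinding records the association set by the flags to
// `nomad acl policy apply`: -namespace and -job are always present; an empty
// Group means every group in the job, and an empty Task means every task in
// the group.
type PolicyBinding struct {
	Name, Namespace, Job, Group, Task string
}

// Matches applies those scoping rules to one task's claims. The claims carry
// no group name, so the caller supplies the task's group from the allocation
// (assumption: how the server obtains it is not described on this page).
func (b PolicyBinding) Matches(c WorkloadClaims, group string) bool {
	if b.Namespace != c.Namespace || b.Job != c.JobID {
		return false
	}
	if b.Group != "" && b.Group != group {
		return false
	}
	return b.Task == "" || b.Task == c.Task
}

// ResolvePolicies returns, in binding order, the names of every policy whose
// association matches the identity. An empty result is the "no additional
// capabilities" case described in the text.
func ResolvePolicies(bindings []PolicyBinding, c WorkloadClaims, group string) []string {
	var names []string
	for _, b := range bindings {
		if b.Matches(c, group) {
			names = append(names, b.Name)
		}
	}
	return names
}

// SampleBindings is constructed sample data: the three applies shown above
// (task, group and job scope) plus two bindings that must not match.
func SampleBindings() []PolicyBinding {
	return []PolicyBinding{
		{"redis-task", "default", "example", "cache", "redis"},
		{"cache-group", "default", "example", "cache", ""},
		{"example-job", "default", "example", "", ""},
		{"web-task", "default", "example", "cache", "web"},
		{"other-job", "default", "other", "", ""},
	}
}

func main() {
	alloc := "5c6328f7-48c5-4d03-bada-91ef2e904d0d"
	redis := WorkloadClaims{"default", "example", alloc, "redis"}
	fmt.Println(ResolvePolicies(SampleBindings(), redis, "cache"))
	// A task in another group of the same job only picks up the job-wide binding.
	web := WorkloadClaims{"default", "example", alloc, "web"}
	fmt.Println(ResolvePolicies(SampleBindings(), web, "frontend"))
	// The same job ID in a different namespace matches nothing.
	other := WorkloadClaims{"shared", "example", alloc, "redis"}
	fmt.Println(ResolvePolicies(SampleBindings(), other, "cache"))
}
```

Because a job- or group-scoped binding applies to every task beneath it, a single broad apply can hand a variable policy to tasks that never needed it; scope the binding to the task when only one task reads the variables.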

## Using Workload Identity

In Nomad 1.4.0 the workload identity is used only by the `template` block to
read [Variables][] and is not exposed outside of Nomad.

[allocation]: /docs/concepts/architecture#allocation
[plan applier]: /docs/concepts/scheduling/scheduling
[Variables]: /docs/concepts/variables
[JSON Web Token (JWT)]: https://datatracker.ietf.org/doc/html/rfc7519