github.com/maier/nomad@v0.4.1-0.20161110003312-a9e3d0b8549d/website/source/docs/vault-integration/index.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Vault Integration" 4 sidebar_current: "docs-vault-integration" 5 description: |- 6 Learn how to integrate with HashiCorp Vault and retrieve Vault tokens for 7 tasks. 8 --- 9 10 # Vault Integration 11 12 Many workloads require access to tokens, passwords, certificates, API keys, and 13 other secrets. To enable secure, auditable and easy access to your secrets, 14 Nomad integrates with HashiCorp's [Vault][]. Nomad servers and clients 15 coordinate with Vault to derive a Vault token that has access to only the Vault 16 policies the tasks needs. Nomad clients make the token avaliable to the task and 17 handle the tokens renewal. Further, Nomad's [`template` block][template] can 18 retrieve secrets from Vault making it easier than ever to secure your 19 infrastructure. 20 21 Note that in order to use Vault with Nomad, you will need to configure and 22 install Vault separately from Nomad. Nomad does not run Vault for you. 23 24 ## Vault Configuration 25 26 To use the Vault integration, Nomad servers must be provided a Vault token. This 27 token can either be a root token or a token from a role. The root token is the 28 easiest way to get started, but we recommend a role-based token for production 29 installations. Nomad servers will renew the token automatically. 30 31 ### Root Token 32 33 If Nomad is given a [root 34 token](https://www.vaultproject.io/docs/concepts/tokens.html#root-tokens), no 35 further configuration is needed as Nomad can derive a token for jobs using any 36 Vault policies. 37 38 ### Role based Token 39 40 Vault's [Token Authentication Backend][auth] supports a concept called "roles". 41 Roles allow policies to be grouped together and token creation to be delegated 42 to a trusted service such as Nomad. By creating a role, the set of policies that 43 tasks managed by Nomad can acess may be limited compared to giving Nomad a root 44 token. 45 46 When given a non-root token, Nomad queries the token to determine the role it 47 was generated from. It will then derive tokens for jobs based on that role. 48 Nomad expects the role to be created with several properties described below 49 when creating the role with the Vault endpoint `/auth/token/roles/<role_name>`: 50 51 ```json 52 { 53 "allowed_policies": "<comma-seperated list of policies>", 54 "explicit_max_ttl": 0, 55 "name": "nomad", 56 "orphan": false, 57 "period": 259200, 58 "renewable": true 59 } 60 ``` 61 62 #### Parameters: 63 64 * `allowed_policies` - Specifies the list of allowed policies as a 65 comma-seperated string This list should contain all policies that jobs running 66 under Nomad should have access to. Further, the list must contain one or more 67 policies that gives Nomad the following permissions: 68 69 ```hcl 70 # Allow creating tokens under the role 71 path "auth/token/create/nomad-server" { 72 capabilities = ["create", "update"] 73 } 74 75 # Allow looking up the role 76 path "auth/token/roles/nomad-server" { 77 capabilities = ["read"] 78 } 79 80 # Allow looking up incoming tokens to validate they have permissions to 81 # access the tokens they are requesting 82 path "auth/token/lookup/*" { 83 capabilities = ["read"] 84 } 85 86 # Allow revoking tokens that should no longer exist 87 path "/auth/token/revoke-accessor/*" { 88 capabilities = ["update"] 89 } 90 ``` 91 92 * `explicit_max_ttl` - Specifies the max TTL of a token. Must be set to `0` to 93 allow periodic tokens. 94 95 * `name` - Specifies the name of the policy. We recommend using the name 96 `nomad-server`. If a different name is chosen, replace the role in the above 97 policy. 98 99 * `orphan` - Specifies whether tokens created againsts this role will be 100 orphaned and have no parents. Must be set to `false`. This ensures that the 101 token can be revoked when the task is no longer needed or a node dies. 102 103 * `period` - Specifies the length the TTL is extended by each renewal in 104 seconds. It is suggested to set this value on the order of magnitude of 3 days 105 (259200 seconds) to avoid a large renewal request rate to Vault. Must be set 106 to a positive value. 107 108 * `renewable` - Specifies whether created tokens are renewable. Must be set to 109 `true`. This allows Nomad to renew tokens for tasks. 110 111 See Vault's [Token Authentication Backend][auth] documentation for all possible 112 fields and more complete documentation. 113 114 #### Example Configuration 115 116 To make getting started easy, the basic [`nomad-server` 117 policy](/data/vault/nomad-server-policy.hcl) and 118 [role](/data/vault/nomad-server-role.json) described above are available for 119 download. 120 121 The below example assumes Vault is accessible, unsealed and the the operator has 122 appropriate permissions. 123 124 ```shell 125 # Download the policy and role 126 $ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L 127 $ curl https://nomadproject.io/data/vault/nomad-server-role.json -O -s -L 128 129 # Write the policy to Vault 130 $ vault policy-write nomad-server nomad-server-policy.hcl 131 132 # Edit the role to add any policies that you would like to be accessible to 133 # Nomad jobs in the list of allowed_policies. Do not remove `nomad-server`. 134 $ editor nomad-server-role.json 135 136 # Create the role with Vault 137 $ vault write /auth/token/roles/nomad-server @nomad-server-role.json 138 ``` 139 140 #### Retrieving the Role based Token 141 142 After the role is created, a token suitable for the Nomad servers may be 143 retrieved by issuing the following Vault command: 144 145 ``` 146 $ vault token-create -role nomad-server 147 Key Value 148 --- ----- 149 token f02f01c2-c0d1-7cb7-6b88-8a14fada58c0 150 token_accessor 8cb7fcb3-9a4f-6fbf-0efc-83092bb0cb1c 151 token_duration 259200s 152 token_renewable true 153 token_policies [<policies>] 154 ``` 155 156 The token can then be set in the server configuration's [vault block][config], 157 as a command-line flag, or via an environment variable. 158 159 ``` 160 $ nomad agent -config /path/to/config -vault-token=f02f01c2-c0d1-7cb7-6b88-8a14fada58c0 161 ``` 162 163 ``` 164 $ VAULT_TOKEN=f02f01c2-c0d1-7cb7-6b88-8a14fada58c0 nomad agent -config /path/to/config 165 ``` 166 167 ## Agent Configuration 168 169 To enable Vault integration, please see the [Nomad agent Vault 170 integration][config] configuration. 171 172 ## Vault Definition Syntax 173 174 To configure a job to retrieve Vault tokens, please see the [`vault` job 175 specification documentation][vault-spec]. 176 177 ## Troubleshooting 178 179 Upon startup, Nomad will attempt to connect to the specified Vault server. Nomad 180 will lookup the passed token and if the token is from a role, the role will be 181 validated. Nomad will not shutdown if given an invalid Vault token, but will log 182 the reasons the token is invalid and disable Vault integration. 183 184 ## Assumptions 185 186 - Vault 0.6.2 or later is needed. 187 188 - Nomad is given either a root token or a token created from an approriate role. 189 190 [auth]: https://www.vaultproject.io/docs/auth/token.html "Vault Authentication Backend" 191 [config]: /docs/agent/configuration/vault.html "Nomad Vault configuration block" 192 [template]: /docs/job-specification/template.html "Nomad template Job Specification" 193 [vault]: https://www.vaultproject.io/ "Vault by HashiCorp" 194 [vault-spec]: /docs/job-specification/vault.html "Nomad Vault Job Specification"