Support AppRole for Vault Integration - Goal: Grouped Policies #2171

Closed
justenwalker opened this issue Jan 9, 2017 · 6 comments

Comments

@justenwalker
Contributor

justenwalker commented Jan 9, 2017

Currently, Nomad 0.5.x supports Vault via injecting a specific token with a list of policies in the job file. It would be good to use AppRoles to group these common policies together under a specific name.

Essentially, this would mean supporting something like:

```hcl
job "docs" {
  group "example" {
    task "server" {
      vault {
        # Vault App Role Name
        app_role_name = "server_role"

        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }
    }
  }
}
```

And having the Nomad Client authenticate the task using the app role.

Caveat:

  • App Roles can be mounted under any arbitrary path. Might need to add another option in the Nomad Config to specify the mount point?

@c4milo
Contributor

c4milo commented Jan 10, 2017

I would guess this issue also depends on hashicorp/consul-template#744

@dadgar
Contributor

dadgar commented Jan 10, 2017

@c4milo Nomad's Vault integration is actually separate from consul-templates. We just hand CT a token but Nomad does all the heavy lifting of getting it.

@dadgar
Contributor

dadgar commented Jan 10, 2017

@justenwalker Talked to the Vault team a bit and they have some future work that should make default policies possible without AppRole. AppRole is another authentication backend which is less than ideal since Nomad already uses the token backend.

I am going to keep this open but slightly rename the title.

@dadgar dadgar changed the title from "Support AppRole for Vault Integration" to "Support AppRole for Vault Integration - Goal: Grouped Policies" Jan 10, 2017

@chris93111

+1

With Vault integration, Nomad uses auth/token/create, and with the metrics of Vault the number of customers is falsified.

@tgross
Member

tgross commented Dec 1, 2023

I'm reviewing open Vault issues following the new Vault workload identity work (ref #15617). We've implemented something roughly similar to what's been proposed here, using signed workload identities to log in to Vault and then use roles defined for the auth config. Going to close this issue to tidy up.

@tgross tgross closed this as completed Dec 1, 2023

github-actions bot commented Jan 3, 2025

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 3, 2025