Environment Variable Setup (Nomad and Vault)


chris.w...@boku.com

Jul 30, 2018, 8:13:16 PM7/30/18
to Nomad
Hello,

I cannot for the life of me understand what I'm doing wrong setting up my Nomad job to create environment variables from Vault secrets. At the moment everything is just declared in env {}, which is terrible, so I'm trying to move it into Vault. This is already set up but not utilised.

I'm running Vault 0.9.4, Nomad 0.7.0, Consul 1.2.2. I have policies set up, but I'm just using the root token (bad practice) while I sort out whatever the connectivity or configuration issue is.

I have my secrets accessible directly via Vault. This is authenticated with the root token:

[ec2-user@ip-xxxxx ~]$ vault read secret/jasper_user

Key                 Value
---                 -----
refresh_interval    768h
JS_DB_USER          root

I access this via the root token as I'm not running any policies while I try and work out the problem.

My HCL config file for Nomad states the following. Nothing fancy, but just enough to connect to Vault (hopefully).

# Setup data dir
data_dir = "/tmp/client1"

# Enable the client
client {
    enabled    = true
    node_class = "web"
    meta {
        "server_type" = "web"
    }
}

vault {
  enabled = true
  address = "https://127.0.0.1:8200"
  token   = "xxxxx" #root token
}

My Nomad file for the job contains the following:

      template {
        data = <<EOH
          JS_DB_HOST="{{with secret "secret/jasper_host"}}{{.Data.value}}{{end}}"
          JS_DB_USER="{{with secret "secret/jasper_user"}}{{.Data.value}}{{end}}"
          JS_DB_PASSWORD="{{with secret "secret/jasper_password"}}{{.Data.value}}{{end}}"
          JS_WEB_DEPLOYMENT_URI="{{with secret "secret/jasper_deploy"}}{{.Data.value}}{{end}}"
        EOH

        destination = "secrets/file.env"
        env         = true
      }

And yet every time I try and run the task, the UI gives me the following error: Missing: vault.read(secret/jasper_deploy), vault.read(secret/jasper_host), vault.read(secret/jasper_password), and 1 more

Lowe Schmidt

Jul 31, 2018, 1:54:29 AM7/31/18
to chris.w...@boku.com, Nomad
Your job needs to request access to Vault as well, and define what policies it needs.
(I made the exact same mistake); see the vault stanza for Nomad.
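The change Lowe points at, written out as an added example (not code from either poster or from the Nomad project): a task-level vault stanza that requests a policy, the Vault policy that grants exactly the four reads the template makes, and the template itself. The policy name "jasper-app", the job/group/task names, the docker driver and image, and the "value" key for three of the secrets are assumptions; the paths use the KV v1 form seen in the thread's `vault read secret/...`.

```hcl
# --- jasper-app.hcl (Vault policy; name is an assumption) ------------------
# Grants only the four reads the template performs, so the task runs under
# a scoped token instead of the root token used on the Nomad client.
# Load with: vault policy write jasper-app jasper-app.hcl
path "secret/jasper_host"     { capabilities = ["read"] }
path "secret/jasper_user"     { capabilities = ["read"] }
path "secret/jasper_password" { capabilities = ["read"] }
path "secret/jasper_deploy"   { capabilities = ["read"] }

# --- jasper.nomad (job spec; names, driver and image are assumptions) ------
job "jasper" {
  datacenters = ["dc1"]

  group "web" {
    task "jasper" {
      driver = "docker"
      config {
        image = "jasper:latest"   # placeholder image
      }

      # Without this stanza Nomad never requests a Vault token for the task,
      # so every secret the template references is reported as "Missing".
      vault {
        policies    = ["jasper-app"]
        change_mode = "restart"   # restart the task if its token changes
      }

      template {
        # Template keys must match the keys stored under each secret path:
        # `vault read secret/jasper_user` in the thread shows the key
        # JS_DB_USER, not "value". The other three secrets are assumed to
        # store their data under the key "value".
        data = <<EOH
JS_DB_HOST="{{with secret "secret/jasper_host"}}{{.Data.value}}{{end}}"
JS_DB_USER="{{with secret "secret/jasper_user"}}{{.Data.JS_DB_USER}}{{end}}"
JS_DB_PASSWORD="{{with secret "secret/jasper_password"}}{{.Data.value}}{{end}}"
JS_WEB_DEPLOYMENT_URI="{{with secret "secret/jasper_deploy"}}{{.Data.value}}{{end}}"
EOH
        destination = "secrets/file.env"
        env         = true
      }
    }
  }
}
```

The Nomad servers still need a Vault token that is allowed to create child tokens carrying the requested policies; the scoped policy above is what the task itself receives.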

chris.w...@boku.com

Jul 31, 2018, 8:30:09 PM7/31/18
to Nomad
Thank you for your help. I followed your change and progressed further.

I still couldn't seem to get it working (more issues), so I rebuilt it with Nomad v0.8.4 and Vault v0.10.4 and am having fewer errors.