HashiCorp Developer AI Private beta now available Sign up today
Nomad
Nomad Home

Vault Integration

Many workloads require access to tokens, passwords, certificates, API keys, and other secrets. To enable secure, auditable and easy access to your secrets, Nomad integrates with HashiCorp's Vault. Nomad servers and clients coordinate with Vault to derive a Vault token that has access to only the Vault policies the tasks needs. Nomad clients make the token available to the task and handle the tokens renewal.

Configuration

In order to use Vault with Nomad, you will need to configure and install Vault separately from Nomad. Nomad does not run Vault for you.

Agent Configuration

To enable Vault integration, Nomad agents must be configured with vault blocks. Each block can be enabled or disabled and configures how Nomad connects to the Vault cluster.

Dynamic Configuration with Secrets

Nomad's job specification includes a template block that uses a tool called Consul Template. When used with Vault, this mechanism creates a convenient way to ship configuration files that are populated from Vault secrets.

For more information on Nomad's template block please see the template job specification documentation.

Vault ACL

The Vault ACL system protects the cluster from unauthorized access. When enabled, both Vault and Nomad must be properly configured in order for their integrations to work.

Refer to the Vault ACL integration page for more information.

Multiple Vault Clusters Enterprise

Nomad Enterprise supports access to multiple Vault clusters. They can be configured using multiple vault blocks with different name values. If a name is not provided, the cluster configuration is called default.

Jobs that need access to Vault may specify which Vault cluster to use with the vault.cluster parameter.

Compatibility

  • Nomad versions 1.4.0 and above are compatible with any currently supported version of Vault.
Vault 1.13.0+
Nomad 1.4.0+✅
Edit this page on GitHub