open-nomad/website/content/docs/job-specification/identity.mdx


---
layout: docs
page_title: identity Block - Job Specification
description: |-
  The "identity" block allows tasks to use their Nomad Workload Identity via an
  environment variable or file.
---

# `identity` Block

<Placement
  groups={[
    ['job', 'group', 'task', 'identity'],
  ]}
/>

The `identity` block gives a task access to its [Workload Identity][] via an
environment variable or file. By default, Nomad creates an identity for all
workloads, but it is *not* exposed to the task.

The following exposes the Workload Identity to the task as both an environment
variable and a file:

```hcl
job "docs" {
  group "example" {
    task "api" {
      identity {
        env  = true
        file = true
      }

      # ...
    }
  }
}
```

## `identity` Parameters

- `env` `(bool: false)` - If true, the workload identity will be available in the
  task's `NOMAD_TOKEN` environment variable.

- `file` `(bool: false)` - If true, the workload identity will be available in
  the task's filesystem via the path `secrets/nomad_token`. If the
  [`task.user`][taskuser] parameter is set, the token file will only be
  readable by that user. Otherwise, the file is readable by everyone but is
  protected by parent directory permissions.

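
The exposure rules above can be checked from inside the task before the token is used. The following shell helper is an added example, not part of the Nomad documentation; it assumes `NOMAD_SECRETS_DIR` points at the task's `secrets/` directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Nomad's own code): audit how the workload identity is
# exposed to this task. Assumption: NOMAD_SECRETS_DIR is the task's secrets/
# directory; ./secrets is used when it is unset.

# has_other_access PATH -> 0 if the "other" class has any r/w/x bit on PATH
has_other_access() {
    [ -n "$(find "$1" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) 2>/dev/null)" ]
}

# audit_identity -> prints findings; returns 0 clean, 1 env exposure, 2 open file
audit_identity() {
    dir="${NOMAD_SECRETS_DIR:-./secrets}"
    file="$dir/nomad_token"
    rc=0
    if [ -n "${NOMAD_TOKEN:-}" ]; then
        echo "WARN: env = true: NOMAD_TOKEN is inherited by every child process"
        rc=1
    fi
    if [ -f "$file" ]; then
        if has_other_access "$file"; then
            # Case described when task.user is unset: the file itself is
            # readable by everyone, so the parent directory is the only barrier.
            if has_other_access "$dir"; then
                echo "FAIL: $file and $dir are both open to other users"
                rc=2
            else
                echo "OK: $file is world-readable but $dir blocks other users"
            fi
        else
            echo "OK: $file is not accessible to other users"
        fi
    elif [ -z "${NOMAD_TOKEN:-}" ]; then
        echo "INFO: identity is not exposed to this task (default)"
    fi
    return $rc
}

# load_token -> prints the token, preferring the file over the environment
load_token() {
    file="${NOMAD_SECRETS_DIR:-./secrets}/nomad_token"
    if [ -r "$file" ]; then cat "$file"; else printf '%s' "${NOMAD_TOKEN:-}"; fi
}
```

Calling `audit_identity` at the top of a task entrypoint and aborting on a return code of 2 catches a secrets directory whose permissions were loosened after the fact.
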
[taskuser]: /nomad/docs/job-specification/task#user "Nomad task Block"
[Workload Identity]: /nomad/docs/concepts/workload-identity "Nomad Workload Identity"