cc6f4719f1
Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
56 lines
1.5 KiB
Plaintext
---
layout: docs
page_title: identity Block - Job Specification
description: |-
  The "identity" block allows tasks to use their Nomad Workload Identity via an
  environment variable or file.
---

# `identity` Block

<Placement
  groups={[
    ['job', 'group', 'task', 'identity'],
  ]}
/>

The `identity` block allows a task access to its [Workload Identity][] via an
environment variable or file. By default Nomad will create an identity for all
workloads, but it is *not* exposed to a task.

The following will expose the Workload Identity as an environment variable and
file to the task:

```hcl
job "docs" {
  group "example" {
    task "api" {

      identity {
        env  = true
        file = true
      }

      # ...
    }
  }
}
```

## `identity` Parameters

- `env` `(bool: false)` - If true the workload identity will be available in the
  task's `NOMAD_TOKEN` environment variable.
- `file` `(bool: false)` - If true the workload identity will be available in
  the task's filesystem via the path `secrets/nomad_token`. If the
  [`task.user`][taskuser] parameter is set, the token file will only be
  readable by that user. Otherwise the file is readable by everyone but is
  protected by parent directory permissions.

Note that while both parameters default to `true`, the `identity` block itself
must be present in the job specification or the workload identity will not be
exposed.
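The following is an added example, not part of the Nomad documentation or code base, showing how a task would consume the identity exposed by the two parameters above: it reads the token from `NOMAD_TOKEN` when `env = true`, falls back to `secrets/nomad_token` when `file = true`, decodes the JWT claims for inspection, and reports when the token file is readable beyond its owner (the situation the `file` parameter describes when `task.user` is unset). It assumes the task's working directory is the task directory, that the token is a three-segment JWT, and uses a constructed token and a temporary directory so it runs offline; the `0644` file mode in `demo()` is an assumption standing in for the unrestricted case.

```python
import base64
import json
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Tuple

ENV_VAR = "NOMAD_TOKEN"                          # populated when `identity { env = true }`
TOKEN_RELPATH = Path("secrets") / "nomad_token"  # written when `identity { file = true }`


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline testing. Constructed, not a real
    Nomad-issued identity; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature. A task does not
    verify its own identity; the Nomad API does. This is for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_unb64url(parts[1]))


def file_permission_warnings(path: Path) -> list:
    """List why the token file is wider than owner-only. Without task.user the
    file is readable by everyone and only the parent directory keeps other
    users out, so a task should know which situation it is in."""
    mode = path.stat().st_mode
    warnings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        warnings.append("token file is group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        warnings.append("token file is world-accessible")
    parent_mode = path.parent.stat().st_mode
    if warnings and parent_mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append("parent directory does not restrict access either")
    return warnings


def load_workload_identity(env: Mapping[str, str], task_dir: Path) -> Tuple[str, str]:
    """Return (token, source). Prefers the environment variable and falls back
    to the file; raises if the identity block exposed neither."""
    token = env.get(ENV_VAR)
    if token:
        return token, "env"
    token_file = task_dir / TOKEN_RELPATH
    if token_file.is_file():
        return token_file.read_text().strip(), "file"
    raise RuntimeError(
        "workload identity not exposed: set env = true or file = true "
        "in the task's identity block"
    )


def demo() -> dict:
    """Stand-alone run: lay out a task directory with a constructed token file
    (assumed mode 0644, as when task.user is unset) and read the identity
    both ways."""
    token = make_constructed_token({"iss": "constructed", "sub": "docs/example/api"})
    with tempfile.TemporaryDirectory() as tmp:
        task_dir = Path(tmp)
        secrets = task_dir / "secrets"
        secrets.mkdir(mode=0o700)
        token_file = secrets / "nomad_token"
        token_file.write_text(token)
        token_file.chmod(0o644)
        from_env, env_src = load_workload_identity({ENV_VAR: token}, task_dir)
        from_file, file_src = load_workload_identity({}, task_dir)
        return {
            "env_source": env_src,
            "file_source": file_src,
            "same_token": from_env == from_file,
            "subject": decode_claims(from_file)["sub"],
            "warnings": file_permission_warnings(token_file),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Preferring the environment variable keeps the token out of the filesystem path entirely when `env = true` is enough; the file fallback exists for runtimes that cannot read process environment, and the permission check is where a task learns whether it is relying on `task.user` or only on the parent directory for protection.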

[taskuser]: /nomad/docs/job-specification/task#user "Nomad task Block"
[Workload Identity]: /nomad/docs/concepts/workload-identity "Nomad Workload Identity"