312dc5d859
* docs: add dynamic node metadata api docs Also update all paths in the client API docs to explicitly state the `/v1/` prefix. We're inconsistent about that, but I think it's better to display the full path than to only show the fragment. If we ever do a `/v2/` whether or not we explicitly state `/v1/` in our docs won't be our greatest concern. * docs: add task-api docs
52 lines
1.4 KiB
Plaintext
52 lines
1.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: identity Block - Job Specification
|
|
description: |-
|
|
The "identity" block allows tasks to use their Nomad Workload Identity via an
|
|
environment variable or file.
|
|
---
|
|
|
|
# `identity` Block
|
|
|
|
<Placement
|
|
groups={[
|
|
['job', 'group', 'task', 'identity'],
|
|
]}
|
|
/>
|
|
|
|
The `identity` block allows a task access to its [Workload Identity][] via an
|
|
environment variable or file. By default Nomad will create an identity for all
|
|
workloads, but it is *not* exposed to a task.
|
|
|
|
The following will expose the Workload Identity as an environment variable and
|
|
file to the task:
|
|
|
|
```hcl
|
|
job "docs" {
|
|
group "example" {
|
|
task "api" {
|
|
|
|
identity {
|
|
env = true
|
|
file = true
|
|
}
|
|
|
|
# ...
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
## `identity` Parameters
|
|
|
|
- `env` `(bool: false)` - If true the workload identity will be available in the
|
|
task's `NOMAD_TOKEN` environment variable.
|
|
- `file` `(bool: false)` - If true the workload identity will be available in
|
|
the task's filesystem via the path `secrets/nomad_token`. If the
|
|
[`task.user`][taskuser] parameter is set, the token file will only be
|
|
readable by that user. Otherwise the file is readable by everyone but is
|
|
protected by parent directory permissions.
|
|
|
|
[taskuser]: /nomad/docs/job-specification/task#user "Nomad task Block"
|
|
[Workload Identity]: /nomad/docs/concepts/workload-identity "Nomad Workload Identity"
|