open-vault/website/content/docs/secrets/nomad.mdx

---
layout: docs
page_title: Nomad Secrets Engine
description: The Nomad secrets engine for Vault generates tokens for Nomad dynamically.
---

# Nomad Secrets Engine

@include 'x509-sha1-deprecation.mdx'

Name: `Nomad`

Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad
secrets secrets engine for Vault generates [Nomad](https://www.nomadproject.io/)
ACL tokens dynamically based on pre-existing Nomad ACL policies.

This page will show a quick start for this secrets engine. For detailed documentation
on every path, use `vault path-help` after mounting the secrets engine.

~> **Version information** ACLs are only available on Nomad 0.7.0 and above.

## Quick Start

The first step to using the Vault secrets engine is to enable it.

```shell-session
$ vault secrets enable nomad
Successfully mounted 'nomad' at 'nomad'!
```

Optionally, we can configure the lease settings for credentials generated
by Vault. This is done by writing to the `config/lease` key:

```shell-session
$ vault write nomad/config/lease ttl=3600 max_ttl=86400
Success! Data written to: nomad/config/lease
```

For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap
process](https://learn.hashicorp.com/collections/nomad/access-control#generate-the-initial-token), although this
is discouraged for production deployments.

```shell-session
$ nomad acl bootstrap
Accessor ID  = 95a0ee55-eaa6-2c0a-a900-ed94c156754e
Secret ID    = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c
Name         = Bootstrap Token
Type         = management
Global       = true
Policies     = n/a
Create Time  = 2017-09-20 19:40:36.527512364 +0000 UTC
Create Index = 7
Modify Index = 7
```

The suggested pattern is to generate a token specifically for Vault, following the
[Nomad ACL guide](https://learn.hashicorp.com/collections/nomad/access-control)

Next, we must configure Vault to know how to contact Nomad.
This is done by writing the access information:

```shell-session
$ vault write nomad/config/access \
    address=http://127.0.0.1:4646 \
    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
Success! Data written to: nomad/config/access
```

In this case, we've configured Vault to connect to Nomad
on the default port with the loopback address. We've also provided
an ACL token to use with the `token` parameter. Vault must have a management
type token so that it can create and revoke ACL tokens.

The next step is to configure a role. A role is a logical name that maps
to a set of policy names used to generate those credentials. For example, let's create
a "monitoring" role that maps to a "readonly" policy:

```shell-session
$ vault write nomad/role/monitoring policies=readonly
Success! Data written to: nomad/role/monitoring
```

The secrets engine expects either a single or a comma separated list of policy names.

To generate a new Nomad ACL token, we simply read from that role:

```shell-session
$ vault read nomad/creds/monitoring
Key              Value
---              -----
lease_id         nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c
lease_duration   768h0m0s
lease_renewable  true
accessor_id      a715994d-f5fd-1194-73df-ae9dad616307
secret_id        b31fb56c-0936-5428-8c5f-ed010431aba9
```

Here we can see that Vault has generated a new Nomad ACL token for us.
We can test this token out, by reading it in Nomad (by it's accessor):

```shell-session
$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307
Accessor ID  = a715994d-f5fd-1194-73df-ae9dad616307
Secret ID    = b31fb56c-0936-5428-8c5f-ed010431aba9
Name         = Vault example root 1505945527022465593
Type         = client
Global       = false
Policies     = [readonly]
Create Time  = 2017-09-20 22:12:07.023455379 +0000 UTC
Create Index = 138
Modify Index = 138
```

## Tutorial

Refer to [Generate Nomad Tokens with HashiCorp
Vault](https://learn.hashicorp.com/tutorials/nomad/vault-nomad-secrets) for a
step-by-step tutorial.

## API

The Nomad secrets engine has a full HTTP API. Please see the
[Nomad Secrets Engine API](/api-docs/secret/nomad) for more
details.
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`page_title: Nomad Secrets Engine`
			`description: The Nomad secrets engine for Vault generates tokens for Nomad dynamically.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`---`

Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`# Nomad Secrets Engine`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
Add note about X.509 SHA-1 deprecation to relevant plugins (#15672) Add note about X.509 SHA-1 deprecation to relevant plugins Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> 2022-06-01 19:41:11 +00:00			`@include 'x509-sha1-deprecation.mdx'`

Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			Name: `Nomad`

website: Update text (#13441) 2021-12-16 17:35:55 +00:00			`Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad`
website: fixes redirected links (#17574) * fixes redirected links * fix broken link to key wrapping guide 2022-10-18 18:06:27 +00:00			`secrets secrets engine for Vault generates [Nomad](https://www.nomadproject.io/)`
Change API token to ACL token (#10425) 2020-11-20 19:07:27 +00:00			`ACL tokens dynamically based on pre-existing Nomad ACL policies.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`This page will show a quick start for this secrets engine. For detailed documentation`
			on every path, use `vault path-help` after mounting the secrets engine.
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
Minor/Cosmetic fixes 2017-10-31 19:11:24 +00:00			`~> Version information ACLs are only available on Nomad 0.7.0 and above.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			`## Quick Start`

Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`The first step to using the Vault secrets engine is to enable it.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Change "mount" to "secrets enable" in docs 2018-03-02 20:54:28 +00:00			`$ vault secrets enable nomad`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`Successfully mounted 'nomad' at 'nomad'!`
			```
Updated documentation 2017-11-06 15:13:50 +00:00
			`Optionally, we can configure the lease settings for credentials generated`
			by Vault. This is done by writing to the `config/lease` key:

🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Updated documentation 2017-11-06 15:13:50 +00:00			`$ vault write nomad/config/lease ttl=3600 max_ttl=86400`
			`Success! Data written to: nomad/config/lease`
			```

Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap`
website: content updates for developer (#17035) * Chore (dev portal): update learn nav data links (#15515) * Update docs-nav-data.json * Update docs-nav-data.json * website: fixes internal redirects (#15750) * chore: remove duplicate overview item (#15805) * Use `badge` for `<sup>` tags in nav data JSON files (#15928) * Replacing <sup> tags with badge * Adding type and color to badges * fix broken links in vault docs (#15976) * website: Update old learn links to redirect locations (#16047) * update previews to render developer UI * update redirects * adjust content so it is backwards compat Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com> Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com> Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com> 2022-09-22 15:11:04 +00:00			`process](https://learn.hashicorp.com/collections/nomad/access-control#generate-the-initial-token), although this`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`is discouraged for production deployments.`
Adding Nomad docs to the nav. Minor cosmetics fixes 2017-10-06 15:03:06 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`$ nomad acl bootstrap`
			`Accessor ID = 95a0ee55-eaa6-2c0a-a900-ed94c156754e`
			`Secret ID = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c`
			`Name = Bootstrap Token`
			`Type = management`
			`Global = true`
			`Policies = n/a`
			`Create Time = 2017-09-20 19:40:36.527512364 +0000 UTC`
			`Create Index = 7`
			`Modify Index = 7`
			```
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00
			`The suggested pattern is to generate a token specifically for Vault, following the`
website: content updates for developer (#17035) * Chore (dev portal): update learn nav data links (#15515) * Update docs-nav-data.json * Update docs-nav-data.json * website: fixes internal redirects (#15750) * chore: remove duplicate overview item (#15805) * Use `badge` for `<sup>` tags in nav data JSON files (#15928) * Replacing <sup> tags with badge * Adding type and color to badges * fix broken links in vault docs (#15976) * website: Update old learn links to redirect locations (#16047) * update previews to render developer UI * update redirects * adjust content so it is backwards compat Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com> Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com> Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com> 2022-09-22 15:11:04 +00:00			`[Nomad ACL guide](https://learn.hashicorp.com/collections/nomad/access-control)`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			`Next, we must configure Vault to know how to contact Nomad.`
			`This is done by writing the access information:`

🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`$ vault write nomad/config/access \`
			`address=http://127.0.0.1:4646 \`
			`token=adf4238a-882b-9ddc-4a9d-5b6758e4159e`
			`Success! Data written to: nomad/config/access`
			```

			`In this case, we've configured Vault to connect to Nomad`
			`on the default port with the loopback address. We've also provided`
			an ACL token to use with the `token` parameter. Vault must have a management
			`type token so that it can create and revoke ACL tokens.`

			`The next step is to configure a role. A role is a logical name that maps`
docs: wording (#6746) * docs: wording Fixed wording: "lets create an"/"lets create a" * Update website/source/docs/secrets/nomad/index.html.md Co-Authored-By: Jeff Mitchell <jeffrey.mitchell@gmail.com> 2019-05-24 19:44:09 +00:00			`to a set of policy names used to generate those credentials. For example, let's create`
			`a "monitoring" role that maps to a "readonly" policy:`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Rename policy into policies 2017-11-29 16:31:17 +00:00			`$ vault write nomad/role/monitoring policies=readonly`
Unifying Storage and API path in role 2017-10-31 20:56:56 +00:00			`Success! Data written to: nomad/role/monitoring`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			```

Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`The secrets engine expects either a single or a comma separated list of policy names.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			`To generate a new Nomad ACL token, we simply read from that role:`

🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`$ vault read nomad/creds/monitoring`
			`Key Value`
			`--- -----`
			`lease_id nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c`
			`lease_duration 768h0m0s`
			`lease_renewable true`
			`accessor_id a715994d-f5fd-1194-73df-ae9dad616307`
			`secret_id b31fb56c-0936-5428-8c5f-ed010431aba9`
			```

			`Here we can see that Vault has generated a new Nomad ACL token for us.`
Spelling (#4119) 2018-03-20 18:54:10 +00:00			`We can test this token out, by reading it in Nomad (by it's accessor):`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307`
			`Accessor ID = a715994d-f5fd-1194-73df-ae9dad616307`
			`Secret ID = b31fb56c-0936-5428-8c5f-ed010431aba9`
			`Name = Vault example root 1505945527022465593`
			`Type = client`
			`Global = false`
			`Policies = [readonly]`
			`Create Time = 2017-09-20 22:12:07.023455379 +0000 UTC`
			`Create Index = 138`
			`Modify Index = 138`
			```

Vault documentation: updated all references from Learn to Tutorial (#15514) * updated learn to tutorial * correct spelling 2022-05-20 01:04:46 +00:00			`## Tutorial`
Add Learn links (#10411) * Add Learn links * Update website/pages/docs/secrets/transform/tokenization.mdx Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> 2020-11-18 00:56:30 +00:00
			`Refer to [Generate Nomad Tokens with HashiCorp`
			`Vault](https://learn.hashicorp.com/tutorials/nomad/vault-nomad-secrets) for a`
			`step-by-step tutorial.`

Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`## API`

Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-24 02:58:54 +00:00			`The Nomad secrets engine has a full HTTP API. Please see the`
			`[Nomad Secrets Engine API](/api-docs/secret/nomad) for more`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`details.`