open-vault/website/source/docs/secrets/nomad/index.html.md

---
layout: "docs"
page_title: "Nomad Secret Backend"
sidebar_title: "Nomad"
sidebar_current: "docs-secrets-nomad"
description: |-
  The Nomad secret backend for Vault generates tokens for Nomad dynamically.
---

# Nomad Secret Backend

Name: `Nomad`

The Nomad secret backend for Vault generates
[Nomad](https://www.nomadproject.io)
API tokens dynamically based on pre-existing Nomad ACL policies.

This page will show a quick start for this backend. For detailed documentation
on every path, use `vault path-help` after mounting the backend.

~> **Version information** ACLs are only available on Nomad 0.7.0 and above.

## Quick Start

The first step to using the vault backend is to mount it.
Unlike the `generic` backend, the `nomad` backend is not mounted by default.

```
$ vault secrets enable nomad
Successfully mounted 'nomad' at 'nomad'!
```

Optionally, we can configure the lease settings for credentials generated
by Vault. This is done by writing to the `config/lease` key:

```
$ vault write nomad/config/lease ttl=3600 max_ttl=86400
Success! Data written to: nomad/config/lease
```

For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap
process](https://www.nomadproject.io/guides/acl.html#generate-the-initial-token), although this
is discouraged for production deployments. 

```
$ nomad acl bootstrap
Accessor ID  = 95a0ee55-eaa6-2c0a-a900-ed94c156754e
Secret ID    = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c
Name         = Bootstrap Token
Type         = management
Global       = true
Policies     = n/a
Create Time  = 2017-09-20 19:40:36.527512364 +0000 UTC
Create Index = 7
Modify Index = 7
```
The suggested pattern is to generate a token specifically for Vault, following the 
[Nomad ACL guide](https://www.nomadproject.io/guides/acl.html)

Next, we must configure Vault to know how to contact Nomad.
This is done by writing the access information:

```
$ vault write nomad/config/access \
    address=http://127.0.0.1:4646 \
    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
Success! Data written to: nomad/config/access
```

In this case, we've configured Vault to connect to Nomad
on the default port with the loopback address. We've also provided
an ACL token to use with the `token` parameter. Vault must have a management
type token so that it can create and revoke ACL tokens.

The next step is to configure a role. A role is a logical name that maps
to a set of policy names used to generate those credentials. For example, lets create
an "monitoring" role that maps to a "readonly" policy:

```
$ vault write nomad/role/monitoring policies=readonly
Success! Data written to: nomad/role/monitoring
```

The backend expects either a single or a comma separated list of policy names.

To generate a new Nomad ACL token, we simply read from that role:

```
$ vault read nomad/creds/monitoring
Key              Value
---              -----
lease_id         nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c
lease_duration   768h0m0s
lease_renewable  true
accessor_id      a715994d-f5fd-1194-73df-ae9dad616307
secret_id        b31fb56c-0936-5428-8c5f-ed010431aba9
```

Here we can see that Vault has generated a new Nomad ACL token for us.
We can test this token out, by reading it in Nomad (by it's accessor):

```
$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307
Accessor ID  = a715994d-f5fd-1194-73df-ae9dad616307
Secret ID    = b31fb56c-0936-5428-8c5f-ed010431aba9
Name         = Vault example root 1505945527022465593
Type         = client
Global       = false
Policies     = [readonly]
Create Time  = 2017-09-20 22:12:07.023455379 +0000 UTC
Create Index = 138
Modify Index = 138
```

## API

The Nomad secret backend has a full HTTP API. Please see the
[Nomad secret backend API](/api/secret/nomad/index.html) for more
details.
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`---`
			`layout: "docs"`
			`page_title: "Nomad Secret Backend"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "Nomad"`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`sidebar_current: "docs-secrets-nomad"`
			`description: \|-`
			`The Nomad secret backend for Vault generates tokens for Nomad dynamically.`
			`---`

			`# Nomad Secret Backend`

			Name: `Nomad`

			`The Nomad secret backend for Vault generates`
			`[Nomad](https://www.nomadproject.io)`
			`API tokens dynamically based on pre-existing Nomad ACL policies.`

			`This page will show a quick start for this backend. For detailed documentation`
			on every path, use `vault path-help` after mounting the backend.

Minor/Cosmetic fixes 2017-10-31 19:11:24 +00:00			`~> Version information ACLs are only available on Nomad 0.7.0 and above.`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			`## Quick Start`

			`The first step to using the vault backend is to mount it.`
			Unlike the `generic` backend, the `nomad` backend is not mounted by default.

			```
Change "mount" to "secrets enable" in docs 2018-03-02 20:54:28 +00:00			`$ vault secrets enable nomad`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`Successfully mounted 'nomad' at 'nomad'!`
			```
Updated documentation 2017-11-06 15:13:50 +00:00
			`Optionally, we can configure the lease settings for credentials generated`
			by Vault. This is done by writing to the `config/lease` key:

			```
			`$ vault write nomad/config/lease ttl=3600 max_ttl=86400`
			`Success! Data written to: nomad/config/lease`
			```

Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			`For a quick start, you can use the SecretID token provided by the [Nomad ACL bootstrap`
			`process](https://www.nomadproject.io/guides/acl.html#generate-the-initial-token), although this`
			`is discouraged for production deployments.`
Adding Nomad docs to the nav. Minor cosmetics fixes 2017-10-06 15:03:06 +00:00
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			```
			`$ nomad acl bootstrap`
			`Accessor ID = 95a0ee55-eaa6-2c0a-a900-ed94c156754e`
			`Secret ID = c25b6ca0-ea4e-000f-807a-fd03fcab6e3c`
			`Name = Bootstrap Token`
			`Type = management`
			`Global = true`
			`Policies = n/a`
			`Create Time = 2017-09-20 19:40:36.527512364 +0000 UTC`
			`Create Index = 7`
			`Modify Index = 7`
			```
			`The suggested pattern is to generate a token specifically for Vault, following the`
Minor/Cosmetic fixes 2017-10-31 19:11:24 +00:00			`[Nomad ACL guide](https://www.nomadproject.io/guides/acl.html)`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			`Next, we must configure Vault to know how to contact Nomad.`
			`This is done by writing the access information:`

			```
			`$ vault write nomad/config/access \`
			`address=http://127.0.0.1:4646 \`
			`token=adf4238a-882b-9ddc-4a9d-5b6758e4159e`
			`Success! Data written to: nomad/config/access`
			```

			`In this case, we've configured Vault to connect to Nomad`
			`on the default port with the loopback address. We've also provided`
			an ACL token to use with the `token` parameter. Vault must have a management
			`type token so that it can create and revoke ACL tokens.`

			`The next step is to configure a role. A role is a logical name that maps`
			`to a set of policy names used to generate those credentials. For example, lets create`
			`an "monitoring" role that maps to a "readonly" policy:`

			```
Rename policy into policies 2017-11-29 16:31:17 +00:00			`$ vault write nomad/role/monitoring policies=readonly`
Unifying Storage and API path in role 2017-10-31 20:56:56 +00:00			`Success! Data written to: nomad/role/monitoring`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00			```

			`The backend expects either a single or a comma separated list of policy names.`

			`To generate a new Nomad ACL token, we simply read from that role:`

			```
			`$ vault read nomad/creds/monitoring`
			`Key Value`
			`--- -----`
			`lease_id nomad/creds/monitoring/78ec3ef3-c806-1022-4aa8-1dbae39c760c`
			`lease_duration 768h0m0s`
			`lease_renewable true`
			`accessor_id a715994d-f5fd-1194-73df-ae9dad616307`
			`secret_id b31fb56c-0936-5428-8c5f-ed010431aba9`
			```

			`Here we can see that Vault has generated a new Nomad ACL token for us.`
Spelling (#4119) 2018-03-20 18:54:10 +00:00			`We can test this token out, by reading it in Nomad (by it's accessor):`
Adding Nomad secret backend documentation 2017-09-20 22:31:28 +00:00
			```
			`$ nomad acl token info a715994d-f5fd-1194-73df-ae9dad616307`
			`Accessor ID = a715994d-f5fd-1194-73df-ae9dad616307`
			`Secret ID = b31fb56c-0936-5428-8c5f-ed010431aba9`
			`Name = Vault example root 1505945527022465593`
			`Type = client`
			`Global = false`
			`Policies = [readonly]`
			`Create Time = 2017-09-20 22:12:07.023455379 +0000 UTC`
			`Create Index = 138`
			`Modify Index = 138`
			```

			`## API`

			`The Nomad secret backend has a full HTTP API. Please see the`
			`[Nomad secret backend API](/api/secret/nomad/index.html) for more`
			`details.`