Alias creation in the Vault Token Role via Nomad API using Token Role based Integration.

Avatar
Suyash Kumar
  • Updated

This document is intended to cover the idea of how we can create an alias in vault token role via Nomad API using "Token Role-based Integration".

As you know, Vault's Token Authentication Backend supports a concept called "roles". Token roles allow policies to be grouped together and token creation to be delegated to a trusted service such as Nomad. By creating a token role, the set of policies that tasks managed by Nomad can access may be limited compared to giving Nomad a root token. Token roles allow both allowlist and denylist management of policies accessible to the role.

We can create vault token roles on the basis of policies for Nomad Cluster and can manage them like read/update/delete via API from Nomad clusters.

We can follow the below steps to achieve the same thing -  

Step 1 - Create Policy

First, we need to create a policy that will be used by Nomad to read and create the alias in the vault token role. The policy which will create must have the below capabilities that have been defined in the policy file named "nomad-server-policy.hcl".

# Allow creating tokens under "nomad-cluster" role. The role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}

# Allow looking up "nomad-cluster" role. The role name should be updated if
# "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read","update"]
}

# Allow looking up the token passed to Nomad to validate
# the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
capabilities = ["update"]
}

# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}

Run the below command to create the policy - 

vault policy write nomad-server nomad-server-policy.hcl

 

Step 2 - Create a Vault Token Role

Please create a token role using the below JSON file template named "nomad-cluster-role.json"

{
 "allowed_policies": "nomad-server",
 "token_explicit_max_ttl": 0,
 "name": "nomad-cluster",
 "orphan": true,
 "token_period": 259200,
 "renewable": true
}

Run below command to create token role - 

vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

 

Step 3 - Create token for Nomad

Use the below command to create a token for Nomad using the Vault token role which we created in Step 2.

vault token create -policy nomad-server -period 72h -orphan

Here, we have created tokens for 72 hours. You can define it as your convenience.

 

Step 4 - Configure Nomad to use the created token role.

Configure your Nomad Server configuration file using the role name and token. we created in previous steps like below - 

vault {
 enabled = true
 address = "https://<vault_address>:<vault_port>"
 create_from_role = "nomad-cluster"
 token = <token-role-created-in-step-3>
}

 

Step 5 - Now try to read the current token role by running the below command from the Nomad server - 

curl -s --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/auth/token/roles/nomad-cluster

Note - 

Please set below environment variable before running the above curl command - 

$VAULT_TOKEN - Which we created in Step-3.

$VAULT_ADDR - VAULT Server address and port.

 

Step 6 - Create your alias file named - payload.json using the below sample JSON template file - 

{
 "allowed_entity_aliases": ["new-nomad-entity"],
 "allowed_policies": ["nomad-server"],
 "disallowed_policies": [],
 "explicit_max_ttl": 0,
 "name": "nomad-cluster",
 "orphan": false
 "renewable": true,
 "token_explicit_max_ttl": 0,
 "token_period": 259200,
 "token_type": "default-service"
}

 

Step 7 - Try to post your created payload file "payload.json" using the below command - 

curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @payload.json $VAULT_ADDR/v1/auth/token/roles/nomad-cluster

 

Step 8 - Again, run the below command to check whether your aliases have been updated in the token role "nomad-cluster".

curl -s --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/auth/token/roles/nomad-cluster

Note - Once you run the above command, please check the below tag in output -

{
.
.
.
  "data": {
    "allowed_entity_aliases": [
      "new-nomad-entity"
    ],
.
.
.
}

 

 

Thanks and Happy Learning..!!

 

Resources - 

https://www.nomadproject.io/docs/integrations/vault-integration

https://www.vaultproject.io/api/auth/token

 

 

 

Articles in this section

See more

Related articles