Nomad: Consul ACL Token

Created on 18 Jan 2017 · 7Comments · Source: hashicorp/nomad

Reference: https://groups.google.com/forum/#!topic/nomad-tool/UFDam9U3hrU

Nomad should provide a way to pass a Consul token for services registrations and templates.

As our Consul KV store is protected with ACL, we currently cannot use template stenza.
(even if it's a very cool feature !)

themconsul themdiscovery typenhancement

Source

cyrilgdn

👍15

Most helpful comment

I would like to see this as well. It would help people to default to using a more secure Hashistack environment. We should definitely encourage the use of TLS auth and ACLs to drive using the products with a focus on security.

robloxrob on 26 Jul 2018

👍5

All 7 comments

Same here, our consul is protected by ACLs.

pgporada on 18 Jan 2017

👍1

+1 it would be nice to have this.

I'm guessing it was left out because it's a non-issue if you're running Consul, Nomad and Vault.

shilov on 14 Apr 2017

👍1

Would be very useful for us too.

pznamensky on 28 Jun 2017

👍2

robloxrob on 26 Jul 2018

👍5

Same here: consul, nomad, but no vault. how to read consul ACL protected K/V store from nomad jobs in the template stanza?

DBuret on 11 Oct 2018

Any news regarding this issue after several years?
It's just a shame that without this feature we can not achieve a self-contained runtime with the combination of Consul and Nomad (which come from the same company).

chengchen on 26 Jun 2020

Nomad supports passing a Consul ACL token which is used for both service registration and template render. (I'm not sure when this was introduced... maybe after this long-open issue was opened?) This token currently needs to be hard-coded in the consul.token configuration. I've opened https://github.com/hashicorp/nomad/issues/9607 for making this something we could fetch automatically from Vault and renew.

See also https://github.com/hashicorp/nomad/issues/6150 for passing service-specific tokens.