Nomad: Unable to revert a Nomad job with Vault policies when allow_unauthenticated is set to false

Created on 2 Aug 2018 · 6Comments · Source: hashicorp/nomad

Nomad version

Nomad v0.8.4

Operating system and Environment details

CentOS 7.5

Issue

Unable to revert to a previous revision of a job when allow_unauthenticated is set to false on the nomad server. We can create the job and the validation works. However when attempting to do a revert I get a 500 error that the Vault token is missing. This is a similar error I would receive if I did not provide a vault token when attempting a run.

Reproduction steps

$ env | grep VAULT_TOKEN
VAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

$ nomad run artifacttest.nomad
==> Monitoring evaluation "38c8cd1b"
    Evaluation triggered by job "artifact-test"
    Evaluation within deployment: "e0bc827c"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "38c8cd1b" finished with status "complete"

$ nomad job history artifact-test
Version     = 8
Stable      = false
Submit Date = 2018-08-01T18:10:49-07:00

Version     = 7
Stable      = true
Submit Date = 2018-08-01T17:56:00-07:00

Version     = 6
Stable      = true
Submit Date = 2018-08-01T17:46:38-07:00

Version     = 5
Stable      = true
Submit Date = 2018-08-01T17:38:16-07:00

Version     = 4
Stable      = true
Submit Date = 2018-08-01T17:07:01-07:00

Version     = 3
Stable      = true
Submit Date = 2018-08-01T17:04:50-07:00

$ nomad job revert artifact-test 7
Error retrieving job versions: Unexpected response code: 500 (rpc error: Vault policies requested but missing Vault Token)

### Attempt to run WITHOUT Vault token
$ env | grep VAULT_TOKEN

$ nomad run artifacttest.nomad 
Error submitting job: Unexpected response code: 500 (rpc error: Vault policies requested but missing Vault Token)

Job file (if appropriate)

job "artifact-test" {
  region      = "us-west"
  datacenters = ["dc1"]
  type        = "service"

  vault {
    policies = ["secret_policy"]
  }


  group "service-group" {

    count = 2

    task "test-task" {
      driver = "docker"

      config {
        image = "nginx:1.15.1-alpine"

        volumes = [ "local/:/usr/share/nginx/html" ]

        port_map {
          http = 80
        }
      }

      resources {
        cpu = 200
        memory = 128

        network {
          mbits = 1

          port "http" {}
        }
      }

      service {
        name = "artifact-test"
        port = "http"
        check {
          name = "artifact"
          type = "http"
          path = "/"
          interval = "10s"
          timeout = "5s"
        }
      }
    }
  }
}

stagwaiting-reply themvault

Source

robloxrob

Most helpful comment

thanks for the report, targeting this for 0.9.1

cgbaker on 25 Mar 2019

👍2

All 6 comments

It is worth looking at whether this issue is also related to https://github.com/hashicorp/nomad/issues/4226

chelseakomlo on 13 Aug 2018

I don't believe they are related. My issue seems to occur for an API call against a Nomad master to the revert the job to a previous version. The issue #4226 is related to restarting the Nomad client service.

robloxrob on 14 Aug 2018

Any news about this issue? I have the same problem. Nomad v8.4 with VAULT_TOKEN exported.

pserranoa on 15 Mar 2019

👍1

thanks for the report, targeting this for 0.9.1

cgbaker on 25 Mar 2019

👍2

Thank you

robloxrob on 25 Mar 2019

Hey there

Since this issue hasn't had any activity in a while - we're going to automatically close it in 30 days. If you're still seeing this issue with the latest version of Nomad, please respond here and we'll keep this open and take another look at this.

Thanks!