Access Nomad Variables from within tasks
In this tutorial you'll access Nomad Variables from tasks via the template block. Tasks have implicit ACL policies that allow them to access their own variables, and you can add job, group, and task fields to ACL policies to extend these permissions.
Note
You should always protect access to variables with Access Control Lists (ACLs). Writing ACL policies for variables is covered in the Nomad Variables Access Control tutorial.
For complete documentation on the Nomad Variables feature and related concepts, see the Variables reference documentation, the Key Management documentation, and the Workload Identity documentation.
Automatic access
The workload identity for each task grants it automatic read and list access to variables found at Nomad-owned paths with the prefix nomad/jobs/, followed by the job ID, task group name, and task name.
If you've completed the Nomad Variables Access Control tutorial, you will have a "prod" namespace and a token associated with the "prod-ops" policy. If not, you can use a management token for this section and create the "prod" namespace.
In this tutorial you'll be working in the "prod" namespace. Set the NOMAD_NAMESPACE variable so that the command line writes all variables to that namespace.
Create the following variables to see how different jobs, groups, and tasks can access them.
Create the following job specification. This job example has one group, web, with two tasks, httpd and sidecar. It includes templates that access all the variables you wrote earlier.
Run this job, wait for the deployment to complete, and note the allocation short ID. In this example, the allocation short ID is ec6dc2e4.
First, use nomad alloc exec to enter the httpd task and show the command line arguments for the processes running in the container.
Note that the port number has been interpolated with the environment variable that you rendered in the following template by using the env field:
Visit the web page being served by the httpd task at port 8001. If you are running Nomad on macOS and are using Docker for Mac to run Docker tasks, you can reach the webpage at your localhost address.
If you are deploying to a remote Linux host or Vagrant box, you can use the IP address found when you run nomad alloc status:
You can also use curl:
This corresponds to this template block that reads the variable accessible to the job "example" at nomad/jobs/example and the variable accessible to the group "web" within the job "example" at nomad/jobs/example/web.
Visit the webpage rendered by the sidecar task:
This corresponds to the following template block, which lists all the variables this task has access to in its own namespace:
Note that nomad/jobs/example/httpd does not appear in the list. If you added a variable to nomad/jobs/another-example it would also not appear in the list. If you added nomad/jobs/example/sidecar to a different namespace, it would not appear in the list.
Workload associated ACL policies
You may need to give tasks access to variables that are on paths shared by many jobs. For example, all jobs in your cluster may need a shared API key for a third-party monitoring vendor. You can provide access to these variables by creating policies associated with the task's workload identity. See Workload Associated ACL Policies for full documentation.
Create a new namespace named shared.
Create a variable named vendor/foo/bar in the shared namespace.
To give the task you wrote earlier access to all secrets in the shared namespace, you can create the following policy file shared-policy.hcl.
Now, create the policy and associate it with the httpd task in the web group of the example job, specifying the appropriate flags on the nomad acl policy apply command.
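An added example of what shared-policy.hcl could contain and how it could be attached to the httpd task; it is not the tutorial's original file. The policy name shared-policy and the narrower vendor/foo/* path shown as an alternative are assumptions.

```hcl
# shared-policy.hcl
# Added example, not the tutorial's original file.
#
# Grants read and list on variables in the "shared" namespace. No "write"
# or "destroy" capability is given, so the task cannot change or delete
# the shared secrets.
namespace "shared" {
  variables {
    # Broad grant described in the text: every variable in the namespace.
    path "*" {
      capabilities = ["read", "list"]
    }

    # Narrower alternative (assumption, replaces the block above): limit
    # the task to the vendor subtree that holds vendor/foo/bar.
    # path "vendor/foo/*" {
    #   capabilities = ["read", "list"]
    # }
  }
}

# Attach the policy to one workload identity rather than to a token.
# The policy name "shared-policy" is assumed; the job runs in "prod".
#
#   nomad acl policy apply \
#     -namespace prod -job example -group web -task httpd \
#     shared-policy shared-policy.hcl
```

Leaving out -task or -group widens the association to every task in the group or in the job, so the sidecar task would gain the same access.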
You can view the policy to see that it's associated with the workload.
Change the template for the httpd task.
Update the job and wait for the deployment to complete.
Visit the webpage served by the httpd task.
Updating task variables
You can update the value of a variable and it will be updated in the templates that read that value.
Update the shared variable so that the "password" field changes.
After a few moments, the value will be updated on the template.
You can use the template change_mode to specify Nomad's behavior when a value changes.
Next steps
Because Nomad Variables use functions in the template block to emit data to Nomad jobs, consider learning more about templates in Nomad with the Templates collection.