Use Vault in a job

Use a Vault namespace

This example job specifies to use the engineering namespace in Vault. The job authenticates to Vault using its workload identity with the nomad-workloads Vault role, reads the value at secret/foo, and fetches the value for key bar.

job "vault" {

  group "demo" {
    task "task" {
      vault {
        namespace = "engineering"
        role      = "nomad-workloads"
      }

      driver = "raw_exec"
      config {
        command = "/usr/bin/cat"
        args    = ["secrets/config.txt"]
      }

      template {
        data        = <<EOF
{{ with secret "secret/foo" }}
SOME_VAL={{.Data.bar}}
{{ end }}
EOF
        destination = "secrets/config.txt"
      }
    }
  }
}

Resources

Job specification vault block
Vault integration documentation