Vaultx.Secrets.Nomad (Vaultx v0.7.0)


Unified Nomad secrets engine interface for HashiCorp Vault.

This module provides the interface to the Vault Nomad secrets engine: configuring Vault's access to Nomad, configuring token leases, managing roles, and generating dynamic Nomad ACL tokens. It supports both Nomad token types (client and management); the security-related features are listed below.

Enterprise Nomad Credential Management

  • Dynamic Token Generation: Nomad ACL tokens with policies and global scope
  • Configuration Management: Root credentials, access settings, and connection parameters
  • Role Management: Dynamic role configuration with policy enforcement
  • Lease Management: TTL and max TTL configuration for generated tokens
  • Multi-Version Support: Compatible with Nomad 0.8+ through latest versions
  • Security Compliance: Audit logging, least privilege, and policy validation

Supported Token Types

Client Tokens

  • Limited access tokens with specific policies
  • Suitable for application and service authentication
  • Can be scoped to specific policies and regions

Management Tokens

  • Full administrative access tokens
  • Suitable for cluster administration and automation
  • Global scope with all permissions

Configuration Examples

# The examples on this page assume the module has been aliased
alias Vaultx.Secrets.Nomad

# Configure root Nomad credentials. The token is the Nomad management token
# that Vault uses to mint tokens, so it should come from a secret store
# rather than a literal in source.
config = %{
  address: "http://127.0.0.1:4646",
  token: "management-token-here",
  max_token_name_length: 256,
  ca_cert: "-----BEGIN CERTIFICATE-----...",
  client_cert: "-----BEGIN CERTIFICATE-----...",
  client_key: "-----BEGIN PRIVATE KEY-----..."
}
{:ok, _} = Nomad.configure_access(config)

# Configure lease settings
lease_config = %{
  ttl: "1h",
  max_ttl: "24h"
}
{:ok, _} = Nomad.configure_lease(lease_config)

# Create a role with policies
role_config = %{
  policies: "web-policy,db-read-policy",
  type: "client",
  global: false
}
{:ok, _} = Nomad.create_role("web-service", role_config)

# Generate credentials
{:ok, creds} = Nomad.generate_credentials("web-service")

API Compliance

Fully implements HashiCorp Vault Nomad secrets engine:

Summary

Functions

  • configure_access(config, opts \\ []) - Configure access information for Nomad.
  • configure_lease(config, opts \\ []) - Configure lease settings for generated tokens.
  • create_role(name, config, opts \\ []) - Create or update a Nomad role.
  • delete_lease_config(opts \\ []) - Delete lease configuration.
  • delete_role(name, opts \\ []) - Delete a Nomad role.
  • generate_credentials(name, opts \\ []) - Generate credentials for a Nomad role.
  • list_roles(opts \\ []) - List all configured Nomad roles.
  • read_access_config(opts \\ []) - Read access configuration for Nomad.
  • read_lease_config(opts \\ []) - Read lease configuration.
  • read_role(name, opts \\ []) - Read a Nomad role configuration.

Functions

configure_access(config, opts \\ [])

Configure access information for Nomad.

Sets up the Nomad connection parameters that Vault will use to communicate with Nomad and generate tokens. Supports both HTTP and HTTPS connections with optional TLS client certificate authentication.

Parameters

  • config - Access configuration parameters
  • opts - Request options including mount path

Examples

# Basic HTTP configuration
config = %{
  address: "http://127.0.0.1:4646",
  token: "management-token"
}
{:ok, _} = Nomad.configure_access(config)

# HTTPS with client certificates (PEM contents are read from disk and
# passed as strings)
config = %{
  address: "https://nomad.example.com:4646",
  token: "management-token",
  ca_cert: File.read!("ca.pem"),
  client_cert: File.read!("client.pem"),
  client_key: File.read!("client-key.pem"),
  max_token_name_length: 256
}
{:ok, _} = Nomad.configure_access(config)

configure_lease(config, opts \\ [])

Configure lease settings for generated tokens.

Parameters

  • config - Lease configuration parameters
  • opts - Request options

Examples

config = %{
  ttl: "1h",
  max_ttl: "24h"
}
{:ok, _} = Nomad.configure_lease(config)

create_role(name, config, opts \\ [])

Create or update a Nomad role.

Configures a role that can be used to generate Nomad tokens. The role defines the type of credentials to generate and the associated policies and constraints.

Parameters

  • name - Role name
  • config - Role configuration
  • opts - Request options

Examples

# Client token with policies
config = %{
  policies: "web-policy,db-read-policy",
  type: "client",
  global: false
}
{:ok, _} = Nomad.create_role("web-service", config)

# Management token
config = %{
  type: "management",
  global: true
}
{:ok, _} = Nomad.create_role("admin-role", config)

delete_lease_config(opts \\ [])

Delete lease configuration.

Examples

:ok = Nomad.delete_lease_config()

delete_role(name, opts \\ [])

Delete a Nomad role.

Examples

:ok = Nomad.delete_role("old-role")

generate_credentials(name, opts \\ [])

Generate credentials for a Nomad role.

Generates a dynamic Nomad token based on the given role definition. The token will have the policies and type configured in the role.

Parameters

  • name - Role name to generate credentials for
  • opts - Request options

Returns

  • {:ok, credentials} - Successfully generated credentials
  • {:error, error} - Failed to generate credentials

Examples

{:ok, creds} = Nomad.generate_credentials("web-service")
%{
  accessor_id: "c834ba40-8d84-b0c1-c084-3a31d3383c03",
  secret_id: "65af6f07-7f57-bb24-cdae-a27f86a894ce"
}
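The following is an added example, not code from the Vaultx project, showing how a service would consume the credentials returned above: it pattern-matches on the `{:ok, %{accessor_id, secret_id}}` and `{:error, reason}` shapes documented for generate_credentials/2, builds the `X-Nomad-Token` header a Nomad HTTP client needs, and logs only the accessor (which identifies the token for audit and revocation) while never writing the secret_id to the log. The `NomadTokenBroker` module name is an assumption, and `opts` is passed through unchanged because this page does not name the mount-path option key.

```elixir
# Added example (not part of the Vaultx documentation). Assumes the return
# shapes shown for Vaultx.Secrets.Nomad.generate_credentials/2:
#   {:ok, %{accessor_id: ..., secret_id: ...}} | {:error, reason}
defmodule NomadTokenBroker do
  @moduledoc """
  Obtains a dynamic Nomad token from Vault for a role and returns the
  request header a Nomad client needs. The accessor_id is logged for
  audit; the secret_id is only ever placed in the header.
  """
  require Logger
  alias Vaultx.Secrets.Nomad

  @doc """
  Returns {:ok, headers} where headers is a list of {name, value} tuples
  for a Nomad HTTP client, or {:error, reason}.
  """
  def nomad_headers(role, opts \\ []) when is_binary(role) do
    case Nomad.generate_credentials(role, opts) do
      {:ok, %{accessor_id: accessor, secret_id: secret}}
      when is_binary(accessor) and is_binary(secret) ->
        # The accessor is safe to record: it names the token without
        # granting access, and is what an operator revokes by.
        Logger.info("issued Nomad token role=#{role} accessor=#{accessor}")
        {:ok, [{"X-Nomad-Token", secret}]}

      {:ok, other} ->
        # Defensive: a map without both fields is not usable as a token.
        {:error, {:unexpected_credentials, Map.keys(other)}}

      {:error, reason} = error ->
        Logger.warning("Nomad token issue failed role=#{role}: #{inspect(reason)}")
        error
    end
  end
end

# Usage (hypothetical role name from the examples above):
#   {:ok, headers} = NomadTokenBroker.nomad_headers("web-service")
#   headers is then passed to the HTTP client call against the Nomad API
```

Because tokens minted this way carry the role's ttl and max_ttl, a caller should fetch a fresh one through this function when the lease expires rather than caching the secret_id long term.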

list_roles(opts \\ [])

List all configured Nomad roles.

Examples

{:ok, roles} = Nomad.list_roles()
["web-service", "api-service", "admin-role"]

read_access_config(opts \\ [])

Read access configuration for Nomad.

Examples

{:ok, config} = Nomad.read_access_config()
%{
  address: "http://localhost:4646/"
}

read_lease_config(opts \\ [])

Read lease configuration. The returned ttl and max_ttl are integers in seconds, whereas configure_lease/2 accepts duration strings such as "1h".

Examples

{:ok, config} = Nomad.read_lease_config()
%{
  max_ttl: 86400,
  ttl: 86400
}

read_role(name, opts \\ [])

Read a Nomad role configuration.

Examples

{:ok, config} = Nomad.read_role("web-service")
%{
  policies: ["web-policy", "db-read-policy"],
  type: "client",
  global: false
}
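As an added example (not part of the Vaultx documentation), the audit below combines list_roles/1 and read_role/2 as documented above to find roles whose tokens grant more than a scoped client token should: management roles not on an explicit allowlist, client roles with global scope (replicated to every region), and client roles with no policies attached. The `NomadRoleAudit` module name, the allowlist contents, and the handling of policies as either a list (as read_role returns) or a comma-separated string (as create_role accepts) are assumptions made for this example.

```elixir
# Added example (not part of the Vaultx documentation). Uses
# Vaultx.Secrets.Nomad.list_roles/1 and read_role/2 with the return shapes
# shown on this page; the allowlist and module name are assumptions.
defmodule NomadRoleAudit do
  alias Vaultx.Secrets.Nomad

  # Roles that are expected to produce management tokens (assumed list).
  @management_allowlist ["admin-role"]

  @doc """
  Reads every role on the mount and returns {:ok, findings}, where
  findings is a list of {role, finding} tuples. An empty list means no
  role exceeded the expected client-token scope.
  """
  def run(opts \\ []) do
    with {:ok, roles} <- Nomad.list_roles(opts) do
      findings =
        Enum.flat_map(roles, fn role ->
          case Nomad.read_role(role, opts) do
            {:ok, config} -> audit_role(role, config)
            {:error, reason} -> [{role, {:unreadable, reason}}]
          end
        end)

      {:ok, findings}
    end
  end

  # Evaluates one role configuration against the scope checks.
  defp audit_role(role, config) do
    type = Map.get(config, :type, "client")
    global = Map.get(config, :global, false)
    policies = normalize_policies(Map.get(config, :policies, []))

    checks = [
      {type == "management" and role not in @management_allowlist,
       :management_role_not_allowlisted},
      {type == "client" and global, :client_role_with_global_scope},
      {type == "client" and policies == [], :client_role_without_policies}
    ]

    for {true, finding} <- checks, do: {role, finding}
  end

  # read_role returns a list; create_role accepts a comma-separated string,
  # so accept both when comparing against the empty set.
  defp normalize_policies(policies) when is_binary(policies),
    do: String.split(policies, ",", trim: true)

  defp normalize_policies(policies) when is_list(policies), do: policies
  defp normalize_policies(_), do: []
end

# Usage:
#   {:ok, findings} = NomadRoleAudit.run()
#   Enum.each(findings, fn {role, finding} -> IO.puts("#{role}: #{inspect(finding)}") end)
```

Running this periodically against the mount gives an inventory of which roles can mint management or global tokens, which is the set an operator needs to tie back to the least-privilege and policy-validation goals listed at the top of this page.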