Storing Nomad Variables
Nomad Variables provide the option to securely store configuration at file-like paths directly in Nomad's state store. The contents of these secrets are encrypted and replicated between servers via raft. Access to secrets is controlled by ACL policies, and tasks have implicit ACL policies that allow them to access their own secrets. You can create, read, update, or delete secrets via the command line or in the Nomad web UI.
Note that the Nomad Variables feature is intended for small pieces of configuration data needed by workloads. Because writing to the Nomad state store uses resources needed by Nomad, it's not well-suited for large or fast-changing data. For example, do not store batch job results as variables - these should be stored in an external database. Variables are also not intended to be a full replacement for HashiCorp Vault. If you need powerful options like dynamic secrets or transit encryption, continue using Vault.
For complete documentation on the Nomad Variables feature and related concepts, see the Variables reference documentation, the Key Management documentation, and the Workload Identity documentation
In this tutorial you'll store variables in Nomad via the command line.
Note
You should always protect access to variables with Access Control Lists (ACLs). Writing ACL policies for variables is covered in the Nomad Variables Access Control tutorial
Using the variables command-line interface
First, create two namespaces named prod
and dev
.
$ nomad namespace apply -description "production environment" prodSuccessfully applied namespace "prod"!
$ nomad namespace apply -description "development environment" devSuccessfully applied namespace "dev"!
Create a variable in the prod
namespace.
nomad var put -namespace prod project/example user=me password=passw0rd1
Read the variable.
$ nomad var get -namespace prod project/exampleNamespace = prodPath = project/exampleCreate Time = 2022-09-19T11:21:23-04:00Check Index = 27 Itemspassword = passw0rd1user = me
When writing a variable, you can use the -out
option to display the output.
$ nomad var put -namespace prod -out table project/another-example user=you password=passw0rd2Namespace = prodPath = project/another-exampleCreate Time = 2022-09-19T11:21:56-04:00Check Index = 28 Itemspassword = passw0rd2user = you
The var put
and var get
commands both accept the -out
option. You can read
variables in a machine-friendly format using the -out json
option:
$ nomad var get -namespace prod -out json project/example{ "Namespace": "prod", "Path": "project/example", "CreateIndex": 27, "ModifyIndex": 27, "CreateTime": 1663600883130070567, "ModifyTime": 1663600883130070567, "Items": { "password": "passw0rd1", "user": "me" }}
Updating variables
You can use var put
to overwrite all items in a variable, but to avoid
conflicting with other writes that may have happened since you last read the
variable, you must use the -check-index
flag and set it to the last modified
index.
Note
Running the following command without updating the check-index to the ModifyIndex value printed by the previous command will result in a Check-and-Set conflict.
$ nomad var put -namespace prod -out json -check-index 27 project/example password=passw0rd3{ "Namespace": "prod", "Path": "project/example", "CreateIndex": 27, "ModifyIndex": 30, "CreateTime": 1663600883130070567, "ModifyTime": 1663600984406100205, "Items": { "password": "passw0rd3" }}
Try it again, this time leaving off the -check-index
flag (or setting it to an
index value in the future). Note the value is not updated and you receive the
current value to avoid conflicts.
$ nomad var put -namespace prod -out json -check-index 100 project/example password=passw0rd3 Check-and-Set conflict Your provided check-index (100) does not match the server-side index (30). The server-side item was last updated on 2022-09-19T11:23:04-04:00. If you are sure you want to perform this operation, add the -force or -check-index=30 flag before the positional arguments.
To patch a variable without overwriting all the values, you can pipe var get
into var put
with the initial value set to -
to signal that you're accepting
input from stdin
. This will automatically set the -check-index
flag so that
you avoid conflicts.
$ nomad var get -namespace prod project/example | \ nomad var put -namespace prod -out json - user=me2
The command will output the updated variable in JSON format.
"Namespace": "prod", "Path": "project/example", "CreateIndex": 27, "ModifyIndex": 39, "CreateTime": 1663600883130070567, "ModifyTime": 1663601343585644939, "Items": { "password": "passw0rd3", "user": "me2" }}
List the two variables. Note that the list response only includes the paths and metadata, not any of the data.
$ nomad var list -namespace prodNamespace Path Last Updatedprod project/another-example 2022-09-19T11:21:56-04:00prod project/example 2022-09-19T11:29:03-04:00
List the variables, using a prefix filter. Note that only variables at the path matching the prefix are shown.
$ nomad var list -namespace prod project/exNamespace Path Last Updatedprod project/example 2022-09-19T11:29:03-04:00
Create three more variables, this time in the dev
namespace.
nomad var put -namespace dev system/config foo=barnomad var put -namespace dev project/example foo=barnomad var put -namespace dev another-project/example foo=bar
Using the wildcard namespace indicator (*
), list all the variables you have
access to. For many shells, the *
character is significant, so you might need
to wrap it in double ("
) or single ('
) quotation marks.
$ nomad var list -namespace '*'Namespace Path Last Updateddev another-project/example 2022-09-19T11:29:54-04:00dev project/example 2022-09-19T11:29:54-04:00dev system/config 2022-09-19T11:29:54-04:00prod project/another-example 2022-09-19T11:21:56-04:00prod project/example 2022-09-19T11:29:03-04:00
You can list the variables in a given namespace by using the namespace
option. For example, list all of the variables in the dev
namespace by adding
-namespace dev
to the nomad var list
command.
$ nomad var list -namespace devNamespace Path Last Updateddev another-project/example 2022-09-19T11:29:54-04:00dev project/example 2022-09-19T11:29:54-04:00dev system/config 2022-09-19T11:29:54-04:00
Next steps
Now that you have used the nomad var
command to create and view Nomad
Variables, consider learning more about how to control access to Nomad Variables
with the Nomad Variables Access Control tutorial and how to use Nomad
Variables in your jobs with the Accessing Variables From Tasks tutorial.