Open sorenisanerd opened 1 year ago
Hi @sorenisanerd I agree this seems straightforwardly a bug. We're also in the middle of deprecating this whole process for Nomad 1.7.0 so that we can use Workload Identity for jobs that need service identities, and this code will be removed outright in Nomad 1.9.0.
That being said, I don't love leaving a known bug around until 1.9.0. I'll mark this for roadmapping, but it's also likely a small enough fix that we could take a community contribution, so I'll mark it as such for that as well.
I've moved entirely to the workload identity approach, so this does not affect me anymore. As such, I'm not investing more effort here.
I think a bit of Terraform demonstrates the problem best:
Attempting to apply that Terraform code yields:
`nomad.consulACLsAPI.canWriteService` goes through:

- `service` or `service_prefix` policies in the token: https://github.com/hashicorp/nomad/blob/a8e68e64793670f0d19ae5659a8b78606b24aa27/nomad/consul_policy.go#L175-L181
- `service` or `service_prefix` policies in the roles assigned to the token: https://github.com/hashicorp/nomad/blob/a8e68e64793670f0d19ae5659a8b78606b24aa27/nomad/consul_policy.go#L184-L200

Notably absent is a check for service identities in the roles assigned to the token.
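The check described in the report, modelled as an added Go example that is not Nomad's code: the `Token`, `Role`, `Policy` and `Rule` types are a constructed stand-in for the Consul ACL objects, `canWriteServiceBuggy` consults only token and role policies as the issue describes, and `canWriteServiceFixed` adds the missing walk over service identities attached to roles.

```go
package main
import "strings"

// Minimal model of the Consul ACL objects involved. Constructed for this
// example: the names echo the Consul API, but this is not Nomad's code.
type Rule struct{ Kind, Name, Policy string } // Kind: "service" or "service_prefix"
type Policy []Rule
type Role struct{ Policies []Policy; ServiceIdentities []string }
type Token struct{ Policies []Policy; Roles []Role }

// rulesGrantWrite is the per-policy check: a "service" rule naming svc exactly,
// or a "service_prefix" rule whose prefix matches, with policy = "write".
func rulesGrantWrite(policies []Policy, svc string) bool {
	for _, p := range policies {
		for _, r := range p {
			exact := r.Kind == "service" && r.Name == svc
			prefix := r.Kind == "service_prefix" && strings.HasPrefix(svc, r.Name)
			if r.Policy == "write" && (exact || prefix) {
				return true
			}
		}
	}
	return false
}

// canWriteServiceBuggy models the behaviour the issue describes: only policies
// attached to the token and policies attached to its roles are consulted.
func canWriteServiceBuggy(t Token, svc string) bool {
	policies := append([]Policy{}, t.Policies...)
	for _, role := range t.Roles {
		policies = append(policies, role.Policies...)
	}
	return rulesGrantWrite(policies, svc)
}

// canWriteServiceFixed adds the missing step: a service identity on one of the
// token's roles grants write on exactly that service name.
func canWriteServiceFixed(t Token, svc string) bool {
	if canWriteServiceBuggy(t, svc) {
		return true
	}
	for _, role := range t.Roles {
		for _, name := range role.ServiceIdentities {
			if name == svc {
				return true
			}
		}
	}
	return false
}
```

A token whose only grant is a service identity carried by a role is rejected by the buggy check and accepted by the fixed one, while a read-only `service` rule is rejected by both.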