hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Automatic Token Handling in `nomad login` #20478

Open thetoothpick opened 5 months ago

thetoothpick commented 5 months ago

Proposal

The current functionality of the nomad login command in HashiCorp Nomad only outputs the secret token to standard output. This feature request proposes enhancing the nomad login command to persist the secret token and automatically use it in subsequent commands without manual intervention. It would also be useful to handle token expiration, either by displaying a warning to the user or automatically requesting a new token after expiration.

Use-cases

Automatically handling secret tokens generated by nomad login would increase usability and make handling tokens easier.

Attempted Solutions

I have a shell script to export the NOMAD_TOKEN variable based on the output of `nomad login -t "{{.SecretID}}"`.

```bash
# Log in and export the resulting secret token into the current shell.
# This has to be a shell function (not a script) so the export reaches the caller's environment.
nomad-login () {
  local token
  token=$(nomad login -t '{{.SecretID}}') || return 1   # don't export an empty token if login fails
  export NOMAD_TOKEN="$token"
  if [[ "-v" == "$1" ]]; then
    nomad acl token self   # verify the token by printing its own ACL token details
  fi
}
```

However, using this on a team requires adding it to everyone's shell setup, and it's not always clear that there is a separate shell function.

tgross commented 4 months ago

Hi @thetoothpick! The tricky thing with setting the env var is that we can't do that in the parent shell, so the login can't persist outside that session without writing to disk somewhere. One approach we've talked about for this is described in https://github.com/hashicorp/nomad/issues/11043, where having some kind of persistent "context" would let you switch between logins while handling all the tokens as you'd like to do here.

Ideally we'd also be able to put tokens in the session keyring rather than having them sit around on disk, but then we get into cross-platform desktop details so that might be in a v2 of any such feature. In any case, thanks for opening the issue and I'll mark this for roadmapping.

thetoothpick commented 4 months ago

thanks @tgross! Even if it's somewhat crude, something as simple as Vault's method of writing a file (mentioned in some of the linked tickets) would be useful here (better than nothing 🙂).
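A sketch of the disk-backed approach discussed in this thread (persist the token to a file the way Vault's token file does, reuse it in later commands, and re-login when it has expired), added here as an illustrative example in Go; it is not Nomad's code and not from any participant in the issue. It never invokes `nomad` itself: the login step is an injected function standing in for `nomad login`, the cache file format is the example's own (the field names SecretID and ExpirationTime are borrowed from Nomad's ACL token JSON), and the path, clock skew and token values are assumptions. The security-relevant details are the 0600 file mode, the refusal to use a cache file that other local users can read, and the atomic write.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// cachedToken is the subset of an ACL token this example persists. The JSON
// field names mirror Nomad's token fields, but the file format is the
// example's own (assumption), not a format Nomad defines.
type cachedToken struct {
	SecretID       string    `json:"SecretID"`
	ExpirationTime time.Time `json:"ExpirationTime"` // zero value means "never expires"
}

// tokenStore keeps one token in a private file, similar to Vault's token file.
type tokenStore struct {
	path  string
	skew  time.Duration               // tokens expiring within skew count as expired
	login func() (cachedToken, error) // stand-in for running `nomad login`
	now   func() time.Time
}

var errExpired = errors.New("cached token is expired")

// save writes the token with mode 0600 via a temp file and rename, so other
// local users cannot read it and a partial write never leaves a corrupt cache.
func (s *tokenStore) save(tok cachedToken) error {
	if err := os.MkdirAll(filepath.Dir(s.path), 0o700); err != nil {
		return err
	}
	data, err := json.Marshal(tok)
	if err != nil {
		return err
	}
	tmp := s.path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, s.path)
}

// load reads the cache, rejecting files readable by group/others and
// returning errExpired when the token is (about to be) expired.
func (s *tokenStore) load() (cachedToken, error) {
	info, err := os.Stat(s.path)
	if err != nil {
		return cachedToken{}, err
	}
	if info.Mode().Perm()&0o077 != 0 {
		return cachedToken{}, fmt.Errorf("%s has mode %04o, expected 0600", s.path, info.Mode().Perm())
	}
	data, err := os.ReadFile(s.path)
	if err != nil {
		return cachedToken{}, err
	}
	var tok cachedToken
	if err := json.Unmarshal(data, &tok); err != nil {
		return cachedToken{}, err
	}
	if !tok.ExpirationTime.IsZero() && !s.now().Add(s.skew).Before(tok.ExpirationTime) {
		return tok, errExpired
	}
	return tok, nil
}

// Token returns a usable SecretID, logging in again only when the cache is
// missing or expired. The bool reports whether a fresh login happened.
func (s *tokenStore) Token() (string, bool, error) {
	tok, err := s.load()
	switch {
	case err == nil:
		return tok.SecretID, false, nil
	case errors.Is(err, errExpired), errors.Is(err, os.ErrNotExist):
		// fall out of the switch and log in again
	default:
		return "", false, err // bad permissions or corrupt file: fail loudly, don't continue
	}
	fresh, err := s.login()
	if err != nil {
		return "", false, err
	}
	if err := s.save(fresh); err != nil {
		return "", false, err
	}
	return fresh.SecretID, true, nil
}

func main() {
	dir, err := os.MkdirTemp("", "nomad-login-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	s := &tokenStore{
		path: filepath.Join(dir, "nomad-token"), // assumed location; real use would pick a per-user path
		skew: time.Minute,
		now:  time.Now,
		login: func() (cachedToken, error) { // constructed token, stands in for `nomad login`
			return cachedToken{SecretID: "00000000-example-token", ExpirationTime: time.Now().Add(time.Hour)}, nil
		},
	}
	for i := 0; i < 2; i++ { // second call reuses the cache without logging in
		id, fresh, err := s.Token()
		if err != nil {
			panic(err)
		}
		fmt.Printf("token=%s logged_in=%v\n", id, fresh)
	}
}
```

In real use the injected `login` function would run `nomad login` and parse its output; the cache path, like Vault's, would be a per-user file under the home directory. Putting the secret in the session keyring, as suggested above, would replace `save`/`load` without changing `Token`.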