by humblepie 1688 days ago
I've been using nomad for smaller setups in AWS and it's been great.

The biggest issue I've encountered on it is when you move out of AWS (and you can't apply EC2-based IAM) but still have S3-hosted artifacts. Specifically, it cannot receive Vault secrets for the artifact credentials because the nomad templates get applied at a much later stage.


Have you looked into levant? Seems like it would allow you to do this. Now, with levant the developer machine would be the thing retrieving the vault secrets, but it may be a useful stopgap.

https://github.com/hashicorp/levant

Hmm, would the stored job data still include the AWS credentials? That is, if I change the artifact S3 credentials and I run "nomad job plan" it will show the diff of the AWS keys. That means somewhere in the nomad raft logs the keys are exposed.

Yes, exactly. Definitely not ideal, but potentially a workaround depending on the security requirements.

Yeah, this pains me too. Here's a relevant issue to keep an eye on:

https://github.com/hashicorp/nomad/issues/3854

I've used an nginx-based S3 proxy in the past to get around this. Not ideal but it works.