Use workload identities

example/images/minio/Dockerfile

@@ -1,4 +1,4 @@
-FROM danielberteaud/alpine:24.9-2
+FROM danielberteaud/alpine:24.9-3
 LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"
 
 ARG MINIO_VERSION=2024-09-22T00-33-43Z

example/minio.nomad.hcl

@@ -287,7 +287,7 @@ _EOT
 
 
       vault {
-        policies     = ["minio"]
+        role         = "minio"
         env          = false
         disable_file = true
         change_mode  = "noop"

example/vault/roles/minio.json

@@ -0,0 +1,25 @@
+{
+  "bound_audiences": [
+    "vault.io"
+  ],
+  "bound_claims": {
+    "nomad_job_id": "minio",
+    "nomad_namespace": "default"
+  },
+  "claim_mapping": {
+    "nomad_allocation_id": "nomad_allocation_id",
+    "nomad_job_id": "nomad_job_id",
+    "nomad_namespace": "nomad_namespace",
+    "nomad_task": "nomad_task"
+  },
+  "role_type": "jwt",
+  "token_explicit_max_ttl": 0,
+  "token_period": "1h",
+  "token_policies": [
+    "minio"
+  ],
+  "token_type": "service",
+  "user_claim": "/nomad_allocation_id",
+  "user_claim_json_pointer": true
+}
+

variables.yml

@@ -55,8 +55,10 @@ minio:
       MINIO_API_OBJECT_MAX_VERSIONS: 1000
   
     vault:
-      policies:
-        - '[[ .instance ]][[ .consul.suffix ]]'
+      workload_identity:
+        role:
+          token_policies:
+            - '[[ .instance ]][[ .consul.suffix ]]'
   
     api_port: 2[[ crypto.SHA1 (printf "%s%s" .instance .consul.suffix) | regexp.Replace "[^\\d]" "" | regexp.Replace "^0*" "" | strings.Trunc 4 ]]
   

vault/roles/minio.json

@@ -0,0 +1 @@
+[[ template "common/vault.jwt_role" merge .minio.server .minio . ]]