Table: nomad_acl_token - Query Nomad ACL Tokens using SQL
Nomad ACL Tokens are used in HashiCorp Nomad to provide a flexible, capability-based access control system. They allow operators to restrict access to certain data and APIs, making Nomad more secure. Each ACL token is associated with a set of policies, and these policies dictate the token's specific capabilities.
Table Usage Guide
The `nomad_acl_token` table provides insights into ACL tokens within HashiCorp Nomad. As a security analyst, explore token-specific details through this table, including associated policies and roles, token type, and related metadata. Use it to find tokens with broad permissions (management tokens, global tokens, tokens that never expire) and to verify the security posture of your Nomad deployment.
Important Notes
- You need to specify the `secret_id` config argument in the `nomad.spc` file to be able to query this table. The token you configure must itself be allowed to read ACL tokens (in practice a management token).
- The `secret_id` column returns each token's bearer secret, which is all a client needs to authenticate as that token. Leave it out of any query whose output is shared, exported, or stored.
Examples
Basic info
Assess the elements within your Nomad ACL tokens to understand the different types, their global status, creation time, and expiration time-to-live (TTL). This can help manage and track the lifecycle and accessibility of each token.
```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token;
```
List management tokens
List the management tokens that currently exist in your cluster, with their creation and expiration details. A management token is not bound to any policy or role: it has unrestricted access to every Nomad API, so each one should be accounted for, short-lived where possible, and issued only to operators who need full cluster control.
```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token
where
  type = 'management';
```
List global tokens
List the ACL tokens that are marked global. A global token is replicated to every region in a federated Nomad cluster, while a local token is only valid in the region that created it, so a leaked global token gives the attacker reach across all regions. Review these tokens first.
PostgreSQL:

```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token
where
  global;
```

SQLite:

```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token
where
  global = 1;
```
List tokens which will never expire
List the ACL tokens that were created without an expiration TTL, so `expiration_time` is null and the token remains valid until it is explicitly deleted. Such tokens are a standing credential risk; the query makes it easy to confirm that every token, or at least every non-service token, has a designated expiry.
```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token
where
  expiration_time is null;
```
List tokens which are not associated with any role
List the tokens that are not linked to any ACL role. Roles group policies and were added after policies, so a client token created before roles were introduced, or created directly from a policy list, will legitimately have no roles; review the `policies` column alongside this result. Management tokens never carry roles or policies, so they also appear here.
```sql
select
  name,
  accessor_id,
  secret_id,
  type,
  global,
  create_time,
  expiration_ttl
from
  nomad_acl_token
where
  roles is null;
```
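The single-condition queries above each answer one question. The following query, added here as an example and not part of the Steampipe plugin docs, combines them into one token review: it expands the `policies` JSON array so each token/policy pair is a row, counts roles, deliberately omits `secret_id`, and assigns a finding per token. It assumes the PostgreSQL flavour of Steampipe, that `policies` is a JSON array of policy-name strings and `roles` a JSON array (as the Nomad ACL API returns them), and a review window of 7 days, which is an arbitrary choice.

```sql
-- Added example (not from the Steampipe or Nomad docs): one-query review of
-- ACL token exposure. Assumes Steampipe on PostgreSQL, `policies` as a JSON
-- array of strings, `roles` as a JSON array; the 7-day window is arbitrary.
with tokens as (
  select
    accessor_id,
    name,
    type,
    global,
    create_time,
    expiration_time,
    -- Guard with jsonb_typeof: jsonb_array_length errors on a JSON null.
    case when jsonb_typeof(policies) = 'array' then policies else '[]'::jsonb end as policies,
    case when jsonb_typeof(roles) = 'array' then jsonb_array_length(roles) else 0 end as role_count
  from
    nomad_acl_token
),
findings as (
  select
    t.*,
    case
      when t.type = 'management'
        then 'management token: unrestricted access, no policy bound'
      when t.global and t.expiration_time is null
        then 'global client token that never expires'
      when t.expiration_time is null
        then 'client token that never expires'
      when t.expiration_time < now() + interval '7 days'
        then 'expires within 7 days'
      else 'ok'
    end as finding
  from
    tokens as t
)
select
  f.accessor_id,
  f.name,
  f.type,
  f.global,
  f.expiration_time,
  f.role_count,
  p.policy_name,        -- null for management tokens and unattached tokens
  f.finding
from
  findings as f
  -- LEFT JOIN LATERAL keeps tokens with an empty policy list as a single row.
  left join lateral jsonb_array_elements_text(f.policies) as p(policy_name) on true
where
  f.finding <> 'ok'
order by
  (f.type = 'management') desc,
  f.global desc,
  f.expiration_time nulls first,
  f.accessor_id,
  p.policy_name;
```

Drop the `where f.finding <> 'ok'` filter to see every token; add `p.policy_name = 'some-policy'` to the `where` clause to answer "which tokens can act under this policy". Because `secret_id` is never selected, the result can be attached to a review ticket without leaking credentials.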
Schema for nomad_acl_token
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
accessor_id | text | = | The accessor ID of the ACL token. |
create_index | bigint | | Create index of the ACL token. |
create_time | timestamp with time zone | | The creation time of the ACL token. |
expiration_time | timestamp with time zone | | The expiration time of the ACL token; null when the token never expires. |
expiration_ttl | text | | The maximum life of the ACL token, as a duration string. |
global | boolean | | Whether the token is global (replicated to all regions) or local. |
modify_index | bigint | | Modify index of the ACL token. |
name | text | = | The name of the ACL token. |
policies | jsonb | | Policies attached to the ACL token. |
roles | jsonb | | Roles attached to the ACL token. |
secret_id | text | | The secret ID of the ACL token (the bearer credential). |
title | text | | The title of the ACL token. |
type | text | | The type of the ACL token: client or management. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the `steampipe_export_installer.sh` script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- nomad
```

You can pass the configuration to the command with the `--config` argument:

```sh
steampipe_export_nomad --config '<your_config>' nomad_acl_token
```