Skip to content
Latchkey

nomad var put: Store Secrets in Nomad Variables

nomad var put stores an encrypted key/value variable at a path that jobs can read via template blocks.

Nomad Variables hold per-job secrets and config, encrypted at rest. A pipeline writes them with var put before deploying the job that reads them.

What it does

nomad var put creates or updates a variable at a path, storing one or more key=value items encrypted by the Nomad keyring. Items can be given as arguments, read from a file with -in, or piped on stdin. Jobs read them through {{ with nomadVar "<path>" }} in templates.

Common usage

Terminal
nomad var put secret/web api_key=abc123 db_pass=s3cret
# from a JSON or HCL file
nomad var put -in=json secret/web @vars.json
# safe update guarded by the current index
nomad var put -check-index=7 secret/web api_key=new

Options

FlagWhat it does
-in <hcl|json>Read the variable items from a file in this format
-check-index <n>Only write if the variable ModifyIndex matches
-namespace <ns>Target a specific namespace
-forceOverwrite without an index check
-out <go-template|json>Format the result output

In CI

Scope variable paths so a jobs Workload Identity can read only its own path (for example secret/<job>). Use -check-index for concurrent updates, and never echo the values into the build log.

Common errors in CI

"conflicting value for ... check-index" means the variable changed since your index; re-read and retry. "Permission denied" means the token (or workload identity) lacks variables:write on the path and namespace. "Error: invalid item ..." means an argument was not in key=value form.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →