nomad var put: Store Secrets in Nomad Variables
nomad var put stores an encrypted key/value variable at a path that jobs can read via template blocks.
Nomad Variables hold per-job secrets and config, encrypted at rest. A pipeline writes them with var put before deploying the job that reads them.
What it does
nomad var put creates or updates a variable at a path, storing one or more key=value items encrypted by the Nomad keyring. Items can be given as arguments, read from a file with -in, or piped on stdin. Jobs read them through {{ with nomadVar "<path>" }} in templates.
Common usage
nomad var put secret/web api_key=abc123 db_pass=s3cret
# from a JSON or HCL file
nomad var put -in=json secret/web @vars.json
# safe update guarded by the current index
nomad var put -check-index=7 secret/web api_key=newOptions
| Flag | What it does |
|---|---|
| -in <hcl|json> | Read the variable items from a file in this format |
| -check-index <n> | Only write if the variable ModifyIndex matches |
| -namespace <ns> | Target a specific namespace |
| -force | Overwrite without an index check |
| -out <go-template|json> | Format the result output |
In CI
Scope variable paths so a jobs Workload Identity can read only its own path (for example secret/<job>). Use -check-index for concurrent updates, and never echo the values into the build log.
Common errors in CI
"conflicting value for ... check-index" means the variable changed since your index; re-read and retry. "Permission denied" means the token (or workload identity) lacks variables:write on the path and namespace. "Error: invalid item ..." means an argument was not in key=value form.