
Missing: vault.write - on Nomad #183

@chrisvanmeer


I am using HashiCorp Nomad to deliver workloads. Amongst them Traefik.
Within the Traefik jobspec I use dynamic template blocks for both the certificate and the private key.

```hcl
dynamic "template" {
  for_each = var.auto_certs
  content {
    data        = <<-EOH
    {{- with secret "venafi/issue/tpp" "common_name=${template.value}" -}}
    {{.Data.private_key}}
    {{- end -}}
    EOH
    destination = "secrets/private/${template.value}.key"
  }
}

dynamic "template" {
  for_each = var.auto_certs
  content {
    data        = <<-EOH
    {{- with secret "venafi/issue/tpp" "common_name=${template.value}" -}}
    {{.Data.certificate_chain}}
    {{- end -}}
    EOH
    destination = "local/certs/${template.value}.crt"
  }
}
```

The notation of the Consul templating I got from your README-ADVANCED.md.

Nomad is connected to Vault and Traefik is using a Vault token that has the following policy content:

```hcl
path "venafi/issue/tpp" {
  capabilities = ["create", "read", "update"]
}

path "venafi/certs" {
  capabilities = ["list"]
}

path "venafi/cert/*" {
  capabilities = ["read"]
}
```

On Vault I am using the venafi-pki-backend secrets engine plugin v0.14.0. But when I run the jobspec I get the following error in Nomad:

```
Template: Missing: vault.write(venafi/issue/tpp -> 23df83b7)
```

Which - on its own - is a strange error, since Vault does not have a write capability.

If I create a new Vault token (`vault token create -orphan -ttl=5m -policy=pol-venafi`) and use that token to issue the cert by hand, it works fine.

Am I doing something wrong?
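Added illustration, not part of the issue or of the venafi plugin: consul-template classifies a `secret` call that carries extra arguments (here `common_name=...`) as a `vault.write` dependency, which is the label in the error above, while Vault's own capability vocabulary has no "write". The constructed check below parses templates modelled on the jobspec and the policy quoted above, then reports whether the policy grants the capabilities each dependency needs (a write needs `create` or `update`, a read needs `read`).

```python
import re
from fnmatch import fnmatch

# Constructed inputs modelled on the issue: two consul-template snippets and the Vault policy.
TEMPLATES = [
    '{{- with secret "venafi/issue/tpp" "common_name=example.internal" -}}{{.Data.private_key}}{{- end -}}',
    '{{- with secret "venafi/cert/abc123" -}}{{.Data.certificate}}{{- end -}}',
]
POLICY = '''
path "venafi/issue/tpp" { capabilities = ["create", "read", "update"] }
path "venafi/certs"     { capabilities = ["list"] }
path "venafi/cert/*"    { capabilities = ["read"] }
'''

# Vault's capability vocabulary: note there is no "write" capability.
VAULT_CAPABILITIES = {"create", "read", "update", "delete", "list", "patch", "sudo", "deny"}
SECRET_CALL = re.compile(r'secret\s+"([^"]+)"((?:\s+"[^"]+")*)')
POLICY_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(text):
    """Return [(path_glob, {capabilities})] from a Vault policy written in HCL."""
    return [(path, {c.strip().strip('"') for c in caps.split(",") if c.strip()})
            for path, caps in POLICY_RULE.findall(text)]


def template_dependencies(template):
    """Classify each `secret` call the way consul-template does: extra arguments => vault.write, else vault.read."""
    return [("vault.write" if args.strip() else "vault.read", path)
            for path, args in SECRET_CALL.findall(template)]


def capabilities_for(path, rules):
    """Capabilities the policy grants on a concrete path: the most specific matching rule wins, deny revokes all."""
    matches = [(p, caps) for p, caps in rules if fnmatch(path, p)]
    if not matches:
        return set()
    _, caps = max(matches, key=lambda m: len(m[0]))
    return set() if "deny" in caps else caps


def check(templates, policy_text):
    """Return {dependency_label: granted} for every Vault dependency the templates create."""
    rules = parse_policy(policy_text)
    result = {}
    for template in templates:
        for kind, path in template_dependencies(template):
            needed = {"create", "update"} if kind == "vault.write" else {"read"}
            result[f"{kind}({path})"] = bool(capabilities_for(path, rules) & needed)
    return result
```

For the policy quoted in the issue the write dependency on `venafi/issue/tpp` is satisfied, so the check rules out a missing capability and points at the dependency itself (the template blocking on the write) as the thing to investigate.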

Labels: bug