Nomad Job Vault Policy


I was trying to deploy my first Nomad job that queried values out of Vault to set environment variables. The Nomad logs kept indicating that the token couldn’t renew-self, getting permission denied. I was able to use the token that my Nomad Client was given and renew-self, so I was very confused.

As it turns out, the derived token that is used for the job also calls renew-self! I needed to give the extra line to the policy to allow the job token to renew itself.
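
For illustration, a Vault policy of the kind described above, written as an added example and not the author's own policy. The secret path is a constructed placeholder; the renew-self stanza uses Vault's standard token endpoint.

```hcl
# Vault policy attached to the Nomad job (example, not from the original post).

# Read access to the secrets the job turns into environment variables.
# "secret/data/myapp/*" is a placeholder path for a KV v2 mount.
path "secret/data/myapp/*" {
  capabilities = ["read"]
}

# Without this stanza, a token holding only the policy above is denied
# when it calls renew-self. Renewal is a write to the token endpoint,
# so the capability needed is "update".
path "auth/token/renew-self" {
  capabilities = ["update"]
}
```

The stanza grants renewal of the calling token only, so it does not let the job token renew or look up any other token.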