The solution to this was pointed out here: Problem getting vault secrets in a Nomad job - #10 by Just-Insane
In short:
```hcl
path "secret/*" {
  capabilities = ["list"]
}
path "secret/data/db/config" {
  capabilities = ["list", "read"]
}
```
Note the “data” in the path.
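An added example, not part of the original post and not Vault's own code: a simplified Python model of why the `data` segment matters on a KV v2 mount. It assumes only exact paths and trailing-`*` globs (no `+` wildcards, no trailing-slash handling for list), and the `WITHOUT_DATA` policy is a constructed variant for comparison.

```python
# Simplified model of Vault ACL matching for a KV v2 mount (added example).
# Assumptions: exact paths and trailing-* globs only; the most specific rule wins.

# KV v2 API prefix that each capability is authorized against.
KV2_PREFIX = {"read": "data", "create": "data", "update": "data",
              "list": "metadata"}

def kv2_api_path(mount, secret_path, capability):
    """Map a logical KV v2 secret path to the API path a policy must cover."""
    return f"{mount}/{KV2_PREFIX[capability]}/{secret_path}"

def capabilities_for(policy, api_path):
    """Return the capabilities granted by the most specific matching rule."""
    if api_path in policy:                      # an exact rule beats any glob
        return set(policy[api_path])
    globs = [p for p in policy
             if p.endswith("*") and api_path.startswith(p[:-1])]
    if not globs:
        return set()                            # no rule matches: default deny
    return set(policy[max(globs, key=len)])     # longest glob prefix wins

def allowed(policy, mount, secret_path, capability):
    """True if the policy grants `capability` on the logical secret path."""
    api_path = kv2_api_path(mount, secret_path, capability)
    return capability in capabilities_for(policy, api_path)

# Policy from the post, written as {path: capabilities}.
WITH_DATA = {"secret/*": ["list"],
             "secret/data/db/config": ["list", "read"]}

# Constructed variant: the same rule without the "data" segment.
WITHOUT_DATA = {"secret/*": ["list"],
                "secret/db/config": ["list", "read"]}

if __name__ == "__main__":
    for name, pol in (("with data", WITH_DATA), ("without data", WITHOUT_DATA)):
        ok = allowed(pol, "secret", "db/config", "read")
        print(f"{name}: read secret db/config allowed = {ok}")
```

Without the `data` segment the read request falls through to `secret/*`, which grants only `list`, so the read is denied.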