Nomad missing vault client token

Hi,

I have an issue with Nomad getting a Vault secret.
I have searched for a solution for 4h without success.
I have followed the docs to integrate Vault, but I always get errors in the Nomad log like this:

avril 01 23:01:16 oscar nomad[539057]: * missing client token (retry attempt 6 after "8s")
avril 01 23:01:16 oscar nomad[539057]: Code: 400. Errors:
avril 01 23:01:16 oscar nomad[539057]: URL: GET http://active.vault.service.consul:8200/v1/secrets/data/p>

I have created a token role like this:

Key                         Value
---                         -----
allowed_entity_aliases      <nil>
allowed_policies            []
allowed_policies_glob       []
disallowed_policies         [nomad-server]
disallowed_policies_glob    []
explicit_max_ttl            0s
name                        nomad-cluster
orphan                      true
path_suffix                 n/a
period                      0s
renewable                   true
token_explicit_max_ttl      0s
token_no_default_policy     false
token_period                72h
token_type                  default-service

Below is the Nomad policy:


# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}

# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}

# Allow looking up the token passed to Nomad to validate # the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
  capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# Allow our own token to be renewed.
path "auth/token/renew-self" {
  capabilities = ["update"]
}

Here is the Nomad config:


vault {
  enabled          = true
  address          = "http://active.vault.service.consul:8200"
  create_from_role = "nomad-cluster"
  token            = ""
  namespace        = ""
  task_token_ttl   = "1h"
}

And here is my template definition:

"Templates": [
  {
    "ChangeMode": "restart",
    "ChangeSignal": "",
    "DestPath": "local/file.env",
    "EmbeddedTmpl": "        WEBPASSWORD=\"{{with secret \"secrets/data/pihole\"}}{{.Data.data.WEBPASSWORD}}{{end}}\"\n",
    "Envvars": true,
    "LeftDelim": "{{",
    "Perms": "0644",
    "RightDelim": "}}",
    "SourcePath": "",
    "Splay": 5000000000,
    "VaultGrace": 0,
    "Wait": null
  }
]

I don't understand whether I am missing something.
Moreover, when I start my Nomad server
I see that the token renewal works:

avril 01 21:24:04 oscar nomad[539057]:     2022-04-01T21:23:56.389+0200 [DEBUG] nomad.vault: successfully renewed server token
avril 01 21:24:04 oscar nomad[539057]:     2022-04-01T21:23:56.389+0200 [INFO]  nomad.vault: successfully renewed token: next_renewal=35h59m59.999969828s

Here is my Vault audit log:


  "request": {
    "id": "45fa783f-86ec-8f4a-0c19-0bbf5a92620c",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "error": "missing client token"
}
{
  "time": "2022-04-02T13:10:32.577652254Z",
  "type": "response",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "45fa783f-86ec-8f4a-0c19-0bbf5a92620c",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "response": {
    "mount_type": "kv",
    "data": {
      "error": "hmac-sha256:7d2de5c7af93939c9e4d0bc0ee5bea4c450571435b380c7b864d3af3bf0fbd09"
    }
  },
  "error": "1 error occurred:\n\t* invalid request\n\n"
}
{
  "time": "2022-04-02T13:10:34.579484728Z",
  "type": "request",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "beeedfd9-ed0b-689a-f55f-73eb12809537",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "error": "missing client token"
}
{
  "time": "2022-04-02T13:10:34.579659555Z",
  "type": "response",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "beeedfd9-ed0b-689a-f55f-73eb12809537",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "response": {
    "mount_type": "kv",
    "data": {
      "error": "hmac-sha256:7d2de5c7af93939c9e4d0bc0ee5bea4c450571435b380c7b864d3af3bf0fbd09"
    }
  },
  "error": "1 error occurred:\n\t* invalid request\n\n"
}
{
  "time": "2022-04-02T13:10:38.580798818Z",
  "type": "request",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "e2a4f739-b3a6-f9a0-bb30-75625786ea0e",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "error": "missing client token"
}
{
  "time": "2022-04-02T13:10:38.580988035Z",
  "type": "response",
  "auth": {
    "token_type": "default"
  },
  "request": {
    "id": "e2a4f739-b3a6-f9a0-bb30-75625786ea0e",
    "operation": "read",
    "mount_type": "kv",
    "namespace": {
      "id": "root"
    },
    "path": "secrets/data/pihole",
    "remote_address": "192.168.1.40"
  },
  "response": {
    "mount_type": "kv",
    "data": {
      "error": "hmac-sha256:7d2de5c7af93939c9e4d0bc0ee5bea4c450571435b380c7b864d3af3bf0fbd09"
    }
  },
  "error": "1 error occurred:\n\t* invalid request\n\n"

I notice something weird: I don't see any lease under nomad-cluster in the Vault UI. If I have understood correctly, tokens are created under the nomad-cluster role, aren't they?

OK, I found my mistake: I didn't put the vault stanza in my job definition:

    vault {
      policies = ["access-tables"]
    }
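As an added example (this is not the original poster's job file, and not code from the Nomad or Vault projects), here is a complete Nomad job in HCL that puts the missing vault stanza next to the template from the post. The job, group and task names, the datacenter, the docker driver and the image are assumptions chosen for illustration; the policy name `access-tables`, the destination `local/file.env` and the secret path `secrets/data/pihole` come from the post. Without the vault stanza, Nomad never asks Vault for a task token from the `nomad-cluster` role, so the template renderer sends the read with no `X-Vault-Token` header and Vault's audit log records exactly the "missing client token" seen above.

```hcl
# Added example: a Nomad job with the vault stanza that the original job lacked.
# Names marked "assumed" are illustration only.
job "pihole" {                  # assumed job name
  datacenters = ["dc1"]         # assumed datacenter
  type        = "service"

  group "pihole" {              # assumed group name
    task "pihole" {             # assumed task name
      driver = "docker"         # assumed driver

      config {
        image = "pihole/pihole:latest"   # assumed image
      }

      # This stanza is what makes Nomad request a token from the
      # "nomad-cluster" token role (create_from_role in the server config)
      # with the listed policies, and hand it to the template renderer.
      # Without it the template runs unauthenticated and Vault answers
      # 400 "missing client token".
      vault {
        policies    = ["access-tables"]
        change_mode = "restart"   # restart the task if the token changes
        env         = true        # also export VAULT_TOKEN into the task
      }

      # Same template as in the post, expressed in HCL. KV v2 wraps the
      # secret in .Data.data, hence the double "data".
      template {
        destination = "local/file.env"
        env         = true
        change_mode = "restart"
        perms       = "0644"
        data        = <<EOT
WEBPASSWORD="{{ with secret "secrets/data/pihole" }}{{ .Data.data.WEBPASSWORD }}{{ end }}"
EOT
      }
    }
  }
}
```

Two checks worth doing after adding the stanza. First, the `access-tables` policy must actually grant `read` on `secrets/data/pihole` (the KV v2 data path, not `secrets/pihole`); Nomad only passes the policy name through, it does not create it. Second, Nomad writes the task token to `secrets/vault_token` inside the allocation, so `vault token capabilities $(cat secrets/vault_token) secrets/data/pihole` run from the task directory should list `read`; if it does not, the problem is the policy, not the Nomad integration. Also note that the role shown in the post has an empty `allowed_policies`, which in Vault means any policy except those in `disallowed_policies` can be requested by a job; listing the job policies explicitly in `allowed_policies` keeps a job author from minting a token with a broader policy than intended.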