Vault integration with job-provided Vault tokens

Hi :wave:

I have a couple of questions regarding the Vault integration with `allow_unauthenticated = false` set.

With it set to false, you are required to pass a Vault token when submitting jobs. This Vault token, I assume, needs to have all of the required permissions that any templates require, such as reading a secret from KV if it's used within a template in the job spec. I am also assuming you still need to define a `vault` block with the list of policies to use; is that correct?

Following this, assuming the previous assumptions are correct (lots of assumptions here…), is there a need for the Nomad servers to have a Vault token allowing them to generate tokens for jobs? Assuming that you are providing a Vault token in the job, then I don’t see the use for these server tokens? As a further extension, if jobs are providing their own token, is there even a need for the integration to be enabled?

I think most of these questions are just me not understanding exactly how the Vault integration is intended to work outside of giving Nomad the ability to generate tokens for jobs…