Unable to execute "nomad alloc logs..." with ACL token that has "write" policy #6086

Closed
blairnangle opened this issue Aug 7, 2019 · 4 comments

Comments

@blairnangle

blairnangle commented Aug 7, 2019

I am using Vault for secrets management to generate short-lived Nomad ACL tokens with which my deployment agent can authenticate against Nomad:

vault read -field=secret_id nomad/creds/deployment-agent

My ACL policy is:

namespace "default" {
  policy = "write"
}

I am using my deployment agent to submit Nomad jobs for deployment:

nomad job run {{ temp_directory.path }}/{{ service_name }}.nomad

Both of the above steps work as expected. However, when I try to get the logs of a failed Nomad deployment using

nomad alloc logs -token {{ nomad_token.stdout }} -job {{ service_name }} {{ task_name }}

I am getting

"Error reading file: Unexpected response code: 403 (Permission denied)"

According to the Nomad documentation, the "write" policy includes the "read-logs" capability, so I don't understand why I am unable to get the logs using the same token with which I am able to submit a job.

Notes

  • I was unable to get the logs after updating the policy to explicitly include the "read-logs" capability (as well as the "write" policy)
  • I was able to get the logs using the root/bootstrap ACL token

@blairnangle
Author

I found that adding a "read" policy for node in my ACL policy did the trick:

namespace "default" {
  policy = "write"
}

node {
  policy = "read"
}
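
A small pre-flight check for the gap hit in this issue, added here as an example (not code from the Nomad project or from the reporter): it parses the HCL subset used in the policies above and reports why `nomad alloc logs` would be denied. Its only assumption beyond the issue text is the documented fact the reporter cites, that a namespace policy of "write" implies the "read-logs" capability.

```python
import re

# Only the capability relevant to `alloc logs` is modelled here: per the Nomad
# docs quoted in this issue, namespace policy "write" implies "read-logs".
NAMESPACE_POLICY_IMPLIES = {"write": {"read-logs"}, "read": set(), "deny": set()}

# HCL subset: `namespace "name" { ... }` and `node { ... }` blocks without nesting.
BLOCK_RE = re.compile(
    r'(?P<kind>namespace|node)\s*(?:"(?P<name>[^"]*)"\s*)?\{(?P<body>.*?)\}', re.S
)
POLICY_RE = re.compile(r'policy\s*=\s*"([^"]+)"')
CAPS_RE = re.compile(r'capabilities\s*=\s*\[(.*?)\]', re.S)


def parse_policy(hcl: str) -> dict:
    """Extract namespace and node rules from a Nomad ACL policy document."""
    parsed = {"namespaces": {}, "node": None}
    for m in BLOCK_RE.finditer(hcl):
        body = m.group("body")
        pol = POLICY_RE.search(body)
        caps = CAPS_RE.search(body)
        entry = {
            "policy": pol.group(1) if pol else None,
            "capabilities": set(re.findall(r'"([^"]+)"', caps.group(1))) if caps else set(),
        }
        if m.group("kind") == "namespace":
            parsed["namespaces"][m.group("name") or "default"] = entry
        else:
            parsed["node"] = entry
    return parsed


def check_alloc_logs(hcl: str, namespace: str = "default") -> list:
    """Return the reasons `nomad alloc logs` would get a 403 under this policy."""
    p = parse_policy(hcl)
    problems = []
    ns = p["namespaces"].get(namespace)
    if ns is None:
        problems.append(f"no rule for namespace {namespace!r}")
    else:
        caps = ns["capabilities"] | NAMESPACE_POLICY_IMPLIES.get(ns["policy"], set())
        if "read-logs" not in caps:
            problems.append(f"namespace {namespace!r} lacks read-logs")
    # The fix found in this issue: alloc logs also needs at least node read.
    node = p["node"]
    if node is None or node["policy"] not in ("read", "write"):
        problems.append("node policy must be at least read (the 403 in this issue)")
    return problems
```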

@langmartin
Contributor

Here is another report of the same issue, with some context that explains why read is required: #5754

@blairnangle
Author

Thank you, @langmartin. That explains the issue I was having.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2022