diff --git a/client/allocrunner/csi_hook.go b/client/allocrunner/csi_hook.go index dd41c3dd7ec..1b03d301f19 100644 --- a/client/allocrunner/csi_hook.go +++ b/client/allocrunner/csi_hook.go @@ -96,7 +96,10 @@ func (c *csiHook) Postrun() error { Mode: structs.CSIVolumeClaimRelease, }, WriteRequest: structs.WriteRequest{ - Region: c.alloc.Job.Region, Namespace: c.alloc.Job.Namespace}, + Region: c.alloc.Job.Region, + Namespace: c.alloc.Job.Namespace, + AuthToken: c.ar.clientConfig.Node.SecretID, + }, } err := c.rpcClient.RPC("CSIVolume.Unpublish", req, &structs.CSIVolumeUnpublishResponse{}) @@ -156,8 +159,12 @@ func (c *csiHook) claimVolumesFromAlloc() (map[string]*volumeAndRequest, error) AllocationID: c.alloc.ID, NodeID: c.alloc.NodeID, Claim: claimType, + WriteRequest: structs.WriteRequest{ + Region: c.alloc.Job.Region, + Namespace: c.alloc.Job.Namespace, + AuthToken: c.ar.clientConfig.Node.SecretID, + }, } - req.Region = c.alloc.Job.Region var resp structs.CSIVolumeClaimResponse if err := c.rpcClient.RPC("CSIVolume.Claim", req, &resp); err != nil { diff --git a/nomad/csi_endpoint_test.go b/nomad/csi_endpoint_test.go index d372e080df2..4053d020ad1 100644 --- a/nomad/csi_endpoint_test.go +++ b/nomad/csi_endpoint_test.go @@ -404,6 +404,13 @@ func TestCSIVolumeEndpoint_ClaimWithController(t *testing.T) { err = msgpackrpc.CallWithCodec(codec, "CSIVolume.Claim", claimReq, claimResp) // Because the node is not registered require.EqualError(t, err, "controller publish: attach volume: No path to node") + + // The node SecretID is authorized for all policies + claimReq.AuthToken = node.SecretID + claimReq.Namespace = "" + claimResp = &structs.CSIVolumeClaimResponse{} + err = msgpackrpc.CallWithCodec(codec, "CSIVolume.Claim", claimReq, claimResp) + require.EqualError(t, err, "controller publish: attach volume: No path to node") } func TestCSIVolumeEndpoint_Unpublish(t *testing.T) {
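Review bot: The `WriteRequest` literal carrying `AuthToken: c.ar.clientConfig.Node.SecretID` is now built by hand twice, in `Postrun` and again in `claimVolumesFromAlloc`, and nothing at either site says that this field is the node's credential. A small private helper on `csiHook` that returns the `structs.WriteRequest` (the call sites would become something like `WriteRequest: c.writeRequest(),`, name suggested) would keep region, namespace and token in step for any CSI RPC added to this hook later. It would also give one place for a comment such as `// AuthToken is the node secret, a credential: never log req or put it in error text.` The chain `c.ar.clientConfig.Node` is dereferenced without a nil check; that is presumably safe once the client has registered, but the hook's construction is not visible here, so confirm it. Both function bodies start and end outside their hunks.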
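Review bot: The block added to `TestCSIVolumeEndpoint_ClaimWithController` only shows that a claim with `claimReq.AuthToken = node.SecretID` and an empty namespace gets as far as the controller-publish error; it never shows a token being refused. Add the negative case next to it: a claim whose `AuthToken` is neither an ACL token nor a registered node's secret should fail with the permission-denied error instead of reaching `controller publish`. The server setup is outside the hunk, so confirm that ACLs are enabled in this test, otherwise the new assertion would pass with any token. The comment `// The node SecretID is authorized for all policies` should also state the scope: if the endpoint accepts a node secret for any namespace, say whether it checks that the secret belongs to the node named in the claim's `NodeID`.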