diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go
index 099bd2ae2..06b2bf82e 100644
--- a/nomad/node_endpoint_test.go
+++ b/nomad/node_endpoint_test.go
@@ -1844,7 +1844,7 @@ func TestClientEndpoint_DeriveVaultToken_Bad(t *testing.T) {
 
 	// Now we should get an error about the job not needing any Vault secrets
 	err = msgpackrpc.CallWithCodec(codec, "Node.DeriveVaultToken", req, &resp)
-	if err == nil || !strings.Contains(err.Error(), "without defined Vault") {
+	if err == nil || !strings.Contains(err.Error(), "does not require") {
 		t.Fatalf("Expected no policies error: %v", err)
 	}
 
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index dad219bca..75c43c14f 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -1277,7 +1277,6 @@ func (j *Job) VaultPolicies() map[string]map[string]*Vault {
 
 	for _, tg := range j.TaskGroups {
 		tgPolicies := make(map[string]*Vault, len(tg.Tasks))
-		policies[tg.Name] = tgPolicies
 
 		for _, task := range tg.Tasks {
 			if task.Vault == nil {
@@ -1286,6 +1285,10 @@ func (j *Job) VaultPolicies() map[string]map[string]*Vault {
 
 			tgPolicies[task.Name] = task.Vault
 		}
+
+		if len(tgPolicies) != 0 {
+			policies[tg.Name] = tgPolicies
+		}
 	}
 
 	return policies