From 279ee8132b102dae960dcb2d5d14473ec537d383 Mon Sep 17 00:00:00 2001
From: Alex Dadgar <alex.dadgar@gmail.com>
Date: Wed, 21 Sep 2016 11:14:09 -0700
Subject: [PATCH] Fix VaultPolicies returning non-empty map when there are no
 policies

---
 nomad/node_endpoint_test.go | 2 +-
 nomad/structs/structs.go    | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go
index 099bd2ae2..06b2bf82e 100644
--- a/nomad/node_endpoint_test.go
+++ b/nomad/node_endpoint_test.go
@@ -1844,7 +1844,7 @@ func TestClientEndpoint_DeriveVaultToken_Bad(t *testing.T) {
 
 	// Now we should get an error about the job not needing any Vault secrets
 	err = msgpackrpc.CallWithCodec(codec, "Node.DeriveVaultToken", req, &resp)
-	if err == nil || !strings.Contains(err.Error(), "without defined Vault") {
+	if err == nil || !strings.Contains(err.Error(), "does not require") {
 		t.Fatalf("Expected no policies error: %v", err)
 	}
 
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index dad219bca..75c43c14f 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -1277,7 +1277,6 @@ func (j *Job) VaultPolicies() map[string]map[string]*Vault {
 
 	for _, tg := range j.TaskGroups {
 		tgPolicies := make(map[string]*Vault, len(tg.Tasks))
-		policies[tg.Name] = tgPolicies
 
 		for _, task := range tg.Tasks {
 			if task.Vault == nil {
@@ -1286,6 +1285,10 @@ func (j *Job) VaultPolicies() map[string]map[string]*Vault {
 
 			tgPolicies[task.Name] = task.Vault
 		}
+
+		if len(tgPolicies) != 0 {
+			policies[tg.Name] = tgPolicies
+		}
 	}
 
 	return policies