diff --git a/vault/policies/nomad-server-policy.hcl b/vault/policies/nomad-server-policy.hcl
new file mode 100644
index 0000000..a4104b4
--- /dev/null
+++ b/vault/policies/nomad-server-policy.hcl
@@ -0,0 +1,30 @@
+# Allow creating tokens under "nomad-cluster" role.
+path "auth/token/create/nomad-cluster" {
+ capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" role.
+path "auth/token/roles/nomad-cluster" {
+ capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting.
+path "auth/token/lookup" {
+ capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist.
+path "auth/token/revoke-accessor" {
+ capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token.
+path "sys/capabilities-self" {
+ capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+ capabilities = ["update"]
+}
diff --git a/vault/roles/nomad-cluster-role.json b/vault/roles/nomad-cluster-role.json
new file mode 100644
index 0000000..60557a5
--- /dev/null
+++ b/vault/roles/nomad-cluster-role.json
@@ -0,0 +1,8 @@
+{
+ "disallowed_policies": "nomad-server,root",
+ "token_explicit_max_ttl": 0,
+ "name": "nomad-cluster",
+ "orphan": true,
+ "token_period": 259200,
+ "renewable": true
+}
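Review bot: The policy has no header stating which token it is meant for or that the role name `nomad-cluster` it hard-codes in `auth/token/create/nomad-cluster` and `auth/token/roles/nomad-cluster` must match the role written from vault/roles/nomad-cluster-role.json; a drift between the two files silently leaves the server unable to mint job tokens. The `update` grant on `auth/token/lookup` also lets the holder look up any token ID it is handed, not only ones it created, which the per-path comment should say outright so a later reviewer does not narrow it to `lookup-self` by mistake. A top-of-file comment along the lines of `# Attach to the Vault token handed to Nomad servers; the role name below must match the "name" in roles/nomad-cluster-role.json and that role's disallowed_policies should keep this policy (nomad-server) out of reach of derived tokens.` would capture both points.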
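Review bot: The role sets only `"disallowed_policies": "nomad-server,root"` and no `allowed_policies`, so a token created under it may request any other policy that exists in Vault; whoever can submit a job to Nomad can therefore obtain any policy not on that two-entry deny list. Unless every other policy is intended to be reachable, an explicit allow-list is the safer default, e.g. `"allowed_policies": "<constructed: comma-separated job policy names>",` with `disallowed_policies` kept as defence in depth. Worth stating in the commit or an adjacent README that `"token_explicit_max_ttl": 0` plus `"token_period": 259200` makes the tokens periodic and renewable without a hard expiry, and `"orphan": true` means they survive revocation of the Nomad server's own token, so revocation relies on the `revoke-accessor` grant in the companion policy. The `"name"` key appears redundant with the role path, which I infer from the policy file's `auth/token/roles/nomad-cluster` and cannot confirm from this diff.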