I actually started this forum post when I also sent the reply above. I have my findings detailed there.
The tldr; version is:
I discovered that it is actually doing some sort of chroot.
Asterisk does in fact run as ‘asterisk’.
The dialplan executes a script as System(/var/lib/asterisk/bin/makevmal.sh parameter1 param2 … param8).
The script above I pieced together from an article I found in 2013 and another person’s post from 2016, which sends a voicemail to Google Voice API for Speech to Text, and then includes the contents in the body of the email that is sent out, with an MP3 attachment.
In the script, I added a line that does “echo $USER” so that I can see who is running it, which it always reported root… even though it is executed by Asterisk, running as ‘asterisk’. This execution method doesn’t have root access, so I had to add asterisk to the list of suders with the commands in the script that require elevation. Then, and only then, did it actually work.
The real headache was the fact that when I run the script as root or as the asterisk (su asterisk, and then ran the script), I never had a problem. So something with how the script was executed by Asterisk was locked down. Either way, adding to sudoers with those commands and adding sudo in front of those commands in the script resolved the problem for me.