No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I'm logged in via the AZ cli, but the variables mentioned above are set to the service principal I created

have you set the key permissions correctly?
<https://github.com/pulumi/examples/tree/master/secrets-provider/azure#create-an-azure-keyvault-key>

specifically:
```az keyvault set-policy --name pulumi --object-id $YOUR_OBJECT_ID --key-permissions decrypt get create delete list update import backup restore recover encrypt```

do I need to switch to using policies instead?

well that’s how I’ve had it working before, but likely your RBAC is not correct:
`ForbiddenByRbac` - is pretty clear

thank you :bouquet: switching to policy-based worked like a charm!