# azure
c
I've been struggling with setting up a keyvault backed pulumi for hours now, I can never get past the stack creation process due to the following error:
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=[REDACTED];oid=[REDACTED];iss=https://sts.windows.net/[REDACTED]/
Action: 'Microsoft.KeyVault/vaults/keys/encrypt/action'
Resource: '/subscriptions/[REDACTED]/resourcegroups/[REDACTED]/providers/microsoft.keyvault/vaults/[REDACTED]/keys/pulumi'
Assignment: (not found)
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: [REDACTED];location=[REDACTED]" InnerError={"code":"ForbiddenByRbac"}
After trying everything I can think of, I've now assigned the service principal as Owner of the key vault, and I still get the same error. Any ideas what I'm doing wrong? Command:
pulumi new \
    --secrets-provider="azurekeyvault://xxxxxxxxx.vault.azure.net/keys/xxxx" \
    azure-typescript
Environment vars:
AZURE_STORAGE_ACCOUNT=[REDACTED]
AZURE_STORAGE_KEY=[REDACTED]
AZURE_CLIENT_ID=[REDACTED]
AZURE_CLIENT_SECRET=[REDACTED]
AZURE_TENANT_ID=[REDACTED]
b
how are you authing to azure?
c
I'm logged in via the az CLI, but the variables mentioned above are set to the service principal I created.
b
specifically:
az keyvault set-policy --name pulumi --object-id $YOUR_OBJECT_ID --key-permissions decrypt get create delete list update import backup restore recover encrypt
c
It uses RBAC authentication...
do I need to switch to using policies instead?
b
well that’s how I’ve had it working before, but likely your RBAC is not correct:
ForbiddenByRbac - is pretty clear
c
it sure is 🙂
I'll give it a try
thank you 💐 Switching to policy-based worked like a charm!