Hi, I'm trying to setup second provider using `azu...
# azure
Hi, I'm trying to set up a second provider using
for another subscription. Within a single stack I want to add secrets to Key Vaults that exist in two separate subscriptions. Authentication is based on a service principal and everything works for a single subscription (client id and secret are passed via env variables). Then I'm trying to add a Secret in the second subscription:

```csharp
new Secret("test", new SecretArgs
{
    ResourceGroupName = keyVaultResourceGroup,
    VaultName = keyVaultName,
    Properties = new SecretPropertiesArgs
    {
        Value = "value",
    },
}, new CustomResourceOptions
{
    // explicit provider pointing at the second subscription
    Provider = new Pulumi.AzureNative.Provider("azure-native1", new Pulumi.AzureNative.ProviderArgs
    {
        SubscriptionId = "<redacted>",
    }),
});
```
And I get the following error:

```
azure-native:keyvault:Secret (test):
    error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<redacted>' with object id '<redacted>' does not have authorization to perform action 'Microsoft.KeyVault/vaults/secrets/write' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.KeyVault/vaults/<redacted>/secrets/test' or the scope is invalid. If access was recently granted, please refresh your credentials."
```
It's not about permissions, I've used `az keyvault secret set` using the same service principal and key vault and it worked. Is it something with the access token and its audience?
I had to give a
permission to the KV. Originally, I gave `Key Vault Secret Officer`, which was sufficient for az cli, but not for pulumi. I'm not sure how it works.
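The pattern the thread is after, as an added example (not the poster's code and not from the Pulumi project): one explicit `azure-native` provider per extra subscription, and each `Secret` bound to the provider for the subscription its vault lives in. Resource group, vault and subscription names are placeholders. The comment on `WriteSecret` records the reason behind the 403 in the thread: `azure-native` creates `Microsoft.KeyVault/vaults/secrets` through the ARM control-plane API, so the action `Microsoft.KeyVault/vaults/secrets/write` is checked against control-plane role assignments (for example Key Vault Contributor) on the vault in *each* subscription, whereas `az keyvault secret set` talks to the vault's data plane, where a data-plane role such as Key Vault Secrets Officer is enough. The secret value is wrapped with `Output.CreateSecret` so it is encrypted in the stack state rather than stored in plaintext.

```csharp
using System.Threading.Tasks;
using Pulumi;
using Pulumi.AzureNative.KeyVault;
using Pulumi.AzureNative.KeyVault.Inputs;
using AzureNative = Pulumi.AzureNative;

// Added example: write one secret into a vault in each of two subscriptions
// from a single Pulumi stack. All names and ids below are placeholders.
class MultiSubscriptionStack : Stack
{
    public MultiSubscriptionStack()
    {
        // Subscription A uses the default provider (credentials and subscription
        // taken from the environment / stack config).
        // Subscription B gets an explicit provider: client id and secret still come
        // from the environment, only the subscription id is overridden.
        var subscriptionB = new AzureNative.Provider("azure-native-sub-b", new AzureNative.ProviderArgs
        {
            SubscriptionId = "<subscription-b-id>", // placeholder
        });

        var secretA = WriteSecret("secret-a", "rg-a", "kv-a", "value-a", provider: null);
        var secretB = WriteSecret("secret-b", "rg-b", "kv-b", "value-b", provider: subscriptionB);

        SecretIdA = secretA.Id;
        SecretIdB = secretB.Id;
    }

    [Output] public Output<string> SecretIdA { get; set; }
    [Output] public Output<string> SecretIdB { get; set; }

    // azure-native manages Microsoft.KeyVault/vaults/secrets via the ARM control plane,
    // so the service principal needs a control-plane role (e.g. Key Vault Contributor)
    // on the target vault in every subscription it writes to. A data-plane role such as
    // Key Vault Secrets Officer only covers the vault.azure.net API that `az keyvault
    // secret set` uses, which is why the CLI succeeded while Pulumi returned 403.
    private static Secret WriteSecret(string name, string resourceGroup, string vaultName,
        string value, ProviderResource? provider)
    {
        // Only attach CustomResourceOptions when a non-default provider is requested.
        var options = provider is null ? null : new CustomResourceOptions { Provider = provider };

        return new Secret(name, new SecretArgs
        {
            ResourceGroupName = resourceGroup,
            VaultName = vaultName,
            SecretName = name,
            Properties = new SecretPropertiesArgs
            {
                // Mark the value as a Pulumi secret so it is encrypted in state.
                Value = Output.CreateSecret(value),
            },
        }, options);
    }
}

class Program
{
    static Task<int> Main() => Deployment.RunAsync<MultiSubscriptionStack>();
}
```

Before running `pulumi up`, confirm the service principal's role assignments on each vault scope (the scope string from the error message is exactly what to check): the assignment must include the control-plane `Microsoft.KeyVault/vaults/secrets/write` action, not just data-plane secret permissions.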