# azure
Hi, I'm trying to set up a second provider using `azure-native` for another subscription. Within a single stack I want to add secrets to Key Vaults that exist in two separate subscriptions. Authentication is based on a service principal and everything works for a single subscription (client id and secret are passed via env variables). Then I try to add a Secret in the second subscription:
```csharp
using Pulumi;
using Pulumi.AzureNative.KeyVault;
using Pulumi.AzureNative.KeyVault.Inputs;

// Secret in the second subscription, created through an explicit provider
// that only overrides SubscriptionId; credentials still come from env vars.
new Secret("test", new SecretArgs()
{
    ResourceGroupName = keyVaultResourceGroup,
    VaultName = keyVaultName,
    Properties = new SecretPropertiesArgs()
    {
        Value = "value"
    }
},
new CustomResourceOptions()
{
    Provider = new Pulumi.AzureNative.Provider("azure-native1", new Pulumi.AzureNative.ProviderArgs()
    {
        SubscriptionId = "<redacted>"
    })
});
```
And I get the following error:

```text
azure-native:keyvault:Secret (test):
    error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<redacted>' with object id '<redacted>' does not have authorization to perform action 'Microsoft.KeyVault/vaults/secrets/write' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.KeyVault/vaults/<redacted>/secrets/test' or the scope is invalid. If access was recently granted, please refresh your credentials."
```
It's not about permissions: I've used `az keyvault secret set` with the same service principal and key vault and it worked. Is it something with the access token and its audience?
I had to give `Contributor` permission on the KV. Originally I gave `Key Vault Secret Officer`, which was sufficient for az cli but not for Pulumi. I'm not sure how it works.
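The 403 names a control-plane (ARM) action, `Microsoft.KeyVault/vaults/secrets/write`, whereas `az keyvault secret set` talks to the vault's data plane, so a role that only carries `DataActions` for secrets cannot satisfy it; the helper below, added here and not part of this thread, evaluates a role definition's Actions/NotActions and DataActions/NotDataActions against that action so you can see which plane a role actually covers before reaching for Contributor. The role JSON is a constructed, trimmed sample in the shape of `az role definition list` output (modelled on the built-in "Key Vault Secrets Officer" and "Contributor" roles; verify against your tenant's real output), and `role_allows`/`explain` are names chosen here.

```python
import fnmatch
import json

# Constructed sample shaped like `az role definition list` output, trimmed to
# the fields that matter. Replace with the real JSON from your tenant.
ROLE_DEFINITIONS_JSON = """
[
  {"roleName": "Key Vault Secrets Officer",
   "permissions": [{"actions": ["Microsoft.Authorization/*/read",
                                "Microsoft.Resources/deployments/*",
                                "Microsoft.Resources/subscriptions/resourceGroups/read"],
                    "notActions": [],
                    "dataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
                    "notDataActions": []}]},
  {"roleName": "Contributor",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write"],
                    "dataActions": [],
                    "notDataActions": []}]}
]
"""

# The control-plane action quoted in the 403 above.
REQUIRED_ACTION = "Microsoft.KeyVault/vaults/secrets/write"


def _matches(patterns, action):
    # Azure RBAC wildcards: '*' matches any run of characters, '/' included.
    # Matching is case-insensitive, so normalise both sides.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def role_allows(role, action, data_plane=False):
    """True if the role grants `action` on the chosen plane (allow minus NotActions)."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for perm in role["permissions"]:
        if (_matches(perm.get(allow_key, []), action)
                and not _matches(perm.get(deny_key, []), action)):
            return True
    return False


def explain(roles, action):
    """Map each role name to whether it covers `action` on the control and data planes."""
    return {r["roleName"]: {"control_plane": role_allows(r, action),
                            "data_plane": role_allows(r, action, data_plane=True)}
            for r in roles}


if __name__ == "__main__":
    for name, planes in explain(json.loads(ROLE_DEFINITIONS_JSON), REQUIRED_ACTION).items():
        print(f"{name}: {planes}")
```

The same evaluation is worth running on any narrower control-plane role you consider instead of Contributor, since only the `actions` list, not `dataActions`, decides whether an ARM-routed write like this one succeeds.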