b
I am running into more issues around using Azure Managed Identities. I have a VM with a system-assigned managed identity from which I can easily sign in to az cli and create secrets using some code like this:
az login --identity
az keyvault secret set --name <secret_name> --vault-name <vault_name>
On the Key Vault, the managed identity has been given Reader and Key Vault Secrets Officer. (Key Vault is set to RBAC.) Since I can run the above statements from the associated VM with success, I assume access is working. Yet enabling Pulumi to utilize the managed identity always returns the following error:
error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<client obj id>' with object id <client obj id>' does not have authorization to perform action 'Microsoft.KeyVault/vaults/secrets/write' over scope '/subscriptions/<subscription>/resourceGroups/<resource group>/providers/Microsoft.KeyVault/vaults/<vault_name>/secrets/<secret name>' or the scope is invalid. If access was recently granted, please refresh your credentials."
I checked all the object IDs and paths a million times by now but cannot find any inconsistencies. Pulumi's Python SDK is utilized and the following variables are set as env_vars for LocalWorkspaceOptions:
...
# env_vars values must be strings (LocalWorkspaceOptions expects Mapping[str, str])
'ARM_USE_MSI': 'true',
'ARM_SUBSCRIPTION_ID': '<subscription>',
...
Can anyone point me to what I am missing here?
b
Okay, overlooked this: "(Key Vault is set to RBAC)".
One thing that popped up in my mind: add the RBAC assignment as a dependency to the resources which try to read/write the Key Vault. Sounds like a race condition.
b
Thx for the comment 🙂 I figured the issue was due to the permissions granted on the Key Vault. Should have found it earlier really, but besides Key Vault Secrets Officer you need to also assign something like Key Vault Contributor. Given the fact that the CLI worked, I assumed the permissions were fine, but I guess Pulumi's process performs some step in between that requires these additional privileges.
b
IaC tools like Pulumi or Terraform try to perform as many tasks as possible in parallel after they have done a topological sort of the resources according to their dependencies. Sometimes, as a practitioner, you have to set explicit dependencies if they're not obvious, like referencing an output of one resource in another resource. Azure Key Vault with its RBAC roles and access policies is especially a candidate for such explicit dependencies when you deploy permission assignments together with changes to secrets, keys or certificates in one single state.
b
How would that affect my setup? To clarify: the Key Vault I am accessing is not created through Pulumi, therefore I do not see how that would impact my use case 🙂