Hi folks, I used to do this with the classic Azure provider to give the provisioned app access to a central KeyVault:

// Get a reference to our centralized key vault service which lives
// in another resource group. The key vault service itself is not created or maintained
// by this program.
var keyVault =
	await GetKeyVault.InvokeAsync(
		new GetKeyVaultArgs()
		{
			ResourceGroupName = centralResourceGroupName,
			Name = keyVaultName
		}).ConfigureAwait(false);

// Create an access policy in the key vault to allow the function app to read
// keys, secrets and certificates.
var keyVaultAccessPolicy = new AccessPolicy(
	$"orgflow-licensing-{stackName}-keyVaultPolicy",
	new AccessPolicyArgs()
	{
		TenantId = app.Identity.Apply(x => x.TenantId!),
		ObjectId = app.Identity.Apply(x => x.PrincipalId!),
		KeyPermissions = { "get", "sign" },
		SecretPermissions = { "get" },
		KeyVaultId = keyVault.Id
	});

I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?

Azure API is bizarre there, so we can’t map it automatically. Tracked in https://github.com/pulumi/pulumi-azure-native/issues/594

Yeah, to be honest this was enough for me to switch to rbac 😄