This message was deleted.

what field in the access policy are you setting? AccessPolicy constructor will take inputs so the direct assignment should work. If the destination needs a string then assigning it an apply won’t work. You will have to enclose the assignment inside the apply. i.e.

self.identity.principal_id.apply(lambda v: AccessPolicy(…: v))

The line where I'm setting it is (part of creating a list of policies, it's not the only one):

access_policies = [  
...,
azure.keyvault.AccessPolicyEntryArgs(object_id=storage_account_id,tenant_id=tenant_id,permissions=azure.keyvault.PermissionsArgs(
               keys=DEFAULT_SA_KEY_PERMISSIONS)
            )
]

self.akv = azure.keyvault.Vault(resource_name=name,
                                            resource_group_name=resource_group_name,
                                            location=location,
                                            properties=azure.keyvault.VaultPropertiesArgs(                                             ...                                         access_policies=access_policies,...)

The variable in question is "storage_account_id" which is ultimately created (and then passed on) here:

self.identity = azure.managedidentity.UserAssignedIdentity(resource_name=id_name,
                                                                   resource_name_=id_name,
                                                                   location=location,
                                                                   resource_group_name=rg_name,
                                                                   opts=opts,
                                                                   tags=tags)

        self.principal_id = self.identity.principal_id.apply(lambda v: v or "<preview>")