# azure
s
This message was deleted.
g
Are you using azure or azure-native? One thing to try would be to `pulumi import ...` an existing KeyVault and see what properties it prints out. But ultimately this sounds like a bug - would you mind opening a GitHub issue?
f
Have you used azure-native (it is quite compatible with the azure "legacy")? We use keyvault policies there without issues.
l
@famous-leather-94346, yes, we are using azure-native. Are you creating policies for AD `Applications`? Policies for `Users` work fine.
f
@lemon-chef-20322 Do you create links for policies via service principals? I don't think a direct link to an application works properly. I.e.:
```python
properties=keyvault.VaultPropertiesArgs(
    access_policies=[
        keyvault.AccessPolicyEntryArgs(
            object_id=service_principal.id, # <-- service principal link
            permissions=keyvault.PermissionsArgs(
                keys=[
                    keyvault.KeyPermissions.GET,
                    keyvault.KeyPermissions.CREATE,
                    keyvault.KeyPermissions.DELETE,
                    keyvault.KeyPermissions.PURGE,
                ],
                secrets=[
                    keyvault.SecretPermissions.SET,
                    keyvault.SecretPermissions.DELETE,
                    keyvault.SecretPermissions.PURGE,
                    keyvault.SecretPermissions.LIST,
                ],
            ),
            tenant_id=tenant_id,
        ),
...
```