i'm creating the vault and then don't have access to create a secret in it

I don't think there's any public examples - but I've worked with a couple folks who have been doing this in their projects. I believe the permissions for access to KeyVault are separate from access to the Graph APIs needed for most ARM resources. So you may need to provide your service principal doing the deployments with additional permissions?