No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Ah, this is because there are two models of access control on Azure Key Vault: built-in policies (as deployed by the example you followed), and Azure Active Directory. The roles `Key Vault Crypto Officer` and `Key Vault Secrets Officer` are Azure Active Directory roles, not built-in Key Vault roles. You will need to:

1. Set `enableRbacAuthorization` to true on the Key Value Properties (<https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/#enablerbacauthorization_csharp|see here>)
2. Add your user account/service principal/managed identity to the two Key Vault roles using <https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/roleassignment/|authorization.RoleAssignment>. Note the `RoleAssignmentName` property is a GUID/UUID, not the human-readable name. You can get the values for this property from <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles|the Azure docs>.
3. Remove the access policy defintion from the key vault

Thank you so much :slightly_smiling_face: