Hi, I am having trouble with some Azure permission...
# azure
Hi, I am having trouble with some Azure permissions for Pulumi. I have a Python script which executes in two subscriptions; accessing the second subscription fails despite the app registration having contributor access to both subs. This is the error:
Exception: invoke of azure-native:storage:listStorageAccountKeys failed: invocation of azure-native:storage:listStorageAccountKeys returned an error: request failed /subscriptions/#######-####-####-####-##########/resourceGroups/rg-core-westeurope-management-81fc415a/providers/Microsoft.Storage/storageAccounts/filesad2a48ab/listKeys: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'my.email@domain.com' with object id 'dd9058c3-b6eb-4368-9a1c-3572f102d292' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/#######-####-####-####-##########/resourceGroups/rg-core-westeurope-management-81fc415a/providers/Microsoft.Storage/storageAccounts/filesad2a48ab' or the scope is invalid. If access was recently granted, please refresh your credentials."
I've tried refreshing credentials as it says. I'm sure it has the right permissions. The client is my Azure account, which only had read access over these resources. If I provide myself with full access, then this works, but that is not the solution. Does anyone know where to go from here?