Set policy to access secrets in your Key Vault
Hi, please can someone help me with how to fix this error?
I am using the Secrets Store CSI Driver to mount secrets and certificates from Azure Key Vault to pods in my AKS cluster.
The whole process runs via a CI/CD pipeline (GitHub Actions).
My first job enables the Secrets Store CSI Driver on my existing cluster.
My second job depends on the first job and sets the access policy on the key vault, and this is where I have the error:
ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: Insufficient privileges to complete the operation.
azure.cli.core.azclierror.HTTPError: Forbidden(***"error":***"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."
This is an extract of my second job:

enable-key-vault-access:
  runs-on: [self-hosted, linux]
  environment: ${{ inputs.ENVIRONMENT }}
  steps:
    - name: Azure Login
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - name: connect to key Vault
      run: |
        # Client ID of the identity created by the Key Vault secrets provider add-on
        MI_CLIENT_ID=$(az aks show -g ${{ secrets.aks_rg }} -n ${{ secrets.aks_name }} --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv)
        # Grant that identity get access to secrets, certificates and keys
        az keyvault set-policy -n ${{ secrets.keyvault }} --secret-permissions get --spn "$MI_CLIENT_ID"
        az keyvault set-policy -n ${{ secrets.keyvault }} --certificate-permissions get --spn "$MI_CLIENT_ID"
        az keyvault set-policy -n ${{ secrets.keyvault }} --key-permissions get --spn "$MI_CLIENT_ID"

$MI_CLIENT_ID is the value of my User Managed Identity from the first job.
Everything works fine when I set the policy outside of the CI/CD pipeline from my VS Code terminal, but when I do the same thing in the pipeline I have this error. Any idea on how to fix this error? Thank you