Hi @Richard Barraclough,
Please confirm that the Microsoft.KeyVault/vaults/write permissions are assigned at the subscription scope level and not just at the resource group or resource level. The action requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of Owner and User Access Administrator roles at the subscription level, or can be added as a custom role. https://video2.skills-academy.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#enable-azure-rbac-permissions-on-key-vault
To add the permissions at the subscription level, you can search for the application/SPN name with client ID: 'f6f....'
Then, navigate to the subscription > Choose the subscription > Add Role assignment > Owner (or User Access Administrator) > assign to the application service principal:
Or you can add the permissions via Azure CLI (using a built-in or custom role), as described here: https://video2.skills-academy.com/en-us/azure/cosmos-db/managed-identity-based-authentication?tryIt=true&source=docs#code-try-1
Let me know if this helps and if you still face the issue.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
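One way to check the two conditions in the answer above (the role must include `Microsoft.Authorization/roleAssignments/write`, and it must be assigned at subscription scope) against JSON in the shape returned by `az role assignment list --all --assignee <id>`. This is an added example, not part of the original answer; the IDs, the resource group name, the simplified role definitions and the reading of "unrestricted" as "no assignment condition" are assumptions.

```python
import fnmatch

NEEDED = "Microsoft.Authorization/roleAssignments/write"

# Constructed, simplified copies of three built-in role definitions
# (same shape as the "permissions" entries of `az role definition list`).
ROLE_DEFS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"]},
}

def _matches(patterns, action):
    # Action strings are case-insensitive; "*" is a wildcard that spans "/".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role_name, action=NEEDED):
    role = ROLE_DEFS.get(role_name)
    if role is None:          # custom role: load its definition before judging
        return False
    return _matches(role["actions"], action) and not _matches(role["notActions"], action)

def audit(assignments, principal_id, subscription_id):
    """Return (ok, findings) for one principal within one subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    ok, findings = False, []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        in_sub = scope == sub_scope or scope.startswith(sub_scope + "/")
        if a["principalId"] != principal_id or not in_sub:
            continue
        role = a["roleDefinitionName"]
        if not role_allows(role):
            findings.append(f"{role}: does not grant {NEEDED}")
        elif scope != sub_scope:
            findings.append(f"{role}: scope too narrow ({a['scope']})")
        elif a.get("condition"):   # assumption: a condition means "restricted"
            findings.append(f"{role}: assignment carries a condition")
        else:
            ok = True
    return ok, findings

# Constructed sample input; principalId is the service principal's object ID.
SUB, SPN = "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111"
SAMPLE = [
    {"principalId": SPN, "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}", "condition": None},
    {"principalId": SPN, "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo", "condition": None},
]
print(audit(SAMPLE, SPN, SUB))
```

With the sample input the audit fails for both assignments: Contributor excludes the action through its `notActions`, and the Owner assignment only covers a resource group.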