Tags: azure, azure-keyvault, azure-automation

Azure Automation: Get-AzKeyVaultKey : Operation returned an invalid status code 'Forbidden'


I am using Azure Automation to retrieve a list of certificates from Key Vault. The RunAs account for Azure Automation is a user with Contributor rights on the Key Vault, but when I execute my PowerShell from Azure Automation against the Key Vault in the same subscription, it states:

Get-AzKeyVaultKey : Operation returned an invalid status code 'Forbidden'

Is there a permission set I am missing beyond Contributor?


Solution

  • You need to assign the service principal configured as the RunAs account an Access Policy on the Key Vault with at least “Get” on Keys. The RBAC permissions on the Azure Key Vault resource are not enough, and are managed separately from the Access Policies.
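One way to apply that fix with the Az PowerShell module from an administrator session, as an added example that is not part of the original answer. The vault, resource group and Automation account names are placeholders, and the lookup assumes the RunAs connection uses the default name 'AzureRunAsConnection'; the policy grants only get and list on Keys (list is what enumerating keys without -Name requires), nothing wider.

```powershell
# Added example (not from the original answer). Run from a session that already
# has RBAC rights to manage the vault; placeholder names are marked as such.
$vaultName      = '<your-key-vault>'          # placeholder
$automationRg   = '<automation-rg>'           # placeholder
$automationAcct = '<automation-account>'      # placeholder

# 1. Resolve the service principal behind the Automation RunAs account.
#    Assumption: the connection asset uses the default name 'AzureRunAsConnection'.
$conn  = Get-AzAutomationConnection -ResourceGroupName $automationRg `
             -AutomationAccountName $automationAcct -Name 'AzureRunAsConnection'
$appId = $conn.FieldDefinitionValues['ApplicationId']
$sp    = Get-AzADServicePrincipal -ApplicationId $appId

# 2. Grant a data-plane access policy on Keys. RBAC 'Contributor' on the vault
#    resource does not confer this; the access policy is what Get-AzKeyVaultKey
#    is checked against. 'get' reads one key, 'list' enumerates them.
#    (Certificates have their own set via -PermissionsToCertificates.)
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToKeys get, list

# 3. Verify the policy landed and carries only the intended rights.
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "No access policy found for $($sp.DisplayName)" }
"Keys permissions for $($sp.DisplayName): $($policy.PermissionsToKeys -join ', ')"
```

After this, the runbook's Get-AzKeyVaultKey call (authenticated via Connect-AzAccount -ServicePrincipal with the same connection) should succeed; if it still returns Forbidden, confirm the ObjectId in the policy matches the service principal the runbook actually signs in as.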