I'm trying to encrypt fields using Always Encrypted in SSMS with a key stored in Azure vault. I've created a vault and a key and given it all the permissions (so I don't miss anything; I know I shouldn't give it all of the permissions eventually, just what it needs).
Following through the encryption wizard, I can log into my Azure account and everything proceeds nicely until the final commit, when it fails with the following message.
Dec 31 2019 10:59:10 [Informational] TaskUpdates: Message:Task: 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' -- Status: 'Started' -- Details: 'Task 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' started ....'.
Dec 31 2019 10:59:10 [Informational] TaskUpdates: Message:Task: 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' -- Status: 'Failed' -- Details: 'Task failed due to following error: Access denied. Caller was not found on any access policy.
Caller: appid=aGUID;numgroups=0;iss=https://sts.windows.net/anotherGUID/
Vault: MyVault;location=ukwest'.
Dec 31 2019 10:59:10 [Informational] WorkitemExecution: Message:Work item 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' stopped..
Dec 31 2019 10:59:10 [Error] WorkitemExecution: Message:Work item 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' did not complete. Details: Access denied. Caller was not found on any access policy.
Caller: appid=aGUID;numgroups=0;iss=https://sts.windows.net/anotherGUID/
Vault: MyVault;location=ukwest'.
Any ideas which permissions I need to add somewhere, or what I'm pointing to incorrectly?
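
The denial in the log above names the caller that Key Vault evaluated and the vault it was evaluated against. As an added example that is not part of the original post, this Python sketch pulls those fields out of the wizard log and de-duplicates the repeated denial, so the appid and tenant can be compared with the vault's access policies. The function names are hypothetical and the sample is constructed from the post's own lines, placeholders included.

```python
import re

# Constructed sample: the failing entries from the post, keeping its own
# placeholders (aGUID, anotherGUID, MyVault) exactly as they appear there.
SAMPLE_LOG = """\
Dec 31 2019 10:59:10 [Informational] TaskUpdates: Message:Task: 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' -- Status: 'Failed' -- Details: 'Task failed due to following error: Access denied. Caller was not found on any access policy.
Caller: appid=aGUID;numgroups=0;iss=https://sts.windows.net/anotherGUID/
Vault: MyVault;location=ukwest'.
Dec 31 2019 10:59:10 [Error] WorkitemExecution: Message:Work item 'Generate new column master key CMK_Auto2 in Azure Key Vault MyVault' did not complete. Details: Access denied. Caller was not found on any access policy.
Caller: appid=aGUID;numgroups=0;iss=https://sts.windows.net/anotherGUID/
Vault: MyVault;location=ukwest'.
"""

DENIED = "Caller was not found on any access policy"
ISSUER = re.compile(r"^https://sts\.windows\.net/([^/]+)/?$")  # tenant id is the path segment

def _fields(line, label):
    """Split 'Label: k=v;k=v' into a dict; a bare first token is stored under 'name'."""
    body = line[len(label):].strip().rstrip("'.")  # drop the closing quote and full stop
    out = {}
    for part in body.split(";"):
        key, sep, value = part.partition("=")
        out[key.strip() if sep else "name"] = value.strip() if sep else key.strip()
    return out

def parse_denials(log_text):
    """Return the distinct caller/vault records named in access-policy denials."""
    denials, seen = [], set()
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if DENIED not in line:
            continue
        caller, vault = {}, {}
        # The Caller: and Vault: details follow the denial on their own lines.
        for follow in lines[i + 1:i + 3]:
            if follow.startswith("Caller:"):
                caller = _fields(follow, "Caller:")
            elif follow.startswith("Vault:"):
                vault = _fields(follow, "Vault:")
        m = ISSUER.match(caller.get("iss", ""))
        record = {**caller, "tenant": m.group(1) if m else None,
                  "vault": vault.get("name"), "location": vault.get("location")}
        key = tuple(sorted(record.items(), key=lambda kv: kv[0]))
        if key not in seen:  # the wizard logs the same denial twice
            seen.add(key)
            denials.append(record)
    return denials
```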