
Azure Key Vault documentation should mention get key permission is needed when key version is omitted #2112

@ncaq

Description


Summary

The Azure Key Vault section of the documentation only mentions encrypt and decrypt as the required key permissions:

az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \
    --key-permissions encrypt decrypt

However, when the key version is left empty (which is the common case for simplicity), sops needs to call the Azure Key Vault REST API to resolve the latest key version. This requires the get key permission in addition to encrypt and decrypt.

Steps to reproduce

  1. Create an Azure Key Vault key for sops
  2. Grant only encrypt and decrypt permissions (as documented)
  3. Configure .sops.yaml with an empty version (or omit it):

     creation_rules:
       - azure_keyvault:
           - vaultUrl: https://my-vault.vault.azure.net
             key: sops
             version: ""

  4. Run sops -e or sops -d

Expected result

Encryption/decryption succeeds.

Actual result

failed to fetch Azure Key to retrieve key version: GET https://my-vault.vault.azure.net/keys/sops/
RESPONSE 403: 403 Forbidden
ERROR CODE: Forbidden

Workaround

Grant the get key permission:

az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \
    --key-permissions get encrypt decrypt

Or specify the key version explicitly in .sops.yaml to avoid the get call entirely.

Suggestion

Most users will leave the version empty for simplicity (avoiding .sops.yaml updates on key rotation), so the documentation should list get encrypt decrypt as the recommended permissions.
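The permission rule described in this issue (get is needed only when sops has to resolve the latest key version itself) can be checked before anyone touches the vault. The script below is an added example, not code from the sops project or from the issue author: it walks the parsed form of a .sops.yaml (the dict that yaml.safe_load would return for the config shown above, constructed here so it runs offline), works out the key permissions each azure_keyvault entry needs, reports which ones an existing access policy is missing, and prints the matching az keyvault set-policy line. The 32-character version id in the second entry is a placeholder, and the vault name, resource group and $AZURE_CLIENT_ID placeholder are taken from the issue text.

```python
# Added example (not part of sops): preflight for the Azure Key Vault key
# permissions a .sops.yaml needs, based on whether `version` is pinned.

BASE_PERMISSIONS = ("encrypt", "decrypt")   # what the docs list today
LOOKUP_PERMISSION = "get"                   # needed to resolve the latest version


def needs_version_lookup(version):
    """True when sops must GET the key to discover its latest version."""
    return version is None or str(version).strip() == ""


def required_permissions(version):
    """Key permissions one azure_keyvault entry needs for encrypt/decrypt."""
    if needs_version_lookup(version):
        return (LOOKUP_PERMISSION,) + BASE_PERMISSIONS
    return BASE_PERMISSIONS


def version_lookup_url(vault_url, key_name):
    """The endpoint sops calls for the lookup (the URL in the issue's 403)."""
    return f"{vault_url.rstrip('/')}/keys/{key_name}/"


def missing_permissions(granted, version):
    """Permissions an existing access policy still lacks for this entry."""
    granted = {p.lower() for p in granted}
    return tuple(p for p in required_permissions(version) if p not in granted)


def plan_policy(sops_config, keyvault_name, resource_group, spn):
    """One `az keyvault set-policy` invocation per azure_keyvault entry."""
    plans = []
    for rule in sops_config.get("creation_rules", []):
        for entry in rule.get("azure_keyvault", []):
            version = entry.get("version")
            perms = required_permissions(version)
            lookup = needs_version_lookup(version)
            plans.append({
                "vaultUrl": entry["vaultUrl"],
                "key": entry["key"],
                "lookup_url": (version_lookup_url(entry["vaultUrl"], entry["key"])
                               if lookup else None),
                "permissions": perms,
                "az_command": (
                    f"az keyvault set-policy --name {keyvault_name} "
                    f"--resource-group {resource_group} --spn {spn} "
                    f"--key-permissions {' '.join(perms)}"
                ),
            })
    return plans


# Constructed config: the .sops.yaml from the issue, plus an entry whose
# version is pinned (placeholder id) and therefore needs no `get`.
SOPS_CONFIG = {
    "creation_rules": [
        {"azure_keyvault": [
            {"vaultUrl": "https://my-vault.vault.azure.net",
             "key": "sops", "version": ""},
            {"vaultUrl": "https://my-vault.vault.azure.net",
             "key": "sops", "version": "0123456789abcdef0123456789abcdef"},
        ]},
    ]
}

if __name__ == "__main__":
    for plan in plan_policy(SOPS_CONFIG, "my-vault", "sops-rg", "$AZURE_CLIENT_ID"):
        print(plan["az_command"])
        if plan["lookup_url"]:
            print(f"  # sops will GET {plan['lookup_url']} to find the latest version")
    # A policy granted exactly as the docs describe is short one permission
    # for the unpinned entry:
    print(missing_permissions(["encrypt", "decrypt"], ""))
```

Running it prints two set-policy lines, the first with get encrypt decrypt and the second with only encrypt decrypt, and then ('get',) for the documented-but-insufficient policy; the same missing_permissions check can be pointed at the output of az keyvault show to audit an existing vault before a rotation.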
