Azure auto unseal - are these permissions needed

Am reading the walkthrough for enabling auto unseal for Azure Key Vault:

It’s asking me to create a service principal with extremely elevated permissions (Owner over my subscription, lots of Active Directory API permissions)
Why are these permissions needed? My technical understanding of the auto unseal process would lead me to think that in reality the service principal/managed service identity only needs very limited permissions over the key vault where the unseal key is stored.

Are the minimum permissions the SP/MSI needs documented anywhere?

I don’t use Azure, but in AWS the access is very specific and limited to the KMS area and nothing more. It’s possible that the learn article is just the quickest way to get you going on setting up the connection but then you can make the access very specific afterwards.

Did you look at the vault guide url on the 2nd half? It’s possible that the terraform code in the repo will be more specific and help you reduce the security overhead.

Worse case, open a ticket with support to get the exact set of permissions needed. I highly doubt it needs that level of access.