On the azurerm_managed_disk documentation page there is the below note:
NOTE: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault
I can’t find references in the Microsoft documentation that key vault reader role is required for disk encryption sets. Is this role actually required? The reason this issue is important is because having the ability to assign roles requires a specific role be assigned to the service principal in Azure which is a security concern.