短版：

我正在创建一个Azure Active Directory组，一个该组有权访问的Azure密钥库，该库中的一个密钥，一个主体是该组成员的PostgresServer。服务器包装在ComponentResource中

服务器应该使用密钥进行加密，但一开始没有访问权限-只有在尝试使用密钥之前存在时间延迟时，服务器才能访问密钥

问题：在尝试使用密钥加密之前，如何确保权限已传播

长版本

基础设施与我上面描述的相同。它是这样创建的：

group = azuread.Group(
    "security_group",
    display_name=display_name,
    description=description,
    owners=None,
    opts=ResourceOptions(),
    security_enabled=True,
)

policy = azure.keyvault.AccessPolicyEntryArgs(
    object_id=group.object_id,
    tenant_id=tenant_id,
    permissions=azure.keyvault.PermissionsArgs(
        keys=['get', 'list', 'unwrapKey', 'wrapKey']
    )
)

vault = azure.keyvault.Vault(
    "key_vault",
    resource_group_name=resource_group_name,
    location=location,
    properties=azure.keyvault.VaultPropertiesArgs(
        access_policies=[policy],
        # other properties
    ),
    opts=opts
)

class Postgres(ComponentResource)
    def __init__(self, group, vault):
        server = azure.dbforpostgresql.Server(
            "postgres_server",
            identity=azure.dbforpostgresql.ResourceIdentityArgs(type="SystemAssigned"),
            # other properties
        )

        postgres_principal_group_membership = azure_ad.GroupMember(
            "postgres-group-member",
            group_object_id=group.object_id,
            member_object_id=server.identity.principal_id,
        )


        key = azure.keyvault.Key(
            "encryption-key",
            key_name=f"encryption-key",
            # other properties
        )

        def make_key_uri_with_version(args):
            vault_name, key_name, key_uri_with_version = args
            key_version = key_uri_with_version.rsplit('/', 1)[-1]
            return f"{vault_name}_{key_name}_{key_version}"

        postgres_key_name = Output.all(
                encryption_key_vault.name,
                key.name,
                key.key_uri_with_version
            ).apply(make_key_name)


        ### Everything before here is created without issues
        ### This resource cannot be created during the first attempt to run this - but is sucessfull during the second run
        ### We can also make it succeed during the first try if we do:
        # import time
        # time.sleep(120)
        ### This sleep does not need to be placed right here or inside the constructor at all.
        ### It will help as long as it happens after creating the vault, but before completing the constructor

        azure.dbforpostgresql.ServerKey(
            f"server-use-encryption-key",
            key_name=postgres_key_name,
            server_key_type="AzureKeyVault",
            server_name=server.name,
            uri=key.key_uri_with_version,
            # other properties
        )

Postgres(group, vault)

第一次执行此操作时，会发生以下错误：

Error: resource partially created but read failed autorest/azure: Service returned an error.
Status=404
Code="ResourceNotFound"
Message="The requested resource of type 'Microsoft.DBforPostgreSQL/servers/keys' with name '<name of the key>' was not found.":
Code="AzureKeyVaultMissingPermissions" 
Message="The server '<name of the postgres server>' requires following Azure Key Vault permissions: 'Get, WrapKey, UnwrapKey'. Please grant any missing permissions to the service principal with ID '<postgres server principal ID>'."

我已经通过在尝试连接加密密钥之前直接使用time.sleep(120)验证了这个问题是一个计时问题，这使得这个过程能够工作。为了使代码更稳定/更快（而不是等待一个固定的时间并希望它足够长），我认为检查实际权限是一种方法

目前，我看不到任何方法可以通过Pulumi的azure本机提供商实现这一点

因此，我正在考虑直接使用azure API——这将意味着一种新的依赖关系，这本身并不理想

问题：有没有更好的方法来达到预期的效果？我在设置加密密钥时尝试了各种显式dependsOn值，但没有成功

谢谢