Azure ARM templates in GitHub Actions Keyvault Policies

I have a .bicep file which creates my cloud resources, one of which is a new keyvault into which I am able to store connection strings from the different resources, e.g. ACR username/password, redis connection string, etc. The .bicep file is referenced in a GitHub Actions workflow with the action azure/arm-deploy@v1. I need to be able to access the secrets downstream, but for that I would need to run something that updates the keyvault policy to allow the service principal I am using to call the GitHub Actions workflow get/list permissions. I tried using this:

      - name: set policies
        continue-on-error: true
        env:
          clientId: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          az keyvault set-policy -n kv-dev-lightningocr --secret-permissions get list set --spn $clientId

but the $clientId is not inserted as expected, as shown in the snapshot below: [screenshot of the workflow output, not reproduced]

It is possible to set policies directly in the .bicep template but I am having issues with that because I'm not sure how I can substitute the value for the objectId in the template.

    resource keyVaultPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
      name: '${keyVault.name}/add'
      properties: {
        accessPolicies: [
          {
            tenantId: subscription().tenantId
            objectId: // how to get the objectId of the service principal that calls the azure deploy action?
            permissions: {
              keys: []
              secrets: [
                'get'
                'list'
              ]
              certificates: []
            }
          }
        ]
      }
    }

I have crawled through the Microsoft documentation but it feels like looking for a needle in a haystack, so any specific answers to this very specific question are much appreciated.
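The symptom in the question (the whole of `$clientId` landing in the `--spn` argument rather than a GUID) is what you see when `AZURE_CREDENTIALS` holds the JSON that `az ad sp create-for-rbac --sdk-auth` prints, which bundles `clientId`, `clientSecret`, `subscriptionId` and `tenantId` into one string. The script below is an added example, not code from the question or from the azure/arm-deploy project: it pulls the `clientId` field out of a constructed credentials blob of that shape, refuses to build the `az keyvault set-policy` command unless the value is a GUID, masks the secret in the Actions log, and grants only `get list` (the `set` permission in the question's command is not needed for a job that only reads secrets). It assumes the vault name from the question, that the runner honours the `::add-mask::` workflow command, and that no `jq` is installed, so parsing is done with `sed`.

```shell
#!/bin/sh
# Added example (not from the original question): extract the service principal's
# application (client) id from an "--sdk-auth" style credentials JSON, validate it,
# and build a least-privilege `az keyvault set-policy` command without ever echoing
# the secret material. All identifiers below are constructed placeholders.

# Constructed sample in the shape `az ad sp create-for-rbac --sdk-auth` emits.
SAMPLE_CREDENTIALS='{
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "REDACTED-PLACEHOLDER",
  "subscriptionId": "66666666-7777-8888-9999-000000000000",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# extract_field JSON KEY: print the string value of a top-level key.
# Plain sed keeps the script free of jq, which a runner image may lack.
extract_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# is_guid VALUE: succeed only for a canonical 8-4-4-4-12 hex GUID. This check
# catches the question's symptom, where the whole JSON blob, not a client id,
# was handed to --spn.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# build_set_policy_cmd VAULT CLIENT_ID: print the az command granting only the
# permissions a downstream reader needs (get/list, no set). --spn takes the
# application id; the Bicep objectId property needs the object id instead.
build_set_policy_cmd() {
  vault="$1"; client_id="$2"
  is_guid "$client_id" || { echo "refusing: client id is not a GUID" >&2; return 1; }
  printf 'az keyvault set-policy -n %s --secret-permissions get list --spn %s\n' "$vault" "$client_id"
}

# mask_for_actions VALUE: ask GitHub Actions to redact VALUE in the job log
# (assumption: the ::add-mask:: workflow command is honoured by the runner).
mask_for_actions() {
  printf '::add-mask::%s\n' "$1"
}

main() {
  client_id=$(extract_field "$SAMPLE_CREDENTIALS" clientId)
  mask_for_actions "$(extract_field "$SAMPLE_CREDENTIALS" clientSecret)"
  build_set_policy_cmd kv-dev-lightningocr "$client_id"
  # Feeding the raw blob, as the question's workflow effectively did, is rejected:
  build_set_policy_cmd kv-dev-lightningocr "$SAMPLE_CREDENTIALS" || echo "rejected as expected"
}

main
```

For the Bicep route in the question, the same extracted value is the input to the lookup, not the answer: `objectId` wants the service principal's object id, which `az ad sp show --id "$client_id" --query id -o tsv` returns (on older CLI versions the field is `objectId`; treat the exact query as an assumption to verify against your CLI). That id can be declared as a `param` in the template and supplied through the action's `parameters` input, which keeps the access policy in the same deployment as the vault and avoids the separate `set-policy` step.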



This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow