Azure VMSS needs access to key vault

Question

An Azure virtual machine scale set needs to use secrets from a pre-existing Azure key vault.

Terraform is the tool being used to create the Azure virtual machine scale set.

What specific terraform code must be used in order to configure the virtual machines in the virtual machine scale set to be able to automatically retrieve secrets from a named key vault which exists before the virtual machine scale set is created?

The terraform azurerm_linux_virtual_machine_scale_set resource has a secrets block option that can receive a key_vault_id, but we have not been able to find examples.

What we need is for bash scripts running within the virtual machine scale set to be able to retrieve secrets from the pre-existing key vault. Specifically the cloud-init startup script.

So far, we have been using the CLI to make requests to the key vault in the cloud-init script, but we are getting access denied errors.

The answer to this question should include 1. terraform code for creating the virtual machine scale set, and 2. simple code to retrieve a secret from that key vault that can be added to a bash script running in the virtual machine scale set, such as the cloud-init script.

Does the VMSS need to run as some sort of identity to make this happen?