Terraform Azure Application Gateway does not have secrets get permission on key vault
I am trying to provision an Azure Application Gateway with Terraform, using a trusted_root_certificates certificate stored in a Key Vault. But I am getting the following error:

```text
"message":"The user, group or application 'name=Microsoft.Network/applicationGateways;appid=some-id;iss=https://sts.windows.net/xxx-xxx/' does not have secrets get permission on key vault 'jana-kv-ssi-test;location=australiaeast'.
```

And here's my Terraform code:
```hcl
module "cert-kv" {
  source                        = "./modules/kv"
  resource_group_name           = var.resource_group_name
  project                       = var.project
  location                      = var.location
  environment                   = var.environment
  default_tags                  = var.default_tags
  kv_sku                        = var.kv_sku
  kv_name                       = var.kv_name
  kv_key_permissions            = var.kv_key_permissions
  kv_secret_permissions         = var.kv_secret_permissions
  kv_storage_permissions        = var.kv_storage_permissions
  certificate_permissions       = var.certificate_permissions
  cert_name                     = var.cert_name
  local_cert_path               = var.local_cert_path
  local_cert_password           = var.local_cert_password
  root_cert_name                = var.root_cert_name
  root_cert_local_cert_path     = var.root_cert_local_cert_path
  root_cert_local_cert_password = var.root_cert_local_cert_password
}

module "app-gateway" {
  source                               = "./modules/app_gateway"
  resource_group_name                  = var.resource_group_name
  environment                          = var.environment
  default_tags                         = var.default_tags
  project                              = var.project
  location                             = var.location
  gw_sku_name                          = var.gw_sku_name
  gw_tier                              = var.gw_tier
  frontend_port_settings               = var.frontend_port_settings
  autoscale_configuration_max_capacity = var.autoscale_configuration_max_capacity
  appgw_zones                          = var.appgw_zones
  appgw_private_ip                     = var.appgw_private_ip
  appgw_subnet_id                      = module.application-subnets.app_subnet_id
  cipher_suites                        = var.cipher_suites
  tls_version                          = var.tls_version
  appgw_backend_pools                  = var.appgw_backend_pools
  appgw_backend_http_settings          = var.appgw_backend_http_settings
  appgw_http_listeners                 = var.appgw_http_listeners
  ssl_certificates_configs             = var.ssl_certificates_configs
  appgw_routings                       = var.appgw_routings
  appgw_redirect_configuration         = var.appgw_redirect_configuration
  gw_key_vault_id                      = module.cert-kv.keyvault_id # var.gw_key_vault_id
  health_probe_config                  = var.health_probe_config
  kv_secret_id_for_root_cert           = module.cert-kv.root_secret_id
  kv_secret_name_for_root_cert         = var.root_cert_name

  depends_on = [module.application-subnets, module.cert-kv]
}
```
And here are the resource files for the above modules.
```hcl
# key-vault
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "cert_kv" {
  name                        = join("-", [var.project, var.environment, var.kv_name])
  location                    = var.location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = var.kv_sku

  # Inline access_policy for the deploying principal. Note that an inline
  # access_policy block and separate azurerm_key_vault_access_policy resources
  # (see the gateway module below) manage the same policy list, so the provider
  # docs advise using one style or the other, not both.
  access_policy {
    tenant_id               = data.azurerm_client_config.current.tenant_id
    object_id               = data.azurerm_client_config.current.object_id
    key_permissions         = var.kv_key_permissions
    secret_permissions      = var.kv_secret_permissions
    storage_permissions     = var.kv_storage_permissions
    certificate_permissions = var.certificate_permissions
  }

  tags = var.default_tags
}

resource "azurerm_key_vault_certificate" "certs" {
  name         = var.cert_name
  key_vault_id = azurerm_key_vault.cert_kv.id

  certificate {
    contents = filebase64(var.local_cert_path)
    password = var.local_cert_password
  }
}

resource "azurerm_key_vault_certificate" "root_cert" {
  name         = var.root_cert_name
  key_vault_id = azurerm_key_vault.cert_kv.id

  certificate {
    contents = filebase64(var.root_cert_local_cert_path)
    password = var.root_cert_local_cert_password
  }
}
```

```hcl
# app_gateway module: managed identity the gateway uses to read the vault
resource "azurerm_user_assigned_identity" "key_vault_read" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = join("-", [var.project, var.environment, "key_vault_read_permission"])
}

data "azurerm_client_config" "current" {}

# Grants the identity's principal (not its resource id) Get/List on keys and secrets
resource "azurerm_key_vault_access_policy" "key_vault_role_policy" {
  key_vault_id = var.gw_key_vault_id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.key_vault_read.principal_id

  key_permissions = [
    "Get", "List",
  ]
  secret_permissions = [
    "Get", "List",
  ]
}

# app-gw
resource "azurerm_application_gateway" "application-gateway" {
  name                = join("-", [var.project, var.environment, "app-gateway"])
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.default_tags

  sku {
    name = var.gw_sku_name
    tier = var.gw_tier
  }

  # ...

  trusted_root_certificate {
    name                = var.kv_secret_name_for_root_cert
    key_vault_secret_id = var.kv_secret_id_for_root_cert
  }

  # ...

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.key_vault_read.id]
  }

  lifecycle {
    ignore_changes = [
      url_path_map,
      request_routing_rule
    ]
  }

  # Nothing above references the access policy, so without this Terraform may
  # create the gateway (which fetches the secret) before the policy exists.
  depends_on = [azurerm_key_vault_access_policy.key_vault_role_policy]
}
```
Can someone please help me?
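As an added check (not part of the question or of any answer in the thread), the Python below takes the JSON that `az keyvault show -o json` prints for a vault and reports whether a given managed-identity principal id would pass the "secrets get" check the gateway performs; the JSON field layout (`properties.enableRbacAuthorization`, `properties.accessPolicies[].objectId`, `permissions.secrets`) is assumed from the CLI output, and the sample vault document is constructed here.

```python
import json

# Constructed sample of `az keyvault show -o json` output, trimmed to the
# fields this check needs; it is not output from the question's vault.
SAMPLE_VAULT_JSON = """
{
  "name": "example-kv",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"secrets": ["Get", "List"], "keys": ["Get"]}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"secrets": ["List"], "certificates": ["Get"]}
      }
    ]
  }
}
"""


def check_secret_get(vault_json: str, principal_id: str) -> str:
    """Return 'ok', or a short reason why Application Gateway would be
    denied 'secrets get' when authenticating as principal_id."""
    vault = json.loads(vault_json)
    props = vault.get("properties", {})

    # With RBAC authorization enabled the access-policy list is ignored
    # entirely; the identity needs a data-plane role assignment instead.
    if props.get("enableRbacAuthorization"):
        return "vault uses RBAC authorization: access policies are ignored, assign a role instead"

    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() != principal_id.lower():
            continue
        # The CLI prints permission names in lowercase, Terraform uses "Get";
        # compare case-insensitively so the check does not false-alarm.
        secrets = [p.lower() for p in policy.get("permissions", {}).get("secrets", [])]
        if "get" in secrets:
            return "ok"
        return f"policy found but secrets permissions are {secrets}: missing 'get'"

    return "no access policy for this principal id (use the identity's principal_id, not its resource id)"
```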
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow