hashicorp · catriona-m · Feb 9, 2023 · Feb 8, 2023 · Feb 9, 2023
diff --git a/website/docs/r/key_vault_access_policy.html.markdown b/website/docs/r/key_vault_access_policy.html.markdown
@@ -45,6 +45,20 @@ resource "azurerm_key_vault_access_policy" "example" {
     "Get",
   ]
 }
+
+data "azuread_service_principal" "example" {
+  display_name = "example-app"
+}
+
+resource "azurerm_key_vault_access_policy" "example-principal" {
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azuread_service_principal.example.object_id
+
+  key_permissions = [
+    "Get", "List", "Encrypt", "Decrypt"
+  ]
+}
 ```
 
 ## Argument Reference
@@ -55,7 +69,7 @@ The following arguments are supported:
 
 * `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
 
-* `object_id` - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
+* `object_id` - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from  `azuread_service_principal.object_id`. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
 
 * `application_id` - (Optional) The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.