In the Azure Key Vault, register an application and create a new application secret as explained in
Configure an access policy with backup, delete, get, list, create, and update permissions. For example, run:
az keyvault set-policy --name azure-key-vault-dest --spn $AZURE_CLIENT_ID --certificate-permissions backup delete get list create update