diff --git a/README.rst b/README.rst index d3cef70b7..5d32d5610 100644 --- a/README.rst +++ b/README.rst @@ -412,12 +412,16 @@ from the commandline: $ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope $ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt $ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \ - --key-permissions encrypt decrypt + --key-permissions get encrypt decrypt # Read the key id: $ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid https://sops.vault.azure.net/keys/sops-key/some-string +.. note:: + + The ``get`` key permission is required when the key version is ommited (for example if the URL ends with a trailing slash). In that case SOPS calls the Azure Key Vault API to resolve the latest key version, which requires the ``get`` permission. If you specifty an explicit key version in the URL you can omit ``get``, but this means you will need to update your configuration every time the key is rotated. + Now you can encrypt a file using:: $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
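Review bot: the added ``.. note::`` block has two spelling errors that should be fixed before merge: "ommited" should be "omitted" and "specifty" should be "specify". The note also describes the version-less key URL only in words ("if the URL ends with a trailing slash") while the only key id shown in this hunk, ``https://sops.vault.azure.net/keys/sops-key/some-string``, carries a version; showing the version-less form once, e.g. ``https://sops.vault.azure.net/keys/sops-key/``, next to the versioned one would make it clear which form triggers the ``get`` lookup. Finally, since the ``set-policy`` line now grants ``get`` unconditionally, the note's last sentence could spell out the trade-off it implies: pinning an explicit version is the least-privilege choice (no ``get``), and the trailing-slash form buys automatic pickup of rotated keys at the cost of that extra permission.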