Devops pipline looking for keyvault in wrong subscription...

Bit of an odd one.. When I run my pipline to add some new resources, it is failing at terraform plan with a 403 error.

Error:  retrieving Vault: (Name "kv-name" / Resource Group "rg-name"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '1' with object id '1' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/3/resourceGroups/-rg/providers/Microsoft.KeyVault/vaults/kv' or the scope is invalid. If access was recently granted, please refresh your credentials."

Trouble is , the KV does exist in the given subscription but is in a different one, I cant understand why its trying to find it in that sub.

Any thoughts? I can see the scope is invalid, but dont know why