We use the Terraform providers below to configure Azure storage accounts:

```hcl
terraform {
  required_version = "~> 1.8.2"

  backend "azurerm" {}
  #backend "local" {}

  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.6.0"
    }
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "= 1.0.1"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.101.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "=3.6.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "=2.5.0"
    }
    azapi = {
      source  = "azure/azapi"
      version = "=1.13.0"
    }
  }
}
```
When we used to have the shared key option on, there were no problems with planning and applying changes. Recently, infosec asked us to turn shared keys off on our storage accounts and we started getting the errors below:

```text
Error: retrieving queue properties for Storage Account (Subscription: "a05d42ef-e511-4033-9ece-d4ea89bcd987"
│ Resource Group Name: "rg-pada-iadwh-adf-snd"
│ Storage Account Name: "sapadaiadwhadfdatasnd"): queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="KeyBasedAuthenticationNotPermitted" Message="Key based authentication is not permitted on this storage account.\nRequestId:59634ec7-f003-0018-19d8-97a525000000\nTime:2024-04-26T12:51:50.4577647Z"
│
│ with module.storage.azurerm_storage_account.storage["adfdata"],
│ on …\modules\storage-module\accounts\storage.tf line 1, in resource "azurerm_storage_account" "storage":
│ 1: resource "azurerm_storage_account" "storage" {
```
We do not deploy any queues.
The service principal used in the Terraform context has the roles below:
- Owner
- Storage File Data SMB Share Contributor
- Storage Table Data Contributor
- Storage Blob Data Contributor
- Storage Queue Data Contributor
Also, I enabled debug logging and it seems that the storage provider tries to use keys to authenticate when reading the queue properties:

```text
2024-05-07T10:28:26.541+0200 [ERROR] provider.terraform-provider-azurerm_v3.101.0_x5.exe: Response contains error diagnostic: diagnostic_severity=ERROR
diagnostic_summary=
| retrieving queue properties for Storage Account (Subscription: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
| Resource Group Name: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
| Storage Account Name: "XXXXXXXXXXXXXXXXXXXXXXXXX"): executing request: unexpected status 403 (403 Key based authentication is not permitted on this storage account.) with KeyBasedAuthenticationNotPermitted: Key based authentication is not permitted on this storage account.
| RequestId:58cd976e-b003-0016-4b58-a0b7ce000000
| Time:2024-05-07T08:28:26.5494826Z
tf_req_id=993c0ada-7a98-2ae5-ab23-daff30361ff1 tf_resource_type=azurerm_storage_account tf_proto_version=5.4 tf_provider_addr=provider tf_rpc=ReadResource caller=/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_detail="" timestamp="2024-05-07T10:28:26.540+0200"
2024-05-07T10:28:26.541+0200 [TRACE] provider.terraform-provider-azurerm_v3.101.0_x5.exe: Served request: tf_provider_addr=provider tf_req_id=993c0ada-7a98-2ae5-ab23-daff30361ff1 @caller=github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/tf5server/server.go:802 tf_proto_version=5.4 tf_resource_type=azurerm_storage_account tf_rpc=ReadResource @module=sdk.proto timestamp="2024-05-07T10:28:26.540+0200"
2024-05-07T10:28:26.541+0200 [ERROR] vertex "module.storage.azurerm_storage_account.storage[\"adfbatch\"]" error: retrieving queue properties for Storage Account (Subscription: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Resource Group Name: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Storage Account Name: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"): executing request: unexpected status 403 (403 Key based authentication is not permitted on this storage account.) with KeyBasedAuthenticationNotPermitted: Key based authentication is not permitted on this storage account.
RequestId:58cd976e-b003-0016-4b58-a0b7ce000000
Time:2024-05-07T08:28:26.5494826Z
2024-05-07T10:28:26.541+0200 [TRACE] vertex "module.storage.azurerm_storage_account.storage[\"adfbatch\"]": visit complete, with errors
2024-05-07T10:28:26.576+0200 [DEBUG] provider.terraform-provider-azurerm_v3.101.0_x5.exe: AzureRM Response for management.azure.com/subscriptions/XXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXXXXXXXXXXXXX/providers/Microsoft.Storage/storageAccounts/XXXXXXXXXXXXXXXXXXXXXXXX/listKeys?%24expand=kerb&api-version=2023-01-01:
/2.0 200 OK
```
Does it mean that the Azure provider does not support access to Azure queues with RBAC?
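As an added example (not code from the original post or from the provider's own documentation), the configuration below pairs the storage account setting that disables shared key access with the azurerm 3.x provider option `storage_use_azuread`, which makes the provider call the Blob and Queue data plane with the service principal's Azure AD token instead of listing and using the account keys. The resource group, location, account name map and the scoping of the role assignment to the storage account itself are assumptions.

```hcl
# Provider-level switch: authenticate data-plane calls (blob, queue) with the
# Azure AD identity running Terraform rather than with the account keys.
provider "azurerm" {
  features {}
  storage_use_azuread = true
}

# Assumed input: map of short names to storage account names, e.g.
# { adfdata = "sapadaiadwhadfdatasnd" }
variable "accounts" {
  type = map(string)
}

# Assumed values; replace with the real resource group and region.
variable "resource_group_name" { type = string }
variable "location"            { type = string }

resource "azurerm_storage_account" "storage" {
  for_each = var.accounts

  name                     = each.value
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The hardening infosec asked for: no key-based (SharedKey / SAS-by-key)
  # authentication on the account. Every data-plane call must carry an
  # Azure AD token that has been granted a Storage *Data* role.
  shared_access_key_enabled = false
  min_tls_version           = "TLS1_2"
}

# Data-plane RBAC for the identity Terraform runs as. Owner is control-plane
# only; without a Data role the token-based queue/blob reads are still 403.
# Scoped to each account rather than the subscription (least privilege).
data "azurerm_client_config" "current" {}

resource "azurerm_role_assignment" "queue_data" {
  for_each = azurerm_storage_account.storage

  scope                = each.value.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Without `storage_use_azuread = true` the provider falls back to `listKeys` and a SharedKey-signed request, which is exactly the 403 `KeyBasedAuthenticationNotPermitted` path seen in the debug log above.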