Correct way to Authenticate on azurerm storage account with keys disabled

Hello, I am trying to use my storage account as a backend provider. However, due to the restrictions in our subscriptions we are required to disable “Allow storage account key access”.

From what I read in the documentation it should still be possible to make use of it by setting use_azuread_auth=true in the backend configuration.

However, when I run init the following error occurs:

Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:a8b460ba-801e-0077-1cbd-cdf02f000000\nTime:2024-07-04T02:57:46.0279506Z

I have given the Service Principal the Roles of: Storage Blob Data Contributor and Storage Blob Data Owner.

When I enable “Allow storage account key access” and remove use_azuread_auth=true it works fine…

My complete code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.72.0"
    }
  }
  # Remote state in Azure Blob Storage; token (Entra ID) auth instead of the account key.
  backend "azurerm" {
    resource_group_name  = "rg"
    storage_account_name = "mytfsjors"
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
    use_azuread_auth     = true
  }
}

provider "azurerm" {
  features {}

  # Service principal credentials (redacted). subscription_id must be the subscription GUID.
  client_id       = "xxxxxxxx"
  client_secret   = "xxxxxxxxxx"
  tenant_id       = "31b2a69a-e70a-4c2f-88a3-25e8343bbb39"
  subscription_id = "xxxxxxxx"
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "eastus"
}

Any suggestions?

Hi @sjorspa,

I have a couple of questions to gather some further information that will help assist you:

  • You mention a service principal. How are you providing the service principal credentials to the backend block?
  • use_azuread_auth=true alone will try to use the User Principal via Azure CLI - e.g. the currently (AAD) authenticated user in the context in which it is running. Where is the terraform command running (local machine CLI, Azure DevOps Pipeline, GitHub Action, etc.)?

Hello, thanks for your reply.
I am not using an SP, I just run it with the app credentials on my local machine (yes, this will later be in a pipeline task).

To make it clear, with the above config it works. When I set “Allow storage account key access” to False, it results in the error:

Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:dd41e90e-101e-0007-769f-ce49d8000000\nTime:2024-07-05T05:49:55.8095318Z"

Thanks for the clarification.

So, if by the following you mean that you have done an az login on your local machine and you are running terraform init in the same context:

Then your user account that you used for login via az login will need to be granted ‘Storage Blob Data Contributor’ RBAC role within IAM for that storage account, or at a scope that will be inherited by that storage account (resource group / subscription).

When using ‘identity based’ access to a storage account (as opposed to ‘key-based’ access, e.g. storage account key or SAS), you must set the RBAC roles explicitly for the identities (Azure Entra accounts) that will need to access it.
If you use another identity (e.g. pipeline service connection / service principal) when you move this to your pipeline, then you will need to ensure that principal also has the appropriate permissions.

Hope that helps

Happy Terraforming
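As an added example (not from this thread or from the azurerm provider's own docs), the bootstrap configuration below creates the state storage account with key access disabled and grants the identity running Terraform the "Storage Blob Data Contributor" role on that account, which is the data-plane permission the 403 above is missing. It is applied once with local state; the resource group and account names are constructed placeholders, and the backend block for the dependent configuration is shown in the trailing comment.

```hcl
# bootstrap/main.tf: apply once with local state, authenticated as the identity that will
# later run `terraform init` (az login user, or a service principal via ARM_* variables).
provider "azurerm" {
  features {}
  # Manage containers/blobs over the data plane with Entra ID tokens, not account keys.
  storage_use_azuread = true
}

# Identity Terraform is currently running as (user or service principal).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "state" {
  name     = "rg-tfstate" # constructed placeholder
  location = "eastus"
}

resource "azurerm_storage_account" "state" {
  name                      = "tfstatebootstrap01" # constructed placeholder; must be globally unique
  resource_group_name       = azurerm_resource_group.state.name
  location                  = azurerm_resource_group.state.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false # "Allow storage account key access" = Disabled
}

# The data-plane role the answer above refers to, scoped to this one account.
resource "azurerm_role_assignment" "state_contributor" {
  scope                = azurerm_storage_account.state.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
  # Container creation is a data-plane call, so the role must exist first.
  depends_on = [azurerm_role_assignment.state_contributor]
}

# Backend block for the dependent root module: token-based auth only, no keys.
# backend "azurerm" {
#   resource_group_name  = "rg-tfstate"
#   storage_account_name = "tfstatebootstrap01"
#   container_name       = "tfstate"
#   key                  = "terraform.tfstate"
#   use_azuread_auth     = true
# }
```

Azure RBAC assignments can take a few minutes to propagate, so a 403 immediately after the assignment is applied may simply need a retry; a pipeline service principal needs its own assignment at the same scope.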