Hello,
I’m trying to use terraform/azurerm to create a StorageV2-style storage account, populate it with containers, file shares, and data, and mount the shares in containers for the app service. However, I’m running into a permissions error: I can’t create directories in the SMB share.
The storage account has firewall rules in place which prevent it from being accessed by anybody outside my company, and that’s working alright. I am creating role assignments in Terraform so that the team creating the asset has “Storage File Data SMB Share Contributor” as well as Blob Contributor on the storage account, and that works and appears in the Role Assignments panel. I can create and view containers and blobs, add files, delete files, etc. But when I try to access a file share I get nada.
I am able to create additional file shares both via TF and in the webUI, but I can’t browse any of them.
I assume it’s some kind of permission error, hence the 403, but I have no idea what it could be. I mean, I’m a contributor, right? Or is there somewhere else I need to be adding permissions?
This is the error that Terraform gives me:
Error: checking for existing Directory Path "myappnameyvxjsa" (Share Name
"myappnameyvxjsa" / Account "Account \"myappnameyvxjsa\" (IsEdgeZone false
/ ZoneName \"\" / Subdomain Type \"file\" / DomainSuffix \"core.windows.net\")"):
executing request: unexpected status 403 (403 Forbidden) with expected
element type <Error> but have <HTML>
│
│ with module.my_app.azurerm_storage_share_directory.directory["0"],
│ on ..\..\modules\azure\azure_app_service\storage.tf line 69, in resource "azurerm_storage_share_directory" "directory":
│ 69: resource "azurerm_storage_share_directory" "directory" {
When I go through the azure portal and try to access the share that way, I get this:
This machine doesn't seem to have access.
This browser doesn't seem to be able to reach the necessary data plane
APIs that interact with the files in an Azure file share. Interacting
with share content is different from managing the Azure file share.
Managing the share from this browser could be possible while accessing
operations like listing the contents of a file share might not be. This
is an issue reported from your side of the network. Check that your machine,
from the network it is connected to, is expected to have access. If that
is the case, check your networking configuration (proxy configuration,
IP rules, Azure network settings for storage, etc) in your organization
to ensure Azure services can be fully accessed.
and
{
  "authMode": 1,
  "content": "",
  "endpoint": 2,
  "name": "StorageError",
  "otherErrors": [
    {
      "name": "StorageError",
      "requestId": null,
      "xhr": {
        "_persistedParams": {
          "originalUri": "https://myappnameyvxjsa.file.core.windows.net/myappnameyvxjsa?restype=directory&comp=list&prefix=&marker=&maxresults=30&_=1743107765515",
          "headers": {
            "x-ms-allow-trailing-dot": "true",
            "x-ms-command-name": "StorageClient.ListDirectoriesAndFiles222",
            "x-ms-client-session-id": "[redacted]",
            "x-ms-date": "Thu, 27 Mar 2025 20:36:05 GMT",
            "x-ms-version": "2022-11-02",
            "Authorization": "Bearer [redacted]",
            "x-ms-file-request-intent": "backup"
          }
        }
      },
      "content": "",
      "url": "https://myappnameyvxjsa.file.core.windows.net/myappnameyvxjsa?restype=directory&comp=list&prefix=&marker=&maxresults=30&_=1743107765515",
      "authMode": 4,
      "endpoint": 2
    }
  ],
  "url": "https://myappnameyvxjsa.file.core.windows.net/myappnameyvxjsa?restype=directory&comp=list&prefix=&marker=&maxresults=30&_=[redacted]&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxy&se=2025-03-28T04:25:46Z&sig=[redacted]",
  "xhr": {
    "_persistedParams": {
      "originalUri": "https://myappnameyvxjsa.file.core.windows.net/myappnameyvxjsa?restype=directory&comp=list&prefix=&marker=&maxresults=30&_=[redacted]&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxy&se=2025-03-28T04:25:46Z&sig=[redacted]",
      "headers": {
        "x-ms-allow-trailing-dot": "true",
        "x-ms-command-name": "StorageClient.ListDirectoriesAndFiles222",
        "x-ms-client-session-id": "[redacted]",
        "x-ms-date": "Thu, 27 Mar 2025 20:36:05 GMT",
        "x-ms-version": "2022-11-02"
      }
    }
  }
}