Minimum set of permissions required to manage Azure remote backend using AAD

pacorreia · April 8, 2024, 11:26am

I’m using Terraform with a remote Azure backend storage.
For this purpose I want to use only AAD authentication and followed the instructions from this page Back Type: azurerm

It’s mentioned there that Storage Blob Data Owner role msut be granted to the identity being used by Terraform.

My question is, is really necessary the Owner one, couldn’t it be just Contributor?

I’ve done a quick test with Storager Blob Data Contributor, and the plam, apply, force-unlock actions worked well.

I’m looking for an answer from anyone with deep knowledge about the internals of state file management to explain the reason behind the requirement for Owner instead of contributor.

I’m trying to follow the principle of least privilege here.

Thanks

pacorreia · May 13, 2024, 11:35am

I’m disapointed with the lack of response, for so long.

I wonder if the questions can be answered or not, if it can’t that means the documentatiom reference to the Owner rule was arbitrary, or no one is giving a cent about this Discussion page

system · November 9, 2024, 11:36am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why does the azurerm backend not support `storage_use_azuread`? Azure	6	15665	October 20, 2021
AzureRM Provider - storage_use_azuread option Azure	0	495	May 8, 2024
Azurerm_storage_account : how to Enable Identity-based access for file shares with AAD DS Azure	1	744	May 4, 2020
Correct way to Authenticate on azurerm storage account with keys disabled Terraform	4	1071	January 5, 2025
Best-practice for Terraform access to Azure subscription Terraform	0	764	January 14, 2020

Minimum set of permissions required to manage Azure remote backend using AAD

Related topics