Minimum set of permissions required to manage Azure remote backend using AAD

I’m using Terraform with a remote Azure backend storage.
For this purpose I want to use only AAD authentication and followed the instructions from this page: Backend Type: azurerm

It’s mentioned there that the Storage Blob Data Owner role must be granted to the identity being used by Terraform.

My question is, is the Owner one really necessary, couldn’t it just be Contributor?

I’ve done a quick test with Storage Blob Data Contributor, and the plan, apply, and force-unlock actions worked well.

I’m looking for an answer from anyone with deep knowledge about the internals of state file management to explain the reason behind the requirement for Owner instead of contributor.

I’m trying to follow the principle of least privilege here.
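An added example of the least-privilege setup the question is after; this is not code from the original post or from the Terraform docs. It renders an `azurerm` backend block that uses AAD auth only (no account key or SAS), builds the ARM scope of the single state container so that whichever data-plane role you pick (the Contributor role the poster tested, or the Owner role the docs name) is granted on that one container rather than on the whole storage account or subscription, and lists the identity's assignments afterwards so you can confirm nothing broader slipped in. All subscription, resource group, account, container and principal values are placeholders; the `az` calls only run when `RUN_AZ=1` is set and a logged-in Azure CLI is present.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): grant a Terraform identity a blob
# data-plane role scoped to one state container, with AAD-only backend auth.
# Every name below is a placeholder / assumption; replace with your own values.
set -euo pipefail

# Build the ARM resource ID of a single blob container. Assigning the role at
# this scope, instead of at the storage account, resource group or
# subscription, is what keeps the grant at least privilege.
container_scope() {
  local sub="$1" rg="$2" account="$3" container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$sub" "$rg" "$account" "$container"
}

# Render the backend block. use_azuread_auth = true makes Terraform use the
# AAD identity for the blob data plane; no storage account key is involved.
backend_hcl() {
  local rg="$1" account="$2" container="$3" key="$4"
  cat <<EOF
terraform {
  backend "azurerm" {
    resource_group_name  = "$rg"
    storage_account_name = "$account"
    container_name       = "$container"
    key                  = "$key"
    use_azuread_auth     = true
  }
}
EOF
}

# Create the role assignment. Needs an Azure CLI login that is allowed to
# write role assignments (e.g. Owner or User Access Administrator on the scope).
grant_role() {
  local principal="$1" role="$2" scope="$3"
  az role assignment create --assignee "$principal" --role "$role" --scope "$scope"
}

# Review every assignment the identity holds; anything scoped above the
# container, or any extra role, is a candidate for removal.
list_grants() {
  az role assignment list --assignee "$1" --all --output table
}

main() {
  # Placeholder values (assumptions); substitute your own.
  local sub="00000000-0000-0000-0000-000000000000"
  local rg="rg-tfstate" account="sttfstate" container="tfstate"
  local principal="<object-id-of-terraform-identity>"
  # The poster's test used Contributor; the docs name Owner. Pick one here.
  local role="Storage Blob Data Contributor"

  local scope
  scope="$(container_scope "$sub" "$rg" "$account" "$container")"
  backend_hcl "$rg" "$account" "$container" "prod.terraform.tfstate" > backend.tf
  echo "Wrote backend.tf; role scope: $scope"

  if [ "${RUN_AZ:-0}" = "1" ]; then
    grant_role "$principal" "$role" "$scope"
    list_grants "$principal"
  fi
}

# Only run the workflow when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]:-}" = "$0" ] && [ "${TF_BACKEND_EXAMPLE_NOMAIN:-0}" != "1" ]; then
  main "$@"
fi
```

After `terraform init` you can compare `list_grants` output against the single container scope; a Contributor or Owner assignment at the storage account or subscription level would grant access to every container there, which is the over-grant this scoping avoids.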


I’m disappointed with the lack of response for so long.

I wonder if the question can be answered or not; if it can’t, that means the documentation reference to the Owner role was arbitrary, or no one is giving a cent about this Discussion page.