Terraform version: 1.1.7 (attempted with older versions as well and having the same issue).
I’m not sure what I’m doing wrong here. I created a fresh Azure subscription, and I logged in with the Azure CLI with `az login` and set my subscription with `az account set -s 123subscriptionId`. I set up a storage account accordingly and can list the contents with `az storage blob list --account-name mystorageaccount --container tfstate` (obviously masking out my real storage account name with an example name, etc.)
In my main.tf, I have an `azurerm` block where I set the tenant_id and subscription_id (and the variable values being pulled in correctly from a terraform.tfvars, of course).
```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "myresourcegroup"
    storage_account_name = "mystorageaccount"
    container_name       = "tfstate"
    key                  = "mystate.tfstate"
  }
}

provider "azurerm" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  features {}
}
```
But when I run `terraform init` I’m getting an authentication error:
```
2022-03-04T12:17:48.553-0700 [INFO] Terraform version: 1.1.7
2022-03-04T12:17:48.553-0700 [INFO] Go runtime version: go1.17.2
2022-03-04T12:17:48.553-0700 [INFO] CLI args: []string{"/usr/local/Cellar/tfenv/2.2.0/versions/1.1.7/terraform", "init"}
2022-03-04T12:17:48.553-0700 [DEBUG] Attempting to open CLI config file: /Users/user123/.terraformrc
2022-03-04T12:17:48.553-0700 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider search directory /Users/user123/.terraform.d/plugins
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider search directory /Users/user123/Library/Application Support/io.terraform/plugins
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2022-03-04T12:17:48.554-0700 [INFO] CLI command args: []string{"init"}
Initializing the backend...
2022-03-04T12:17:48.559-0700 [DEBUG] New state was assigned lineage "649772b0-ab04-26fc-727c-6a06ca0c863e"
2022-03-04T12:17:48.559-0700 [DEBUG] checking for provisioner in "."
2022-03-04T12:17:48.560-0700 [DEBUG] checking for provisioner in "/usr/local/Cellar/tfenv/2.2.0/versions/1.1.7"
2022-03-04T12:17:48.560-0700 [DEBUG] New state was assigned lineage "8683d719-ab13-8c7e-6067-2d37f5ac48b9"
2022-03-04T12:17:48.561-0700 [DEBUG] Azure Backend Request:
GET /tfstate?comp=list&prefix=mystate.tfstateenv%3A&restype=container HTTP/1.1
Host: mystorageaccount.blob.core.windows.net
User-Agent: Terraform/1.1.7
Content-Type: application/xml; charset=utf-8
X-Ms-Date: Fri, 04 Mar 2022 19:17:48 GMT
X-Ms-Version: 2018-11-09
Accept-Encoding: gzip
2022-03-04T12:17:49.078-0700 [DEBUG] Azure Backend Response for https://mystorageaccount.blob.core.windows.net/tfstate?comp=list&prefix=mystate.tfstateenv%3A&restype=container:
HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
Content-Length: 755
Content-Type: application/xml
Date: Fri, 04 Mar 2022 19:17:49 GMT
Server: Microsoft-HTTPAPI/2.0
X-Ms-Error-Code: AuthenticationFailed
X-Ms-Request-Id: f206d9c9-d01e-0075-26fc-2fc6b7000000
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:f206d9c9-d01e-0075-26fc-2fc6b7000000
Time:2022-03-04T19:17:49.2200866Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request 'wspOSzBTiWqrgHID8T+J23a3pkixsyuWlmlb76XO0KY=' is not the same as any computed signature. Server used following string to sign: 'GET
application/xml; charset=utf-8
x-ms-date:Fri, 04 Mar 2022 19:17:48 GMT
x-ms-version:2018-11-09
/mystorageaccount/tfstate
comp:list
prefix:mystate.tfstateenv:
restype:container'.</AuthenticationErrorDetail></Error>
╷
│ Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthenticationFailed" Message="Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:f206d9c9-d01e-0075-26fc-2fc6b7000000\nTime:2022-03-04T19:17:49.2200866Z"
│
│
╵
```
Notably in the azure auth error details tag it states:
The MAC signature found in the HTTP request 'wspOSzBTiWqrgHID8T+J23a3pkixsyuWlmlb76XO0KY=' is not the same as any computed signature. Server used following string to sign: 'GET ...
My laptop clock is in sync and correct… not sure what else would cause an error in generating the auth signature. Again, I can authenticate and do operations just fine with the Azure CLI, whose libraries I thought Terraform hooks into in the backend anyway.
edited: formatting for readability.
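Added example, not part of the original post: the 403 body above shows the Blob service rejecting a Shared Key signature, which is Base64(HMAC-SHA256(account key, string-to-sign)). This Python sketch rebuilds the string-to-sign for the logged request and reports which candidate key, if any, produced a given signature; the function names and the keys in `KEYS` and `STALE` are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

def string_to_sign(method, url, headers, account):
    """Blob service Shared Key string-to-sign (x-ms-version 2015-02-21+)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    length = h.get("content-length", "")
    # Twelve fixed slots; an unset header still contributes an empty line.
    fixed = [method.upper(), h.get("content-encoding", ""),
             h.get("content-language", ""), "" if length == "0" else length,
             h.get("content-md5", ""), h.get("content-type", ""),
             "" if "x-ms-date" in h else h.get("date", ""),
             h.get("if-modified-since", ""), h.get("if-match", ""),
             h.get("if-none-match", ""), h.get("if-unmodified-since", ""),
             h.get("range", "")]
    ms_headers = [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-ms-")]
    parts = urlsplit(url)
    query = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        query.setdefault(name.lower(), []).append(value)  # values URL-decoded
    resource = [f"/{account}{parts.path}"]
    resource += [f"{k}:{','.join(sorted(query[k]))}" for k in sorted(query)]
    return "\n".join(fixed + ms_headers + resource)

def sign(account_key_b64, sts):
    """Base64(HMAC-SHA256(Base64-decoded account key, UTF-8 string-to-sign))."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def matching_key(presented_sig, sts, candidate_keys):
    """Name of the candidate key that yields presented_sig, else None."""
    for name, key in candidate_keys.items():
        if hmac.compare_digest(sign(key, sts), presented_sig):
            return name
    return None

# Request fields as logged in the post; the keys are constructed, not real.
URL = ("https://mystorageaccount.blob.core.windows.net/tfstate"
       "?comp=list&prefix=mystate.tfstateenv%3A&restype=container")
HEADERS = {"Content-Type": "application/xml; charset=utf-8",
           "X-Ms-Date": "Fri, 04 Mar 2022 19:17:48 GMT",
           "X-Ms-Version": "2018-11-09"}
KEYS = {"key1": base64.b64encode(b"constructed key one").decode(),
        "key2": base64.b64encode(b"constructed key two").decode()}
STALE = base64.b64encode(b"constructed rotated-out key").decode()

if __name__ == "__main__":
    sts = string_to_sign("GET", URL, HEADERS, "mystorageaccount")
    print(matching_key(sign(KEYS["key2"], sts), sts, KEYS))  # a current key
    print(matching_key(sign(STALE, sts), sts, KEYS))         # an unknown key
```

With the account's real key1 and key2 (from `az storage account keys list`) in place of the constructed ones, a `None` result for the signature quoted in the error means the request was signed with some other key.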