Terraform init - Generating incorrect authorization signature?

Terraform version: 1.1.7 (attempted with older versions as well and having the same issue).

I’m not sure what I’m doing wrong here. I created a fresh Azure subscription, and I logged in with azure cli with az login and set my subscription with az account set -s 123subscriptionId. I setup a storage account accordingly and can list the contents with az storage blob list --account-name mystorageaccount --container tfstate
(obviously masking out my real storage account name with an example name, etc.)

In my main.tf, I have azurerm block where I set the tenant_if and subscription_id. ( andthe variable values being pulled in correctly from a terraform.tfvars of course).

terraform {
  backend "azurerm" {
    resource_group_name  = "myresourcegroup"
    storage_account_name = "mystorageaccount"
    container_name       = "tfstate"
    key                  = "mystate.tfstate"
  }
}

provider "azurerm" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id

  features {}
}

But when I run terraform init I’m getting an authentication error

2022-03-04T12:17:48.553-0700 [INFO]  Terraform version: 1.1.7
2022-03-04T12:17:48.553-0700 [INFO]  Go runtime version: go1.17.2
2022-03-04T12:17:48.553-0700 [INFO]  CLI args: []string{"/usr/local/Cella
r/tfenv/2.2.0/versions/1.1.7/terraform", "init"}
2022-03-04T12:17:48.553-0700 [DEBUG] Attempting to open CLI config file: 
/Users/user123/.terraformrc
2022-03-04T12:17:48.553-0700 [DEBUG] File doesn't exist, but doesn't need 
to. Ignoring.
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider searc
h directory terraform.d/plugins
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider searc
h directory /Users/user123/.terraform.d/plugins
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider searc
h directory /Users/user123/Library/Application Support/io.terraform/plugi
ns
2022-03-04T12:17:48.553-0700 [DEBUG] ignoring non-existing provider searc
h directory /Library/Application Support/io.terraform/plugins
2022-03-04T12:17:48.554-0700 [INFO]  CLI command args: []string{"init"}

Initializing the backend...
2022-03-04T12:17:48.559-0700 [DEBUG] New state was assigned lineage "6497
72b0-ab04-26fc-727c-6a06ca0c863e"
2022-03-04T12:17:48.559-0700 [DEBUG] checking for provisioner in "."
2022-03-04T12:17:48.560-0700 [DEBUG] checking for provisioner in "/usr/lo
cal/Cellar/tfenv/2.2.0/versions/1.1.7"
2022-03-04T12:17:48.560-0700 [DEBUG] New state was assigned lineage "8683
d719-ab13-8c7e-6067-2d37f5ac48b9"
2022-03-04T12:17:48.561-0700 [DEBUG] Azure Backend Request: 
GET /tfstate?comp=list&prefix=mystate.tfstateenv%3A&restype=container HTT
P/1.1
Host: mystorageaccount.blob.core.windows.net
User-Agent: Terraform/1.1.7
Content-Type: application/xml; charset=utf-8
X-Ms-Date: Fri, 04 Mar 2022 19:17:48 GMT
X-Ms-Version: 2018-11-09
Accept-Encoding: gzip
2022-03-04T12:17:49.078-0700 [DEBUG] Azure Backend Response for https://m
ystorageaccount.blob.core.windows.net/tfstate?comp=list&prefix=mystate.tf
stateenv%3A&restype=container: 
HTTP/1.1 403 Server failed to authenticate the request. Make sure the val
ue of Authorization header is formed correctly including the signature.
Content-Length: 755
Content-Type: application/xml
Date: Fri, 04 Mar 2022 19:17:49 GMT
Server: Microsoft-HTTPAPI/2.0
X-Ms-Error-Code: AuthenticationFailed
X-Ms-Request-Id: f206d9c9-d01e-0075-26fc-2fc6b7000000

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</
Code><Message>Server failed to authenticate the request. Make sure the va
lue of Authorization header is formed correctly including the signature.
RequestId:f206d9c9-d01e-0075-26fc-2fc6b7000000
Time:2022-03-04T19:17:49.2200866Z</Message><AuthenticationErrorDetail>The 
MAC signature found in the HTTP request 'wspOSzBTiWqrgHID8T+J23a3pkixsyuW
lmlb76XO0KY=' is not the same as any computed signature. Server used foll
owing string to sign: 'GET




application/xml; charset=utf-8






x-ms-date:Fri, 04 Mar 2022 19:17:48 GMT
x-ms-version:2018-11-09
/mystorageaccount/tfstate
comp:list
prefix:mystate.tfstateenv:
restype:container'.</AuthenticationErrorDetail></Error>
╷
│ Error: Failed to get existing workspaces: containers.Client#ListBlobs:
Failure responding to request: StatusCode=403 -- Original Error: autorest
/azure: Service returned an error. Status=403 Code="AuthenticationFailed"
 Message="Server failed to authenticate the request. Make sure the value 
of Authorization header is formed correctly including the signature.\nReq
uestId:f206d9c9-d01e-0075-26fc-2fc6b7000000\nTime:2022-03-04T19:17:49.220
0866Z"
│ 
│ 
╵

Notably in the azure auth error details tag it states:

The MAC signature found in the HTTP request 'wspOSzBTiWqrgHID8T+J23a3pkixsyuWlmlb76XO0KY=' is not the same as any computed signature. Server used following string to sign: 'GET ...

My laptop clock is in sync and correct… not sure what else would cause an error in generating the auth signature. Again I can authenticate and do operations just fine with the azure cli, which its libraries I thought terraform hooks into in the backend anyways.

edited: formatting for readability.

Turns out my ARM_ACCESS_KEY was set incorrectly. To set the value correctly, see this: Store Terraform state in Azure Storage | Microsoft Docs

Just wish the error made that more clear on Azure’s side… not sure if terraform would have been able to detect the issue being the ARM_ACCESS_KEY.