I suspect this is not a bug, so I am writing to this forum.
The azurerm Terraform provider is able to use Azure RBAC to read/write within Azure Storage (blobs/queues, to be precise). This is achieved either by adding the configuration attribute storage_use_azuread to the provider configuration or by using the ARM_STORAGE_USE_AZUREAD environment variable.
However, the azurerm Terraform backend does not support RBAC and always attempts to use the storage account key. Is there a reason for this? Given the type of data that is stored by Terraform itself, I would expect it to be much more important to have RBAC for the backend than for random storage accounts created as IaC.
P.S. I tested with the environment variable and by setting the undocumented storage_use_azuread attribute on the backend config, but, as expected, the backend has no support for this and continues trying to use the key instead.
This results in an (expected) error message:
Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="KeyBasedAuthenticationNotPermitted" Message="Key based authentication is not permitted on this storage account.
The service principal in use has the "Storage Blob Data Contributor" role set at the scope of the storage account. I can use that service principal via Azure CLI with --auth-mode login to upload/download blobs successfully.
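For readers who want to reproduce the setup described in this post, here is an added illustration (not the original poster's configuration, and not HashiCorp's own example code): a provider configured for Azure AD data-plane access via storage_use_azuread, a storage account created as IaC with shared-key authentication switched off, and a role assignment granting the deploying service principal "Storage Blob Data Contributor" at storage-account scope. The backend block is written the way the post describes it, i.e. relying on the storage account key. All resource names, the resource groups and the deployer_object_id variable are placeholders.

```hcl
# Added illustration only; names and ids below are placeholders.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }

  # Backend as described in the post: it authenticates to the state
  # container with the storage account key, regardless of
  # storage_use_azuread / ARM_STORAGE_USE_AZUREAD.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"       # placeholder
    storage_account_name = "sttfstate0001"    # placeholder
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}

# Provider-side setting: blob and queue data-plane calls made by the
# provider use the Azure AD identity (RBAC) instead of the shared key.
# Equivalent to exporting ARM_STORAGE_USE_AZUREAD=true.
provider "azurerm" {
  features {}
  storage_use_azuread = true
}

# Object id of the service principal running terraform (assumption:
# supplied by the operator, e.g. via TF_VAR_deployer_object_id).
variable "deployer_object_id" {
  type = string
}

# A storage account managed as IaC with shared-key auth disabled. Any
# client that still presents the account key is refused with
# 403 KeyBasedAuthenticationNotPermitted, the error quoted in the post.
resource "azurerm_storage_account" "data" {
  name                      = "stdata0001"   # placeholder
  resource_group_name       = "rg-data"      # placeholder
  location                  = "westeurope"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false
}

# Data-plane permission for the deploying service principal, scoped to
# the storage account as in the post. Owner/Contributor on the account
# is not enough for blob data operations when the key is disabled.
resource "azurerm_role_assignment" "sp_blob_contributor" {
  scope                = azurerm_storage_account.data.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.deployer_object_id
}

# Container creation is a data-plane call, so it must wait for the role
# assignment; otherwise the first apply can fail with a 403 before the
# RBAC grant is visible.
resource "azurerm_storage_container" "blobs" {
  name                 = "app-data"
  storage_account_name = azurerm_storage_account.data.name

  depends_on = [azurerm_role_assignment.sp_blob_contributor]
}
```

Two practical notes: RBAC assignments can take a little while to propagate, so a fresh service principal may still see a 403 on the first data-plane call even with the depends_on in place, and a retry of the apply resolves it; and disabling shared keys on the account that holds the backend's own state container would, per the behaviour described in the post, break the backend itself, so this example only disables keys on the account the configuration manages, not on the state account.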