To disable Shared Key Access (Microsoft Learn) using Terraform, you need to enable `storage_use_azuread` so Terraform can still interact with Storage Account APIs:
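As an added example (not the post's own snippet), here is the provider and resource configuration that sentence describes, in HCL. The resource group name is taken from the error output later in the post; the storage account name, location, provider version constraint, and the principal receiving the role assignments are assumptions, and the two role names are the data-plane roles the post itself mentions.

```hcl
# Added example, not the post's own code. Assumes an existing resource group
# named "myResourceGroupName" (the name in the post's error output); the
# storage account name, location and provider version are placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: any 3.x release; storage_use_azuread also exists in 2.x
    }
  }
}

provider "azurerm" {
  features {}
  # Authenticate to the Blob/Queue/Table/File data-plane endpoints with
  # Microsoft Entra ID tokens instead of fetching and using the account keys.
  storage_use_azuread = true
}

# The identity Terraform is currently running as (user or service principal).
data "azurerm_client_config" "current" {}

resource "azurerm_storage_account" "example" {
  name                     = "mystorageaccount" # placeholder, must be globally unique
  resource_group_name      = "myResourceGroupName"
  location                 = "westeurope" # placeholder
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Disable Shared Key authorization: requests signed with an account key
  # (or a SAS derived from one) are rejected; only Entra ID tokens are accepted.
  shared_access_key_enabled = false
}

# With Shared Key off, the principal running terraform plan/apply needs
# data-plane RBAC roles on the account. Management-plane roles such as Owner
# or Storage Account Contributor carry no DataActions, so they do not grant
# blob or queue access by themselves. Assumption: the principal that applies
# this configuration is the one that should hold these roles.
resource "azurerm_role_assignment" "tf_blob" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "tf_queue" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Two things worth checking when a 403 like the one below appears: that the role assignments are scoped to the principal Terraform actually authenticates as (a CI service principal is a different object from the portal user), and that enough time has passed, since Azure RBAC assignments can take several minutes to propagate before the data-plane endpoints honour them.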
However, when I tried to enable `storage_use_azuread`, I got a 403 `AuthorizationPermissionMismatch` error upon `terraform plan`:

```text
Planning failed. Terraform encountered an error while generating this plan.
│ Error: retrieving queue properties for Storage Account (Subscription: "xyz"
│ Resource Group Name: "myResourceGroupName"
│ Storage Account Name: "myStorageAccount"): queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:xxyyzz\nTime:2024-01-04T06:15:26.3377491Z"
```
I tried adding these role assignments to the Storage Account but the error remained:
- Storage Account Contributor
- Storage Blob Data Contributor
- Storage Queue Data Contributor
So I navigated to a Storage Container in the Storage Account on Azure Portal, and tried making the change via the UI.
After clicking on ‘Switch to Microsoft Entra user account’, an error message appeared:
“You do not have permission to list the data using your user account with Microsoft Entra ID”.
This is strange because I was the Owner of the subscription.
I tried adding a role assignment of Storage Blob Data Owner to my Azure account (ref). Then I was able to toggle between Microsoft Entra ID authentication and Access Key on the Azure portal.
For some reason, `terraform plan`/`apply` (which uses a different service principal) no longer errored out with 403. Even after I removed the Storage Blob Data Owner role assignment from my account and restored all configuration to the original, I am no longer able to recreate the original error.