To disable Shared Key Access (Microsoft Learn) on a Storage Account using Terraform, you also need to enable storage_use_azuread in the azurerm provider, so that Terraform authenticates to the Storage Account's blob and queue data-plane APIs with Entra ID instead of the account key:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#storage_use_azuread
However, when I tried to enable storage_use_azuread, I got a 403 AuthorizationPermissionMismatch error on terraform plan:
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: retrieving queue properties for Storage Account (Subscription: "xyz"
│ Resource Group Name: "myResourceGroupName"
│ Storage Account Name: "myStorageAccount"): queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:xxyyzz\nTime:2024-01-04T06:15:26.3377491Z"
│
I tried adding these role assignments to the Storage Account but the error remained:
- Storage Account Contributor
- Storage Blob Data Contributor
- Storage Queue Data Contributor
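As an added example (this is not code from the original post), here is how the pieces above fit together in one Terraform configuration: the provider flag, a Storage Account with shared key access disabled, and the data-plane role assignments for the identity that runs terraform plan/apply. The provider arguments and role names are the real azurerm ones; the resource names, the location, the use of data.azurerm_client_config to look up the Terraform principal, and the optional portal_user_object_id variable are assumptions made for the example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}

  # Use Entra ID bearer tokens instead of the account key for the blob and
  # queue data-plane calls the provider makes (e.g. queues GetServiceProperties,
  # which is the call that produced the 403 above).
  storage_use_azuread = true
}

# The principal Terraform is authenticated as (assumed: the service principal
# that runs plan/apply). Its object_id is what the data roles are granted to.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "myResourceGroupName" # name from the post
  location = "eastus"              # assumed
}

resource "azurerm_storage_account" "example" {
  name                     = "mystorageaccount" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Reject requests authorized with the account key. From here on the data
  # plane accepts only Entra ID authorization, so the roles below matter.
  shared_access_key_enabled = false
}

# Data-plane roles for the Terraform identity, scoped to the account.
# Control-plane roles (Owner, Contributor, Storage Account Contributor) carry
# no data actions and do not satisfy these calls.
resource "azurerm_role_assignment" "tf_blob" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "tf_queue" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Optional (assumed variable): the Entra user who needs to browse containers
# in the portal with "Switch to Microsoft Entra user account".
variable "portal_user_object_id" {
  type    = string
  default = null
}

resource "azurerm_role_assignment" "portal_user_blob" {
  count                = var.portal_user_object_id == null ? 0 : 1
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = var.portal_user_object_id
}

# A container managed through the data plane with the key disabled. depends_on
# makes Terraform create the role assignments first rather than racing them.
resource "azurerm_storage_container" "example" {
  name                  = "data" # assumed
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"

  depends_on = [
    azurerm_role_assignment.tf_blob,
    azurerm_role_assignment.tf_queue,
  ]
}
```

Two points a practitioner should keep in mind with this setup. Owner and Storage Account Contributor are control-plane (ARM) roles with no data actions, which is why a subscription Owner is still refused when listing blobs with an Entra user account; only the Storage Blob Data and Storage Queue Data roles authorize the data-plane calls the provider makes once the key is disabled, and they must be granted to the principal Terraform actually runs as, not only to the user in the portal. Azure RBAC assignments also take a few minutes to propagate, so a 403 that is still returned immediately after adding a data role is worth re-checking after a short wait before assuming the role is wrong.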
So I navigated to a container in the Storage Account in the Azure Portal and tried switching to Entra ID authentication via the UI.
After clicking on ‘Switch to Microsoft Entra user account’, an error message appeared:
“You do not have permission to list the data using your user account with Microsoft Entra ID”.
This is strange because I was the Owner of the subscription.
I tried adding a role assignment of Storage Blob Data Owner to my Azure account (ref). I was then able to toggle between Microsoft Entra ID authentication and Access Key in the Azure Portal.
For some reason, terraform plan/apply (which uses a different service principal) no longer errored out with 403. Even after I removed the Storage Blob Data Owner role assignment from my account and restored all configurations to the original, I am no longer able to reproduce the original error.