Azure Storage Account: Disable Shared Key Access

One9twO
Jan 5, 2024


To disable Shared Key Access (Microsoft Learn) using Terraform, you also need to enable the provider setting storage_use_azuread, so that Terraform keeps talking to the Storage Account data-plane APIs (Blob and Queue) with Microsoft Entra ID credentials instead of the account key:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#storage_use_azuread

However, when I tried to enable storage_use_azuread, I got a 403 AuthorizationPermissionMismatch error upon terraform plan:

Planning failed. Terraform encountered an error while generating this plan.


│ Error: retrieving queue properties for Storage Account (Subscription: "xyz"
│ Resource Group Name: "myResourceGroupName"
│ Storage Account Name: "myStorageAccount"): queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:xxyyzz\nTime:2024-01-04T06:15:26.3377491Z"

I tried adding these role assignments to the Storage Account but the error remained:

  • Storage Account Contributor
  • Storage Blob Data Contributor
  • Storage Queue Data Contributor
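As an added example (not code from the post or its author), the following Terraform configuration puts together the two settings discussed above: the provider flag storage_use_azuread and shared_access_key_enabled = false on the storage account, plus data-plane role assignments for the identity running Terraform. The resource group name comes from the error message in the post; the storage account name, provider version and role choices are assumptions.

```hcl
# Added example, not the post's own code. Names below are placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed; any release with storage_use_azuread works
    }
  }
}

provider "azurerm" {
  features {}
  # Make Terraform call the Blob and Queue data-plane APIs with Entra ID
  # credentials instead of the storage account's shared keys.
  storage_use_azuread = true
}

# The identity Terraform is running as (user or service principal).
data "azurerm_client_config" "current" {}

# Assumed to exist already; name taken from the error message in the post.
data "azurerm_resource_group" "rg" {
  name = "myResourceGroupName"
}

resource "azurerm_storage_account" "example" {
  name                     = "mystorageaccount" # placeholder; must be globally unique, lowercase
  resource_group_name      = data.azurerm_resource_group.rg.name
  location                 = data.azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The setting this post is about: reject requests authorised with the
  # account key or a key-derived SAS, leaving Entra ID as the only path.
  shared_access_key_enabled = false
}

# Data-plane roles for the Terraform identity. Control-plane roles such as
# Owner or Contributor do not include data actions, which matches the
# "no permission to list the data" message the post reports in the portal.
resource "azurerm_role_assignment" "tf_blob" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Terraform reads queue service properties during plan, so the identity
# also needs a queue data role.
resource "azurerm_role_assignment" "tf_queue" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Two practical notes: role assignments can take a few minutes to propagate, so a plan or apply run immediately after granting them may still return 403 and simply needs to be retried; and on an existing account it is safer to apply the role assignments first and flip shared_access_key_enabled to false in a second run, so Terraform never loses its only working authentication path mid-apply.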

So I navigated to a Storage Container in the Storage Account on Azure Portal, and tried making the change via the UI.

After clicking on ‘Switch to Microsoft Entra user account’, an error message appeared:

“You do not have permission to list the data using your user account with Microsoft Entra ID”.

This is strange because I was the Owner of the subscription.

I tried adding a role assignment of Storage Blob Data Owner to my Azure account (ref). Then I was able to toggle between Microsoft Entra ID authentication and Access Key on the Azure portal.

For some reason, terraform plan/apply (which uses a different service principal) no longer errored out with 403. Even after I removed the Storage Blob Data Owner role assignment from my account and restored all configurations to the original, I am no longer able to recreate the original error.
