Is there an existing issue for this?
Infrastructure as Code Type? (Required)
terraform
Module Versions (Required)
ALZ PowerShell Module: x.x.x
Accelerator Bootstrap Modules: x.x.x
Terraform Starter Modules: x.x.x
Bicep Starter Modules: x.x.x
Input arguments of the ALZ-PowerShell-Module (Optional)
No response
Debug Output/Panic Output (Optional)
No response
Expected Behaviour (Required)
For the Local Option with TF, storing state in Azure, running an Apply results in the following error:
Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:daf66ed3-001e-0041-4143-13c92c000000\nTime:2024-09-30T14:14:45.9666737Z"
Actual Behaviour (Required)
Default storage account behavior does not allow key/SAS-only auth, and rather requires Entra auth (service principal/managed identity). I see managed identities for "plan" and "apply" are created, but I would expect that the "apply" managed identity is then used to authenticate against the storage account.
Steps to Reproduce (Optional)
No response
Important Factoids (Optional)
No response
References (Optional)
No response
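As an added illustration of the "Actual Behaviour" section above (this is example configuration, not the accelerator's own code): a 403 AuthorizationPermissionMismatch on ListBlobs means the caller's token was accepted but the identity holds no data-plane role on the state container, so the fix is to have the backend use Entra auth and to grant the "apply" identity a blob data role on the storage account. All resource names are placeholders.

```hcl
# Added example, not part of the accelerator. Names are placeholders for an
# existing resource group, storage account and the "apply" managed identity.

terraform {
  backend "azurerm" {
    resource_group_name  = "rg-alz-state-placeholder"
    storage_account_name = "stalzstateplaceholder"
    container_name       = "tfstate"
    key                  = "alz.tfstate"
    # Authenticate to the blob data plane with an Entra ID token instead of
    # the account key or a SAS (required when shared-key access is disabled).
    use_azuread_auth     = true
    # When running under the "apply" managed identity (not a local az login),
    # also set use_msi = true and client_id to that identity's client ID.
  }
}

data "azurerm_storage_account" "state" {
  name                = "stalzstateplaceholder"
  resource_group_name = "rg-alz-state-placeholder"
}

data "azurerm_user_assigned_identity" "apply" {
  name                = "id-alz-apply-placeholder"
  resource_group_name = "rg-alz-state-placeholder"
}

# Data-plane RBAC for the "apply" identity. Control-plane roles such as
# Contributor do not cover blob operations; without a blob data role every
# blob call, including ListBlobs on the state container, returns 403
# AuthorizationPermissionMismatch. Scope to the storage account (or narrower,
# the container) rather than the subscription, following least privilege.
resource "azurerm_role_assignment" "apply_state_blob" {
  scope                = data.azurerm_storage_account.state.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_user_assigned_identity.apply.principal_id
}
```

Role assignments propagate with a short delay, so a plan or apply run immediately after creating the assignment can still return 403 until the token is refreshed.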