hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Storage Account `shared_access_key_enabled` is dangerous on `StorageV2` #27752

Closed fuzzykiller closed 2 weeks ago

fuzzykiller commented 2 weeks ago

Terraform Version

1.9.8

AzureRM Provider Version

4.6.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "main" {
  location            = var.location
  name                = var.name
  resource_group_name = var.resource_group_name

  account_tier             = "Standard"
  account_replication_type = "LRS"

  shared_access_key_enabled = false
}

Debug Output/Panic Output

╷
│ Error: retrieving queue properties for Storage Account (Subscription: "redacted"
│ Resource Group Name: "redacted"
│ Storage Account Name: "redacted"): queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="KeyBasedAuthenticationNotPermitted" Message="Key based authentication is not permitted on this storage account.\nRequestId:redacted\nTime:2024-10-24T13:30:45.7584080Z"
│ 
│   with module.storage_account.azurerm_storage_account.main,
│   on ../../modules/storage-account/main.tf line 1, in resource "azurerm_storage_account" "main":
│    1: resource "azurerm_storage_account" "main" {
│ 
╵

Expected Behaviour

No errors, because there were no errors applying the plan.

Actual Behaviour

Refreshing the state (as part of apply) fails.

Steps to Reproduce

  1. terraform apply
  2. terraform plan

I am not creating anything else like nested blob containers or even file shares.

Important Factoids

No response

References

No response

magodo commented 2 weeks ago

@fuzzykiller Since you've disabled the shared access key, you'll need to also specify the storage_use_azuread at the provider block.
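
The combination described above, as an added example that is not part of the issue or the provider's own documentation: the provider block opts into Entra ID for storage data-plane calls, the account keeps shared keys disabled, and the identity running Terraform is granted the data-plane roles it needs. The `azurerm_role_assignment` resources and the choice of the two built-in roles are assumptions about what the refresh requires, not something stated in the thread.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.6.0"
    }
  }
}

provider "azurerm" {
  features {}
  # Without this the provider reads blob/queue/share service properties with
  # the account keys, which an account with shared_access_key_enabled = false
  # rejects with 403 KeyBasedAuthenticationNotPermitted during refresh.
  storage_use_azuread = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_storage_account" "main" {
  name                     = var.name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Account-key and SAS authentication are off; all data-plane access goes
  # through Entra ID RBAC.
  shared_access_key_enabled = false
}

# The principal running terraform needs data-plane RBAC on the account for the
# provider to read service properties over Entra ID. Assumption: these two
# built-in roles cover the blob and queue reads performed on refresh.
resource "azurerm_role_assignment" "tf_queue" {
  scope                = azurerm_storage_account.main.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "tf_blob" {
  scope                = azurerm_storage_account.main.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Role assignments can take a few minutes to propagate, so the first refresh immediately after creation may still return 403 until they are effective.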

fuzzykiller commented 2 weeks ago

I only had it on the backend, so this was indeed missing. I can no longer test it though. Thanks and sorry for wasting everyone’s time.


Still, couldn’t the request be automatically retried with Entra ID Auth?