microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Error: This request is not authorized to perform this operation - TerraformTaskV4@4 - init #231

Open rjosephp opened 3 months ago

rjosephp commented 3 months ago

Discussed in https://github.com/microsoft/azure-pipelines-terraform/discussions/230

Originally posted by **rjosephp** August 2, 2024

I am using Azure Pipelines, and the Terraform tasks published by Dev Test Labs. I am trying to connect to my Storage Account to be used as my remote backend. I am using Workload Identity Federation (Service Principal). The App registration is successfully completed, Federated Credentials are saved, and the Azure DevOps Service Connection is verified and saved. The SPN also has "**Contributor**" assigned at subscription scope where the Storage Account is, and is also given "**Storage Blob Data Contributor**" on the Storage Account. However, I keep getting the error with Status=403 Code="AuthorizationFailure".

```text
2024-08-02T23:34:12.8694487Z [command]C:\hostedtoolcache\windows\terraform\1.8.5\x64\terraform.exe init -backend-config=storage_account_name=lb0eusxxxxxxxxx001 -backend-config=container_name=tfstate -backend-config=key=dev.terraform.tfstate -backend-config=resource_group_name=RG-SBX-PTFM -backend-config=subscription_id=38xxxxxxxxxxxxxxxxxde -backend-config=tenant_id=63xxxxxxxxxxxxxxx0e -backend-config=use_azuread_auth=true -backend-config=client_id=*** -backend-config=oidc_token=*** -backend-config=use_oidc=true
2024-08-02T23:34:12.9731436Z
2024-08-02T23:34:12.9733716Z Initializing the backend...
2024-08-02T23:34:13.6681681Z Initializing modules...
2024-08-02T23:34:13.6695582Z - rg_hub_network in modules\resource_group
2024-08-02T23:34:13.6712198Z ╷
2024-08-02T23:34:13.6713341Z │ Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:e65f2375-b01e-007a-3434-e5377d000000\nTime:2024-08-02T23:34:13.6516516Z"
```

The below is my pipeline code:

```yaml
- task: TerraformTaskV4@4
  inputs:
    provider: 'azurerm'
    command: 'init'
    backendServiceArm: 'CON-SUB-DEV-TECH-SBOX'
    backendAzureRmResourceGroupName: 'RG-SBX-PTFM'
    backendAzureRmStorageAccountName: 'lb0xxxxxxxxxxxxxx001'
    backendAzureRmContainerName: 'tfstate'
    backendAzureRmKey: 'dev.terraform.tfstate'
```

I also tried `backendAzureRmUseEntraIdForAuthentication: true`. But, same error. Any insights would be helpful!

vanmash commented 3 months ago

You might want to try adding backendAzureRmUseEnvironmentVariablesForAuthentication: true

brk3 commented 3 months ago

Check that your storage account has public access enabled?

mmohamednazeer commented 1 month ago

We are also facing the same issue while accessing the azure databricks workspace, the databricks workspace has also disabled public network access. But we have private endpoints to connect the azure databricks workspace.

Terraform version: 2.203.0

chwilliamson commented 4 weeks ago

> You might want to try adding backendAzureRmUseEnvironmentVariablesForAuthentication: true

`backendAzureRmUseEnvironmentVariablesForAuthentication: true` is correct and works, supplying the command line option `-backend-config=use_azuread_auth=true`.

When using a pipeline variable ensure it's a string type, not boolean.

```yaml
parameters:
- name: backendAzureRmUseEntraIdForAuthentication
  type: string
  default: false

steps:
- task: TerraformTaskV4@4
  displayName: Terraform Init
  inputs:
    provider: azurerm
    command: init
    # other parameters
    backendAzureRmUseEntraIdForAuthentication: ${{ parameters.backendAzureRmUseEntraIdForAuthentication }}
```
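Added here as an example (not code from the project or from any comment above): a small diagnostic for the 403 in this thread. Azure Storage answers with Code=AuthorizationFailure when its network rules block the request (the case brk3 asks about) and with AuthorizationPermissionMismatch when the caller reached the account but lacks a data-plane role; the script reads the code out of the Terraform output and, when the az CLI is available, lists the account's public network access setting and the SPN's Storage Blob Data roles. Function names are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the azure-pipelines-terraform project): reads the
# storage error code out of the Terraform output and, when az CLI is available,
# checks the settings discussed in this thread. Helper names are assumptions.

# Map the Code= value of a 403 from Azure Storage to its usual cause.
explain_storage_403() {
  case "$1" in
    AuthorizationFailure)
      echo "blocked by storage network rules (public network access disabled or firewall); denied before RBAC is evaluated" ;;
    AuthorizationPermissionMismatch)
      echo "identity reached the account but lacks a data-plane role such as Storage Blob Data Contributor" ;;
    AuthenticationFailed|InvalidAuthenticationInfo)
      echo "token rejected: check use_azuread_auth / workload identity federation setup" ;;
    *)
      echo "unrecognised code: $1" ;;
  esac
}

# Pull the Code="..." value out of an autorest error line read from stdin.
extract_storage_code() {
  sed -n 's/.*Code="\([A-Za-z]*\)".*/\1/p'
}

# Live checks (needs a logged-in az CLI). Args: storage account, resource group, SPN client id.
check_backend_access() {
  acct=$1; rg=$2; client_id=$3
  echo "publicNetworkAccess and firewall default action:"
  az storage account show -n "$acct" -g "$rg" \
    --query '{pna:publicNetworkAccess, defaultAction:networkRuleSet.defaultAction}' -o tsv
  scope=$(az storage account show -n "$acct" -g "$rg" --query id -o tsv)
  echo "Storage Blob Data roles for $client_id on the account (including inherited):"
  az role assignment list --scope "$scope" --assignee "$client_id" --include-inherited \
    --query "[?contains(roleDefinitionName, 'Storage Blob Data')].roleDefinitionName" -o tsv
}

# Constructed sample line, shaped like the error in the report above.
sample='Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation."'
code=$(printf '%s\n' "$sample" | extract_storage_code)
echo "$code: $(explain_storage_403 "$code")"

if [ "$#" -eq 3 ]; then
  check_backend_access "$@"
fi
```

Run it with no arguments to classify the sample line, or with `<account> <resource-group> <client-id>` to query the real account.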