nwsde / nwsde-azuretre

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

`make letsencrypt` auth error accessing storage account #3

Closed jonnyry closed 7 months ago

jonnyry commented 7 months ago

Logged in upstream repo: https://github.com/microsoft/AzureTRE/issues/3785

jonnyry commented 7 months ago

This is not an issue with TRE - it's a function of the way Azure handles access to storage accounts.

If you initially deploy the TRE using GitHub Actions (using a Service Principal), the TRE deployment will add the "Storage Blob Data Contributor" role to the Service Principal account, to allow the Service Principal to upload data to that account.

If you then attempt to run `make letsencrypt` at the command line (under your own Azure user account), it will fail with the error message above (correctly), as your user account does not have access. This occurs even if you have a Subscription-level "Owner" or "Contributor" role, as these do not have the specific permissions required to read/write/delete from storage accounts:

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

So not a bug.

Resolution: Add the "Storage Blob Data Contributor" Azure role to your user account.
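The control-plane versus data-plane distinction the comment describes, as an added example (not AzureTRE's own code): the role definitions below are constructed, simplified excerpts of Azure's built-in roles, the required-action list is the one quoted above, and the helper names are assumptions.

```python
# Added example, not AzureTRE code: why a user holding Owner/Contributor fails
# `make letsencrypt` while "Storage Blob Data Contributor" succeeds. Azure RBAC
# keeps control-plane rights in `actions` and blob data-plane rights in
# `dataActions`; '*' in `actions` never reaches the data plane. The role
# definitions are constructed, simplified excerpts of the built-in roles.
from fnmatch import fnmatchcase

BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": [],
              "dataActions": [], "notDataActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"],
                    "dataActions": [], "notDataActions": []},
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"],
        "notActions": [],
        "dataActions": [BLOBS + "/delete", BLOBS + "/read", BLOBS + "/write",
                        BLOBS + "/move/action", BLOBS + "/add/action"],
        "notDataActions": []},
}
# The three data actions the issue names as required for the certificate upload.
REQUIRED_DATA_ACTIONS = [BLOBS + "/delete", BLOBS + "/read", BLOBS + "/write"]


def _matches(operation, patterns):
    # Azure permission strings are case-insensitive; '*' spans '/' segments,
    # which fnmatch's '*' also does.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_grants(role, operation, plane="data"):
    """True if `role` allows `operation` on the "control" or "data" plane."""
    d = ROLE_DEFINITIONS[role]
    allow, deny = (("actions", "notActions") if plane == "control"
                   else ("dataActions", "notDataActions"))
    return _matches(operation, d[allow]) and not _matches(operation, d[deny])


def missing_data_actions(assigned_roles):
    """Required blob data actions that none of the assigned roles grants."""
    return [a for a in REQUIRED_DATA_ACTIONS
            if not any(role_grants(r, a) for r in assigned_roles)]


def can_run_letsencrypt(assigned_roles):
    # Subscription-level Owner alone -> False; add the blob role -> True.
    return not missing_data_actions(assigned_roles)
```

The same check against real assignments would read the principal's role definitions from `az role definition list` and the assignments from `az role assignment list`, comparing `dataActions` rather than `actions`.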