jonnyry closed this 7 months ago
This is not an issue with TRE - it's a function of the way Azure handles access to storage accounts.
If you initially deploy the TRE using GitHub Actions (using a Service Principal), the TRE deployment will add the "Storage Blob Data Contributor" role to the Service Principal account, to allow the Service Principal to upload data to that account.
If you then attempt to run make letsencrypt at the command line (under your own Azure user account), it will fail with the error message above (correctly), as your user account does have access. This occurs even if you have a Subscription level "Owner" or "Contributor" role, as these do not have the specific permissions required to read/write/delete from storage accounts:
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
So not a bug.
Resolution: Add the "Storage Blob Data Contributor" Azure role to your user account.
Logged in upstream repo: https://github.com/microsoft/AzureTRE/issues/3785
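The check-then-assign step the resolution above describes, written out as an added example (this is not AzureTRE project code or a script from the issue). It uses the real Azure CLI commands `az role assignment list` and `az role assignment create`; the environment variables `USER_UPN` and `STORAGE_ACCOUNT_ID`, and the sample JSON, are assumed placeholders constructed for illustration. The role is assigned at storage-account scope rather than subscription scope, which is the narrowest grant that satisfies the three data-plane actions listed in the comment.

```shell
#!/usr/bin/env bash
# Added example, not AzureTRE project code.
# Ensures a user holds "Storage Blob Data Contributor" on one storage account.
set -eu

ROLE="Storage Blob Data Contributor"

# Pure text check over the JSON that `az role assignment list -o json` prints:
# returns 0 when an assignment of $ROLE is present, 1 otherwise.
# Kept free of `az` calls so it can be exercised offline.
has_role_assignment() {
  assignments_json="$1"
  printf '%s\n' "$assignments_json" \
    | grep -q "\"roleDefinitionName\": \"$ROLE\""
}

# Constructed sample: a user who only holds Contributor at subscription scope,
# i.e. the situation described in the issue (deploy works via the SP, `make
# letsencrypt` under the user account does not).
SAMPLE_WITHOUT='[
  {
    "principalName": "user@example.com",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  }
]'

# Constructed sample: same user after the data-plane role was added at
# storage-account scope (placeholder resource id).
SAMPLE_WITH='[
  {
    "principalName": "user@example.com",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  {
    "principalName": "user@example.com",
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.Storage/storageAccounts/stplaceholder"
  }
]'

# Query the live assignments (including ones inherited from parent scopes)
# and add the role at storage-account scope only if it is missing.
ensure_role() {
  assignee="$1"   # user principal name or object id
  scope="$2"      # full resource id of the storage account
  current=$(az role assignment list \
              --assignee "$assignee" \
              --scope "$scope" \
              --include-inherited \
              -o json)
  if has_role_assignment "$current"; then
    echo "$assignee already holds '$ROLE' at $scope"
  else
    az role assignment create \
      --assignee "$assignee" \
      --role "$ROLE" \
      --scope "$scope"
  fi
}

# Only touch Azure when the caller supplies both placeholders, e.g.
#   USER_UPN=user@example.com STORAGE_ACCOUNT_ID=/subscriptions/.../stxyz ./ensure_role.sh
if [ -n "${USER_UPN:-}" ] && [ -n "${STORAGE_ACCOUNT_ID:-}" ]; then
  ensure_role "$USER_UPN" "$STORAGE_ACCOUNT_ID"
fi
```

Role assignments can take a few minutes to propagate, so a `make letsencrypt` run immediately after `az role assignment create` may still hit the same authorization error once before succeeding.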