Problem
When running Terraform with the Azure provider, a plan or apply fails with the following error message:
Error: unexpected status 403 (403 Key based authentication is not permitted on this storage account)
Cause
This error occurs when the "Allow storage account key access" option is disabled on the target Azure Storage Account.
By default, the azurerm provider uses Shared Key authentication to manage Azure Storage resources. When this access method is disabled on the storage account, Terraform must use Azure Active Directory (Azure AD) authentication instead.
Note that not all Azure Storage services currently support Azure AD authentication. You must also ensure that the user or service principal executing Terraform has the appropriate Storage roles, which are typically included with Contributor or Owner role assignments.
Solutions
Solution 1: Enable Azure AD Authentication in the Provider Configuration
To resolve the 403 KeyBasedAuthenticationNotPermitted error, you must set the storage_use_azuread parameter to true in your azurerm provider configuration.
Update your provider block as shown in the following example (the storage account resource is included to show the matching lifecycle setting):
    provider "azurerm" {
      subscription_id     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      storage_use_azuread = true
      features {}
    }

    resource "azurerm_storage_account" "strgacc" {
      name                            = "samplestorageac"
      resource_group_name             = azurerm_resource_group.example.name
      location                        = azurerm_resource_group.example.location
      account_tier                    = "Standard"
      account_replication_type        = "LRS"
      public_network_access_enabled   = false
      allow_nested_items_to_be_public = false
      shared_access_key_enabled       = true
      account_kind                    = "StorageV2"
      is_hns_enabled                  = true
      access_tier                     = "Cool"

      lifecycle {
        ignore_changes = [shared_access_key_enabled]
      }
    }

The lifecycle block with ignore_changes prevents Terraform from reverting the shared_access_key_enabled setting when it is disabled on the storage account.
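The following configuration is an added example, not code from the article or from the azurerm provider documentation. It shows the alternative to the ignore_changes approach: declaring shared_access_key_enabled = false directly, so Terraform itself keeps key-based access disabled and no drift has to be ignored, and granting the identity running Terraform a Storage data role on the account for any containers or blobs it manages. The subscription ID, resource group name, location, and provider version constraint are placeholders chosen for this example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed version constraint for this example
    }
  }
}

provider "azurerm" {
  subscription_id     = "00000000-0000-0000-0000-000000000000" # placeholder
  # Data-plane calls use Azure AD tokens instead of the account keys, which is
  # what a storage account with key-based access disabled requires.
  storage_use_azuread = true
  features {}
}

# The identity Terraform runs as; used below to grant it a data-plane role.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example" # constructed name
  location = "westeurope"         # constructed location
}

resource "azurerm_storage_account" "strgacc" {
  name                            = "samplestorageac"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  account_kind                    = "StorageV2"
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false
  is_hns_enabled                  = true
  access_tier                     = "Cool"

  # Declare the hardened state explicitly. If someone re-enables key access in
  # the portal, the next plan shows the change and apply disables it again.
  shared_access_key_enabled = false
}

# Contributor/Owner cover the account's own properties, but creating or
# reading containers and blobs through Azure AD additionally needs a Storage
# data role on the account.
resource "azurerm_role_assignment" "tf_blob_data" {
  scope                = azurerm_storage_account.strgacc.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Before switching an existing account, confirm its current setting with the Azure CLI, for example `az storage account show --name samplestorageac --resource-group rg-storage-example --query allowSharedKeyAccess --output tsv`; a value of false means every Terraform data-plane call must succeed with Azure AD. As the Cause section notes, not every storage service supports Azure AD authentication, so keep shared_access_key_enabled = true with the ignore_changes approach from the article for any account whose Terraform-managed sub-resources still require keys.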
Additional Information
- For more details on this resource, refer to the azurerm_storage_account resource documentation.