Introduction
This article provides step-by-step guidance for troubleshooting Terraform run failures related to the following error message:
Error: unexpected status 403 (403 Key based authentication is not permitted on this storage account)
This issue typically occurs when the "Allow storage account key access" option is disabled on the target Azure Storage Account. When this setting is turned off, pipelines or Terraform runs that rely on shared key authentication will fail with this error on all subsequent runs.
Cause
As outlined in the official documentation for the azurerm_storage_account resource:
Terraform, by default, uses Shared Key authentication to manage Azure Storage resources (such as containers, blobs, and tables). When Shared Key access is disabled on the storage account, Terraform must use Azure Active Directory (Azure AD) authentication instead.
However, it's important to note that not all Azure Storage services currently support Azure AD authentication.
Additionally, ensure that the user or service principal executing Terraform has the appropriate Storage roles, which are typically included with Contributor or Owner role assignments.
Solutions:
- To address the 403 KeyBasedAuthenticationNotPermitted error you're encountering, set the storage_use_azuread parameter to true in your azurerm provider configuration:

```hcl
provider "azurerm" {
  subscription_id     = "xxxxxxxxxxxx"
  storage_use_azuread = true
  features {}
}

resource "azurerm_storage_account" "strgacc" {
  name                            = "samplestorageac"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false
  shared_access_key_enabled       = true
  account_kind                    = "StorageV2"
  is_hns_enabled                  = true
  access_tier                     = "Cool"

  lifecycle {
    ignore_changes = [shared_access_key_enabled]
  }
}
```
Note: The lifecycle block with ignore_changes prevents Terraform from reverting the shared_access_key_enabled setting after it has been disabled on the storage account outside of Terraform (for example, by policy or in the Azure portal).
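The following preflight check is an added example and not part of the original article or of the azurerm provider. It compares the storage account's allowSharedKeyAccess property (the JSON field that `az storage account show -o json` returns for the "Allow storage account key access" setting) with the provider block in a Terraform file, and reports whether a run would fall back to shared-key authentication and hit the 403 above. The account JSON and the two provider blocks are constructed samples; the function names are the example's own. It treats a null allowSharedKeyAccess as "allowed", which is the ARM default, and only inspects the .tf text, so a value supplied through the ARM_STORAGE_USE_AZUREAD environment variable is not seen by this check.

```python
"""Preflight check for the KeyBasedAuthenticationNotPermitted failure mode.

Added example: not from the original article or the azurerm provider.
Inputs are the storage account JSON (as printed by `az storage account show -o json`)
and the text of the Terraform file holding the azurerm provider block.
"""
import json
import re

# Constructed sample of the relevant fields from `az storage account show`.
# allowSharedKeyAccess false == "Allow storage account key access" disabled.
ACCOUNT_JSON = json.dumps({
    "name": "samplestorageac",
    "kind": "StorageV2",
    "allowSharedKeyAccess": False,
})

# Constructed provider block that still relies on shared-key auth.
PROVIDER_TF_BROKEN = '''
provider "azurerm" {
  subscription_id = "00000000-0000-0000-0000-000000000000"
  features {}
}
'''

# Constructed provider block with the fix applied.
PROVIDER_TF_FIXED = '''
provider "azurerm" {
  subscription_id     = "00000000-0000-0000-0000-000000000000"
  storage_use_azuread = true
  features {}
}
'''


def shared_key_allowed(account_json: str) -> bool:
    """True if the account still accepts shared-key (account key / SAS) auth.

    The ARM property is tri-state: true, false, or null (absent), and null
    means the default, which is "allowed".
    """
    value = json.loads(account_json).get("allowSharedKeyAccess")
    return value is None or bool(value)


# Matches an uncommented `storage_use_azuread = true` line; a line starting
# with `#` or `//` does not match because of the anchored leading whitespace.
_AZUREAD_RE = re.compile(r"^\s*storage_use_azuread\s*=\s*true\s*$", re.MULTILINE)


def provider_uses_azuread(provider_tf: str) -> bool:
    """True if the azurerm provider block sets storage_use_azuread = true."""
    return _AZUREAD_RE.search(provider_tf) is not None


def diagnose(account_json: str, provider_tf: str) -> str:
    """Return a one-line verdict starting with 'ok' or 'fail'."""
    if shared_key_allowed(account_json):
        return "ok: shared-key auth is still permitted on the storage account"
    if provider_uses_azuread(provider_tf):
        return "ok: provider uses Azure AD for storage data-plane calls"
    return (
        "fail: allowSharedKeyAccess is false but the provider does not set "
        "storage_use_azuread = true; expect 403 KeyBasedAuthenticationNotPermitted"
    )


if __name__ == "__main__":
    # In practice: account_json = subprocess.run(["az", "storage", "account",
    # "show", "-n", NAME, "-g", RG, "-o", "json"], ...).stdout
    print(diagnose(ACCOUNT_JSON, PROVIDER_TF_BROKEN))
    print(diagnose(ACCOUNT_JSON, PROVIDER_TF_FIXED))
```

Run it before `terraform plan` in a pipeline that manages storage accounts whose key access may be disabled by policy: a "fail" verdict means the run will reach the data-plane with shared-key credentials that the account rejects, so the provider setting needs to change rather than the storage account.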
Additional Information
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
- If you're still experiencing issues, please contact HCP Terraform Support by submitting a ticket through our support portal