Reputation: 21
Facing "Unauthorized error (403)" while creating container in storage account that is behind firewall.
As per the solution described here, I confirm that the Terraform Cloud public IP is getting whitelisted under Networking --> Firewall of the storage account. The service principal of Terraform Cloud has Contributor as well as Storage Blob Data Owner permissions under Access Control (IAM). However, I am still facing the "Unauthorized error (403)" during the creation of the container. Am I missing something from a configuration perspective?
ERROR message: containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.
Any help would be appreciated.
Upvotes: 2
Views: 2191
Reputation: 753
I tried to reproduce the same issue in my environment and got the below results.
I have the below script to create the storage account and the storage container.
I have taken the example script from this URL.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources_new"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "virtnetname123"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "subnetname123"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["XXXXX"]
  service_endpoints    = ["Microsoft.Sql", "Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname123aks"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Firewall: deny everything except the listed public IPs and the subnet
  # that has the Microsoft.Storage service endpoint enabled.
  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["XXXX"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
  }

  tags = {
    environment = "staging"
  }
}

resource "azurerm_storage_container" "example" {
  name                  = "vhds123"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}
When I ran the script I got the same error, as shown below.
To resolve this error I modified the settings in the Azure portal like below:
Go to Portal => storage account => Networking => add the client IP address under the firewall; check the steps added on the screenshot below and save the modifications.
I have the Contributor role and Data Owner permissions under the access control.
I ran the Terraform script again and now I am able to see the expected output.
terraform plan
terraform apply
Upvotes: 1