pieter-jan goeman

Reputation: 152

GitHub Actions not using the right SPN from Azure to execute Terraform

I'm using GitHub Actions to deploy Terraform code into Azure. I made a dev environment and deployments worked perfectly. But now I'm going to prd: new subscription, new storage account where the state will be written to, new SPN. The SPN has the same rights on the storage account and on the subscription as the dev one has on its subscription. I've written the right details in the backend block, referring to the new storage account, I've created new GitHub Actions secrets, referring to the new SPN, and I've used these secrets in my .yml workflow file. But I'm still getting this error:

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "xxx": storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/xxx/resourceGroups/rg-terraform-state-weu/providers/Microsoft.Storage/storageAccounts/xxxx ' or the scope is invalid. If access was recently granted, please refresh your credentials." 

I find it strange that the 'client' or 'object ID' they are talking about is not the application ID I've entered in the secret. Shouldn't this be the case? Or what else could be wrong?

Upvotes: 1

Views: 176

Answers (1)

Fredrik W

Reputation: 26

Not much to go on here.

I've had some issues with this before, and mostly it's just a little mistake of putting the secret in the wrong place, or naming the secret wrong. Do you have, i.e., repo/org secrets that have that Application ID in their secret?

Upvotes: 0
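An added example (not code from either poster) that addresses both the question's setup and the answer's suspicion about secret placement. It scopes the prd credentials to a GitHub environment, so environment secrets take precedence over any repository or organization secret of the same name, and prints the identity and role assignments before `terraform init` so the object id in the 403 can be compared with the SPN the workflow is really using. The environment name `prd`, the `ARM_*` secret names and the job layout are assumptions; the resource group name is the one from the error message.

```yaml
name: terraform-prd

on:
  workflow_dispatch:

jobs:
  plan:
    runs-on: ubuntu-latest
    # Environment-scoped secrets win over repository and organization secrets
    # with the same name, so a leftover dev SPN in a repo/org secret cannot
    # silently shadow the prd one.
    environment: prd
    env:
      # The azurerm backend reads these ARM_* variables for authentication.
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v4

      - name: Show which identity the backend will actually use
        run: |
          az login --service-principal \
            -u "$ARM_CLIENT_ID" -p "$ARM_CLIENT_SECRET" -t "$ARM_TENANT_ID" >/dev/null
          # 'id' is the service principal object id (older az versions call it
          # objectId). It must equal the object id quoted in the 403 message;
          # if it does not, the job is reading a different secret than intended.
          az ad sp show --id "$ARM_CLIENT_ID" \
            --query "{appId:appId, objectId:id}" -o table
          # Confirm the SPN really holds a role on the state resource group
          # in the prd subscription (listKeys needs e.g. Contributor or
          # Storage Account Key Operator Service Role here).
          az role assignment list --assignee "$ARM_CLIENT_ID" \
            --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/rg-terraform-state-weu" \
            -o table

      - uses: hashicorp/setup-terraform@v3

      - run: terraform init -input=false
      - run: terraform plan -input=false
```

If the printed object id differs from the one in the error, the secret being resolved is not the prd SPN; if it matches but the role assignment list is empty for that scope, the assignment was made on the wrong subscription or resource group.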
