[NoBrainer] Solve AuthorizationPermissionMismatch error on terraform init

If you use the Infrastructure as Code (IaC) tool terraform with a backend of type azurerm that stores terraform state as a blob with the specified key in a blob container in an Azure Blob Storage Account, you may face the following error during terraform init.

│Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:00000000-0000-0000-0000-000000000000\nTime:2024-02-07T13:40:00.0000000Z"

This error means that the user or service principal executing the terraform init command does not have the necessary permissions to list blobs. Since terraform will also need write permissions to update the state blob, one of the following roles needs to be assigned to the executor (user or service principal).

  • Storage Blob Data Contributor role on storage account level or resource group level (the second option is only recommended if you have a dedicated resource group for the IaC storage account)
  • Storage Blob Data Owner role on storage account level or resource group level (the second option is only recommended if you have a dedicated resource group for the IaC storage account)
    NOTE: if possible, go for the least-privilege solution mentioned right above (Storage Blob Data Contributor)

After the role assignment has been completed, run the following commands from wherever you usually execute terraform (e.g. PowerShell).

az logout
az login -t [tenant id]

The az logout command is crucial to force Az CLI to refresh the token on the subsequent login.
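The following script is an added example and not part of the original post: it checks whether the executing principal already holds Storage Blob Data Contributor or Storage Blob Data Owner at the storage account scope (or an ancestor scope), assigns Storage Blob Data Contributor at storage account level if not, and then performs the logout/login described above. It assumes the Azure CLI (`az`) is installed, that the caller is allowed to create role assignments on that scope, and that the tenant, subscription and principal IDs below are replaced with real values (the ones shown are constructed placeholders). The `has_blob_data_role` helper parses the `roleDefinitionName<TAB>scope` lines that `az role assignment list --query "[].[roleDefinitionName,scope]" -o tsv` emits; that output shape is the only format it understands.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumes the Azure CLI (`az`) is
# installed and the caller can create role assignments on the storage account
# (for instance via Owner or User Access Administrator on that scope).
# All IDs below are constructed placeholders.
set -eu

# Build the ARM resource ID of the storage account. This is the scope of the
# storage-account-level role assignment, the least-privilege option in the post.
storage_account_scope() {
  # $1 subscription id, $2 resource group, $3 storage account name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Read "roleDefinitionName<TAB>scope" lines on stdin (the shape produced by
# `az role assignment list --query "[].[roleDefinitionName,scope]" -o tsv`)
# and return 0 if the principal holds Storage Blob Data Contributor or Owner at
# the given scope or at an ancestor scope (resource group or subscription),
# since Azure RBAC assignments are inherited down the hierarchy.
has_blob_data_role() {
  awk -F'\t' -v want="$1" '
    ($1 == "Storage Blob Data Contributor" || $1 == "Storage Blob Data Owner") &&
    index(want, $2) == 1 &&
    (length($2) == length(want) || substr(want, length($2) + 1, 1) == "/") { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Does the principal already have the rights terraform init needs on the scope?
check_blob_data_role() {
  # $1 principal object id, $2 scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
      --query "[].[roleDefinitionName,scope]" -o tsv \
    | has_blob_data_role "$2"
}

# Assign Storage Blob Data Contributor at storage account scope.
assign_blob_data_contributor() {
  # $1 principal object id, $2 principal type (User or ServicePrincipal), $3 scope
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type "$2" \
    --role "Storage Blob Data Contributor" \
    --scope "$3"
}

# End-to-end run: check, assign if missing, then force a fresh token as the
# post describes. Only runs when RUN_AZ=1 so the helpers can be sourced or
# tested without touching Azure.
main() {
  tenant_id="00000000-0000-0000-0000-000000000000"        # placeholder
  subscription_id="00000000-0000-0000-0000-000000000000"  # placeholder
  principal_id="00000000-0000-0000-0000-000000000000"     # placeholder object id
  scope=$(storage_account_scope "$subscription_id" "rg-iac" "stiacstate")

  if check_blob_data_role "$principal_id" "$scope"; then
    echo "principal already has a blob data role on $scope"
  else
    assign_blob_data_contributor "$principal_id" "ServicePrincipal" "$scope"
  fi

  # A cached token does not reflect the new assignment; log out and back in.
  az logout
  az login -t "$tenant_id"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_AZ=1 sh assign-state-role.sh` after replacing the placeholders; pass `User` instead of `ServicePrincipal` when the executor is a user account. The check deliberately accepts assignments at the resource group or subscription level as well, because an inherited Storage Blob Data Owner already satisfies the post's second option and a duplicate assignment at storage account level would add nothing.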
