 

Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation"

I am trying to run a terraform deployment that deploys a storage container. The initial deployment works (due to no IP filtering yet being in place), but subsequent ones fail. When running terraform plan I am getting the following:

Error: retrieving Container "xxxx" (Account "xxxx" / Resource Group "xxx"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:62a85c92-901e-0021-12de-816608000000\nTime:2022-06-17T00:11:56.2063816Z"

From some research and debugging this happens when the storage container does not have the IP of the hosted pipeline agent whitelisted.

I have modified my pipeline so that the IP of the agent is retrieved and added as a firewall rule. I have then added sleeps of various times (up to 5 minutes) to try and give time for the rule to take effect, but it never works.

Here is a snippet of my pipeline:

          - task: AzureCLI@2
            inputs:
              azureSubscription: '$(azureSubscription)'
              scriptType: 'bash'
              scriptLocation: 'inlineScript'
              inlineScript: |
                 agentIP=$(curl -s https://api.ipify.org/)
                 az storage account network-rule add -g xxx --account-name xxx --ip-address $agentIP
                 sleep 300

During the sleep period I have confirmed that the agent IP is added to the whitelist. The whitelisting is also done within the same stage as the terraform plan.

Is anyone able to advise as to where I might be going wrong?

EDIT

I have taken this a step further and added a step in my pipeline to whitelist all IP addresses in my DevOps Organization Region (114 ranges) and it still fails.

And the IP my Azure DevOps pipeline agent gets is not even part of the ranges returned by az network list-service-tags --location australiaeast --query "values[?name == 'AzureCloud.australiaeast'].properties.addressPrefixes[]"

HLT asked Jan 02 '26 01:01


2 Answers

To resolve the error "Status=403 Code=AuthorizationFailure Message=This request is not authorized to perform this operation", try modifying the settings in the Azure Portal as below:

Go to Azure Portal -> Storage Accounts -> Your Storage Account you have created from terraform -> Networking


  • Enabling "Allow trusted Microsoft services to access this storage account" allows you to access the storage account.
  • Make sure to have the required permissions like Contributor and User Access Administrator roles / Storage Blob Data Owner role.

If the issue still persists, make use of the sample code in this similar SO thread by Ansuman Bal.

Rukmini answered Jan 03 '26 13:01


Enabling storage_use_azuread in the provider section did the work for me.

provider "azurerm" {
  storage_use_azuread = true
  features {}
}

Sachin Som answered Jan 03 '26 13:01
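
How the settings named in the two answers above fit together in one Terraform configuration, as an added example that is not part of either answer or of the original question. The resource names, the location and the IP address are placeholders (assumptions), and the principal is assumed to be the identity the pipeline runs Terraform as.

```hcl
# Added example: all names and the IP below are placeholders, not values from the thread.
provider "azurerm" {
  # Use Azure AD (RBAC) for blob/queue data-plane calls instead of the account's shared key.
  storage_use_azuread = true
  features {}
}

# The identity Terraform is running as (assumed: the pipeline's service connection).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "australiaeast"
}

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"] # "Allow trusted Microsoft services to access this storage account"
    ip_rules       = ["203.0.113.10"]  # documentation-range placeholder for an allowed client IP
  }
}

# With storage_use_azuread = true the caller needs a data-plane role on the account.
# Creating this assignment itself requires a role that can write role assignments,
# such as the User Access Administrator role mentioned in the first answer.
resource "azurerm_role_assignment" "blob_data" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_storage_container" "example" {
  name                  = "example"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"

  # Do not touch the container until the data-plane role exists.
  depends_on = [azurerm_role_assignment.blob_data]
}
```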


