Azure Storage Account error: Status=403 Code="AuthorizationFailure" in self-hosted github runner

Ifiokobong Offiong 56 Reputation points
2022-11-02T18:23:32.777+00:00

I am using Azure Blob to store my terraform state file. Restricted network access is enabled on the Storage account with a specified list of allowed ip addresses. I deploy my azure resources via github action using a self-hosted agent. i have a script that gets the ip address of the agent and adds it to the list of allowed ip addresses on the Storage Account. there is also a 10 seconds delay in the script to allow the changes to be propagated.
Also i have assigned both Contributor Role and Storage Blob Data Contributor to the Service Principal used in the pipeline to authenticate to my azure subscription

but when the step for terrafrom init is executed in the workflow, i get this error:

Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation  

please can someone help me out on how to resolve this error? thank you

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,810 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,536 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Manu Philip 17,021 Reputation points MVP
    2022-11-02T19:53:36.193+00:00

    Can you check, if the service principle has got enough permissions in the subscription, you are in? Provide maximum possible privilages and have a try to test it first

    Terraform script that runs in Cloud Shell overwrites the ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables using values from the current Azure subscription. As a result, if the service principal referenced by the environment variables doesn't have rights to the current Azure subscription, any Terraform operations will fail

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--