I have a storage account created inside a resource group and I want to import both of them into a .tfstate file to be managed by Terraform. The resource group gets imported fine, but the storage account import command gives me an error saying that I do not have authorization to perform listKeys/action. Here's my Terraform code:
```hcl
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.location
  tags     = local.default_tags
}

resource "azurerm_storage_account" "st_acc" {
  name                     = var.st_acc_name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "ZRS"
  depends_on               = [azurerm_resource_group.rg]
  tags                     = local.default_tags
}
```
This is the command I run to import the storage account:
```shell
terraform import -var-file=var.tfvars azurerm_storage_account.st_acc /subscriptions/<my-subscription>/resourceGroups/<my-resource-group>/providers/Microsoft.Storage/storageAccounts/<my-storage-acc>
```
This is the error I get:
```text
│ Error: building Queues Client: retrieving Account Key: Listing Keys for Storage Account
"<my-storage-acc>" (Resource Group "<my-resource-group>"): storage.AccountsClient#ListKeys:
Failure responding to request: StatusCode=403 -- Original Error: autorest/azure:
Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client
'<my-email>' with object id '<my-object-id>' does not have authorization to perform action
'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/<my-subscription>/resourceGroups/<my-resource-group>/providers/Microsoft.Storage/storageAccounts/<my-storage-acc>'
or the scope is invalid. If access was recently granted, please refresh your credentials."
```
I have the Reader role at the subscription level, and the Storage Account Key Operator Service Role at the subscription level as well.

Can someone explain why this is happening and how I should resolve this, please?
I got this fixed by assigning the Storage Account Contributor role. But I'd like to have a discussion here about whether there is a lower-level role that lets you import a storage account into Terraform. Or is this the least privilege level for that?
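Added example (not code from the question, Terraform or Azure): a small Python model of how Azure RBAC decides whether an assigned role authorises the `Microsoft.Storage/storageAccounts/listKeys/action` named in the error, used to compare the three roles discussed above. The role definitions are constructed, abbreviated samples modelled on the built-in roles and should be checked against `az role definition list`; treating "read the account plus list its keys" as the import's required actions is an assumption drawn from the error message.

```python
import re
from typing import Dict, List, Tuple

# Constructed, abbreviated role definitions modelled on Azure built-in roles (assumption:
# verify the real action lists with `az role definition list --name "<role>" -o json`).
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Storage Account Key Operator Service Role": {
        "Actions": ["Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/regeneratekey/action"],
        "NotActions": []},
    "Storage Account Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/*",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": []},
}

# Assumption drawn from the error text: the import must read the account and list its keys.
IMPORT_ACTIONS = ["Microsoft.Storage/storageAccounts/read",
                  "Microsoft.Storage/storageAccounts/listKeys/action"]

def action_matches(pattern: str, action: str) -> bool:
    """RBAC action strings compare case-insensitively; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None

def role_grants(role: str, action: str) -> bool:
    """A role grants an action when an Actions entry matches and no NotActions entry does."""
    definition = ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    denied = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not denied

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to a resource at its own scope or anywhere beneath it."""
    scope, res = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return res == scope or res.startswith(scope + "/")

def roles_granting(assignments: List[Tuple[str, str]], action: str, resource_id: str) -> List[str]:
    """Return the assigned roles that authorise `action` on `resource_id`; [] means a 403."""
    return [role for role, scope in assignments
            if scope_covers(scope, resource_id) and role_grants(role, action)]

def missing_for_import(assignments: List[Tuple[str, str]], resource_id: str) -> List[str]:
    """Actions from IMPORT_ACTIONS that no assignment covers, i.e. what the 403 would name."""
    return [a for a in IMPORT_ACTIONS if not roles_granting(assignments, a, resource_id)]
```

The model shows why the 403 names listKeys specifically: a `*/read` pattern never matches an `/action` suffix, so a read-only role cannot satisfy it, while a `storageAccounts/*` wildcard covers every control-plane action on the account, including regenerateKey.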