Unable to create Storage Sync Cloud Endpoint (MgmtStorageAccountAuthorizationFailed), even though account has Owner role assigned
When trying to create a Storage Sync Cloud Endpoint, I am getting error code MgmtStorageAccountAuthorizationFailed. The account being used to run the TF code & the Storage Sync Service both have Owner role assigned on the Storage Account
"error":{"code":"MgmtStorageAccountAuthorizationFailed","message":"Unable to read specified storage account. Please check the permissions and try again after some time."}
Full Error:
resource "azurerm_storage_sync_cloud_endpoint" "ena_secure" {
name = "Citrix-File-Sync-Cloud-Endpoint-${var.environment.short}-ENA-Secure"
storage_sync_group_id = azurerm_storage_sync_group.ena.id
file_share_name = module.ena_secure_file_storage[0].upm_share_name
storage_account_id = module.ena_secure_file_storage[0].storage_account_id
depends_on = [null_resource.ena_secure] # adds role to Storage Account
}
Related to this question
Solution
Unable to create Storage Sync Cloud Endpoint (MgmtStorageAccountAuthorizationFailed), even though account has Owner role assigned
According to this MS-Document,
When using a managed identity with Azure File Sync:
- The Storage Sync Service managed identity needs
Storage Account Contributorrole on the storage account. - It also needs
Storage File Data Privileged Contributorrole on the Azure file share.
According to this Document
Azure File Sync has access to your Storage Account, assign the Reader and Data Access role to Microsoft.StorageSync on the storage account (service principal)
Code:
provider "azurerm" {
features {}
subscription_id = "xxxx"
}
provider "azuread" {
# Use default config, authenticates via az login or environment
}
variable "environment" {
default = {
short = "prod"
}
}
variable "azurerm_vars" {
default = {
azurerm_location = "eastus"
azurerm_resource_group = "xxxxx"
}
}
# Resource Group
resource "azurerm_resource_group" "main" {
name = var.azurerm_vars.azurerm_resource_group
location = var.azurerm_vars.azurerm_location
}
# Storage Account
resource "azurerm_storage_account" "my_storage" {
name = "mystorage${var.environment.short}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "LRS"
}
# File Share
resource "azurerm_storage_share" "my_share" {
name = "fileshare${var.environment.short}"
storage_account_id = azurerm_storage_account.my_storage.id
quota = 50
acl {
id = "GhostedRecall"
access_policy {
permissions = "r"
}
}
}
# Storage Sync Service (without managed identity)
resource "azurerm_storage_sync" "ena_sync" {
name = "Citrix-File-Sync-${var.environment.short}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
}
# Lookup existing Azure AD app Microsoft.StorageSync
data "azuread_service_principal" "storage_sync_app" {
display_name = "Microsoft.StorageSync"
}
# Assign Reader and Data Access role to the Microsoft.StorageSync app on your Storage Account
resource "azurerm_role_assignment" "assign_reader_and_data_access" {
principal_id = data.azuread_service_principal.storage_sync_app.object_id
role_definition_name = "Reader and Data Access"
scope = azurerm_storage_account.my_storage.id
depends_on = [azurerm_storage_account.my_storage]
}
# Wait to allow role assignment to propagate
resource "time_sleep" "wait_for_rbac" {
depends_on = [azurerm_role_assignment.assign_reader_and_data_access]
create_duration = "60s"
}
# Storage Sync Group
resource "azurerm_storage_sync_group" "sync_group" {
name = "sync-group-${var.environment.short}"
storage_sync_id = azurerm_storage_sync.ena_sync.id
}
# Storage Sync Cloud Endpoint
resource "azurerm_storage_sync_cloud_endpoint" "cloud_endpoint" {
name = "cloud-endpoint-${var.environment.short}"
storage_sync_group_id = azurerm_storage_sync_group.sync_group.id
file_share_name = azurerm_storage_share.my_share.name
storage_account_id = azurerm_storage_account.my_storage.id
depends_on = [time_sleep.wait_for_rbac]
}
Output:
azurerm_storage_sync_cloud_endpoint.cloud_endpoint: Creation complete after 26s [id=/subscriptions/xxxxx/resourceGroups/xxg/providers/Microsoft.StorageSync/storageSyncServices/Citrix-File-Sync-prod/syncGroups/sync-group-prod/cloudEndpoints/cloud-endpoint-prod]
Apply complete! Resources: 8 added, 0 changed, 1 destroyed.
Portal:
- How to get PublisherId, OfferId , PlanId of AI foundry model?
- How to run yaml file from Azure cloud shell
- query_parameters with web queries
- Issue with azure web app runtime stack .NET 6
- Azure Maps Forward Geocoding and Route Matrix API - billing and cost perspective
- How to get a list of available vm sizes in an azure location
- SSL Verification failed while sending data via MQTT to x509 authenticated device in azure iot-hub
- Azure Container Apps Jobs with Event Hubs integration is looping endlessly, even though there is no new events
- In Service Fabric, can I alter the Arguments in the ServiceManifest.xml file using Application Parameters?
- use azurerm_virtual_machine with trusted_launch
- Which IPs to allow in Azure for Github Actions?
- How to get last login date & time for the logged in user in azure ad?
- Azure Policy - restrict creation of Front Door to Standard SKU Only
- Set-AzVirtualNetwork does not attach Nat Gateway to a subnet in Azure
- Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."
- No such host is known - Mass Transit - Azure Service Bus
- Set default app pool recycling via command line
- Azure : How to create a event based trigger from SFTP server?
- Create a new cluster in Databricks using databricks-cli
- Accessing MS 365 content dynamically from a Python script
- Azure LogicApp reading messages from storage queue but not processing
- Azure python sdk resourcegraph no skip_token
- How can I copy the TXT record into the DNS configuration in portal azure?
- Getting the user's AcccountEnabled property true/false instead of NULL
- How to read my outlook mail using java and oauth2.0 with application regsitration in Azure AD
- Playwright driver not found error in Azure Function (Azure Portal - Flex consumption plan)
- Microsoft Azure App Gateway Returning 499/504 Erorr
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Azure Functions Service Bus Triggered not working
- Allow a custom content-type in Azure Front Door WAF without bypassing rules