
Unable to create Storage Sync Cloud Endpoint (MgmtStorageAccountAuthorizationFailed), even though account has Owner role assigned


When trying to create a Storage Sync Cloud Endpoint, I am getting error code MgmtStorageAccountAuthorizationFailed. The account being used to run the TF code and the Storage Sync Service both have the Owner role assigned on the Storage Account.

"error":{"code":"MgmtStorageAccountAuthorizationFailed","message":"Unable to read specified storage account. Please check the permissions and try again after some time."}


resource "azurerm_storage_sync_cloud_endpoint" "ena_secure" {
  name                  = "Citrix-File-Sync-Cloud-Endpoint-${var.environment.short}-ENA-Secure"
  storage_sync_group_id = azurerm_storage_sync_group.ena.id
  file_share_name       = module.ena_secure_file_storage[0].upm_share_name
  storage_account_id    = module.ena_secure_file_storage[0].storage_account_id
  depends_on            = [null_resource.ena_secure] # adds role to Storage Account
}

Related to this question


Solution

  • I found the answer. The issue was that the Storage Sync Service was not using a Managed identity, even though the previous PowerShell script is creating one.

    If I ran

    # The service name parameter is -Name (single dash); "--StorageSyncServiceName" is not valid PowerShell syntax
    Get-AzStorageSyncService -ResourceGroupName "$RGName" -Name "$SyncName"
    

    it would return:


    Showing that UseIdentity was False. To correct this I had to change my terraform local-exec (see related question linked in question above) to

    resource "null_resource" "enable_identity_and_role" {
      depends_on = [
        azurerm_storage_sync.ena_sync,
        module.ena_file_storage
      ]
      provisioner "local-exec" {
        command     = <<-EOT
         # Enable system-assigned identity on the Storage Sync service
         $syncService = Set-AzStorageSyncServiceIdentity -ResourceGroupName '${var.azurerm_vars.azurerm_resource_group}' -Name '${azurerm_storage_sync.ena_sync.name}'
         # Get the principal ID of the managed identity
         $principalId = $syncService.Identity.PrincipalId
         Write-Output "Storage Sync Service Identity PrincipalId: $principalId"
         # Assign the role to the managed identity on the storage account
         New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Account Contributor' -Scope '${module.ena_file_storage[0].storage_account_id}'
         New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Reader and Data Access' -Scope '${module.ena_file_storage[0].storage_account_id}'
         New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage File Data Privileged Contributor' -Scope '${module.ena_file_storage[0].storage_account_id}'
         Write-Output 'Role assignment complete!'
       EOT
        interpreter = ["powershell", "-Command"]
      }
    }
    

    Then it all started working.
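As an added example (not part of the answer above), a PowerShell script that makes the fix verifiable and repeatable: it checks the service's UseIdentity flag and principal ID before touching roles, and only creates each role assignment when it is missing, so re-running the provisioner does not fail on duplicate assignments. The parameter names are placeholders and the role list is taken from the answer; which of those roles is the minimal set is not established here.

```powershell
# Added example: verify the Storage Sync service identity and assign roles idempotently.
# $ResourceGroupName, $SyncServiceName and $StorageAccountId are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $SyncServiceName,
    [Parameter(Mandatory)] [string] $StorageAccountId   # full resource ID, used as the assignment scope
)

# Role list mirrors the answer above (assumed, not verified as minimal).
$requiredRoles = @(
    'Storage Account Contributor',
    'Reader and Data Access',
    'Storage File Data Privileged Contributor'
)

# 1. Confirm the service has a system-assigned identity and is configured to use it.
$svc = Get-AzStorageSyncService -ResourceGroupName $ResourceGroupName -Name $SyncServiceName
if (-not $svc.UseIdentity -or -not $svc.Identity.PrincipalId) {
    Write-Output "UseIdentity is false or no principal ID found; enabling system-assigned identity"
    $svc = Set-AzStorageSyncServiceIdentity -ResourceGroupName $ResourceGroupName -Name $SyncServiceName
}
$principalId = $svc.Identity.PrincipalId
if (-not $principalId) {
    throw "Storage Sync service '$SyncServiceName' still has no managed identity principal"
}

# 2. Create each role assignment only if it is not already effective at this scope
#    (Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes).
foreach ($role in $requiredRoles) {
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role `
        -Scope $StorageAccountId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Output "OK: '$role' already assigned to $principalId"
    } else {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $StorageAccountId | Out-Null
        Write-Output "Assigned '$role' to $principalId"
    }
}

# 3. Print the effective assignments for the service identity, so the authorization
#    failure can be ruled out before the cloud endpoint is created.
Get-AzRoleAssignment -ObjectId $principalId -Scope $StorageAccountId |
    Select-Object RoleDefinitionName, Scope
```

The check in step 1 is the one the answer arrived at by hand: the caller's own Owner role is irrelevant to the error, it is the service's managed identity that must be able to read the storage account.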