terraform-provider-azurerm: azurerm_storage_account_blob_container_sas produced a different token to one created on portal. Terraform created token does not authenticate.

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

2.14.0

AzureRM Provider Version

3.1.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account_blob_container_sas

Terraform Configuration Files

data "azurerm_storage_account_blob_container_sas" "objects" {
  connection_string = module.eus2-this-sta.stor_primary_connstring
  container_name    = azurerm_storage_container.objects.name
  https_only        = true

  start  = "2022-09-30T09:00:00"
  expiry = "2024-09-30T09:00:00"

  permissions {
    read   = true
    add    = true
    create = true
    write  = true
    delete = true
    list   = true
  }
}

output "object_sas" {
  description = "SAS token"
  value       = data.azurerm_storage_account_blob_container_sas.objects.sas
  sensitive   = true
}

resource "azurerm_key_vault_secret" "storage-account-container-objects-sas" {
  key_vault_id = data.azurerm_key_vault.hub_kv.id
  name         = "airflow-storage-account-container-objects-sas"
  value        = data.azurerm_storage_account_blob_container_sas.objects.sas
}

Debug Output/Panic Output

N/A - the configuration works and terraform apply succeeds. When the token is used to authenticate against the KV, it fails. Authentication is via Az Copy (https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10) SAS token method. This authentication works when I create the SAS token directly in the portal.

Expected Behaviour

SAS token should be in the following format: image

Actual Behaviour

image

Steps to Reproduce

  1. Create blob container
  2. Create Azure Key Vault
  3. Create SAS token and store in vault
  4. Use SAS token for authentication (my method was with Az Copy; I assume other auth methods would also fail).

Important Factoids

No response

References

I followed this thread, which was very similar: https://github.com/hashicorp/terraform-provider-azurerm/issues/16295. However, I have tried different entries for start and end date in ISO 8601 format with no offsets, but I still get the issue.

This thread had the same issue but for account_sas rather than container_sas and their fix does not apply here: https://github.com/hashicorp/terraform-provider-azurerm/issues/17558

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 4
  • Comments: 17 (2 by maintainers)
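
Added example, not part of the original issue or the provider's code: a Python helper that compares a portal-generated SAS token with a Terraform-generated one parameter by parameter, replacing the signature with a hash so the output can be pasted into an issue without leaking it. The function names are illustrative, and the two sample tokens are constructed to exercise each branch; they are not the tokens from this report.

```python
import hashlib
from urllib.parse import unquote

# Query parameters of a service SAS, as named in the Azure Storage REST docs.
KNOWN = {"sv", "sr", "sp", "st", "se", "spr", "sip", "si", "sig"}

def parse_sas(token):
    """Return {param: value} for a bare token, '?token' or full URL ('+' is kept)."""
    query = token.strip().split("?", 1)[-1]
    fields = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if key in fields:
            raise ValueError(f"duplicate SAS parameter: {key}")
        fields[key] = unquote(value)  # not unquote_plus: '+' is base64 data
    return fields

def redact(fields):
    """Replace the signature with a short hash so output is safe to share."""
    safe = dict(fields)
    if "sig" in safe:
        safe["sig"] = "sha256:" + hashlib.sha256(safe["sig"].encode()).hexdigest()[:12]
    return safe

def diff_sas(working, failing):
    """List (param, working, failing, note) for every parameter that differs."""
    a, b = redact(parse_sas(working)), redact(parse_sas(failing))
    rows = []
    for key in sorted(a.keys() | b.keys()):
        left, right = a.get(key), b.get(key)
        if left == right:
            continue
        if left is None or right is None:
            note = "missing on one side"
        elif key == "sp" and sorted(left) == sorted(right):
            note = "same permissions, different order"
        elif key not in KNOWN:
            note = "parameter not known to this script"
        else:
            note = "value differs"
        rows.append((key, left, right, note))
    return rows

# Constructed sample tokens with dummy signatures (not from the issue).
PORTAL = "?sv=2021-06-08&sr=c&sp=racwdl&st=2022-09-30T09:00:00Z&se=2024-09-30T09:00:00Z&spr=https&sig=QUJDRA%3D%3D"
TERRAFORM = "?sv=2018-11-09&sr=c&sp=rwdlac&st=2022-09-30T09:00:00Z&se=2024-09-30T09:00:00Z&spr=https&sig=RUZHSA%3D%3D"

if __name__ == "__main__":
    print(*diff_sas(PORTAL, TERRAFORM), sep="\n")
```

If every parameter other than `sig` matches and the signature hashes still differ, the two tokens were signed with a different key or over a different string-to-sign.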

Most upvoted comments

@dipesh747 I think it’s possible to fork the original PR, make the changes that @tombuildsstuff requested, and go from there. I think that’s the most viable path forward.

The temporary fix doesn't apply as I don’t have keys tag, filter or signed version in my tf.

When will your PR from magodo:sas_fix be merged?