Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gracefully degrade "List Account Keys" during plan phase #4138

Closed
mud5150 opened this issue Aug 22, 2019 · 3 comments · Fixed by #4248
Closed

Gracefully degrade "List Account Keys" during plan phase #4138

mud5150 opened this issue Aug 22, 2019 · 3 comments · Fixed by #4248
Assignees
@tombuildsstuff
Labels
enhancement service/storage
Milestone
v1.34.0

Comments

@mud5150
Copy link

mud5150 commented Aug 22, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently when running plan if the user does not have access to listKeys on the storage account resource the plan phase will fail. As mentioned in #3651 it could be totally fine, and intentional (least privilege), for the user running plan to not require this access. It would be good if the plan phase could gracefully degrade, perhaps returning empty strings, if the user doesn't have permission to listKeys.

New or Affected Resource(s)

  • azurerm_storage_account

References
@mud5150 mud5150 mentioned this issue Aug 22, 2019
Closed
@tombuildsstuff tombuildsstuff mentioned this issue Aug 28, 2019
Closed
@tombuildsstuff tombuildsstuff added this to the v1.34.0 milestone Aug 28, 2019
@tombuildsstuff tombuildsstuff self-assigned this Sep 4, 2019
tombuildsstuff added a commit that referenced this issue Sep 5, 2019
@tombuildsstuff
storage_account: gracefully degrading when there's a Write Lock or th…
6de6c92 
…e user doesn't have permissions

When the user doesn't have permissions to access the ListKeys endpoint, either because the
Resource has a Write Lock (where ListKeys counts as a Write Operation, which is being tracked
in Azure/azure-rest-api-specs#6363) or because the user doesn't have
permissions - this now degrades these fields into empty values, rather than outright failing.

fixes #4138
@tombuildsstuff tombuildsstuff mentioned this issue Sep 5, 2019
Merged
@ghost
Copy link

ghost commented Sep 18, 2019

This has been released in version 1.34.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.34.0"
}
# ... other configuration ...

@secustor
Copy link
Contributor

secustor commented Sep 24, 2019
edited
Loading

@tombuildsstuff
For the problem still occurs.

provider "azurerm" {
  version = "~> 1.34.0"

Log:

module.our_module.azurerm_storage_account.storage: Refreshing state... [id=/subscriptions/<subscription_id>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storage account name>]

Error: Error listing Keys for Storage Account "<storage account name>" (Resource Group "<resource group>"): storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=403 -- Original    

Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<client id>' with object id '<object id is the same as client id>' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/<subscription_id>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storage account name>' or the scope is invalid. If access was recently granted, please refresh your credentials."

@ghost
Copy link

ghost commented Oct 5, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Oct 5, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tombuildsstuff tombuildsstuff

Labels
enhancement service/storage
Projects
None yet
Milestone
v1.34.0
3 participants
@tombuildsstuff @mud5150 @secustor