One of the big security wave items that is becoming pervasive internally at Microsoft even for the most mundane of use cases is that the antiquated, yet all too convenient, Storage account Access Keys are going the way of the dodo.

Setting the shared_access_key_enabled flag to false disables your ability to use the Storage Access Keys against the Storage Account’s Data Plane. This means that anything you do to the data inside the Storage Account itself has to authenticate with Entra ID.

resource "azurerm_storage_account" "main" {
  name                      = "st${random_string.storage_account_name.result}"
  resource_group_name       = azurerm_resource_group.main.name
  location                  = azurerm_resource_group.main.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"

  # Reject Shared Key authentication on the data plane; Entra ID only.
  shared_access_key_enabled = false

  # Network hardening is independent of the key setting, but pairs with it.
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = [azurerm_subnet.default.id]
  }
}

The azurerm provider by default uses Storage Account Access Keys to talk to the Data Plane. If you set shared_access_key_enabled to false, the next time you run terraform apply it will fail spectacularly like this:

│ Error: retrieving queue properties for Storage Account (Subscription: "a8dc551f-cbe8-47e9-87c1-d9570ac6d69d"
│ Resource Group Name: "rg-terraform-state"
│ Storage Account Name: "stjmavzhot"): executing request: unexpected status 403 (403 Key based authentication is not permitted on this storage account.) with KeyBasedAuthenticationNotPermitted: Key based authentication is not permitted on this storage account.
│ RequestId:7dd4be61-f003-0022-763b-2a1fee000000
│ Time:2024-10-29T19:45:30.5939020Z
│
│   with azurerm_storage_account.main,
│   on storage.tf line 8, in resource "azurerm_storage_account" "main":
│    8: resource "azurerm_storage_account" "main" {

You need to set a provider attribute called storage_use_azuread so that the provider authenticates to Azure Storage with Entra ID instead of the access keys.

provider "azurerm" {
  storage_use_azuread = true

  features {}
}
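Putting the two settings together, here is a complete configuration as an added example (not code from the original post). It assumes the resource group name and location are placeholders, that the identity running terraform is the one returned by azurerm_client_config, and that the provider version constraints are only illustrative. The extra piece a practitioner runs into the first time is RBAC: once keys are off, control-plane roles such as Owner or Contributor do not let the provider read blob or queue properties, so the running identity needs the built-in data-plane roles, granted at resource group scope before the account is created.

```hcl
# Added example, not from the original post. Names marked "constructed" are
# placeholders; provider versions are an assumption.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0" # assumption: any recent 3.x/4.x supports these attributes
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5" # assumption
    }
  }
}

provider "azurerm" {
  # Data-plane calls (blob/queue properties) authenticate with Entra ID,
  # not with the account keys.
  storage_use_azuread = true
  features {}
}

# The identity running terraform: user, service principal or managed identity.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "main" {
  name     = "rg-storage-no-keys" # constructed
  location = "westeurope"         # constructed
}

# Owner/Contributor are control-plane roles and do not grant data-plane access.
# With keys disabled, the provider reads blob and queue properties through
# Entra ID, so it needs these roles on the account. Granting them at resource
# group scope before the account exists avoids the chicken-and-egg 403 on create.
locals {
  data_plane_roles = [
    "Storage Blob Data Contributor",
    "Storage Queue Data Contributor",
  ]
}

resource "azurerm_role_assignment" "tf_data_plane" {
  for_each             = toset(local.data_plane_roles)
  scope                = azurerm_resource_group.main.id
  role_definition_name = each.value
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "random_string" "storage_account_name" {
  length  = 8
  lower   = true
  upper   = false
  numeric = true
  special = false
}

resource "azurerm_storage_account" "main" {
  name                     = "st${random_string.storage_account_name.result}"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Rejects Shared Key and account-key-signed SAS on the data plane;
  # Entra ID (and user-delegation SAS) still work.
  shared_access_key_enabled = false

  # Ordering only: a fresh role assignment can take a few minutes to
  # propagate, so the first apply may still need a retry.
  depends_on = [azurerm_role_assignment.tf_data_plane]
}
```

The depends_on only orders the resources; Azure RBAC propagation is eventually consistent, so if the create still returns KeyBasedAuthenticationNotPermitted or an authorization error right after the assignment lands, re-running the apply a few minutes later is the expected fix rather than turning keys back on.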

This setting defaults to false, which perpetuates the widespread use of Storage Account access keys. I think more and more this setting will be a standard for those who prefer to be “Secure by Default”.