I'm having a bit of a head scratcher trying to do the very simple Azure 'Get Started' Guide. I've done the first stage, which creates the resource group, storage account in the resource group, and exports the primary key - no problem. Then I try to enable static website support, and something errors out with a permission error on a pulumi up. the code I added (from the guide):

# Enable static website support
static_website = storage.StorageAccountStaticWebsite(
    "staticWebsite",
    account_name=account.name,
    resource_group_name=resource_group.name,
    index_document="index.html",
)

Errors with the following when doing a 'pulumi up'. I have not uploaded the index.html - I narrowed the error down to just the snippet above.

(venv) sr@stinky:~/src/quickstart$ pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/><snip>/quickstart/dev/previews/d80c7b52-66a5-43dd-b047-c6db7c991a54

     Type                                                 Name            Plan       
     pulumi:pulumi:Stack                                  quickstart-dev             
 +   └─ azure-native:storage:StorageAccountStaticWebsite  staticWebsite   create     

Resources:
    + 1 to create
    3 unchanged

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/><snip>/quickstart/dev/updates/5

     Type                                                 Name            Status                  Info
     pulumi:pulumi:Stack                                  quickstart-dev  **failed**              1 error
 +   └─ azure-native:storage:StorageAccountStaticWebsite  staticWebsite   **creating failed**     1 error

Diagnostics:
  pulumi:pulumi:Stack (quickstart-dev):
    error: update failed

  azure-native:storage:StorageAccountStaticWebsite (staticWebsite):
    error: GET https://<snip>.blob.core.windows.net
    --------------------------------------------------------------------------------
    RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
    ERROR CODE: AuthorizationPermissionMismatch
    --------------------------------------------------------------------------------
    <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
    RequestId:8a2a4554-d01e-0016-2e74-709ba1000000
    Time:2025-01-27T04:30:11.3935750Z</Message></Error>
    --------------------------------------------------------------------------------

Outputs:
    account_name       : "<snip - I added this output>"
    primary_storage_key: "<snip>"

Resources:
    3 unchanged

Duration: 6s

For additional info - I've used the Azure CLI to do these steps manually from the same shell with the same az login, so I don't really think it's a general permissions issue - I was able to run through these steps with no issue. Anyone able to put me out of my misery to let me know what might be causing pulumi to fail on this step? Thanks in advance!

I'm pretty sure it's because

AZURE_STORAGE_KEY

in env is not set. But try to give your user the Role for

Storage Blob Data Contributor

directly in the storageaccount(IAM) instead of exposing the key.

Thanks for responding, @early-advantage-63854 - I was away a few days, and only got back now. Your reply is perhaps showing my lack of experience with Azure, but I thought my single user already had the access required - if I go to the 'storage account | IAM' section, then hit 'Check access', I get a result of 'Service Administrator Has full access to all resources in the subscription" - this is just my own personal azure tenant, and I was using my only user account. I do have two subscriptions - the default, and a 'visual studio subscription'. I've tried both for the getting started guide. Also, the pulumi quickstart can create the storage account, and provides the access key printed out in the terminal - which would be the AZURE_STORAGE_KEY, right? In any case, I set that environment variable before running this, and I got the same error as before - a permission denied when trying to set the staticwebsite option (or at least, that's the step I think that's failing).

I was re-reading your question and im not sure what you want to do exactly. I was guessing because i had the same error as i was trying to use remote state for pulumi on my storage account. Being the owner of the subscription doesn't mean that you can do everything. Pulumi is searching for the

AZURE_STORAGE_KEY

to write on it. Giving your User the permission to do contribute, avoids that. So what exactly do you want to do? Write on the Sta?

Hi @early-advantage-63854, Sorry for the delay again. I'm just trying to do what's in the getting started guide:

# Enable static website support
static_website = storage.StorageAccountStaticWebsite(
    "staticWebsite",
    account_name=account.name,
    resource_group_name=resource_group.name,
    index_document="index.html",
)

But putting that in to the

__main__.py

file gives me the error in the first post. It seems like my 'normal' Azure account doesn't work as is with Pulumi (which is using az login's magic to authenticate), but manual steps work when I'm using the azure cli. Considering this is the start of my journey with Pulumi, I'm not sure what else I'm expected to know or provide.