Hi Team,

We are using Terraform with Azure, so we use an Azure storage account to store the state file. We are creating a state key in the storage account to store the logs. This runs via an Azure DevOps pipeline, where it first adds the agent IP to the storage account and then terraform init accesses the storage account via the storage access key and the agent IP.

We have noticed that the terraform init task fails intermittently with the error below, but it works again after multiple re-runs. We first thought the issue might be that the IP is not added correctly, but that is not the case, because even if the IP is added to the Terraform storage account, the init task still fails.

Can you please help us see what is going wrong, and whether tf init needs something else to authenticate against the storage account?

**TF TRACE Logs:**

```
2020/04/30 06:00:24 [DEBUG] checking for provisioner in "."
2020/04/30 06:00:24 [DEBUG] checking for provisioner in "/usr/local/bin"
2020/04/30 06:00:24 [INFO] Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
2020/04/30 06:00:24 [TRACE] backend/local: state manager for workspace "default" will:
 - read initial snapshot from terraform.tfstate
 - write new snapshots to terraform.tfstate
 - create any backup at terraform.tfstate.backup
2020/04/30 06:00:24 [TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate
2020/04/30 06:00:24 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
2020/04/30 06:00:24 [TRACE] statemgr.Filesystem: read nil snapshot
2020/04/30 06:00:24 [TRACE] Meta.Backend: ignoring local "default" workspace because its state is empty
2020/04/30 06:00:24 [DEBUG] New state was assigned lineage ""
2020/04/30 06:00:24 [TRACE] Preserving existing state lineage ""

Successfully configured the backend "azurerm"! Terraform will automatically
use this backend unless the backend configuration changes.
2020/04/30 06:00:24 [DEBUG] Building the Blob Client from an Access Token

Error: Failed to get existing workspaces: storage: service returned error: StatusCode=403, ErrorCode=AuthorizationFailure, ErrorMessage=This request is not authorized to perform this operation.
RequestId:21647172-601e-003f-24b4-1ea89f000000
Time:2020-04-30T06:00:24.6453798Z, RequestInitiated=Thu, 30 Apr 2020 06:00:23 GMT, RequestId=21647172-601e-003f-24b4-1ea89f000000, API Version=, QueryParameterName=, QueryParameterValue=
```

**Pipeline Steps:**

```yaml
- task: AzureCLI@1
  displayName: Add the agent's IP Address to the Storage Account
  inputs:
    azureSubscription: ${{ parameters.resourceGroupName }}
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      set -eu

      function addAddressAndWait {
        # usage: addAddressAndWait "resource group name" "account name" "IP address"
        # e.g. addAddressAndWait "" "" "1.2.3.4"
        local RESOURCE_GROUP=$1
        local ACCOUNT_NAME=$2
        local IP_ADDRESS=$3

        echo "Opening storage account '${ACCOUNT_NAME}' firewall for IP '$IP_ADDRESS'"
        az storage account network-rule add \
          --resource-group "${RESOURCE_GROUP}" \
          --account-name "${ACCOUNT_NAME}" \
          --ip-address "${IP_ADDRESS}"

        ADDED=false
        # until IP has been added, sleep + loop
        until [ "$ADDED" = "true" ]
        do
          echo checking
          # true once the rule list contains an Allow rule for this IP
          ADDED=$(az storage account network-rule list \
            --resource-group "${RESOURCE_GROUP}" \
            --account-name "${ACCOUNT_NAME}" \
            --query "ipRules[?ipAddressOrRange == \`${IP_ADDRESS}\`]|[0]|action==\`Allow\`")
          echo Waiting...
          # pause between polls instead of calling the API in a tight loop
          sleep 5
        done
      }

      # public IP of the build agent, as seen from outside
      IP_ADDRESS=$(curl -s ifconfig.co/json | jq -r '.ip')
      addAddressAndWait "${{ parameters.resourceGroupName }}" "$(tf_storage_account_name)" "$IP_ADDRESS"
      addAddressAndWait "${{ parameters.resourceGroupName }}" "$(app_storage_account_name)" "$IP_ADDRESS"

- bash: 'terraform init -input=false'
  env:
    TF_CLI_ARGS_init: '-backend-config="resource_group_name=$(resourceGroupName)" -backend-config="storage_account_name=$(tfStorageAccount)" -backend-config="container_name=$(tfblobContainerName)" -backend-config="key=$(tfKeyName)"'
    ARM_ACCESS_KEY: $(tf_storage_access_key)
  displayName: 'terraform init'
```
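The report says the init step succeeds when re-run. The following is an added example, not part of the original report or of Terraform: a bounded retry wrapper that re-runs a command only when its output contains the exact `StatusCode=403, ErrorCode=AuthorizationFailure` text from the trace above, and passes every other failure straight through. The function name, attempt count and delay are assumptions, and it does not address the cause, which the report leaves open.

```shell
#!/usr/bin/env bash
# Added example (not from the original report).
# retry_on_authz_failure MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Retries COMMAND only on the storage 403 shown in the trace; any other
# failure is returned at once so a real misconfiguration is not masked.
retry_on_authz_failure() {
  local max_attempts=$1 delay=$2
  shift 2
  local attempt=1 output status

  while :; do
    status=0
    # Capture stdout and stderr together so the error text can be inspected.
    output=$("$@" 2>&1) || status=$?
    printf '%s\n' "$output"

    if [ "$status" -eq 0 ]; then
      return 0
    fi

    # Only the exact error from the report is treated as retryable.
    if ! printf '%s' "$output" | grep -q 'StatusCode=403, ErrorCode=AuthorizationFailure'; then
      echo "attempt ${attempt}: non-retryable failure (exit ${status})" >&2
      return "$status"
    fi

    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "attempt ${attempt}: still AuthorizationFailure, giving up" >&2
      return "$status"
    fi

    # Each retry is logged so the intermittent 403s stay visible in the build log.
    echo "attempt ${attempt}: AuthorizationFailure, retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
  done
}

# In the pipeline's bash step this would wrap the existing command, e.g.:
#   retry_on_authz_failure 5 15 terraform init -input=false
```

Keeping the attempt count small and logging every retry means a persistent 403 still fails the build and the intermittent ones remain visible for follow-up.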