AzureSecurity
You can use Azure AD instead of the access key
Instead of storing the storage account's access key in Key Vault, you can set the use_azuread_auth flag to true. Then give your service principal access to the storage account container. Then disable access key usage on the storage account. This way Terraform has fewer permissions on the storage account and no one can get into the storage account using the access key.
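The setup described above, sketched in Terraform as an added example that is not part of the original post. It shows two separate configurations; the storage account, container and state key names, the variables and the "Storage Blob Data Contributor" role choice are assumptions, and the container is assumed to exist already.

```hcl
# --- backend.tf (the workload configuration that stores its state remotely) ---
# Credentials come from the environment (e.g. ARM_CLIENT_ID / ARM_TENANT_ID);
# no access key is read from Key Vault or anywhere else.
terraform {
  backend "azurerm" {
    storage_account_name = "sttfstateexample"        # assumed name
    container_name       = "tfstate"                 # assumed name
    key                  = "prod.terraform.tfstate"  # assumed state key
    use_azuread_auth     = true                      # Azure AD instead of access key
  }
}

# --- bootstrap/main.tf (separate configuration that owns the state account) ---
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "terraform_sp_object_id" {
  type        = string
  description = "Object ID of the service principal that runs Terraform (assumed input)"
}

provider "azurerm" {
  features {}
  # Needed so the provider itself talks to storage with Azure AD
  # once shared keys are switched off.
  storage_use_azuread = true
}

resource "azurerm_storage_account" "state" {
  name                      = "sttfstateexample"
  resource_group_name       = var.resource_group_name
  location                  = var.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false # access keys can no longer be used
}

# Data-plane access limited to the single state container,
# not the whole storage account.
resource "azurerm_role_assignment" "state_rw" {
  scope                = "${azurerm_storage_account.state.id}/blobServices/default/containers/tfstate"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.terraform_sp_object_id
}
```

Apply the role assignment and confirm `terraform init` succeeds with Azure AD before relying on `shared_access_key_enabled = false`, so the backend is never left without a working credential.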