diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b5da97ea..42a3fd4d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ ENHANCEMENTS:
 * Deny public access to TRE management storage account, and add private endpoint for TRE core [#4353](https://github.com/microsoft/AzureTRE/issues/4353)
 BUG FIXES:
-
+* Resolved a 403 storage account error when creating a new TRE environment ([#4405](https://github.com/microsoft/AzureTRE/issues/4405)) in PR [#4406](https://github.com/microsoft/AzureTRE/pull/4406)
 ## 0.21.0
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 8abd7bc2c..7cfb14920 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -38,29 +38,67 @@ if [ -n "${ARM_CLIENT_ID:-}" ]; then
 else
 USER_OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
 fi
+
+az role assignment create --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
+
 az role assignment create --assignee "$USER_OBJECT_ID" \
 --role "Storage Blob Data Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
 # Function to check if the role assignment exists
-check_role_assignment() {
- az role assignment list --assignee "$USER_OBJECT_ID" --role "Storage Blob Data Contributor" --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" --query "[].id" --output tsv
+check_role_assignments() {
+ local sbdc
+ sbdc=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Blob Data Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ local sac
+ sac=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ # Return a non-empty value only if both roles are assigned
+ if [[ -n "$sbdc" && -n "$sac" ]]; then
+ echo "both"
+ fi
 }
 # Wait for the role assignment to be applied
 echo -e "\n\e[34m»»» ⏳ \e[96mWaiting for role assignment to be applied\e[0m..."
-while [ -z "$(check_role_assignment)" ]; do
+while [ -z "$(check_role_assignments)" ]; do
 echo "Waiting for role assignment..."
 sleep 10
 done
 echo "Role assignment applied."
-
+sleep 30
 # Blob container
 # shellcheck disable=SC2154
-az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table
-# logs container
-az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "tflogs" --auth-mode login -o table
+echo -e "\n\e[34m»»» 📦 \e[96mCreating storage containers\e[0m..."
+# List of containers to create
+containers=("$TF_VAR_terraform_state_container_name" "tflogs")
+max_retries=5
+
+for container in "${containers[@]}"; do
+ for ((i=1; i<=max_retries; i++)); do
+ if az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$container" --auth-mode login -o table; then
+ echo "Container '$container' created successfully."
+ break
+ else
+ sleep 10
+ fi
+ if [ $i -eq $max_retries ]; then
+ echo "ERROR: Failed to create container '$container' after $max_retries attempts."
+ exit 1
+ fi
+ done
+done
 cat > bootstrap_backend.tf <
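Review bot: In the container retry loop at the end of the hunk, the `if [ $i -eq $max_retries ]` check runs only after the `else` branch has already slept, so the final failed attempt pays a 10 s delay before the script exits, and the error message goes to stdout; `if (( i == max_retries )); then echo "ERROR: Failed to create container '$container' after $max_retries attempts." >&2; exit 1; fi` placed inside the `else` branch ahead of `sleep 10` fixes both. The bare `sleep 30` added after "Role assignment applied." is an unexplained constant now that the loop below retries on failure; either drop it or explain it, e.g. `# RBAC propagation lag: the assignment is listed before the data plane honours it`. Separately, the new unconditional `az role assignment create` for "Storage Account Contributor" grants the bootstrapping principal a control-plane role (which Azure documents as also giving access to the account keys) on top of the data-plane role it already had, on every run and with no matching removal, so if the 403 only needed container-create rights it is worth a comment stating why the broader role is required and whether a narrower one suffices. The identical scope string now appears four times in the hunk and would read better as a single `scope=` variable reused by both `create` calls and both `list` calls. The hunk continues past the visible text (the heredoc for bootstrap_backend.tf is cut off), so the lines after `cat > bootstrap_backend.tf` were not reviewed.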