Terraform-provider-aws: EFS Mount Target creation Failed: User is not authorized to perform that action

Created on 22 Sep 2017  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.10.6

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_efs_file_system
  • aws_efs_mount_target

Terraform Configuration Files

resource "aws_efs_file_system" "fgw-shared-filesystem" {
  tags {
    "Name" = "fgw-cs-${var.codesplitt}-shared-filesystem-regression"
  }
}

resource "aws_efs_mount_target" "fgw-shared-filesystem-moun-target" {
  file_system_id  = "${aws_efs_file_system.fgw-shared-filesystem.id}"
  subnet_id       = "subnet-ca9dcca2"
  security_groups = ["sg-0b30c561"]
}

Expected Behavior

Mount target should be created.

Actual Behavior

Mount target is not created and I don't get a clear reason which permission is missing!

1 error(s) occurred:

* aws_efs_mount_target.fgw-shared-filesystem-moun-target: 1 error(s) occurred:

* aws_efs_mount_target.fgw-shared-filesystem-moun-target: AccessDeniedException: User is not authorized to perform that action on the specified resource
        status code: 403, request id: 35027496-9f9b-11e7-b53e-45fe21728a81

Steps to Reproduce

  1. terraform apply

Important Factoids

The used policy is the following. I granted full access to EFS, but it is still not working:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504192188000",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "route53:*",
                "rds:*",
                "elasticfilesystem:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

All 10 comments

You can turn on debug (TF_LOG=debug) and see which API invocation fails, thereby deriving the permission.

Thanks trung for your quick reply, but I didn't find the real reason for rejecting my request. Here is the debug trace:

2017-09-23T11:01:22.438Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] Locking "efs-mt-fs-dcf61785-eu-central-1a"
2017-09-23T11:01:22.438Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] Locked "efs-mt-fs-dcf61785-eu-central-1a"
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] Creating EFS mount target: {
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4:   FileSystemId: "fs-dcf61785",
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4:   SubnetId: "subnet-ca9dcca2"
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: }
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] [aws-sdk-go] DEBUG: Request elasticfilesystem/CreateMountTarget Details:
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: POST /2015-02-01/mount-targets HTTP/1.1
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Host: elasticfilesystem.eu-central-1.amazonaws.com
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: User-Agent: aws-sdk-go/1.8.44 (go1.8; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.9.8
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Content-Length: 59
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Authorization: AWS4-HMAC-SHA256 Credential=ASIAIRTUEKOZCKLUA5DQ/20170923/eu-central-1/elasticfilesystem/aws4_request, SignedHeaders=content-length;host;x-amz-date;x-amz-security-token, Signature=43334949ac33ccc592ac76c4bd9e0283dd2cc4d9edc733c260e30556771f97a6
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: X-Amz-Date: 20170923T110122Z
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: X-Amz-Security-Token: [...]
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Accept-Encoding: gzip
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4:
2017-09-23T11:01:22.439Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: -----------------------------------------------------
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] [aws-sdk-go] DEBUG: Response elasticfilesystem/CreateMountTarget Details:
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: ---[ RESPONSE ]--------------------------------------
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: HTTP/1.1 403 Forbidden
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Connection: close
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Content-Length: 85
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Content-Type: application/json
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: Date: Sat, 23 Sep 2017 11:01:21 GMT
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: X-Amzn-Errortype: AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: X-Amzn-Requestid: 8908ae12-a04e-11e7-af98-cbddae446733
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4:
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4:
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: -----------------------------------------------------
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] [aws-sdk-go] {"Message":"User is not authorized to perform that action on the specified resource"}
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] Unlocking "efs-mt-fs-dcf61785-eu-central-1a"
2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] Unlocked "efs-mt-fs-dcf61785-eu-central-1a"
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalWriteState
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalApplyProvisioners
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalIf
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalWriteState
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalWriteDiff
2017/09/23 11:01:22 [TRACE] root: eval: *terraform.EvalApplyPost
2017/09/23 11:01:22 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* aws_efs_mount_target.fgw-shared-filesystem-moun-target: AccessDeniedException: User is not authorized to perform that action on the specified resource
        status code: 403, request id: 8908ae12-a04e-11e7-af98-cbddae446733
2017/09/23 11:01:22 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* aws_efs_mount_target.fgw-shared-filesystem-moun-target: AccessDeniedException: User is not authorized to perform that action on the specified resource
        status code: 403, request id: 8908ae12-a04e-11e7-af98-cbddae446733
2017/09/23 11:01:22 [TRACE] [walkApply] Exiting eval tree: aws_efs_mount_target.fgw-shared-filesystem-moun-target
2017/09/23 11:01:22 [TRACE] dag/walk: upstream errored, not walking "provider.aws (close)"
2017/09/23 11:01:22 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2017/09/23 11:01:22 [TRACE] dag/walk: upstream errored, not walking "root"
2017/09/23 11:01:22 [TRACE] Preserving existing state lineage "bc59239b-1ea6-47be-a248-dee818a3f157"
2017/09/23 11:01:22 [TRACE] Preserving existing state lineage "bc59239b-1ea6-47be-a248-dee818a3f157"
2017/09/23 11:01:22 [TRACE] Preserving existing state lineage "bc59239b-1ea6-47be-a248-dee818a3f157"
2017/09/23 11:01:22 [TRACE] Preserving existing state lineage "bc59239b-1ea6-47be-a248-dee818a3f157"

Seeing a similar situation:

2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 2017/10/17 16:09:19 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeInstances Details:
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: POST / HTTP/1.1
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Host: ec2.eu-west-1.amazonaws.com
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: User-Agent: aws-sdk-go/1.12.8 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.10.0-dev
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Content-Length: 76
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Authorization: AWS4-HMAC-SHA256 Credential=AKIAIY7UNKLGDH3NHGKA/20171017/eu-west-1/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=201f61ed8558a238d1b1ccd13fdc3b505ae0faa987e6739f96123005940902c5
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: X-Amz-Date: 20171017T130919Z
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Accept-Encoding: gzip
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Action=DescribeInstances&InstanceId.1=i-03a98d1bcd89963ba&Version=2016-11-15
2017-10-17T16:09:19.561+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: -----------------------------------------------------
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 2017/10/17 16:09:19 [DEBUG] [aws-sdk-go] DEBUG: Response elasticfilesystem/DescribeMountTargetSecurityGroups Details:
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: ---[ RESPONSE ]--------------------------------------
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: HTTP/1.1 403 Forbidden
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Connection: close
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Content-Length: 85
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Content-Type: application/json
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: Date: Tue, 17 Oct 2017 13:09:19 GMT
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: X-Amzn-Errortype: AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: X-Amzn-Requestid: 62e4a267-b33c-11e7-9772-ef103adff919
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: -----------------------------------------------------
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 2017/10/17 16:09:19 [DEBUG] [aws-sdk-go] {"Message":"User is not authorized to perform that action on the specified resource"}
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 2017/10/17 16:09:19 [DEBUG] [aws-sdk-go] DEBUG: Validate Response elasticfilesystem/DescribeMountTargetSecurityGroups failed, not retrying, error AccessDeniedException: User is not authorized to perform that action on the specified resource
2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:   status code: 403, request id: 62e4a267-b33c-11e7-9772-ef103adff919
2017/10/17 16:09:19 [ERROR] root.efs_storage: eval: *terraform.EvalRefresh, err: aws_efs_mount_target.efs_mount_target: AccessDeniedException: User is not authorized to perform that action on the specified resource
    status code: 403, request id: 62e4a267-b33c-11e7-9772-ef103adff919
2017/10/17 16:09:19 [ERROR] root.efs_storage: eval: *terraform.EvalSequence, err: aws_efs_mount_target.efs_mount_target: AccessDeniedException: User is not authorized to perform that action on the specified resource
    status code: 403, request id: 62e4a267-b33c-11e7-9772-ef103adff919
2017/10/17 16:09:19 [TRACE] [walkRefresh] Exiting eval tree: module.efs_storage.aws_efs_mount_target.efs_mount_target
2017/10/17 16:09:19 [TRACE] root.config1.ami: eval: *terraform.EvalOpFilter
2017/10/17 16:09:19 [TRACE] root.config1.ami: eval: *terraform.EvalSequence
2017/10/17 16:09:19 [TRACE] dag/walk: upstream errored, not walking "module.efs_storage.output.efs_mount_target_ip_address"
2017/10/17 16:09:19 [TRACE] root.config1.ami: eval: *terraform.EvalWriteOutput

From the logs,

@reda134 missing permission elasticfilesystem:CreateMountTarget

2017-09-23T11:01:22.620Z [DEBUG] plugin.terraform-provider-aws_v0.1.0_x4: 2017/09/23 11:01:22 [DEBUG] [aws-sdk-go] DEBUG: Response elasticfilesystem/CreateMountTarget Details:

@alvarl missing permission elasticfilesystem:DescribeMountTargetSecurityGroups

2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: 2017/10/17 16:09:19 [DEBUG] [aws-sdk-go] DEBUG: Response elasticfilesystem/DescribeMountTargetSecurityGroups Details:

I'll let others comment on this if you do have the permission and still hit this error.

similar issue with Administrative access of elasticfilesystem

verified that I can't re-produce with aws cli

kk@sagfnsdpg:$ aws efs describe-mount-targets --file-system-id=XXX-XXXXX 
{
    "MountTargets": [
        {
            "MountTargetId": "XXXX-XXXXX",
            "NetworkInterfaceId": "XXX-XXXXX",
            "FileSystemId": "XXXXXXXXXXXXXX",
            "LifeCycleState": "XXXXXXXXXX",
            "SubnetId": "XXXXXXXXXXX",
            "OwnerId": "XXXXXXXXXXX",
            "IpAddress": "XXX.XXX.XXX.XXX"
        }
    ]
}

Hi folks,
The error has to do with describe-mount-target-security-groups, not describe-mount-targets, and is actually reproducible on AWS as per the example below (calls made via an Admin-level IAM user's app key).

[user@server terraform]$ aws efs describe-mount-target-security-groups --mount-target-id fsmt-1234abcd

An error occurred (AccessDeniedException) when calling the DescribeMountTargetSecurityGroups operation: User is not authorized to perform that action on the specified resource
[user@server terraform]$ aws --version
aws-cli/1.14.52 Python/2.7.13 Linux/3.10.0-514.36.5.el7.x86_64 botocore/1.9.5
[user@server terraform]$ terraform -v
Terraform v0.11.3

Terraform ran w/ TF_LOG=debug

2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: 2018/03/06 11:43:06 [DEBUG] [aws-sdk-go] DEBUG: Request elasticfilesystem/DescribeMountTargetSecurityGroups Details:
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: GET /2015-02-01/mount-targets/fsmt-1234abcd/security-groups HTTP/1.1
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Host: elasticfilesystem.eu-central-1.amazonaws.com
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: User-Agent: aws-sdk-go/1.10.51 (go1.9; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.10.0-dev
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Authorization: AWS4-HMAC-SHA256 Credential=(obfuscated)/20180306/eu-central-1/elasticfilesystem/aws4_request, SignedHeaders=host;x-amz-date, Signature=(obfuscated)
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: X-Amz-Date: 20180306T164306Z
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Accept-Encoding: gzip
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4:
2018-03-06T11:43:06.095-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4:
[...]
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: 2018/03/06 11:43:06 [DEBUG] [aws-sdk-go] DEBUG: Response elasticfilesystem/DescribeMountTargetSecurityGroups Details:
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: ---[ RESPONSE ]--------------------------------------
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: HTTP/1.1 403 Forbidden
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Connection: close
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Content-Length: 85
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Content-Type: application/json
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: Date: Tue, 06 Mar 2018 16:43:06 GMT
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: X-Amzn-Errortype: AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: X-Amzn-Requestid: 7210d167-215d-11e8-95c7-3596f6f26b14
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4:
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4:
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: -----------------------------------------------------
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: 2018/03/06 11:43:06 [DEBUG] [aws-sdk-go] {"Message":"User is not authorized to perform that action on the specified resource"}
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4: 2018/03/06 11:43:06 [DEBUG] [aws-sdk-go] DEBUG: Validate Response elasticfilesystem/DescribeMountTargetSecurityGroups failed, not retrying, error AccessDeniedException: User is not authorized to perform that action on the specified resource
2018-03-06T11:43:06.560-0500 [DEBUG] plugin.terraform-provider-aws_v1.0.0_x4:   status code: 403, request id: 7210d167-215d-11e8-95c7-3596f6f26b14
2018/03/06 11:43:06 [ERROR] root.app: eval: *terraform.EvalRefresh, err: aws_efs_mount_target.mount_to_private_1b: AccessDeniedException: User is not authorized to perform that action on the specified resource
        status code: 403, request id: 7210d167-215d-11e8-95c7-3596f6f26b14
2018/03/06 11:43:06 [ERROR] root.app: eval: *terraform.EvalSequence, err: aws_efs_mount_target.mount_to_private_1b: AccessDeniedException: User is not authorized to perform that action on the specified resource
        status code: 403, request id: 7210d167-215d-11e8-95c7-3596f6f26b14

Thomas

Had the same problem. According to this, you also need permission ec2:DescribeNetworkInterfaceAttribute to do describeMountTargetSecurityGroups. After adding that to my policy, I could create the EFS mount target with Terraform.
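
The by-hand procedure used in the comments above (find the `Response <service>/<Operation>` block that came back 403 and turn it into an IAM action), as an added example that is not part of the original thread or the provider's code. The log lines are constructed, and `denied_calls`, `redact` and `ALSO_NEEDED` are hypothetical names; `redact` strips the SigV4 credential fields that this kind of debug output carries before the log is shared.

```python
import re

# Constructed sample shaped like the TF_LOG=debug output quoted in this thread.
# The access key is AWS's documented example key; token and signature are fake.
P = "2017-10-17T16:09:19.722+0300 [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4: "
SAMPLE_LOG = "\n".join(P + line for line in [
    "[aws-sdk-go] DEBUG: Request elasticfilesystem/DescribeMountTargetSecurityGroups Details:",
    "GET /2015-02-01/mount-targets/fsmt-1234abcd/security-groups HTTP/1.1",
    "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20171017/eu-west-1/"
    "elasticfilesystem/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123abcd",
    "X-Amz-Security-Token: FAKEFAKEFAKE==",
    "[aws-sdk-go] DEBUG: Response elasticfilesystem/DescribeMountTargetSecurityGroups Details:",
    "HTTP/1.1 403 Forbidden",
    "X-Amzn-Errortype: AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/",
    "X-Amzn-Requestid: 00000000-0000-0000-0000-000000000000",
    "[aws-sdk-go] DEBUG: Response ec2/DescribeSubnets Details:",
    "HTTP/1.1 200 OK",
])

RESPONSE = re.compile(r"\[aws-sdk-go\] DEBUG: Response (\w+)/(\w+) Details:")
REQUEST = re.compile(r"\[aws-sdk-go\] DEBUG: Request \w+/\w+ Details:")
STATUS = re.compile(r"HTTP/1\.[01] (\d{3})\b")
REQUEST_ID = re.compile(r"X-Amzn-Requestid: ([0-9a-f-]+)")

# Cross-service dependency reported in this thread; extend as you find others.
ALSO_NEEDED = {
    "elasticfilesystem:DescribeMountTargetSecurityGroups":
        ["ec2:DescribeNetworkInterfaceAttribute"],
}

def denied_calls(log_text):
    """Return one dict per API response that came back 403."""
    denied, current = [], None
    for line in log_text.splitlines():
        if REQUEST.search(line):
            current = None  # request headers are never attributed to a response
        elif (m := RESPONSE.search(line)):
            # The SDK service name equals the IAM prefix for ec2 and
            # elasticfilesystem; that is not guaranteed for every service.
            current = {"action": f"{m.group(1)}:{m.group(2)}", "request_id": None}
        elif current and (m := STATUS.search(line)):
            if m.group(1) == "403":
                current["also_check"] = ALSO_NEEDED.get(current["action"], [])
                denied.append(current)
            else:
                current = None
        elif current and (m := REQUEST_ID.search(line)):
            current["request_id"] = m.group(1)
    return denied

def redact(log_text):
    """Strip SigV4 credential material before a log is shared."""
    log_text = re.sub(r"Credential=[^/\s]+", "Credential=REDACTED", log_text)
    log_text = re.sub(r"Signature=[0-9a-fA-F]+", "Signature=REDACTED", log_text)
    return re.sub(r"(X-Amz-Security-Token:)[^\n]*", r"\1 REDACTED", log_text)

if __name__ == "__main__":
    for call in denied_calls(redact(SAMPLE_LOG)):
        print(call)
```

The `request_id` in each result is the value to quote when raising the denial with AWS support or matching it against CloudTrail.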

It appears the above has been answered. If there are any Terraform bugs to report, please open a new issue. Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
