Terraform-provider-aws: error getting S3 Bucket Object Lock configuration: AccessDenied

Created on 14 Feb 2019  ·  7 Comments  ·  Source: hashicorp/terraform-provider-aws

Hi,

I am having an issue with terraform 11.11 only, having a user/role that has a readonly policy on S3 to do a terraform plan only.
It fails getting the object lock... AWS answers with a 403 instead of a 404, I think, and this makes terraform fail.

Below are some details (and an edited gist of debug logs) showing the request that fails (and other request that work fine).

Note that on version 11.10, when object lock was not implemented, using a Read only user worked perfectly.

It seems to me more like an AWS policy issue, but it would be great to allow a 403 as a valid answer to bypass the problem and allow read only users to do a TF plan.

Thanks for your awesome work btw.

Ronan

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

11.11 (but works on 11.10)

Affected Resource(s)

  • aws_s3_bucket.website_bucket

Terraform Configuration Files

resource "aws_s3_bucket" "website_bucket" {
  bucket   = "${var.bucket_name}"
  acl = "public-read"

  website {
    index_document = "index.html"
    error_document = "404.html"  # TODO
    routing_rules  = "${var.s3_routing_rules}"
  }
}

Debug Output

https://gist.github.com/ronhanson/6da53321a37ae6879a6ae98c0ce79d09

Expected Behavior

Should bypass the aws s3 object lock abnormal 403 behavior.

Actual Behavior

Fails with the following error:

error getting S3 Bucket Object Lock configuration: AccessDenied

Steps to Reproduce

  1. Create a user or role with Readonly access to S3, all resource access (*).

  2. terraform plan

  3. it crashes on "get object lock" because Amazon sends a 403 on that "readonly" operation...

Important Factoids

User/Role is running with Read Only policy (Get*) on S3, still the terraform plan fails.


All 7 comments

@ronhanson Does the user have the AmazonS3ReadOnlyAccess managed policy attached?

If I test (via the AWS CLI but it should be the same API calls underneath) with an IAM user s3ro that just has AmazonS3ReadOnlyAccess attached:

(as admin user)

$ aws iam list-attached-user-policies --user s3ro
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess", 
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}
$ aws iam get-policy --policy-arn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
{
    "Policy": {
        "PolicyName": "AmazonS3ReadOnlyAccess", 
        "Description": "Provides read only access to all buckets via the AWS Management Console.", 
        "PermissionsBoundaryUsageCount": 0, 
        "CreateDate": "2015-02-06T18:40:59Z", 
        "AttachmentCount": 1, 
        "IsAttachable": true, 
        "PolicyId": "ANPAIZTJ4DXE7G6AGAE6M", 
        "DefaultVersionId": "v1", 
        "Path": "/", 
        "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", 
        "UpdateDate": "2015-02-06T18:40:59Z"
    }
}
$ aws iam get-policy-version --policy-arn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" --version-id v1
{
    "PolicyVersion": {
        "CreateDate": "2015-02-06T18:40:59Z", 
        "VersionId": "v1", 
        "Document": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": [
                        "s3:Get*", 
                        "s3:List*"
                    ], 
                    "Resource": "*", 
                    "Effect": "Allow"
                }
            ]
        }, 
        "IsDefaultVersion": true
    }
}

(switch credentials to s3ro user)

$ aws s3api get-object-lock-configuration --bucket ewbankkit-testing-object-lock

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

However, if I manually create an S3 read-only policy through the guided visual editor in the AWS console (_Service=S3, Actions=AccessLevel=Read, Resources=Any bucket/Any object_):

(as admin user)

$ aws iam list-attached-user-policies --user s3ro
{
    "AttachedPolicies": [
        {
            "PolicyName": "my-s3-read-only", 
            "PolicyArn": "arn:aws:iam::0000000000000:policy/my-s3-read-only"
        }
    ]
}
$ aws iam get-policy --policy-arn "arn:aws:iam::0000000000000:policy/my-s3-read-only"
{
    "Policy": {
        "PolicyName": "my-s3-read-only", 
        "PermissionsBoundaryUsageCount": 0, 
        "CreateDate": "2019-02-14T15:24:13Z", 
        "AttachmentCount": 1, 
        "IsAttachable": true, 
        "PolicyId": "ANPAJV4EJJ7Z7AGWLG6ZK", 
        "DefaultVersionId": "v1", 
        "Path": "/", 
        "Arn": "arn:aws:iam::0000000000000:policy/my-s3-read-only", 
        "UpdateDate": "2019-02-14T15:24:13Z"
    }
}
$ aws iam get-policy-version --policy-arn "arn:aws:iam::0000000000000:policy/my-s3-read-only" --version-id v1
{
    "PolicyVersion": {
        "CreateDate": "2019-02-14T15:24:13Z", 
        "VersionId": "v1", 
        "Document": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": [
                        "s3:GetObjectVersionTorrent", 
                        "s3:GetObjectAcl", 
                        "s3:GetObject", 
                        "s3:GetObjectTorrent", 
                        "s3:GetObjectVersionTagging", 
                        "s3:GetObjectVersionAcl", 
                        "s3:GetObjectTagging", 
                        "s3:GetObjectVersionForReplication", 
                        "s3:GetObjectVersion", 
                        "s3:ListMultipartUploadParts"
                    ], 
                    "Resource": "arn:aws:s3:::*/*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor0"
                }, 
                {
                    "Action": [
                        "s3:GetBucketPolicyStatus", 
                        "s3:GetBucketPublicAccessBlock", 
                        "s3:ListBucketByTags", 
                        "s3:GetLifecycleConfiguration", 
                        "s3:ListBucketMultipartUploads", 
                        "s3:GetBucketTagging", 
                        "s3:GetInventoryConfiguration", 
                        "s3:GetBucketWebsite", 
                        "s3:ListBucketVersions", 
                        "s3:GetBucketLogging", 
                        "s3:GetAccelerateConfiguration", 
                        "s3:GetBucketVersioning", 
                        "s3:GetBucketAcl", 
                        "s3:GetBucketNotification", 
                        "s3:GetBucketPolicy", 
                        "s3:GetReplicationConfiguration", 
                        "s3:GetEncryptionConfiguration", 
                        "s3:GetBucketRequestPayment", 
                        "s3:GetBucketCORS", 
                        "s3:GetAnalyticsConfiguration", 
                        "s3:GetMetricsConfiguration", 
                        "s3:GetBucketLocation"
                    ], 
                    "Resource": "arn:aws:s3:::*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor1"
                }, 
                {
                    "Action": "s3:GetAccountPublicAccessBlock", 
                    "Resource": "*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor2"
                }
            ]
        }, 
        "IsDefaultVersion": true
    }
}

(switch credentials to s3ro user)

$ aws s3api get-object-lock-configuration --bucket ewbankkit-testing-object-lock

An error occurred (AccessDenied) when calling the GetObjectLockConfiguration operation: Access Denied

The visual editor does not add the required s3:GetObjectLockConfiguration action.

@ewbankkit , first thanks for your help and demonstration.
Well, this is the kind of nightmare I am experiencing with ACLs, and it is even worse when you don't use stars (*) to select all resources.
I will retest it soon then, but I am pretty sure I manually added GetObjectLockConfiguration to my policy in JSON... so I don't understand why it would still fail.
I'll post my policy and an example terraform AWS script to showcase the bug if I still encounter it.
Again, many thanks for your time and effort solving my issue.

@ronhanson try with s3:GetBucketObjectLockConfiguration instead of s3:GetObjectLockConfiguration

You must have the s3:GetBucketObjectLockConfiguration permission in order to view a bucket's configuration.
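The two comments above come down to a string-matching question: the managed AmazonS3ReadOnlyAccess policy grants `s3:Get*`, which covers the action the provider needs, while the visual-editor policy lists individual actions and never includes `s3:GetBucketObjectLockConfiguration`. The script below is an added example (editor's code, not part of terraform-provider-aws or written by anyone in this thread) that evaluates an IAM identity policy document for a given action and resource, reproducing the two policy documents quoted by @ewbankkit and the bucket name from the transcript. It models only Effect, Action/NotAction and Resource/NotResource with IAM's `*`/`?` wildcards; Condition keys, bucket policies and SCPs are out of scope by assumption. The `REQUIRED_FOR_PLAN` list is a placeholder holding just the action discussed here, not a complete inventory of what `terraform plan` calls.

```python
"""Pre-flight check: does an IAM policy grant the S3 actions a read-only plan needs?

Added example, not project code. Policy documents below are copied from the
thread above; the evaluator is a simplified model of IAM identity-policy
evaluation (no Condition, no resource policies, no SCPs - an assumption).
"""
import copy
import re

# Bucket from the CLI transcript in the thread.
BUCKET_ARN = "arn:aws:s3:::ewbankkit-testing-object-lock"

# Placeholder: the one action this issue is about. A real inventory of the
# calls `terraform plan` makes for aws_s3_bucket would be longer (assumption).
REQUIRED_FOR_PLAN = ["s3:GetBucketWebsite", "s3:GetBucketObjectLockConfiguration"]

# AmazonS3ReadOnlyAccess v1, as printed by `aws iam get-policy-version` above.
MANAGED_READONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["s3:Get*", "s3:List*"], "Resource": "*", "Effect": "Allow"}],
}

# The console visual-editor policy from the thread (action lists abbreviated to
# the bucket-level statement that matters here; the other two are kept in shape).
VISUAL_EDITOR = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "arn:aws:s3:::*/*",
         "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "arn:aws:s3:::*",
         "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketWebsite",
                    "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketLocation"]},
        {"Sid": "VisualEditor2", "Effect": "Allow", "Resource": "*",
         "Action": "s3:GetAccountPublicAccessBlock"},
    ],
}


def _iam_pattern(pattern: str, ignore_case: bool) -> re.Pattern:
    """Compile an IAM wildcard pattern: '*' matches any run of characters
    (including ':' and '/'), '?' matches exactly one; all else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, ignore_case: bool) -> bool:
    return any(_iam_pattern(p, ignore_case).match(candidate) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if `policy` grants `action` on `resource`. Implicit default is Deny;
    an explicit Deny on a matching statement overrides every Allow. Action names
    are compared case-insensitively (as IAM does); resource ARNs are not."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action, True)
        else:
            action_hit = not _matches(stmt.get("NotAction"), action, True)
        if "Resource" in stmt:
            resource_hit = _matches(stmt["Resource"], resource, False)
        else:
            resource_hit = not _matches(stmt.get("NotResource"), resource, False)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, actions, resource: str) -> list:
    """Actions from `actions` that `policy` does not grant on `resource`."""
    return [a for a in actions if not is_allowed(policy, a, resource)]


def with_allow(policy: dict, action: str, resource: str) -> dict:
    """Return a copy of `policy` with one extra Allow statement appended."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [
        {"Sid": "AddedByPreflight", "Effect": "Allow", "Action": action, "Resource": resource}
    ]
    return fixed


if __name__ == "__main__":
    for name, pol in (("AmazonS3ReadOnlyAccess", MANAGED_READONLY), ("visual editor", VISUAL_EDITOR)):
        gap = missing_actions(pol, REQUIRED_FOR_PLAN, BUCKET_ARN)
        print(f"{name}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Running it reports the managed policy as `ok` and the visual-editor policy as missing `s3:GetBucketObjectLockConfiguration`; adding the wrongly spelled `s3:GetObjectLockConfiguration` from the earlier comment still leaves the gap, because IAM matches action names literally apart from wildcards, which is exactly the correction made in the comment above.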

It's gotta be aws provider version

1.60.0 error
1.53.0 success

Hi @ronhanson! Since you didn't post again, I'm hoping the suggestions above worked for you. I'm going to close this issue so we can focus on active reports, but please open a new bug if you're still having problems with the most recent versions of Terraform and the AWS provider. Thanks!

Thanks @aeschright ,
My problem came from the fact the AWS console was not presenting all the choices/ticks at the time. I guess the GetBucketObjectLockConfiguration was not listed in the UI. I had to use broader permission or declare it in json, as @ewbankkit did, and it finally worked. Sorry for not declaring this issue as solved.
Cheers!
Ronan

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
