I'm getting 403 errors when trying to migrate a remote policy to S3. If I give it the AmazonS3FullAccess policy it works.
I've applied the following IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
```
Running the following command:
```shell
terraform remote config -backend=S3 -backend-config="bucket=my-bucket" -backend-config="key=prod" -backend-config="region=us-west-2"
```
Results in this error:
```
Error while performing the initial pull. The error message is shown
below. Note that remote state was properly configured, so you don't
need to reconfigure. You can now use `push` and `pull` directly.

Error reloading remote state: AccessDenied: Access Denied
	status code: 403, request id:
```
What's unclear is... what else could this be looking at? Giving it _full_ access to the bucket should not cause any problems (for clarity: I've attempted `my-bucket`, `my-bucket/*`, and `my-bucket/prod` as parts of the resource).
Wow, might want to leave this on Github issues for anyone who isn't very familiar with IAM policies.
I did my homework; the correct policy is that both the bucket and the contents in it need to be specified as resources.
The correct policy is:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
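The reason the first policy fails and the second works is the ARN level IAM authorises each action against: `s3:ListBucket` is evaluated against the bucket ARN, while `GetObject`/`PutObject`/`DeleteObject` are evaluated against the object ARN (`my-bucket/<key>`), so a statement that names only one of the two can never satisfy the backend. The following checker is an added example (not part of the thread or of Terraform) that reads a policy document and reports which of the four required grants are missing for a given bucket and state key; it deliberately ignores `Deny`, `Condition` and `NotAction`, which is a simplifying assumption, not how IAM evaluates a real request.

```python
import fnmatch
import json

# Actions the Terraform S3 backend needs (as listed in the fixed policy),
# split by the ARN level IAM authorises them against.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """IAM allows a bare string wherever a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def missing_grants(policy_json, bucket, key="prod"):
    """Return the required (action, ARN) pairs that no unconditional Allow
    statement covers. Deny/Condition/NotAction are ignored (assumption)."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"arn:aws:s3:::{bucket}/{key}"  # the state object itself
    required = {(a, bucket_arn) for a in BUCKET_ACTIONS}
    required |= {(a, object_arn) for a in OBJECT_ACTIONS}
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        # Action names are case-insensitive; both fields accept '*' and '?'
        # wildcards, which fnmatch's glob syntax reproduces for these values.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action, arn in required:
            if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) \
               and any(fnmatch.fnmatchcase(arn, r) for r in resources):
                granted.add((action, arn))
    return required - granted


# Constructed sample documents: the bucket-only policy from the first post,
# the objects-only variant the poster also tried, and the fixed policy.
def _doc(resource, action="s3:*"):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": resource}]})


BUCKET_ONLY = _doc("arn:aws:s3:::my-bucket")
OBJECTS_ONLY = _doc("arn:aws:s3:::my-bucket/*")
FIXED = _doc(["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
             ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"])

if __name__ == "__main__":
    for name, doc in (("bucket-only", BUCKET_ONLY), ("objects-only", OBJECTS_ONLY), ("fixed", FIXED)):
        print(name, sorted(missing_grants(doc, "my-bucket")) or "all required grants present")
```

Running it shows the bucket-only policy lacks the three object actions, the objects-only policy lacks `ListBucket`, and the fixed policy lacks nothing, which is the `403` the original poster saw explained at the grant level.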
:+1: Thanks for this, I was also getting 403s.
Thank you so much for this, had the same problem!
Maybe this could be added to the s3 backend documentation?
I thought I was going crazy, thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.