terraform {
  backend "s3" {
    bucket = "vendor-terraform"
    key    = "terraform/us-west-2/terraform.tfstate"
    region = "us-west-2"
  }
}
Should error out if access to bucket not present, like this:
Error loading state: AccessDenied: Access Denied
status code: 403, request id: xxx, host id: UuoNIqtPMPybqcLpSOxxxx=
No error
Please list the steps required to reproduce the issue, for example:
terraform init
I encountered the same situation, but it does not cause a serious problem; terraform just notifies you of the error later than expected. If you call terraform show or terraform plan after terraform init, it immediately tells you the expected error, and if you check the bucket in AWS, it is untouched. But I agree with you that the tool should tell you that you lack credentials as early as possible and fail during init instead of silently continuing like nothing happened.
Hi rokka-n,
I had exactly the same issue. But once I gave the s3 bucket public access, Terraform no longer complains.
But I don't think giving s3 public access is a permanent solution.
Waiting for some more valuable answers.
Cheers,
Vincent
This seems to be a duplicate of https://github.com/hashicorp/terraform/issues/5839
Check to make sure your environment is using the correct AWS account. You may have multiple accounts in your .aws/credentials.
@tkjef What happens if multiple profiles are specified in .aws/credentials? Which one does terraform pick for the init execution? And what could be done to specify the desired profile for init?
@dragonknight88 - if nothing is set in terraform, the AWS SDK chooses which credentials to use. The aws provider authentication documentation is here.
@dragonknight88 you can set the below:
AWS_PROFILE=aws_account_name
export AWS_PROFILE
in your ~/.bash_profile
Thanks @tkjef. My issue got resolved by setting AWS_PROFILE. The problem was with the Jenkins build system setup. It had the AWS_ACCOUNT_KEY and SECRET_KEY env variables set up, so regardless of what I set in AWS_PROFILE, tf was picking up the ACCT and SECRET key config. I had to reset those on every stage in the Jenkins pipeline.
Are you sure your bucket is located in the same region you specified in your backend config? I had this issue once before and the error message is not clear enough.
The problem is that 'terraform init' is not authenticating to AWS the same way as the further steps (terraform plan, etc).
Also, you could have explicitly added the AWS auth data to the backend block:
terraform {
  backend "s3" {
    bucket   = "bucket-name"
    key      = "path/file.tfstate"
    region   = "us-east-1"
    encrypt  = true
    profile  = "profile_name"
    role_arn = "arn:aws:iam::0000000000:role/if_needed"
  }
}
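
Added example, not part of the thread or of Terraform itself: a pre-flight check for a CI stage that runs before `terraform init`. It reports which credential source is visible in the environment and fails early if the resolved identity cannot reach the state bucket. The function names are hypothetical, and it assumes the AWS CLI is installed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check to run before `terraform init` in CI.
# cred_source and preflight_backend are hypothetical helper names.

# Report which credential source is visible in the environment.
# Static keys are checked first because, as described in the thread,
# keys exported by the build system were used regardless of AWS_PROFILE.
cred_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    if [ -n "${AWS_PROFILE:-}" ]; then
      echo "env-keys-shadow-profile"
    else
      echo "env-keys"
    fi
  elif [ -n "${AWS_PROFILE:-}" ]; then
    echo "profile:${AWS_PROFILE}"
  else
    echo "sdk-default"
  fi
}

# Fail fast if the resolved identity cannot reach the state bucket.
# $1 = bucket name, $2 = region. Requires the AWS CLI.
# Return codes: 2 = ambiguous credentials, 3 = no valid identity,
#               4 = bucket not reachable (for example a 403 or wrong region).
preflight_backend() {
  bucket="$1"
  region="$2"
  src="$(cred_source)"
  echo "credential source: ${src}" >&2
  if [ "$src" = "env-keys-shadow-profile" ]; then
    echo "error: static keys and AWS_PROFILE are both set; unset one" >&2
    return 2
  fi
  # Print the ARN of the identity that will actually be used.
  aws sts get-caller-identity --query Arn --output text >&2 || return 3
  # HEAD the bucket: a non-zero exit here is the AccessDenied that
  # `terraform init` did not surface.
  aws s3api head-bucket --bucket "$bucket" --region "$region" >&2 || return 4
}

# Usage in a pipeline stage:
#   preflight_backend vendor-terraform us-west-2 && terraform init
```

A non-zero return stops the stage before any Terraform command runs, so a credential mix-up surfaces at the start of the job rather than at `terraform plan`.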