service/s3: Use the current credentials when trying to get the bucket…

… region (#15481) This fixes #15420 where in aws-cn using anonymous credentials will cause the Head request to return Unauthorized. That error in turn fill cause terraform bucket operations to fail.
hashicorp · Nov 17, 2020 · 17429ae · 17429ae
1 parent 27353a2
commit 17429ae
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/aws/data_source_aws_s3_bucket.go b/aws/data_source_aws_s3_bucket.go
@@ -100,6 +100,12 @@ func bucketLocation(client *AWSClient, d *schema.ResourceData, bucket string) er
 		// the provider s3_force_path_style configuration, which defaults to
 		// false, but allows override.
 		r.Config.S3ForcePathStyle = client.s3conn.Config.S3ForcePathStyle
+
+		// By default, GetBucketRegion uses anonymous credentials when doing
+		// a HEAD request to get the bucket region. This breaks in aws-cn regions
+		// when the account doesn't have an ICP license to host public content.
+		// Use the current credentials when getting the bucket region.
+		r.Config.Credentials = client.s3conn.Config.Credentials
 	})
 	if err != nil {
 		return err

diff --git a/aws/resource_aws_s3_bucket.go b/aws/resource_aws_s3_bucket.go
@@ -1263,6 +1263,12 @@ func resourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
 			// the provider s3_force_path_style configuration, which defaults to
 			// false, but allows override.
 			r.Config.S3ForcePathStyle = s3conn.Config.S3ForcePathStyle
+
+			// By default, GetBucketRegion uses anonymous credentials when doing
+			// a HEAD request to get the bucket region. This breaks in aws-cn regions
+			// when the account doesn't have an ICP license to host public content.
+			// Use the current credentials when getting the bucket region.
+			r.Config.Credentials = s3conn.Config.Credentials
 		})
 	})
 	if err != nil {