Terraform error operation error S3: ListObjectsV2, https response error StatusCode: 403 #34223
Comments
@simonweil I've got the same error. The reason for me was that my default AWS profile was configured to a different account than that which I used with Terraform. Here is my config:
terraform {
backend "s3" {
bucket = "state-bucket-name"
key = "<AWS-ACCOUNT-ID>/<accountname>/<env>/terraform.tfstate"
dynamodb_table = "terraform-state-lock-table-name"
region = "<theregion>"
+ access_key = "..." # same value as var.access_key
+ secret_key = "..." # same value as var.secret_key
}
}
provider "aws" {
region = var.region
access_key = var.access_key
secret_key = var.secret_key
}
Another way I found to solve the issue is to add to
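Review bot: the added access_key and secret_key lines in the backend "s3" block hard-code long-lived AWS keys into the configuration, and Terraform writes backend settings into the .terraform directory and into plan files, so the keys end up on disk wherever those files go. Since the cause described is a default profile pointing at the wrong account, consider dropping these two lines and selecting the intended account through the backend's profile argument or the AWS_PROFILE environment variable, so no secret is stored in the backend block.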
@simonweil Just FYI @jbardin works on the core Terraform, whereas the AWS provider team at HashiCorp works on the S3 backend. Due to the recent changes to the S3 backend, the AWS provider team has been fairly responsive to new issues if they are related to the change, but it is ultimately up to their timeline and discretion to pick up these issues. Thanks for reporting this, and hopefully the team will get a chance to look at it.
PSA for other people learning terraform - I got this same error but it was because the dynamo table and s3 bucket were not created yet. Once I manually created those resources via the console, my script worked as expected. TL;DR: The resources referenced in the
Thank you for the clarification. Any chance to get the attention of the AWS provider team at HashiCorp for this issue?
@simonweil I did notify them of this issue, my understanding is that they are aware of it but I am not aware of whether it is currently prioritized. There were changes to the S3 backend in 1.6.6 (just released) but I do not see anything about it in the release notes :( -- normally they would close an issue (such as this) if it was fixed by a change.
The AWS S3 terraform/internal/backend/remote-state/s3/backend_state.go Lines 45 to 56 in c7f052e
@simonweil Could you try setting the
Thank you for the pointer to this setting @ewbankkit
This regression has prevented me from upgrading to 1.6/1.7 releases. We aren't using workspaces and if I specify a In #34223 (comment) it's implied there were changes in 1.6.6 around the s3 backend. I tested 1.6.2, 1.6.3, 1.6.4, 1.6.5, and 1.6.6 and receive this ListObjectsV2 issue on all of them. 1.6.0 asks me to migrate state, so didn't go forward with trying that further. Anyway looking forward to 1.6.7 to be released or #34513 to be merged into 1.7.1.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Version
Terraform Configuration Files
Debug Output
https://gist.github.com/simonweil/e023ac03b6966a05f712c93573e86e5b
Expected Behavior
The terraform init should succeed like for all previous terraform versions.
Actual Behavior
terraform init fails accessing the backend with the following error
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: Unable to list objects in S3 bucket "terraform-state-bucket-name": operation error S3: ListObjectsV2, https response error StatusCode: 403, RequestID: , HostID: , api error AccessDenied: Access Denied
Steps to Reproduce
terraform init
Additional Context
Yes, the assumable role has the StateBucketList statement with a prefix limitation.
This worked until version 1.5.7 but stopped on version 1.6.0
This is needed as the state bucket is shared and we do not want the ability to find all the accounts that are using the state bucket.
It seems to be related to a new request to the bucket (from the debug):
See the tf_backend.workspace-prefix=env:/ which is being searched in the root of the bucket for some reason, and that is not allowed by the statement.
References
No response
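Added example, not part of the original issue or of Terraform's code: a simplified Python model of how an s3:ListBucket statement with an s3:prefix condition treats the two list requests discussed in this report. The statement contents, bucket name, account id and state-key prefix are constructed placeholders; only the env:/ workspace prefix comes from the issue text.

```python
import copy
import re

# Constructed statement modelled on the "StateBucketList" statement the issue
# describes. Bucket name, account id and prefix pattern are placeholders.
BUCKET_ARN = "arn:aws:s3:::state-bucket-name"
STATE_BUCKET_LIST = {
    "Sid": "StateBucketList",
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": BUCKET_ARN,
    "Condition": {"StringLike": {"s3:prefix": ["111111111111/*"]}},
}
# Prefixes sent with ListObjectsV2: a placeholder state-key prefix, and the
# workspace prefix "env:/" reported in the issue's debug output.
REQUESTED = ["111111111111/acct/prod/", "env:/"]


def _like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None


def list_allowed(stmt, bucket_arn, prefix):
    """Simplified model: does this single Allow statement permit the listing?"""
    if (stmt["Effect"], stmt["Action"], stmt["Resource"]) != ("Allow", "s3:ListBucket", bucket_arn):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        patterns = keys.get("s3:prefix", [])
        if op == "StringLike":
            ok = any(_like(p, prefix) for p in patterns)
        elif op == "StringEquals":
            ok = prefix in patterns
        else:
            ok = False  # operators outside this model are treated as a deny
        if not ok:
            return False
    return True


def denied_prefixes(stmt, bucket_arn, requested):
    """Prefixes whose listing would come back as 403 AccessDenied."""
    return [p for p in requested if not list_allowed(stmt, bucket_arn, p)]


def with_extra_prefix(stmt, pattern):
    """Copy of stmt that also allows listing under `pattern` (a hypothetical policy change)."""
    widened = copy.deepcopy(stmt)
    widened["Condition"]["StringLike"]["s3:prefix"].append(pattern)
    return widened
```

Calling denied_prefixes(STATE_BUCKET_LIST, BUCKET_ARN, REQUESTED) returns only the env:/ listing, which matches the AccessDenied in the report. Whether to allow that prefix is a policy decision about what other users of the shared bucket may enumerate.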