error getting S3 Bucket Object Lock configuration: AccessDenied #7550

Closed
ronhanson opened this issue Feb 14, 2019 · 7 comments
Labels
service/s3 Issues and PRs that pertain to the s3 service.

Comments

@ronhanson

Hi,

I am having an issue with Terraform 11.11 only, using a user/role that has a read-only policy on S3 to do a terraform plan only.
It fails getting the object lock: AWS answers with a 403 instead of a 404, I think, and this makes Terraform fail.

Below are some details (and an edited gist of debug logs) showing the request that fails (and other request that work fine).

Note that on version 11.10, when object lock was not implemented, using a Read only user worked perfectly.

It seems to me more like an AWS policy issue, but it would be great to allow a 403 as a valid answer to bypass the problem and allow read only users to do a TF plan.

Thanks for your awesome work btw.

Ronan


Terraform Version

11.11 (but works on 11.10)

Affected Resource(s)

  • aws_s3_bucket.website_bucket

Terraform Configuration Files

resource "aws_s3_bucket" "website_bucket" {
  bucket   = "${var.bucket_name}"
  acl = "public-read"

  website {
    index_document = "index.html"
    error_document = "404.html"  # TODO
    routing_rules  = "${var.s3_routing_rules}"
  }
}

Debug Output

https://gist.github.com/ronhanson/6da53321a37ae6879a6ae98c0ce79d09

Expected Behavior

Should bypass the aws s3 object lock abnormal 403 behavior.

Actual Behavior

Fails with the following error:

error getting S3 Bucket Object Lock configuration: AccessDenied

Steps to Reproduce

  1. Create a user or role with Readonly access to S3, all resource access (*).

  2. terraform plan

  3. it crashes on "get object lock" because Amazon sends a 403 on that "readonly" operation...

Important Factoids

User/role is running with a read-only policy (Get*) on S3; still the terraform plan fails.

@ewbankkit (Contributor)

@ronhanson Does the user have the AmazonS3ReadOnlyAccess managed policy attached?

If I test (via the AWS CLI but it should be the same API calls underneath) with an IAM user s3ro that just has AmazonS3ReadOnlyAccess attached:

(as admin user)

$ aws iam list-attached-user-policies --user s3ro
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess", 
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}
$ aws iam get-policy --policy-arn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
{
    "Policy": {
        "PolicyName": "AmazonS3ReadOnlyAccess", 
        "Description": "Provides read only access to all buckets via the AWS Management Console.", 
        "PermissionsBoundaryUsageCount": 0, 
        "CreateDate": "2015-02-06T18:40:59Z", 
        "AttachmentCount": 1, 
        "IsAttachable": true, 
        "PolicyId": "ANPAIZTJ4DXE7G6AGAE6M", 
        "DefaultVersionId": "v1", 
        "Path": "/", 
        "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", 
        "UpdateDate": "2015-02-06T18:40:59Z"
    }
}
$ aws iam get-policy-version --policy-arn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" --version-id v1
{
    "PolicyVersion": {
        "CreateDate": "2015-02-06T18:40:59Z", 
        "VersionId": "v1", 
        "Document": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": [
                        "s3:Get*", 
                        "s3:List*"
                    ], 
                    "Resource": "*", 
                    "Effect": "Allow"
                }
            ]
        }, 
        "IsDefaultVersion": true
    }
}

(switch credentials to s3ro user)

$ aws s3api get-object-lock-configuration --bucket ewbankkit-testing-object-lock

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

However, if I manually create an S3 read-only policy through the guided visual editor in the AWS console (Service=S3, Actions=AccessLevel=Read, Resources=Any bucket/Any object):

(as admin user)

$ aws iam list-attached-user-policies --user s3ro
{
    "AttachedPolicies": [
        {
            "PolicyName": "my-s3-read-only", 
            "PolicyArn": "arn:aws:iam::0000000000000:policy/my-s3-read-only"
        }
    ]
}
$ aws iam get-policy --policy-arn "arn:aws:iam::0000000000000:policy/my-s3-read-only"
{
    "Policy": {
        "PolicyName": "my-s3-read-only", 
        "PermissionsBoundaryUsageCount": 0, 
        "CreateDate": "2019-02-14T15:24:13Z", 
        "AttachmentCount": 1, 
        "IsAttachable": true, 
        "PolicyId": "ANPAJV4EJJ7Z7AGWLG6ZK", 
        "DefaultVersionId": "v1", 
        "Path": "/", 
        "Arn": "arn:aws:iam::0000000000000:policy/my-s3-read-only", 
        "UpdateDate": "2019-02-14T15:24:13Z"
    }
}
$ aws iam get-policy-version --policy-arn "arn:aws:iam::0000000000000:policy/my-s3-read-only" --version-id v1
{
    "PolicyVersion": {
        "CreateDate": "2019-02-14T15:24:13Z", 
        "VersionId": "v1", 
        "Document": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": [
                        "s3:GetObjectVersionTorrent", 
                        "s3:GetObjectAcl", 
                        "s3:GetObject", 
                        "s3:GetObjectTorrent", 
                        "s3:GetObjectVersionTagging", 
                        "s3:GetObjectVersionAcl", 
                        "s3:GetObjectTagging", 
                        "s3:GetObjectVersionForReplication", 
                        "s3:GetObjectVersion", 
                        "s3:ListMultipartUploadParts"
                    ], 
                    "Resource": "arn:aws:s3:::*/*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor0"
                }, 
                {
                    "Action": [
                        "s3:GetBucketPolicyStatus", 
                        "s3:GetBucketPublicAccessBlock", 
                        "s3:ListBucketByTags", 
                        "s3:GetLifecycleConfiguration", 
                        "s3:ListBucketMultipartUploads", 
                        "s3:GetBucketTagging", 
                        "s3:GetInventoryConfiguration", 
                        "s3:GetBucketWebsite", 
                        "s3:ListBucketVersions", 
                        "s3:GetBucketLogging", 
                        "s3:GetAccelerateConfiguration", 
                        "s3:GetBucketVersioning", 
                        "s3:GetBucketAcl", 
                        "s3:GetBucketNotification", 
                        "s3:GetBucketPolicy", 
                        "s3:GetReplicationConfiguration", 
                        "s3:GetEncryptionConfiguration", 
                        "s3:GetBucketRequestPayment", 
                        "s3:GetBucketCORS", 
                        "s3:GetAnalyticsConfiguration", 
                        "s3:GetMetricsConfiguration", 
                        "s3:GetBucketLocation"
                    ], 
                    "Resource": "arn:aws:s3:::*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor1"
                }, 
                {
                    "Action": "s3:GetAccountPublicAccessBlock", 
                    "Resource": "*", 
                    "Effect": "Allow", 
                    "Sid": "VisualEditor2"
                }
            ]
        }, 
        "IsDefaultVersion": true
    }
}

(switch credentials to s3ro user)

$ aws s3api get-object-lock-configuration --bucket ewbankkit-testing-object-lock

An error occurred (AccessDenied) when calling the GetObjectLockConfiguration operation: Access Denied

The visual editor does not add the required s3:GetObjectLockConfiguration action.

@ronhanson (Author)

@ewbankkit , first thanks for your help and demonstration.
Well, this is the kind of nightmare I am experiencing with ACLs, and it is even worse when you don't use stars (*) to select all resources.
I will retest it soon then, but I am pretty sure I manually added the GetObjectLockConfiguration to my policy in JSON... so I don't understand why it would still fail.
I'll post my policy and an example Terraform AWS script to showcase the bug if I still encounter it.
Again, many thanks for your time and effort solving my issue.

@eradegus

@ronhanson try with s3:GetBucketObjectLockConfiguration instead of s3:GetObjectLockConfiguration

You must have the s3:GetBucketObjectLockConfiguration permission in order to view a bucket's configuration.
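The two CLI results in ewbankkit's comment above (ObjectLockConfigurationNotFoundError with AmazonS3ReadOnlyAccess, AccessDenied with the visual-editor policy) and eradegus's point about the action name can be checked offline. The following is an added example written for this page, not code from the issue, the AWS provider or AWS: it reproduces the two policy documents posted in the thread and evaluates them against s3:GetBucketObjectLockConfiguration with a deliberately simplified model of IAM identity-policy logic (explicit Deny wins, then a matching Allow, otherwise implicit deny; Condition, NotAction/NotResource, resource policies, permission boundaries and SCPs are not modelled). The bucket ARN reuses the bucket name from ewbankkit's CLI session, and `with_extra_statement` is a helper invented here to stand for "declare it in JSON".

```python
"""Offline IAM policy check for the s3:GetBucketObjectLockConfiguration case.

Added example, not code from the issue, the AWS provider or AWS. Simplified
IAM model: explicit Deny wins, otherwise a matching Allow grants, otherwise
implicit deny. Condition, NotAction and NotResource raise (not modelled).
"""
import re
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match IAM wildcards: '*' is any run, '?' is one character.
    Action names are case-insensitive in IAM; ARNs are compared case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy: Dict[str, Any], action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise NotImplementedError("simplified evaluator does not handle %s" % sorted(stmt))
        hit_action = any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny anywhere overrides every Allow
            decision = "Allow"
    return decision


# Policy 1: the AWS managed policy AmazonS3ReadOnlyAccess, as dumped in the thread.
MANAGED_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

# Policy 2: the console visual editor's S3 "Read" policy from the thread. Every action
# is enumerated, and s3:GetBucketObjectLockConfiguration is not among them.
VISUAL_EDITOR_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "arn:aws:s3:::*/*",
         "Action": ["s3:GetObjectVersionTorrent", "s3:GetObjectAcl", "s3:GetObject",
                    "s3:GetObjectTorrent", "s3:GetObjectVersionTagging", "s3:GetObjectVersionAcl",
                    "s3:GetObjectTagging", "s3:GetObjectVersionForReplication",
                    "s3:GetObjectVersion", "s3:ListMultipartUploadParts"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "arn:aws:s3:::*",
         "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListBucketByTags",
                    "s3:GetLifecycleConfiguration", "s3:ListBucketMultipartUploads", "s3:GetBucketTagging",
                    "s3:GetInventoryConfiguration", "s3:GetBucketWebsite", "s3:ListBucketVersions",
                    "s3:GetBucketLogging", "s3:GetAccelerateConfiguration", "s3:GetBucketVersioning",
                    "s3:GetBucketAcl", "s3:GetBucketNotification", "s3:GetBucketPolicy",
                    "s3:GetReplicationConfiguration", "s3:GetEncryptionConfiguration",
                    "s3:GetBucketRequestPayment", "s3:GetBucketCORS", "s3:GetAnalyticsConfiguration",
                    "s3:GetMetricsConfiguration", "s3:GetBucketLocation"]},
        {"Sid": "VisualEditor2", "Effect": "Allow", "Resource": "*",
         "Action": "s3:GetAccountPublicAccessBlock"},
    ],
}


def with_extra_statement(policy: Dict[str, Any], action: str, resource: str) -> Dict[str, Any]:
    """Helper for this example: copy `policy` and append one Allow statement (the JSON fix)."""
    statements = list(_as_list(policy["Statement"]))
    statements.append({"Sid": "AddedForTerraformPlan", "Effect": "Allow",
                       "Action": action, "Resource": resource})
    return {"Version": policy["Version"], "Statement": statements}


# Constructed inputs: bucket name taken from the CLI session in the thread.
BUCKET_ARN = "arn:aws:s3:::ewbankkit-testing-object-lock"
ACTION = "s3:GetBucketObjectLockConfiguration"   # the IAM action name
WRONG_NAME = "s3:GetObjectLockConfiguration"     # the S3 API operation name, not an IAM action


def check_all() -> Dict[str, str]:
    """Evaluate the managed policy, the visual-editor policy, and two JSON fixes for it."""
    return {
        "managed": evaluate(MANAGED_READ_ONLY, ACTION, BUCKET_ARN),
        "visual_editor": evaluate(VISUAL_EDITOR_READ_ONLY, ACTION, BUCKET_ARN),
        "visual_editor_plus_wrong_name": evaluate(
            with_extra_statement(VISUAL_EDITOR_READ_ONLY, WRONG_NAME, "arn:aws:s3:::*"), ACTION, BUCKET_ARN),
        "visual_editor_plus_correct_name": evaluate(
            with_extra_statement(VISUAL_EDITOR_READ_ONLY, ACTION, "arn:aws:s3:::*"), ACTION, BUCKET_ARN),
    }


if __name__ == "__main__":
    for name, decision in check_all().items():
        print("%-34s %s" % (name, decision))
```

The managed policy allows the call because `s3:Get*` covers every Get action, including ones added after the policy was written; the enumerated policy stays at implicit deny, and adding the API operation name `s3:GetObjectLockConfiguration` changes nothing, which is why the provider sees AccessDenied rather than the NotFound it treats as "no lock configured". The authoritative check against a real principal is `aws iam simulate-principal-policy --policy-source-arn <user-or-role-arn> --action-names s3:GetBucketObjectLockConfiguration --resource-arns arn:aws:s3:::<bucket>`, which applies the full evaluation logic this model omits.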

@y0-0y commented Feb 25, 2019

It's gotta be the AWS provider version.

1.60.0 error
1.53.0 success

wking added a commit to wking/openshift-installer that referenced this issue Mar 28, 2019
…nfiguration

And alphabetize this section.  The new permission avoids [1]:

  error getting S3 Bucket Object Lock configuration: AccessDenied

which came in with our Terraform bump from d1c17b7
(terraform/exec/plugins/vendor: Bump terraform-provider-aws to v2.2.0,
2019-03-19, openshift#1442).

[1]: hashicorp/terraform-provider-aws#7550
vrutkovs pushed a commit to vrutkovs/installer that referenced this issue Apr 1, 2019
@aeschright aeschright added needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. labels Jun 20, 2019
@aeschright (Contributor)

Hi @ronhanson! Since you didn't post again, I'm hoping the suggestions above worked for you. I'm going to close this issue so we can focus on active reports, but please open a new bug if you're still having problems with the most recent versions of Terraform and the AWS provider. Thanks!

@aeschright aeschright removed the needs-triage Waiting for first response or review from a maintainer. label Nov 22, 2019
@ronhanson (Author)

Thanks @aeschright ,
My problem came from the fact the AWS console was not presenting all the choices/ticks at the time. I guess the GetBucketObjectLockConfiguration was not listed in the UI. I had to use broader permission or declare it in json, as @ewbankkit did, and it finally worked. Sorry for not declaring this issue as solved.
Cheers!
Ronan

@ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020