AWS Terraform IAM user with assume role for S3 back end
To store the Terraform state file in an S3 bucket, I used admin account credentials and configured it. Now I have created an IAM user and am trying to use assume role. The assume role has the administrator policy attached.
I have tested this IAM user setup with aws sts assume-role --role-arn commands. I was able to get the token and, using the token, access the S3 bucket with the aws s3 ls command.
Now I am trying to use the IAM user access/secret key with assume role for Terraform. When I run the terraform refresh command it gives the errors below.
provider code:

```hcl
provider "aws" {
  region      = "us-west-2"
  max_retries = 1
  assume_role {
    role_arn = var.assume_role_arn
  }
}
```
Error:

```text
Error: Error acquiring the state lock
│
│ Error message: 2 errors occurred:
│ * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:PutItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│ status code: 400, request id: CV4J3JN1LD0KPDGHAOA9UL13ONVV4KQNSO5AEMVJF66Q9ASUAAJG
│ * AccessDeniedException: User: arn:aws:iam::xxxxxxxx:user/deploy is not authorized to perform: dynamodb:GetItem on resource:
│ arn:aws:dynamodb:us-west-2:xxxxxxxx:table/terraform-state-lock
│ status code: 400, request id: BISQQDU4659LLI3CEDP26T8RJ7VV4KQNSO5AEMVJF66Q9ASUAAJG
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.
```
Why is this not working in Terraform? How do I fix this error?
Thanks, SR
Solution 1:
It does not seem like it's even assuming the role, otherwise the error would show up as an assumed-role/deploy identity.
I'd suggest you try exporting the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID variables in the command line and then run Terraform again.
I tried this a few days back using Terraform Cloud with the terraform user credentials there, which is not exactly your case, but it should behave in the same way.
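The error in the question names the plain user (`user/deploy`) on the DynamoDB calls, which is consistent with the answer's observation that no role is being assumed for those calls: the `provider "aws"` block's `assume_role` only covers provider API calls, while the S3 backend (which owns the state object and the lock table) authenticates on its own and has its own role setting. The following is an added example, not code from the question or the answer. It assumes a placeholder bucket name, state key, account id and role ARN (the backend block cannot reference `var.assume_role_arn`, so the ARN must be a literal); the region `us-west-2` and the lock table `terraform-state-lock` are taken from the error output on the page. The policy document is the least-privilege set the backend needs, attached to the role the backend assumes.

```hcl
# Added example, not the original poster's configuration.
# Placeholders (assumed): STATE_BUCKET_NAME, ACCOUNT_ID, ROLE_NAME, the state key.
# From the page: region us-west-2, lock table terraform-state-lock.
terraform {
  backend "s3" {
    bucket         = "STATE_BUCKET_NAME"          # placeholder
    key            = "env/prod/terraform.tfstate" # assumed key
    region         = "us-west-2"
    dynamodb_table = "terraform-state-lock"
    encrypt        = true

    # The backend does not inherit provider.assume_role, so it needs its own
    # role to assume. Variables are not allowed in a backend block, so the ARN
    # is written as a literal (or supplied via -backend-config at init time).
    role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" # placeholder
  }
}

# The provider block assumes the role for resource API calls, as in the question.
provider "aws" {
  region = "us-west-2"
  assume_role {
    role_arn = var.assume_role_arn
  }
}

# Least-privilege permissions for state storage and locking, to attach to the
# role the backend assumes. Scoped to the one bucket, one state key and one
# lock table rather than a blanket administrator policy.
data "aws_iam_policy_document" "state_backend" {
  statement {
    sid       = "StateBucketList"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::STATE_BUCKET_NAME"] # placeholder bucket
  }

  statement {
    sid     = "StateObjectReadWrite"
    actions = ["s3:GetObject", "s3:PutObject"]
    # Add s3:DeleteObject only if Terraform workspaces are used with this backend.
    resources = ["arn:aws:s3:::STATE_BUCKET_NAME/env/prod/terraform.tfstate"]
  }

  statement {
    sid       = "StateLockTable"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-west-2:ACCOUNT_ID:table/terraform-state-lock"]
  }
}

resource "aws_iam_policy" "state_backend" {
  name   = "terraform-state-backend"
  policy = data.aws_iam_policy_document.state_backend.json
}
```

After changing the backend block, run `terraform init -reconfigure` so the backend picks up the new settings. A quick way to confirm which identity the backend will use is `aws sts get-caller-identity` with the same credentials and role: the returned ARN should be an `assumed-role/...` principal rather than `user/deploy`, and the lock table access errors should then come from that role's policy, not from the user's. On Terraform 1.6 and later the backend also accepts an `assume_role { role_arn = ... }` block in place of the top-level `role_arn` attribute; either form works for this purpose.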
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
