'Using terraform in an AWS SSO+Okta environment

I'm using SSO in an AWS SSO+Control Tower+Okta environment

When I login to AWS via Okta, I use the Option 1 setting to allow me to use the aws command

Get credentials for AdministratorAccess

When I run the terraform plan, I get the following error There is no problem with terraform init.

【terraform plan error】

╷
│ Error: AccessDenied: Access Denied
│   status code: 403, request id: QN738HDZPQKMERFX, host id: roylHCGU3cOMfwkWjdpbeG991Ho28bredvY1/6vSgGavaM/VXn6rNtDSGIpnBS2cqetL38YdF1o=
│ 
│ 
╵

I thought the above error might be due to the fact that I cannot access the terraform.tfstate that I have set in backend.tf, but the following command completes successfully

【backend.tf】

terraform {
  backend "s3" {
    bucket               = "test-tfstate2"
    key                  = "provisioning/test/static/production/terraform.tfstate"
    region               = "ap-northeast-1"
    workspace_key_prefix = ""
  }
}

【command】 aws s3 ls s3://test-tfstate2/provisioning/test/static/production/terraform.tfstate

【Result】 2022-02-17 18:18:05 0 terraform.tfstate

What is the cause of the AccessDenied error in this situation?

Any advice would be appreciated.

terraformterraform-provider-aws


Solution 1:[1]

In order to troubleshoot this issue further and find the root cause of the problem you can execute:

TF_LOG=DEBUG terraform plan

This should give you exact reason while plan is failing. I suspect it's due to the permission issue: "Validate Response s3/ListObjects failed" but we need to confirm it first by running plan with the DEBUG option.

It could also happen that your terraform uses default credentials from ~/.aws/credentials file. That's why when you execute aws ls s3 ... manually - it works, but it doesn't work with terraform.

To avoid this, please use option 2 from the guide you provided (by creating additional configuration block in your ~/.aws/credentials file.

Then you can do export AWS_PROFILE={name_of_your_new_profile} and then try to execute terraform plan once again.

If all of this will not work, please update your question with the DEBUG's output.

Best of luck :)

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Vorgashor

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

How to enable terraform module only with a specific workspace

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Terragrunt ignores newly added outputs in a project

tls unsigned certificate when using terraform

What is the best way to solve `EntityAlreadyExists` error in terraform?

Terraform: How to create API Gateway endpoints and methods from a list of objects?

Terraform - refactoring modules: Error: Provider configuration not present

Passing multiple provider aliases to a module in terraform 0.12.13

What is the AWS Service Principal value for stepfunction?

Terraform - Use of environment variables in TF files

Terraform : Init