
Question

What AWS permission is required to create an S3 bucket? Creating one causes HTTP/1.1 403 Forbidden on ec2/DescribeAccountAttributes and s3/CreateBucket. Or, how can I get further information on the AWS side to troubleshoot further?

I added all permissions on EC2 and S3 to the user account, but that did not solve the problem.

Note

If I have all the permissions as the account owner (using a different account), this does not happen.

Problem

Trying to create an S3 bucket.

resource "aws_s3_bucket" "s3_bucket_tfstate" {
  bucket = "${var.s3_bucket_tfstate}"
  acl    = "private"
}

However, it causes a 403; the TF_LOG=DEBUG output is below.

2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 87
Authorization: AWS4-HMAC-SHA256 Credential=<credential>/20171206/ap-southeast-2/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=****
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20171206T075535Z
Accept-Encoding: gzip

Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Date: Wed, 06 Dec 2017 07:55:37 GMT
Server: AmazonEC2


-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.


2017/12/06 19:55:52 [DEBUG] [aws-sdk-go] DEBUG: Request s3/CreateBucket Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT / HTTP/1.1
Host: mule-cdr-billing-adapter-config-tfstate.s3.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 158
Authorization: AWS4-HMAC-SHA256 Credential=****/20171206/ap-southeast-2/s3/aws4_request, SignedHeaders=content-length;host;x-amz-acl;x-amz-content-sha256;x-amz-date, Signature=****
X-Amz-Acl: private
X-Amz-Content-Sha256: 8bfaf12a44a138dc6f38eb5c291558f2c551b0f18ab6e2a5e7f9a00176b25240
X-Amz-Date: 20171206T085552Z
Accept-Encoding: gzip

<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><LocationConstraint>ap-southeast-2</LocationConstraint></CreateBucketConfiguration>
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 06 Dec 2017 08:55:55 GMT
Server: AmazonS3
X-Amz-Id-2: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
X-Amz-Request-Id: 9B562398EEFDF96E


-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId><HostId>oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=</HostId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
    status code: 403, request id: 9B562398EEFDF96E, host id: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
  • As noted in the debug log it's trying to use both ec2 and s3 resources. So, are you sure the credentials you have supplied to terraform are for the user that you have assigned those permissions through IAM? If so, did you only give read access to those resources, or did you give full access? – Rick Baker Dec 06 '17 at 16:45
  • The problem here isn't Terraform; it's that your credentials do not have the correct permissions. Please include any attached IAM policies that the user you're using has – TJ Biddle Dec 06 '17 at 18:18
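As an added example (not part of the original question, and not code from Terraform or aws-sdk-go), the following Python script pulls the denied API calls out of a TF_LOG=DEBUG trace like the one above, so that the IAM action to grant and the request ID to quote to AWS support are listed in one place. The sample log is a trimmed copy of the trace in the question; the mapping from `service/Operation` to an IAM action name is a rule of thumb that holds for the two calls here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes emitted by aws-sdk-go under TF_LOG=DEBUG (taken from the trace in the question)
RESPONSE_RE = re.compile(r"\[aws-sdk-go\] DEBUG: Response (?P<op>\S+) Details:")
STATUS_RE = re.compile(r"^HTTP/1\.\d (?P<code>\d{3}) ")
REQID_RE = re.compile(r"<Request[Ii][Dd]>(?P<rid>[^<]+)</Request[Ii][Dd]>")
FAIL_RE = re.compile(
    r"Validate Response (?P<op>\S+) failed, not retrying, error (?P<err>\w+): (?P<msg>.*)"
)


@dataclass
class DeniedCall:
    operation: str             # e.g. "s3/CreateBucket"
    status: Optional[int]      # HTTP status of the response, if one was seen
    error_code: str            # e.g. "AccessDenied" or "UnauthorizedOperation"
    message: str
    request_id: Optional[str]  # the value to quote when asking AWS support about the call


def parse_denied_calls(log_text: str) -> List[DeniedCall]:
    """Walk the debug trace and collect every API call the SDK gave up on."""
    calls: List[DeniedCall] = []
    current_op: Optional[str] = None
    status: Optional[int] = None
    request_id: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RESPONSE_RE.search(line)
        if m:  # a new response block starts: reset the per-call state
            current_op, status, request_id = m.group("op"), None, None
            continue
        if current_op is not None:
            m = STATUS_RE.match(line)
            if m:
                status = int(m.group("code"))
                continue
            m = REQID_RE.search(line)
            if m:
                request_id = m.group("rid")
        m = FAIL_RE.search(line)
        if m:
            calls.append(DeniedCall(m.group("op"), status, m.group("err"),
                                    m.group("msg").strip(), request_id))
            current_op = None
    return calls


def iam_action(operation: str) -> str:
    """Rule of thumb: the IAM action is 'service:Operation' (holds for the ec2 and s3 calls here)."""
    service, _, op = operation.partition("/")
    return f"{service}:{op}"


def summarize(calls: List[DeniedCall]) -> List[str]:
    """One line per denied call: action to grant, status, error code and request id."""
    return [
        f"{iam_action(c.operation)} -> HTTP {c.status} {c.error_code} (request id {c.request_id})"
        for c in calls
    ]


# Trimmed copy of the trace from the question, used as sample input
SAMPLE_LOG = """\
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.ap-southeast-2.amazonaws.com
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Server: AmazonEC2
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.
2017/12/06 19:55:52 [DEBUG] [aws-sdk-go] DEBUG: Request s3/CreateBucket Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT / HTTP/1.1
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Server: AmazonS3
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
    status code: 403, request id: 9B562398EEFDF96E
"""

if __name__ == "__main__":
    for line in summarize(parse_denied_calls(SAMPLE_LOG)):
        print(line)
```

Run it against a real trace with `TF_LOG=DEBUG terraform plan 2> tf.log` and then `python3 denied_calls.py < tf.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. Each line names the IAM action that was refused, which is what the IAM Policy Simulator needs as input, and the request ID that AWS support asks for.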

1 Answer

Cause

I simulated the S3 create-bucket call via the IAM Policy Simulator and found that the policy preventing the creation was the MFA one.

Solution

# Obtain temporary credentials backed by the MFA device, then export them for the SDK
session=$(aws sts get-session-token --profile "$AWS_PROFILE" --serial-number "$SECURITY_DEVICE_ARN" --token-code "$MFA_TOKEN")
export AWS_ACCESS_KEY_ID=$(echo "$session" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$session" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$session" | jq -r .Credentials.SessionToken)
# The serial number is the MFA device ARN, not the one-time code
export AWS_MFA_SERIAL_NUMBER=${SECURITY_DEVICE_ARN}

Then run Terraform.
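As an added example (not the answer's own code), here is a Python equivalent of the session-token step above that also checks the token code format and the credential expiry before emitting the exports. It assumes the AWS CLI is on PATH and that `AWS_PROFILE`, `SECURITY_DEVICE_ARN` and `MFA_TOKEN` are set as in the answer; the sample STS response is constructed with placeholder values.

```python
import json
import re
import shlex
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Optional

TOKEN_CODE_RE = re.compile(r"^\d{6}$")  # TOTP codes from an MFA device are six digits


def get_session_token_command(profile: str, serial_number: str, token_code: str,
                              duration_seconds: int = 3600) -> List[str]:
    """Build the argv for `aws sts get-session-token`, validating the inputs first."""
    if not TOKEN_CODE_RE.match(token_code):
        raise ValueError("MFA token code must be six digits")
    if not serial_number:
        raise ValueError("serial number (the MFA device ARN for a virtual device) is required")
    return [
        "aws", "sts", "get-session-token",
        "--profile", profile,
        "--serial-number", serial_number,
        "--token-code", token_code,
        "--duration-seconds", str(duration_seconds),
        "--output", "json",
    ]


def parse_expiration(value: str) -> datetime:
    """The CLI prints ISO 8601; older versions end in 'Z', newer ones in '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_env_from_response(response_json: str,
                              now: Optional[datetime] = None) -> Dict[str, str]:
    """Map the STS response to the environment variables the AWS SDK reads."""
    creds = json.loads(response_json)["Credentials"]
    now = now or datetime.now(timezone.utc)
    if parse_expiration(creds["Expiration"]) <= now:
        raise RuntimeError("session credentials have already expired")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def shell_exports(env: Dict[str, str]) -> str:
    """Render `export KEY=value` lines, quoting values so the shell reads them verbatim."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


# Constructed sample response with placeholder values (not real credentials)
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "secretkey-placeholder",
        "SessionToken": "session-token-placeholder",
        "Expiration": "2017-12-06T19:55:52Z",
    }
})

if __name__ == "__main__":
    import os
    # Assumes the AWS CLI is installed and these variables are set, as in the answer above
    cmd = get_session_token_command(os.environ["AWS_PROFILE"],
                                    os.environ["SECURITY_DEVICE_ARN"],
                                    os.environ["MFA_TOKEN"])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    # Print the exports so the caller can run: eval "$(python3 mfa_session.py)"
    print(shell_exports(session_env_from_response(out)))
```

Only the three variables the SDK actually reads are exported; the session token is what marks the request as MFA-authenticated, so a policy conditioned on MFA presence then allows the s3:CreateBucket call that the long-term key alone was denied.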
