error creating S3 bucket ACL for: AccessDenied: Access Denied #242
Comments
The reported problem looks more like your default IAM user doesn't have sufficient permissions required to create the bucket.
I'd recommend using the first 2 suggestions and sharing the output here.

@yyarmoshyk I'm not sure that's the case. AWS recently changed how ACLs work. https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
I'm attempting to apply a public read ACL to a bucket with full admin and it's giving me 403s.

my mistake, the error in that case is

I was able to reproduce it. And the problem is really strange. The code of the module is up to date with the latest requirements but for some reason the terraform plan still shows all the parameters when creating the bucket:

```text
  # module.s3_public_buckets.aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = (known after apply)
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = "yyarmoshyk-test-bucket"
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = false
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }
```

Even with the latest aws provider version, latest terraform and latest

This issue has been automatically marked as stale because it has been open 30 days.

Iamlive stops at the following message:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "s3:CreateBucket"
      ],
      "Resource": "*"
    }
  ]
}
```

It fails with terraform v1.5.4 and AWS provider v5.10.0. According to the CloudTrail the
The same problem appears with
It should not appear but it does. I'll post here if I find what is wrong with it. It is very strange that this problem is not reported by more people.

@yyarmoshyk I was getting the following error:
This parameter was removed => acl = "private"
cors_rule = [

I get the same error creating a new bucket with a new TF setup (no state). Interestingly enough, there is a workaround: when manually changing the bucket "Object Ownership" settings, from "ACL disabled" (which is

The Terraform code that fails is:

```hcl
acl = null # Private bucket
block_public_acls       = true
block_public_policy     = true
ignore_public_acls      = true
restrict_public_buckets = true
```

Probable cause
I think the probable partial cause of this is related to terraform-aws-s3-bucket/main.tf Lines 80 to 81 in 7263d09
var.control_object_ownership being true, but this is false by default.

Workaround
Thus, setting

I am having the same issue, how to solve it using this module?

I have just removed the parameter acl = "private" from my configuration and the problem disappeared.

@danijelmarsic2 Thanks for the reply but that is not a proper solution. I need acl and also

Also take time to check your default settings as you may be blocked at the top level. On the page "Block Public Access settings for this account" you can turn this on or off. You will not be able to override these per bucket depending on your settings.

I solved the issue by adding these 2 parameters

Based on the provider docs, for

```hcl
data "aws_caller_identity" "current" {}

module "my_public_S3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.15.1"

  bucket = "my-public-s3-bucket"

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false

  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"
  expected_bucket_owner    = data.aws_caller_identity.current.account_id
  acl                      = "public-read"

  attach_policy = true
  policy        = file("./my-bucket-policy.json")

  cors_rule = [
    {
      allowed_headers = ["*"]
      allowed_methods = ["GET"]
      allowed_origins = ["https://my-app.domain.com"]
      max_age_seconds = 3000
    }
  ]
}
```

As stated before, it seems the cause of this issue is related to: terraform-aws-s3-bucket/main.tf Lines 80 to 81 in 7263d09
var.control_object_ownership being true, but this is false by default.

Hmm, still a reproducible issue.

Should the default resource definition in the readme be changed to this?
To quote the AWS docs:

We are getting this access denied error due to the fact that we can not have -

no.

I'm also having the same problem when using this module trying to create a bucket with an open-wide policy.
But none of them work, I keep getting a
I can create the bucket manually from the console without problems.

Having the same issue.

```hcl
resource "aws_s3_bucket" "admin_site" {
  bucket = "admin-site"
}

resource "aws_s3_bucket_website_configuration" "admin_site" {
  bucket = aws_s3_bucket.admin_site.id

  index_document {
    suffix = "index.html"
  }

  error_document {
    key = "error.html"
  }
}

resource "aws_s3_bucket_acl" "admin_site_acl" {
  bucket = aws_s3_bucket.admin_site.id
  acl    = "public-read"
}

resource "aws_s3_bucket_policy" "admin_site_bucket_policy" {
  bucket = aws_s3_bucket.admin_site.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = ["s3:GetObject"]
        Effect    = "Allow"
        Resource  = "${aws_s3_bucket.admin_site.arn}/*"
        Principal = "*"
      },
    ]
  })
}
```

The bucket gets created, but both

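As an added example (not code from this thread or from the module), here is the same public-read bucket written with plain provider resources in the order the AWS changes require: a new bucket has ACLs disabled and Block Public Access turned on, so the ownership control and the public access block have to exist before the ACL is put, and the ACL resource declares that dependency explicitly. The bucket name is a placeholder.

```hcl
# Added example, not from the issue: plain-resource equivalent of the
# module configuration above, with explicit ordering so PutBucketAcl is
# not rejected by the bucket's default settings.
resource "aws_s3_bucket" "site" {
  bucket = "example-public-site-bucket" # placeholder name
}

# New buckets default to "ACLs disabled" (BucketOwnerEnforced); an ACL can
# only be applied when object ownership is BucketOwnerPreferred/ObjectWriter.
resource "aws_s3_bucket_ownership_controls" "site" {
  bucket = aws_s3_bucket.site.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# New buckets also default to all four Block Public Access flags on.
# A public ACL is refused while block_public_acls is true, so only the two
# ACL-related flags are relaxed; the policy-related ones stay on.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket = aws_s3_bucket.site.id

  block_public_acls       = false
  ignore_public_acls      = false
  block_public_policy     = true
  restrict_public_buckets = true
}

# depends_on forces both settings to be created before the ACL is put;
# without it the provider may apply the ACL first and get AccessDenied.
resource "aws_s3_bucket_acl" "site" {
  depends_on = [
    aws_s3_bucket_ownership_controls.site,
    aws_s3_bucket_public_access_block.site,
  ]

  bucket = aws_s3_bucket.site.id
  acl    = "public-read"
}
```

If public read is all that is needed, a bucket policy granting s3:GetObject (as in the comment above) works with the default ACLs-disabled setting and needs no aws_s3_bucket_acl resource at all, which keeps the bucket on the tighter default.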
that combination of flags just does not make sense, this code below works:

This issue was automatically closed because it has been stale for 10 days.

Lots of action and still gets closed..?

And as "not planned." Thankfully, my crappy workaround of manually creating the bucket works, but yeah... 🤦

Description
If I try to create a public-read bucket I get this error:

Versions
Module version [Required]:
Terraform version: v1.5.1
Provider version(s):
provider registry.terraform.io/hashicorp/aws v4.67.0

Reproduction Code [Required]

Expected behavior
I see a successfully created public-read bucket.

Actual behavior
Receiving the following error:

```text
Error: error creating S3 bucket ACL for XXX: AccessDenied: Access Denied
```