Closed marlovil closed 3 years ago
In your logs, I see:
[terragrunt] 2020/11/26 11:23:58 Create S3 bucket with retry project-terraform-tfstate returned an error: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 8903df34-f51c-44f9-b556-3bc45604a342. Sleeping for 10s and will try again.
Some issue with how you're authenticating perhaps?
Hi @brikis98!
Thanks for your question. The profile we used to deploy the infra belongs to the Administrator user group. The S3 bucket was created successfully. The only thing that doesn't work is enabling versioning and encryption. We've finally enabled both options via the console (with the same user). In fact, with the same user, we've deployed other S3 buckets with versioning and encryption enabled without any problem.
Thanks!
Ah, if the same user is working now, then it may have been a timing issue, where the creds you were using just happened to expire on that first run. I believe "The security token included in the request is invalid" does show up for expired creds. Sounds like this is resolved, so marking as closed.
Hi!
Thanks @brikis98. But I don't think it was a temporary issue. I have been trying this several times during two different days. It only failed the first time terragrunt init is executed. On the other hand, it makes no sense that the init was able to create the bucket but not to enable logging and encryption.
Anyway, thanks for your support. If this issue happens again in another account/environment I will let you know.
//reopen
Not sure why this is closed with the reason of a permission issue? It is still open. I have an EC2 instance profile which has all admin access.
terragrunt creates the remote state bucket without versioning and without encryption enabled, whereas by default both should be done.
versions
terragrunt version v0.26.7
Terraform v0.13.5
config
```hcl
remote_state {
  backend = "s3"
  config = {
    encrypt        = true
    bucket         = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}-remotestate-${local.account_name}-${local.aws_region}"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = local.aws_region
    dynamodb_table = "terraform-locks"
    s3_bucket_tags = {
      managedby = "Terragrunt"
      env       = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}"
    }
    dynamodb_table_tags = {
      env       = "dev"
      managedby = "Terragrunt"
      env       = "${get_env("PROJECT_NAME", "")}-${get_env("FLAVOR", "")}"
    }
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite"
  }
}
```
//reopen please
Hi @brikis98.
Seems that @nsvijay04b1 has the same problem. Could we reopen the issue, please?
Thanks!
Apologies. Deleted the bucket and ran terragrunt again. I see versioning enabled and encryption enabled with the default KMS key (AWS Key Management Service key (SSE-KMS)). Thanks.
My mistake to ask to reopen. Please confirm if there is a way to ask for AES256, the default S3-managed key for encryption, rather than managing a KMS master key.
When creating the remote state backend S3 bucket, encryption and logging are disabled. There is no way to activate it using the terragrunt init command.
Terraform version: 0.13.5
Terragrunt version: 0.26.7
Configuration:
The AWS profile profile-1 has Administrator access level.
The output is:
This issue is similar to: https://github.com/gruntwork-io/terragrunt/issues/1369
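The condition reported in this thread (a state bucket that exists but lacks versioning or default encryption after the first `terragrunt init`) can be checked after init. The following is an added example, not code from the thread or from Terragrunt; the function names are hypothetical, the sample responses are constructed, and the live check assumes `boto3` is installed.

```python
"""Audit a Terraform remote-state bucket for versioning and default encryption."""
import sys

# Error code S3 returns when a bucket has no default-encryption configuration.
NO_SSE = "ServerSideEncryptionConfigurationNotFoundError"


def audit_state_bucket(versioning, encryption):
    """Evaluate GetBucketVersioning / GetBucketEncryption responses.

    `encryption` is None when the bucket has no default-encryption config.
    Returns (findings, algorithms): findings is empty when the bucket is OK.
    """
    findings = []
    status = versioning.get("Status")  # key is absent if never enabled
    if status != "Enabled":
        findings.append(f"versioning is {status or 'not configured'}")
    config = (encryption or {}).get("ServerSideEncryptionConfiguration", {})
    algorithms = []
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            algorithms.append(algo)  # "aws:kms" (SSE-KMS) or "AES256" (SSE-S3)
    if not algorithms:
        findings.append("no default encryption rule")
    return findings, algorithms


def fetch_and_audit(bucket, profile=None):
    """Query the live bucket with boto3 and audit it."""
    import boto3  # imported here so the pure check above runs offline
    from botocore.exceptions import ClientError

    s3 = boto3.Session(profile_name=profile).client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        encryption = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != NO_SSE:
            raise  # e.g. the 403 InvalidClientTokenId seen in the logs above
        encryption = None
    return audit_state_bucket(versioning, encryption)


if __name__ == "__main__" and len(sys.argv) > 1:
    problems, algos = fetch_and_audit(sys.argv[1], *sys.argv[2:3])
    print("encryption:", algos or "none")
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it with the bucket name and, optionally, the AWS profile as arguments; a non-zero exit status means the bucket is missing versioning or default encryption.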