Open tometzky opened 2 years ago
Almost two years later the error is worse and I'd argue is now a bug rather than an enhancement request. Now rather than just unclear it is patently wrong.
```
│ Error: downloading S3 Bucket (mybucket) Object (myfile.json): operation error S3: GetObject, https response error StatusCode: 403, RequestID: XXXXXXX, HostID: xxxxx=, api error AccessDenied: Access Denied
│
│   with data.aws_s3_object.this,
│   on main.tf line 1, in data "aws_s3_object" "this":
│    1: data "aws_s3_object" "this" {
```
Took ages to find that giving the role `s3:GetObject*` rather than just `s3:GetObject` was the fix.
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Actual Behavior
Steps to Reproduce
Just try to use `data.aws_s3_object` from a role with `s3:GetObject` and `s3:GetObjectTagging` but without `s3:GetObjectVersion`.
Important Factoids
When it is `s3:GetObjectTagging` missing, the error message is much more clear - that "get object tagging" operation failed, which makes it easy to figure out what is wrong.

The cause of this `Access Denied` is very hard to figure out, as even using "aws s3api get-object" from command line is working.

It would also be nice if Data Source: aws_s3_object documentation had information about which permissions are required for it to work. Although `s3:GetObject` is pretty obvious, `s3:GetObjectTagging` and `s3:GetObjectVersion` are not.
Community Note
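A pre-flight check for the permission set reported in this issue, as an added example (not code from the issue or from the Terraform AWS provider): it reports which of the three actions an IAM policy document fails to allow, honouring IAM's case-insensitive `*` and `?` wildcards. The function names and sample policies are constructed for illustration, and only `Allow` statements' `Action` entries are evaluated.

```python
import fnmatch

# Actions the issue reports data.aws_s3_object as needing.
REQUIRED_ACTIONS = ("s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion")


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements.

    IAM accepts a single statement object or a list, and a single
    action string or a list, so both shapes are normalised here.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow pattern matches.

    Simplification (assumption of this example): Deny, NotAction,
    Resource and Condition are not evaluated.
    """
    patterns = [p.lower() for p in allowed_patterns(policy)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


# Constructed sample policies; bucket and key are the ones in the error above.
RESOURCE = "arn:aws:s3:::mybucket/myfile.json"
FAILING = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": RESOURCE,
    "Action": ["s3:GetObject", "s3:GetObjectTagging"]}}
EXPLICIT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": RESOURCE, "Action": list(REQUIRED_ACTIONS)}]}
# The wildcard also covers every other action whose name starts with
# s3:GetObject, so the explicit list above is the narrower grant.
WILDCARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": RESOURCE, "Action": "s3:getobject*"}]}

if __name__ == "__main__":
    for name, pol in (("failing", FAILING), ("explicit", EXPLICIT),
                      ("wildcard", WILDCARD)):
        print(f"{name}: missing {missing_actions(pol) or 'none'}")
```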