hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_s3_object: clearer error message when no s3:GetObjectVersion permission #23784

Open tometzky opened 2 years ago

tometzky commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.6.0

Affected Resource(s)

Terraform Configuration Files

data "aws_s3_object" "someservice_outputs" {
  bucket   = "999999999999-us-east-1-terraform-state"
  key      = "services/someservice/terraform-outputs.json"
  provider = aws.us-east-1
}

Expected Behavior

│ Error: Failed getting S3 object version .G_VHeyUIfDPBB7Y0p616E8ZJpqasuTc: GetObjectVersion: Access Denied
│   status code: 403, request id: MTG4SWK8YK4907JF, host id: wLOG2uPLrdF8bemPx8QXOxqII/RCgb4nYKieiAYw34go6XZTEPWXSTcjalokTnHTlpdgu+caekg=
│ 
│   with data.aws_s3_object.someservice_outputs,
│   on main.tf line 81, in data "aws_s3_object" "someservice_outputs":
│   81: data "aws_s3_object" "someservice_outputs" {
│ 

Actual Behavior

│ Error: Failed getting S3 object: AccessDenied: Access Denied
│   status code: 403, request id: MTG4SWK8YK4907JF, host id: wLOG2uPLrdF8bemPx8QXOxqII/RCgb4nYKieiAYw34go6XZTEPWXSTcjalokTnHTlpdgu+caekg=
│ 
│   with data.aws_s3_object.someservice_outputs,
│   on main.tf line 81, in data "aws_s3_object" "someservice_outputs":
│   81: data "aws_s3_object" "someservice_outputs" {
│ 

Steps to Reproduce

Just try to use data.aws_s3_object from a role with s3:GetObject and s3:GetObjectTagging but without s3:GetObjectVersion.

Important Factoids

When s3:GetObjectTagging is missing, the error message is much clearer: it says that the "get object tagging" operation failed, which makes it easy to figure out what is wrong.

The cause of this Access Denied is very hard to figure out, as even using "aws s3api get-object" from the command line works.

It would also be nice if the Data Source: aws_s3_object documentation included information about which permissions are required for it to work. Although s3:GetObject is pretty obvious, s3:GetObjectTagging and s3:GetObjectVersion are not.



ollytheninja commented 8 months ago

Almost two years later the error is worse, and I'd argue it is now a bug rather than an enhancement request. Now, rather than just unclear, it is patently wrong.

│ Error: downloading S3 Bucket (mybucket) Object (myfile.json): operation error S3: GetObject, https response error StatusCode: 403, RequestID: XXXXXXX, HostID: xxxxx=, api error AccessDenied: Access Denied
│ 
│   with data.aws_s3_object.this,
│   on main.tf line 1, in data "aws_s3_object" "this":
│    1: data "aws_s3_object" "this" {
│ 

Took ages to find that giving the role s3:GetObject* rather than just s3:GetObject was the fix.
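An added check, not from the provider or from either commenter, for the permission gap both comments above describe: it reports which of the three actions the first report names are not granted by any Allow statement of an IAM policy, using IAM's wildcard matching so that the s3:GetObject* fix from the second comment is recognised. The policies, the ARN and the function names are constructed for this example; it inspects Action only, not Resource or Condition.

```python
import fnmatch

# The three actions data.aws_s3_object needs, as reported in this issue.
REQUIRED_ACTIONS = ("s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion")


def allowed_action_patterns(policy: dict) -> list:
    """Action patterns of every Allow statement. Deny, NotAction, Resource and
    Condition are ignored, so [] from the check below means 'not obviously
    missing', not 'proven allowed'."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single unwrapped statement
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_s3_object_actions(policy: dict) -> list:
    """Required actions that no Allow statement grants. IAM matches action
    names case-insensitively with '*' and '?' as wildcards, so "s3:GetObject*"
    covers all three while plain "s3:GetObject" covers only the first."""
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


# Constructed sample: object ARN built from the original report's configuration.
STATE_OBJECTS = "arn:aws:s3:::999999999999-us-east-1-terraform-state/services/someservice/*"

# Constructed sample: the role from the original report (no GetObjectVersion).
REPORTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectTagging"],
     "Resource": STATE_OBJECTS}]}

# Constructed sample: the wildcard fix from the follow-up comment.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject*", "Resource": STATE_OBJECTS}]}

if __name__ == "__main__":
    for name, policy in (("reported", REPORTED_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: missing {missing_s3_object_actions(policy) or 'nothing'}")
```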