[Bug]: Getting Access Denied while creating a SQS Queue with scoped IAM permissions, while removing taint on resource reveals no changes

[sklirg]

Terraform Core Version

1.5.4

AWS Provider Version

5.4.0

Affected Resource(s)

• aws_sqs_queue

Expected Behavior

Expecting Terraform to not mark the resource as tainted if it on a 2nd plan shows "no changes" (after manually removing the taint)

Actual Behavior

Applying the resource results in an error, where Terraform receives AccessDenied:

aws_sqs_queue.test: Creating...
╷
│ Error: waiting for SQS Queue (https://sqs.<region>.amazonaws.com/<account>/z-testing-queue) attributes create: AccessDenied: User: arn:aws:sts::<account>:assumed-role/myrole-testing/aws-go-sdk-1691744402198686000 is not authorized to perform: sqs:getqueueattributes on resource: arn:aws:sqs:<region>:<account>:z-testing-queue because no identity-based policy allows the sqs:getqueueattributes action
│       status code: 403, request id: 7a49ac2c-7e70-5c5a-8300-f16385712cd7
│
│   with aws_sqs_queue.test,
│   on main.tf line 133, in resource "aws_sqs_queue" "test":
│  133: resource "aws_sqs_queue" "test" {
│
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

IAM Policy for the role in use:

{
    "Statement": [
        {
            "Action": [
                "sqs:UntagQueue",
                "sqs:TagQueue",
                "sqs:SetQueueAttributes",
                "sqs:RemovePermission",
                "sqs:ListQueueTags",
                "sqs:ListMessagesMoveTasks",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:Get*",
                "sqs:DeleteQueue",
                "sqs:AddPermission"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Service": "my-service",
                    "aws:ResourceTag/Terraform": "true"
                },
                "StringEqualsIfExists": {
                    "aws:RequestTag/Service": "my-service",
                    "aws:RequestTag/Terraform": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "SQSManage"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:CreateQueue"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Service": "my-service",
                    "aws:RequestTag/Terraform": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "SQSCreate"
        },
        {
            "Action": [
                "kms:ListKeys",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "KMSForSNSSQS"
        },
    ],
    "Version": "2012-10-17"
}

Terraform:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.4.0"
    }
  }
}

provider "aws" {}

resource "aws_sqs_queue" "test" {
  name = "z-testing-queue"

  tags = {
    Service   = "my-service"
    Terraform = "true"
  }
}

Steps to Reproduce

• Create an IAM Role with the above policy assigned
• Run terraform plan/apply, and get the following output:

❯ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # aws_sqs_queue.test will be created
  + resource "aws_sqs_queue" "test" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = (known after apply)
      + max_message_size                  = 262144
      + message_retention_seconds         = 345600
      + name                              = "z-testing-queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags                              = {
          + "Service"   = "ordr-service"
          + "Terraform" = "true"
        }
      + tags_all                          = {
          + "Service"   = "ordr-service"
          + "Terraform" = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_sqs_queue.test: Creating...
aws_sqs_queue.test: Still creating... [10s elapsed]
aws_sqs_queue.test: Still creating... [20s elapsed]
aws_sqs_queue.test: Still creating... [30s elapsed]
aws_sqs_queue.test: Still creating... [40s elapsed]
╷
│ Error: waiting for SQS Queue (https://sqs.<region>.amazonaws.com/<account>/z-testing-queue) attributes create: AccessDenied: User: arn:aws:sts::<account>:assumed-role/myrole-testing/aws-go-sdk-1691744402198686000 is not authorized to perform: sqs:getqueueattributes on resource: arn:aws:sqs:<region>:<account>:z-testing-queue because no identity-based policy allows the sqs:getqueueattributes action
│       status code: 403, request id: 7a49ac2c-7e70-5c5a-8300-f16385712cd7
│
│   with aws_sqs_queue.test,
│   on main.tf line 133, in resource "aws_sqs_queue" "test":
│  133: resource "aws_sqs_queue" "test" {
│
╵

• Run terraform plan

❯ terraform plan
aws_sqs_queue.test: Refreshing state... [id=https://sqs.<region>.amazonaws.com/<account>/z-testing-queue]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_sqs_queue.test is tainted, so must be replaced
-/+ resource "aws_sqs_queue" "test" {
      ~ arn                               = "arn:aws:sqs:<region>:<account>:z-testing-queue" -> (known after apply)
      + deduplication_scope               = (known after apply)
      + fifo_throughput_limit             = (known after apply)
      ~ id                                = "https://sqs.<region>.amazonaws.com/<account>/z-testing-queue" -> (known after apply)
      ~ kms_data_key_reuse_period_seconds = 300 -> (known after apply)
        name                              = "z-testing-queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      ~ sqs_managed_sse_enabled           = true -> (known after apply)
        tags                              = {
            "Service"   = "ordr-service"
            "Terraform" = "true"
        }
      ~ url                               = "https://sqs.<region>.amazonaws.com/<account>/z-testing-queue" -> (known after apply)
        # (8 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

• Notice that the resource is tainted. (Verify in AWS that the queue looks as expected)

  • Note that if the resource is not untainted, it will be recreated, ending up in the same state (destroying -> creating -> AccessDenied -> Tainted resource)

• Untaint the resource

  ❯ terraform untaint aws_sqs_queue.test
  Resource instance aws_sqs_queue.test has been successfully untainted.

• Terraform plan shows no changes

❯ terraform plan
aws_sqs_queue.test: Refreshing state... [id=https://sqs.<region>.amazonaws.com/<account>/z-testing-queue]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Debug Output

Partial output from apply step:

aws_sqs_queue.test: Creating...
2023-08-11T12:13:43.867+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: [DEBUG] Waiting for state to become: [success]
2023-08-11T12:13:43.868+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: HTTP Request Sent: http.request.body="Action=CreateQueue&Attribute.1.Name=DelaySeconds&Attribute.1.Value=0&Attribute.2.Name=MaximumMessageSize&Attribute.2.Value=262144&Attribute.3.Name=MessageRetentionPeriod&Attribute.3.Value=345600&Attribute.4.Name=ReceiveMessageWaitTimeSeconds&Attribute.4.Value=0&Attribute.5.Name=VisibilityTimeout&Attribute.5.Value=30&QueueName=z-testing-queue&Tag.1.Key=Service&Tag.1.Value=ordr-service&Tag.2.Key=Terraform&Tag.2.Value=true&Version=2012-11-05
" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.5 (+https://www.terraform.io) terraform-provider-aws/5.4.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.282 (go1.19.9; darwin; arm64)" tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_sqs_queue aws.sdk=aws-sdk-go aws.service=SQS http.url=https://sqs.<region>.amazonaws.com/ @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.30/logger.go:96 @module=aws aws.operation=CreateQueue http.flavor=1.1 http.request.header.x_amz_date=20230811T101343Z http.request_content_length=442 net.peer.name=sqs.<region>.amazonaws.com aws.region=<region> http.method=POST http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************KVEJ/20230811/<region>/sqs/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" http.request.header.x_amz_security_token=***** tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=1fb59f4a-0770-455a-4faa-818ace1c2dc5 tf_rpc=ApplyResourceChange timestamp=2023-08-11T12:13:43.868+0200
2023-08-11T12:13:44.015+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: HTTP Response Received: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.30/logger.go:144 @module=aws aws.service=SQS http.duration=144 http.response.body="<?xml version="1.0"?><CreateQueueResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><CreateQueueResult><QueueUrl>https://sqs.<region>.amazonaws.com/<account>/z-testing-queue</QueueUrl></CreateQueueResult><ResponseMetadata><RequestId>fbd8595f-baf6-5275-817a-040fb6e15067</RequestId></ResponseMetadata></CreateQueueResponse>
" http.response.header.connection=keep-alive tf_rpc=ApplyResourceChange aws.sdk=aws-sdk-go http.response.header.content_type=text/xml http.response_content_length=336 http.status_code=200 tf_provider_addr=registry.terraform.io/hashicorp/aws aws.region=<region> http.response.header.x_amzn_requestid=fbd8595f-baf6-5275-817a-040fb6e15067 tf_mux_provider=*schema.GRPCProviderServer aws.operation=CreateQueue http.response.header.date="Fri, 11 Aug 2023 10:13:44 GMT" tf_req_id=1fb59f4a-0770-455a-4faa-818ace1c2dc5 tf_resource_type=aws_sqs_queue timestamp=2023-08-11T12:13:44.012+0200
2023-08-11T12:13:44.017+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: [DEBUG] Waiting for state to become: [equal]
2023-08-11T12:13:44.017+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: HTTP Request Sent: @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.30/logger.go:96 aws.service=SQS http.request.body="Action=GetQueueAttributes&AttributeName.1=All&QueueUrl=https%3A%2F%2Fsqs.<region>.amazonaws.com%2F<account>%2Fz-testing-queue&Version=2012-11-05
" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************KVEJ/20230811/<region>/sqs/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.url=https://sqs.<region>.amazonaws.com/ tf_mux_provider=*schema.GRPCProviderServer http.flavor=1.1 http.request.header.content_type="application/x-www-form-urlencoded; charset=utf-8" aws.operation=GetQueueAttributes http.method=POST http.request.header.x_amz_date=20230811T101344Z http.request.header.x_amz_security_token=***** http.request_content_length=149 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange tf_req_id=1fb59f4a-0770-455a-4faa-818ace1c2dc5 @module=aws aws.region=<region> aws.sdk=aws-sdk-go http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.5.5 (+https://www.terraform.io) terraform-provider-aws/5.4.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.282 (go1.19.9; darwin; arm64)" net.peer.name=sqs.<region>.amazonaws.com tf_resource_type=aws_sqs_queue timestamp=2023-08-11T12:13:44.014+0200
2023-08-11T12:13:44.032+0200 [DEBUG] provider.terraform-provider-aws_v5.4.0_x5: HTTP Response Received: aws.service=SQS http.response.body="<?xml version="1.0"?><ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><Error><Type>Sender</Type><Code>AccessDenied</Code><Message>User: arn:aws:sts::<account>:assumed-role/my-role-testing/aws-go-sdk-1691748823210223000 is not authorized to perform: sqs:getqueueattributes on resource: arn:aws:sqs:<region>:<account>:z-testing-queue because no identity-based policy allows the sqs:getqueueattributes action</Message><Detail/></Error><RequestId>a330c6ac-9bd7-57ef-90cf-9bfc97cf45fd</RequestId></ErrorResponse>
" http.response_content_length=554 http.status_code=403 tf_rpc=ApplyResourceChange aws.operation=GetQueueAttributes aws.sdk=aws-sdk-go tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.header.date="Fri, 11 Aug 2023 10:13:44 GMT" tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_sqs_queue aws.region=<region> http.duration=16 tf_req_id=1fb59f4a-0770-455a-4faa-818ace1c2dc5 http.response.header.content_type=text/xml http.response.header.x_amzn_requestid=a330c6ac-9bd7-57ef-90cf-9bfc97cf45fd @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.30/logger.go:144 @module=aws timestamp=2023-08-11T12:13:44.030+0200
2023-08-11T12:13:44.033+0200 [ERROR] provider.terraform-provider-aws_v5.4.0_x5: Response contains error diagnostic: diagnostic_summary="waiting for SQS Queue (https://sqs.<region>.amazonaws.com/<account>/z-testing-queue) attributes create: AccessDenied: User: arn:aws:sts::<account>:assumed-role/my-role-testing/aws-go-sdk-1691748823210223000 is not authorized to perform: sqs:getqueueattributes on resource: arn:aws:sqs:<region>:<account>:z-testing-queue because no identity-based policy allows the sqs:getqueueattributes action
        status code: 403, request id: a330c6ac-9bd7-57ef-90cf-9bfc97cf45fd" tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=1fb59f4a-0770-455a-4faa-818ace1c2dc5 tf_resource_type=aws_sqs_queue @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_severity=ERROR tf_rpc=ApplyResourceChange diagnostic_detail= @module=sdk.proto timestamp=2023-08-11T12:13:44.032+0200
╷
│ Error: waiting for SQS Queue (https://sqs.<region>.amazonaws.com/<account>/z-testing-queue) attributes create: AccessDenied: User: arn:aws:sts::<account>:assumed-role/my-role-testing/aws-go-sdk-1691748823210223000 is not authorized to perform: sqs:getqueueattributes on resource: arn:aws:sqs:<region>:<account>:z-testing-queue because no identity-based policy allows the sqs:getqueueattributes action
│       status code: 403, request id: a330c6ac-9bd7-57ef-90cf-9bfc97cf45fd
│
│   with aws_sqs_queue.test,
│   on main.tf line 133, in resource "aws_sqs_queue" "test":
│  133: resource "aws_sqs_queue" "test" {
│
╵
2023-08-11T12:13:44.214+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-11T12:13:44.225+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.4.0/darwin_arm64/terraform-provider-aws_v5.4.0_x5 pid=38758
2023-08-11T12:13:44.226+0200 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

A lot of Terraform examples use IAM Policies with resources = ["*"] or resources = [arn], but here we are using conditions based on resource tags.

One workaround I can think of is to allow sqs:GetQueueAttributes on resources = ["*"], but that will bypass the access restrictions we're trying to impose using tags.

The motivation for doing it this way is to provide a Terraform Module where a user can create, own and manage SQS Queues with a scoped-down IAM Role, but not interfere with other SQS queues than their own. (We are using this in a CI/CD pipeline for an application, where the application has a "deployment profile" in IAM which allows it to access resources based on tags, namely Service="service-name".)

References

I think this https://github.com/hashicorp/terraform-provider-aws/issues/13980 and this https://github.com/hashicorp/terraform-provider-aws/issues/27393 might be related, in case the tags are not propagated to the resource before the API request is sent, which results in an AccessDenied because the resource doesn't match the IAM statement condition.

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[KReg27]

I have also experienced this same behavior in provider version 5.9.0 with SQS and with Amazon Keyspace resources.

Policy attempts tag-based resource restrictions as above, but terraform calls the Get call faster than the tag relationship is established and errors out after the first call. Permissions have been tested in AWS console and CLI with no permission issues. Trace dump from keyspaces example.

[DEBUG] provider.terraform-provider-aws_v5.9.0_x5: HTTP Request Sent: aws.operation=CreateKeyspace aws.sdk=aws-sdk-go-v2 http.request.header.amz_sdk_request="attempt=1; max=25" http.url=https://cassandra.us-east-1.amazonaws.com/ tf_provider_addr=registry.terraform.io/hashicorp/aws http.request.header.x_amz_target=KeyspacesService.CreateKeyspace @module=aws aws.service=Keyspaces http.method=POST http.request.body="{"keyspaceName":"my_keyspace","tags":[{"key":"Name","value":"Provider Tag"},{"key":"Domain","value":"001"},{"key":"Environment","value":"Testprod"}]}
" http.request.header.amz_sdk_invocation_id=0e119d5c-5748-4b71-903d-bf70ca85bd28 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=*****/us-east-1/ca********aws4_request, Sign*********=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" http.request_content_length=149 tf_req_id=42b1a992-2105-e3de-0715-6aa684ffb3f5 http.request.header.content_type=application/x-amz-json-1.0 http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.4.6 (+https://www.terraform.io/) terraform-provider-aws/5.9.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.19.0 os/macos lang/go#1.20.5 md/GOOS#darwin md/GOARCH#amd64 api/keyspaces#1.3.3" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.32/logging/logger.go:39 aws.region=us-east-1 http.request.header.x_amz_date=20230814T172922Z net.peer.name=cassandra.us-east-1.amazonaws.com tf_mux_provider=*schema.GRPCProviderServer tf_resource_type=aws_keyspaces_keyspace tf_rpc=ApplyResourceChange timestamp=2023-08-14T12:29:22.764-0500

[DEBUG] provider.terraform-provider-aws_v5.9.0_x5: HTTP Response Received: http.response.header.content_type=application/x-amz-json-1.0 http.response.header.date="Mon, 14 Aug 2023 17:29:23 GMT" http.status_code=200 @module=aws aws.operation=CreateKeyspace aws.sdk=aws-sdk-go-v2 aws.service=Keyspaces http.duration=261 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange aws.region=us-east-1 http.response_content_length=81 tf_mux_provider=*schema.GRPCProviderServer tf_req_id=42b1a992-2105-e3de-0715-6aa684ffb3f5 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.32/logging/logger.go:39 http.response.body="{"resourceArn":"arn:aws:cassandra:us-east-1:<ACCOUNTID>:/keyspace/my_keyspace/"}
" http.response.header.x_amzn_requestid=0af2af4a-dc35-4eae-b459-6665c9ca1314 tf_resource_type=aws_keyspaces_keyspace timestamp=2023-08-14T12:29:23.026-0500

[DEBUG] provider.terraform-provider-aws_v5.9.0_x5: [DEBUG] Waiting for state to become: [success]

[DEBUG] provider.terraform-provider-aws_v5.9.0_x5: HTTP Request Sent: http.request.header.amz_sdk_invocation_id=6154f7cd-5b75-454c-af93-b53375c2cece http.url=https://cassandra.us-east-1.amazonaws.com/ http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.4.6 (+https://www.terraform.io/) terraform-provider-aws/5.9.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.19.0 os/macos lang/go#1.20.5 md/GOOS#darwin md/GOARCH#amd64 api/keyspaces#1.3.3" net.peer.name=cassandra.us-east-1.amazonaws.com @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.32/logging/logger.go:39 @module=aws tf_req_id=42b1a992-2105-e3de-0715-6aa684ffb3f5 http.method=POST http.request.body="{"keyspaceName":"my_keyspace"}
" http.request.header.content_type=application/x-amz-json-1.0 aws.operation=GetKeyspace http.request.header.x_amz_target=KeyspacesService.GetKeyspace http.request_content_length=30 tf_mux_provider=*schema.GRPCProviderServer http.request.header.authorization="AWS4-HMAC-SHA256 Credential=*****/us-east-1/ca********aws4_request, Sign*********=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=*****" http.request.header.x_amz_date=20230814T172923Z tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_keyspaces_keyspace aws.region=us-east-1 aws.sdk=aws-sdk-go-v2 aws.service=Keyspaces http.request.header.amz_sdk_request="attempt=1; max=25" tf_rpc=ApplyResourceChange timestamp=2023-08-14T12:29:23.026-0500

[DEBUG] provider.terraform-provider-aws_v5.9.0_x5: HTTP Response Received: aws.region=us-east-1 aws.service=Keyspaces http.response.header.content_type=application/x-amz-json-1.0 http.status_code=400 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.32/logging/logger.go:39 http.duration=52 http.response.header.x_amzn_requestid=ea819870-9fd7-4a1a-bd9e-dead38d9025d @module=aws http.response_content_length=191 tf_resource_type=aws_keyspaces_keyspace tf_rpc=ApplyResourceChange aws.sdk=aws-sdk-go-v2 http.response.body="{"__type":"com.amazon.hele*********dend#Acce*************tion","message":"User arn:aws:iam::<ACCOUNTID>:user/tf_user has no Select permission on keyspace my_keyspace or any of its parents."}