
Cross aws s3 cannot obtain bucket information normally #3442

Open
colinlabs opened this issue Sep 26, 2024 · 1 comment
Labels
bug Something isn't working

Comments


colinlabs commented Sep 26, 2024

Describe the bug

We created an s3 bucket in account A, and then s3 tested and granted access to a role in account B. The bucket information could be correctly read in terraform, but terragrunt could not correctly obtain bucket information at noon.

Error:

```text
$ terragrunt plan
ERRO[0001] Error checking if bucket iac-terraform-states is have root access: MethodNotAllowed: The specified method is not allowed against this resource.
        status code: 405, request id: HRC9C67M26ABCANB, host id: JeLyKvfn/qWS67omoYSqtoPp4pmlX66DcJQKLeG8rLv/0bEeyT6tfXKBMfxlWP1pCpNnbKA7QIE=
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
```

config:

```hcl
remote_state {
  backend = "s3"
  config = {
    bucket         = "iac-terraform-states"     # s3 buckets in different accounts
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
```

s3 policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:role/accountA"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iac-terraform-states/*",
                "arn:aws:s3:::iac-terraform-states"
            ]
        }
    ]
}
```

Expected behavior

It can be similar to terraform's behavior, and can read bucket information across aws accounts.

Versions

  • Terragrunt version: 0.56.5
  • OpenTofu/Terraform version: Terraform v1.5.7 on darwin_arm64
  • Environment details (Ubuntu 20.04, Windows 10, etc.): mac
@colinlabs colinlabs added the bug Something isn't working label Sep 26, 2024
@colinlabs colinlabs changed the title from "跨 aws s3 无法正常获取存储桶的信息" (Chinese: "Cross aws s3 cannot obtain bucket information normally") to "Cross aws s3 cannot obtain bucket information normally" Sep 26, 2024
colinlabs (Author) commented

Found a description: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
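As an added example (not Terragrunt's code and not from the issue author), here is a small Python parser that pulls the bucket-check failure out of Terragrunt's stderr and maps the S3 error to the two cases in the GetBucketPolicy documentation quoted above, so that a 403 (permission missing) can be told apart from a 405 (the caller's identity is in a different account than the bucket owner). The regexes follow the message format shown in the issue; the `AccessDenied` sample line, its bucket name and its request id are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Matches the Terragrunt bucket-check error line from the issue. The odd
# "is have root access" wording is Terragrunt's own message text, kept verbatim.
ERROR_RE = re.compile(
    r"Error checking if bucket (?P<bucket>\S+) is have root access: "
    r"(?P<code>[A-Za-z]+): (?P<message>.*)$"
)
# Matches the AWS SDK continuation line that carries the HTTP status and request id.
STATUS_RE = re.compile(
    r"status code: (?P<status>\d{3})(?:, request id: (?P<request_id>[A-Z0-9]+))?"
)


class BucketCheckError(NamedTuple):
    bucket: str
    code: str
    message: str
    status: Optional[int]
    request_id: Optional[str]
    diagnosis: str


def diagnose(code: str, status: Optional[int]) -> str:
    """Map the S3 error to the two cases the GetBucketPolicy docs describe."""
    if code == "AccessDenied" or status == 403:
        return "missing s3:GetBucketPolicy permission on the bucket"
    if code == "MethodNotAllowed" or status == 405:
        return ("caller identity is not in the bucket owner's account; "
                "GetBucketPolicy only works for the owning account")
    return "unrecognised bucket-check failure"


def parse_terragrunt_output(text: str) -> List[BucketCheckError]:
    """Extract bucket-check failures (with status and request id) from Terragrunt stderr."""
    lines = text.splitlines()
    found: List[BucketCheckError] = []
    for idx, line in enumerate(lines):
        m = ERROR_RE.search(line)
        if not m:
            continue
        status: Optional[int] = None
        request_id: Optional[str] = None
        # The SDK prints "status code: ..., request id: ..." on the following line.
        if idx + 1 < len(lines):
            s = STATUS_RE.search(lines[idx + 1])
            if s:
                status = int(s.group("status"))
                request_id = s.group("request_id")
        found.append(BucketCheckError(
            bucket=m.group("bucket"),
            code=m.group("code"),
            message=m.group("message").strip(),
            status=status,
            request_id=request_id,
            diagnosis=diagnose(m.group("code"), status),
        ))
    return found


# Constructed sample: the first block is the output quoted in the issue, the second
# is a made-up AccessDenied variant (bucket name and request id are placeholders).
SAMPLE_OUTPUT = """\
ERRO[0001] Error checking if bucket iac-terraform-states is have root access: MethodNotAllowed: The specified method is not allowed against this resource.
        status code: 405, request id: HRC9C67M26ABCANB, host id: JeLyKvfn/qWS67omoYSqtoPp4pmlX66DcJQKLeG8rLv/0bEeyT6tfXKBMfxlWP1pCpNnbKA7QIE=
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
ERRO[0002] Error checking if bucket example-states-no-perm is have root access: AccessDenied: Access Denied
        status code: 403, request id: EXAMPLEREQID0001, host id: constructed=
"""


if __name__ == "__main__":
    for err in parse_terragrunt_output(SAMPLE_OUTPUT):
        print(f"{err.bucket}: {err.code} ({err.status}, request id {err.request_id}) -> {err.diagnosis}")
```

Run it against captured `terragrunt plan` stderr to see, per bucket, whether the fix is a policy grant (403) or whether the check itself is being made from the wrong account (405), which is the situation the issue describes.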
