Diana

Reputation: 21

Am I getting this error because I'm using SSO? "Error loading state: AccessDenied: Access Denied status code: 403"?

This is my terraform setup. When I used an Access Key and a Secret Key in a different account, I had no problems initializing terraform. But now that I'm using SSO with this account, I get this error:

Error loading state: AccessDenied: Access Denied status code: 403, request id: xxx, host id: xxxx

Then I found this in a terraform document. Not sure if I understand this correctly, but am I getting this error because I am using SSO? If so, what do I need to do to fix this and get terraform to work with this account?

"Please note that the AWS Go SDK, the underlying authentication handler used by the Terraform AWS Provider, does not support all AWS CLI features, such as Single Sign On (SSO) configuration or credentials."

Note: "my-bucket" was previously created in this account using the CLI.

provider "aws" {
  region  = "us-east-1"
  profile = "XXXXX"
}

terraform {
  required_version = "~> 0.13.0"
  backend "s3" {
    bucket = "mybucket"
    key    = "mykey"
    region = "us-east-1"
  }
}

Upvotes: 1

Views: 1142

Answers (2)

ICeZer0

Reputation: 588

If you had access keys set prior to configuring AWS SSO, you have to unset both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and set AWS_PROFILE instead; then it should work correctly.

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
export AWS_PROFILE=[profile-name-here]

In my case I am using CDKTF, so I also had to update the AWS provider to reference a shared config:

AwsProvider(self, "aws", region=region, shared_config_files=["~/.aws/config"], profile=aws_profile)

Then, your AWS config profile should include the sso_region and sso_start_url.

I can confirm this works with the following versions: "hashicorp/aws@~> 5.12", aws-cli/2.13.9, Python/3.11.4.

Upvotes: 0
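A preflight check for the credential-shadowing problem described in the answer above, as an added example that is not from the thread or from any AWS or Terraform tooling. It assumes the SDK's documented precedence (static environment keys win over AWS_PROFILE) and only recognises the legacy inline SSO profile form (sso_start_url and sso_region in the profile section), not the newer sso-session form; the profile names and URL in the sample config are constructed placeholders.

```shell
# Added diagnostic, not from the thread: which credential source the AWS SDK
# chain will pick, and whether the profile is SSO-configured (legacy inline form).
# Static env keys take precedence over AWS_PROFILE and silently shadow the SSO profile.
aws_cred_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "static-env-keys"
  elif [ -n "${AWS_PROFILE:-}" ]; then
    echo "profile:${AWS_PROFILE}"
  else
    echo "default-chain"
  fi
}
# profile_has_sso CONFIG_FILE PROFILE: succeeds if the profile's section has both
# sso_start_url and sso_region. ~/.aws/config heads non-default profiles
# "[profile NAME]" and the default profile "[default]".
profile_has_sso() {
  if [ "$2" = "default" ]; then sect="[default]"; else sect="[profile $2]"; fi
  awk -v sect="$sect" '
    /^\[/ { in_sect = ($0 == sect); next }
    in_sect && /^[ \t]*sso_start_url[ \t]*=/ { url = 1 }
    in_sect && /^[ \t]*sso_region[ \t]*=/    { reg = 1 }
    END { exit !(url && reg) }
  ' "$1"
}
# sso_preflight CONFIG_FILE: one-line verdict for the current environment.
sso_preflight() {
  src=$(aws_cred_source)
  case "$src" in
    static-env-keys)
      echo "FAIL: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY shadow AWS_PROFILE; unset them" ;;
    profile:*)
      if profile_has_sso "$1" "${src#profile:}"; then
        echo "OK: profile ${src#profile:} is SSO-configured"
      else
        echo "FAIL: profile ${src#profile:} lacks sso_start_url/sso_region in $1"
      fi ;;
    *) echo "FAIL: AWS_PROFILE is not set" ;;
  esac
}
# Constructed sample config with placeholder values, for a stand-alone run.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
[profile static-dev]
region = us-east-1
EOF
}
```

Run `sso_preflight ~/.aws/config` in the shell you launch terraform from; a "FAIL" line names the misconfiguration to fix before retrying `terraform init`.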

Patrick Joyce

Reputation: 1

I am having this exact same issue with terraform and SSO; will update if I find a solution.

Update: in my case it was because the state bucket had an explicit deny for unencrypted transfers. I added encrypt = true to my tfstate backend and it worked fine. https://www.terraform.io/docs/language/settings/backends/s3.html#s3-state-storage

Upvotes: 0
