Minimum permissions needed for S3 backed?

stephenhoekstra · June 15, 2018, 8:42am

Hi,

Normally I run Terragrunt locally using an IAM role and this works great.

I’ve started adding a CI job to a repo but when setting the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID env variables I get access denied while initializing remote state for the s3 backend when doing terragrunt init.

Reading the README again under the “Work with multiple AWS accounts” section, option 3 says setting these variables should work. I can view the bucket contents with the variables set using the aws command and sync contents both ways. I can also do terraform init and specific the bucket and path without an error.

Is there something I can do to troubleshoot this? I’m using Terraform v0.11.7 and Terragrunt v0.14.10.

stephenhoekstra · June 15, 2018, 12:29pm

After more digging it appears to be permissions related, this is what my policy looks like for my IAM user:

data "aws_iam_policy_document" "default" {
  statement {
    actions = [
      "s3:ListBucket",
    ]

    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }

  statement {
    actions = [
      "s3:ListObject",
      "s3:GetObject",
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}/${var.bucket_path}",
    ]
  }

  statement {
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]

    resources = [
      "arn:aws:dynamodb:*:*:table/${var.bucket_name}",
    ]
  }
}

When I terragrunt init:

root@b527fdbd796f:/builds/project-1/dir$ terragrunt init
[terragrunt] [/builds/project-1/dir] 2018/06/15 12:15:26 Running command: terraform --version
[terragrunt] 2018/06/15 12:15:26 Reading Terragrunt config file at /builds/project-1/dir/terraform.tfvars
[terragrunt] 2018/06/15 12:15:26 Initializing remote state for the s3 backend
[terragrunt] 2018/06/15 12:15:27 AccessDenied: Access Denied
        status code: 403, request id: 9762866593D8ED3E, host id: fC+o2S/OFjOTGqVeuMefX/rO9DT2Ixp8wDOgCbxb1G6FiPwjfUpIYXKPMz8eaaWXx0J8ZcyrZ1E=
[terragrunt] 2018/06/15 12:15:27 Unable to determine underlying exit code, so Terragrunt will exit with error code 1

When I terraform init:

root@b527fdbd796f:/builds/project-1/dir$ terraform init

Initializing the backend...
bucket
  The name of the S3 bucket

  Enter a value: xxxbucketxxx

key
  The path to the state file inside the bucket

  Enter a value: xxxbucketxxx/xxxpathxxx/terraform.tfstate

region
  The region of the S3 bucket.

  Enter a value: xxx


Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Is it possible Terragrunt is trying to do something extra that causes it to fail? For now I’ve created a default profile and using that.

stephenhoekstra · June 15, 2018, 2:11pm

I’ve managed to solve my issue.

If anyone is looking for a minimum policy for terragrunt config, this is it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:CreateBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket name>"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket name>/some/path/here"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:CreateTable"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/<table name>"
        }
    ]
}

This will:

create the bucket if it doesn’t exist
create the dynamodb table if it doesn’t exist
allow state updates

jim · June 16, 2018, 3:15pm

Glad you got it sorted. Do the Terragrunt docs need to be updated to make this easier in the future? If so, would you be up for a quick PR?

stephenhoekstra · June 30, 2018, 12:36pm

Sure thing, will create a PR soon.

Topic		Replies	Views
Can I set IAM roles for all accounts in one place in the terragrunt.hcl file? Gruntwork Customers terragrunt , provider , backend , iam_role	2	1250	October 22, 2020
Terraform State file in separate AWS Account \| Terragrunt Approach or Best Terraform Approach! Gruntwork Customers terragrunt , terraform-state , aws , terraform , separate-account	1	1225	March 24, 2020
AWS (Multi-account setup): Access remote states from another account Gruntwork Customers	4	1354	January 11, 2018
Issue with state locking AWS dynamodb Gruntwork Customers terraform-state , locking	8	1341	November 14, 2017
Terragrunt locking permanent Gruntwork Customers	4	672	March 29, 2018

Minimum permissions needed for S3 backed?

Related Topics