Minimum permissions needed for S3 backend?

terragrunt

#1

Hi,

Normally I run Terragrunt locally using an IAM role and this works great.

I’ve started adding a CI job to a repo but when setting the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID env variables I get access denied while initializing remote state for the s3 backend when doing terragrunt init.

Reading the README again under the “Work with multiple AWS accounts” section, option 3 says setting these variables should work. I can view the bucket contents with the variables set using the aws command and sync contents both ways. I can also do terraform init and specify the bucket and path without an error.

Is there something I can do to troubleshoot this? I’m using Terraform v0.11.7 and Terragrunt v0.14.10.


#2

After more digging, it appears to be permissions-related. This is what my policy looks like for my IAM user:

data "aws_iam_policy_document" "default" {
  statement {
    actions = [
      "s3:ListBucket",
    ]

    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }

  statement {
    actions = [
      "s3:ListObject",
      "s3:GetObject",
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}/${var.bucket_path}",
    ]
  }

  statement {
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]

    resources = [
      "arn:aws:dynamodb:*:*:table/${var.bucket_name}",
    ]
  }
}

When I terragrunt init:

root@b527fdbd796f:/builds/project-1/dir$ terragrunt init
[terragrunt] [/builds/project-1/dir] 2018/06/15 12:15:26 Running command: terraform --version
[terragrunt] 2018/06/15 12:15:26 Reading Terragrunt config file at /builds/project-1/dir/terraform.tfvars
[terragrunt] 2018/06/15 12:15:26 Initializing remote state for the s3 backend
[terragrunt] 2018/06/15 12:15:27 AccessDenied: Access Denied
        status code: 403, request id: 9762866593D8ED3E, host id: fC+o2S/OFjOTGqVeuMefX/rO9DT2Ixp8wDOgCbxb1G6FiPwjfUpIYXKPMz8eaaWXx0J8ZcyrZ1E=
[terragrunt] 2018/06/15 12:15:27 Unable to determine underlying exit code, so Terragrunt will exit with error code 1

When I terraform init:

root@b527fdbd796f:/builds/project-1/dir$ terraform init

Initializing the backend...
bucket
  The name of the S3 bucket

  Enter a value: xxxbucketxxx

key
  The path to the state file inside the bucket

  Enter a value: xxxbucketxxx/xxxpathxxx/terraform.tfstate

region
  The region of the S3 bucket.

  Enter a value: xxx


Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Is it possible Terragrunt is trying to do something extra that causes it to fail? For now I’ve created a default profile and am using that.


#3

I’ve managed to solve my issue.

If anyone is looking for a minimum policy for terragrunt config, this is it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:CreateBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket name>"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket name>/some/path/here"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:CreateTable"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/<table name>"
        }
    ]
}

This will:

  • create the bucket if it doesn’t exist
  • create the dynamodb table if it doesn’t exist
  • allow state updates
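
An added offline check, not code from the thread or from Terragrunt: it takes the (action, resource) pairs from the policy in post #3 as the required minimum and reports which pairs a candidate policy fails to grant, run here against a JSON rendering of the failing policy from post #2. The ARNs are placeholders, and the matcher models Allow/Deny and IAM wildcards only, not Condition blocks.

```python
import fnmatch

# Placeholder ARNs for this example; substitute your own bucket, key and lock table.
BUCKET = "arn:aws:s3:::example-state-bucket"
STATE_KEY = BUCKET + "/env/app/terraform.tfstate"
LOCK_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/example-lock-table"

# (action, resource) pairs taken from the working policy in post #3. Drop the
# two Create* entries if the bucket and lock table are provisioned in advance.
REQUIRED = [
    ("s3:ListBucket", BUCKET), ("s3:GetBucketVersioning", BUCKET),
    ("s3:CreateBucket", BUCKET), ("s3:GetObject", STATE_KEY),
    ("s3:PutObject", STATE_KEY), ("dynamodb:DescribeTable", LOCK_TABLE),
    ("dynamodb:GetItem", LOCK_TABLE), ("dynamodb:PutItem", LOCK_TABLE),
    ("dynamodb:DeleteItem", LOCK_TABLE), ("dynamodb:CreateTable", LOCK_TABLE),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if the policy grants action on resource. Models Allow/Deny and the
    IAM * and ? wildcards only; Condition, NotAction and NotResource are ignored."""
    allowed = False
    for st in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                      for a in _as_list(st.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(st.get("Resource", [])))
        if act_hit and res_hit:
            if st["Effect"] == "Deny":  # an explicit Deny always wins
                return False
            allowed = True
    return allowed

def missing_permissions(policy):
    """Pairs from REQUIRED that the policy does not grant."""
    return [(a, r) for a, r in REQUIRED if not allows(policy, a, r)]

# Constructed JSON rendering of the first, failing policy from post #2.
FIRST_ATTEMPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:ListObject", "s3:GetObject", "s3:PutObject"],
     "Resource": STATE_KEY},
    {"Effect": "Allow", "Action": ["dynamodb:DescribeTable", "dynamodb:GetItem",
                                   "dynamodb:PutItem", "dynamodb:DeleteItem"],
     "Resource": "arn:aws:dynamodb:*:*:table/example-lock-table"},
]}
```

Running missing_permissions(FIRST_ATTEMPT) lists exactly the three grants the post #2 policy lacked relative to post #3: s3:GetBucketVersioning, s3:CreateBucket and dynamodb:CreateTable.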

#4

Glad you got it sorted. Do the Terragrunt docs need to be updated to make this easier in the future? If so, would you be up for a quick PR?


#5

Sure thing, will create a PR soon.