Tags: amazon-web-services, amazon-s3, terraform

Terraform - S3 static website won't deploy, telling me I don't have permissions when I do


I am trying to deploy a frontend to an S3 bucket using Terraform, and I am receiving 403 AccessDenied errors when Terraform attempts to set the S3 bucket ACL and policy. Below are the error messages:

  • PutBucketAcl: AccessDenied: User is not authorized to perform s3:PutBucketAcl because public access control lists (ACLs) are blocked by the BlockPublicAcls setting.
  • PutBucketPolicy: AccessDenied: User is not authorized to perform s3:PutBucketPolicy because public policies are blocked by the BlockPublicPolicy setting.

I have already tried the following:

  • Setting the aws_s3_bucket_public_access_block resource to disable the block public ACLs and policies.
  • Ensuring the IAM user has s3:PutBucketAcl and s3:PutBucketPolicy permissions.
  • Verifying that no organizational-level policies are blocking these actions.

Despite these steps, the error persists. How can I resolve this issue?

Terraform version: v1.5.7

Code:

resource "random_pet" "frontend_name" {}

resource "aws_s3_bucket" "frontend_bucket" {
  bucket = "frontend-bucket-${random_pet.frontend_name.id}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "frontend_acl" {
  bucket = aws_s3_bucket.frontend_bucket.id
  acl    = "public-read"
}

resource "aws_s3_bucket_website_configuration" "frontend_website" {
  bucket = aws_s3_bucket.frontend_bucket.id

  index_document {
    suffix = "index.html"
  }
}

resource "aws_s3_bucket_public_access_block" "frontend_public_access_block" {
  bucket = aws_s3_bucket.frontend_bucket.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_cors_configuration" "frontend_cors" {
  bucket = aws_s3_bucket.frontend_bucket.id

  cors_rule {
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    allowed_headers = ["*"]
  }
}

resource "null_resource" "s3_sync" {
  depends_on = [null_resource.build_frontend]

  provisioner "local-exec" {
    command = <<EOT
      AWS_PROFILE=${var.aws_profile} aws s3 sync ../frontend/dist/ s3://${aws_s3_bucket.frontend_bucket.id}/
    EOT
  }
}

resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
  bucket = aws_s3_bucket.frontend_bucket.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.frontend_bucket.id}/*"
    }
  ]
}
POLICY
}

Error:

╷
│ Error: creating S3 Bucket (frontend-bucket-giving-unicorn) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 403, RequestID: 8FPDNEDW1WNKTKS2, HostID: V4Bv6r2nOUjVdpK9hbKfo2CLEK9fBVou3Mnw1pp29vM6pabH47V6CSgNiZ2XW5tCLt3o2ljpDtA=, api error AccessDenied: User: arn:aws:iam::<removed>:user/Admin is not authorized to perform: s3:PutBucketAcl on resource: "arn:aws:s3:::frontend-bucket-giving-unicorn" because public access control lists (ACLs) are blocked by the BlockPublicAcls block public access setting.
│ 
│   with module.frontend.aws_s3_bucket_acl.frontend_acl,
│   on frontend/s3.tf line 8, in resource "aws_s3_bucket_acl" "frontend_acl":
│    8: resource "aws_s3_bucket_acl" "frontend_acl" {
│ 
╵
╷
│ Error: putting S3 Bucket (frontend-bucket-giving-unicorn) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 403, RequestID: 8FP73W1TMVZZKQY1, HostID: 7pEKSxxeNBrKX9gif/qnpkl5yWJXmcbureAH5qGIJH6EJNZTaTfBaJNNiUP5non2ens+Z5bsyI8=, api error AccessDenied: User: arn:aws:iam::<removed>:user/Admin is not authorized to perform: s3:PutBucketPolicy on resource: "arn:aws:s3:::frontend-bucket-giving-unicorn" because public policies are blocked by the BlockPublicPolicy block public access setting.
│ 
│   with module.frontend.aws_s3_bucket_policy.frontend_bucket_policy,
│   on frontend/s3.tf line 50, in resource "aws_s3_bucket_policy" "frontend_bucket_policy":
│   50: resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
│ 
╵

IAM User - Admin policies (should be able to do everything):

[IAM User Permissions Screenshot]


Solution

  • For the first error, try

    resource "aws_s3_bucket_acl" "frontend_acl" {
      bucket = aws_s3_bucket.frontend_bucket.id
      acl    = "public-read"

      depends_on = [
        aws_s3_bucket_public_access_block.frontend_public_access_block,
      ]
    }


    For the second one

    resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
      bucket = aws_s3_bucket.frontend_bucket.id

      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::${aws_s3_bucket.frontend_bucket.id}/*"
        }
      ]
    }
    POLICY

      depends_on = [
        aws_s3_bucket_public_access_block.frontend_public_access_block,
      ]
    }
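With the ordering fixed, the bucket is deliberately public, so the check worth running before apply is that the policy grants anonymous callers nothing beyond s3:GetObject on the bucket's objects. The following is an added Python example, not code from the question or the answer: it lints the question's policy (bucket name taken from the error output as a constructed stand-in) and the hypothetical required_public_access_block helper states which block-public-access flags actually need to be false for a policy-served site.

```python
import json

# Bucket policy from the question, with the Terraform interpolation replaced by a constructed name.
BUCKET = "frontend-bucket-giving-unicorn"
SITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

def _as_list(value):
    # IAM lets Action, Resource and Principal.AWS be a single string or a list.
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def lint_public_site_policy(policy_json, bucket):
    """Findings for every public Allow statement granting more than s3:GetObject on objects of `bucket`."""
    findings = []
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue  # Deny statements and non-public principals are not the concern here
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "s3:getobject":
                findings.append(f"statement {i}: public principal granted {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != object_arn:
                findings.append(f"statement {i}: public access to {resource}, expected {object_arn}")
    return findings

def required_public_access_block(uses_public_acl):
    """Hypothetical helper: minimal aws_s3_bucket_public_access_block flags for a public site."""
    return {
        "block_public_acls": not uses_public_acl,       # ACL flags can stay true when only
        "ignore_public_acls": not uses_public_acl,      # the bucket policy grants public read
        "block_public_policy": False,                   # needed to PutBucketPolicy with Principal "*"
        "restrict_public_buckets": False,               # needed for anonymous GetObject to work
    }
```

An empty findings list means the policy matches the static-site pattern; anything else names the statement that is broader than object read access.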