
Use the current credentials when trying to get the bucket region #15481

Merged


@ebabani ebabani commented Oct 5, 2020

This fixes #15420 where in aws-cn using anonymous credentials will cause the Head request to return Unauthorized. That error in turn will cause terraform bucket operations to fail.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #15420

Release note for CHANGELOG:

resource/aws_s3_bucket: Use current provider credentials when fetching the bucket region

Output from acceptance testing in AWS Commercial:

$ make testacc TESTARGS='-run= TestAccAWSS3Bucket_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSS3Bucket_basic -timeout 120m
=== RUN   TestAccAWSS3Bucket_basic
=== PAUSE TestAccAWSS3Bucket_basic
=== CONT  TestAccAWSS3Bucket_basic
--- PASS: TestAccAWSS3Bucket_basic (63.20s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	65.843s
...

Acceptance tests fail in aws-cn due to a separate issue (resource_aws_s3_bucket_test.go:170: Check 2/8 error: aws_s3_bucket.bucket: Attribute 'hosted_zone_id' not found) but have verified the fix manually.

This fixes hashicorp#15420 where in aws-cn using anonymous credentials will cause the Head request to return Unauthorized. That error in turn will cause terraform bucket operations to fail.
@ebabani ebabani requested a review from a team October 5, 2020 12:20
@ghost ghost added size/XS Managed by automation to categorize the size of a PR. service/s3 Issues and PRs that pertain to the s3 service. labels Oct 5, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 5, 2020
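
Added example, not part of the original pull request or the provider's code: a self-contained Go simulation of the failure described in the PR description above, where a HEAD-based bucket region lookup works with credentials but fails when sent anonymously. The `fakeS3` server, the `anonymous` and `placeholderSign` helpers (the latter standing in for real SigV4 signing), and the assumption that the 401 response carries no region header are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fakeS3 is a constructed endpoint; rejectAnonymous models aws-cn: 401 and (assumed) no region header.
func fakeS3(region string, rejectAnonymous bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		anon := r.Header.Get("Authorization") == ""
		if anon && rejectAnonymous {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Amz-Bucket-Region", region)
		if anon {
			w.WriteHeader(http.StatusForbidden) // denied, but the region hint is still sent
		}
	}))
}

// bucketRegion sends HEAD /<bucket> and reads the region header whatever the status code.
func bucketRegion(endpoint, bucket string, sign func(*http.Request)) (string, error) {
	req, err := http.NewRequest(http.MethodHead, endpoint+"/"+bucket, nil)
	if err != nil {
		return "", err
	}
	sign(req)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if region := resp.Header.Get("X-Amz-Bucket-Region"); region != "" {
		return region, nil
	}
	return "", fmt.Errorf("no region header: HTTP %d", resp.StatusCode)
}

func anonymous(*http.Request) {} // attaches no credentials
func placeholderSign(r *http.Request) { r.Header.Set("Authorization", "constructed") } // stands in for SigV4

func main() {
	cn := fakeS3("cn-north-1", true)
	defer cn.Close()
	fmt.Println(bucketRegion(cn.URL, "example-bucket", anonymous))
	fmt.Println(bucketRegion(cn.URL, "example-bucket", placeholderSign))
}
```

Against an endpoint that still returns the region header on a denied anonymous request (`fakeS3(region, false)`), the anonymous lookup succeeds, which is why the problem only shows up where unsigned requests are rejected outright.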
@ebabani
Contributor Author

ebabani commented Oct 12, 2020

Hi,

Anything else that needs to be done before this is reviewed? At the moment this bug blocks s3 bucket creates/updates for accounts in aws-cn which don't have ICP configured.

In our use case that is every account created through AWS Organizations.

@damoco

damoco commented Oct 19, 2020

When can this request be merged in?

@all4innov

Any timeline when this PR will be merged?

@ebabani
Contributor Author

ebabani commented Oct 29, 2020

Hi. Any updates on this PR? As it stands terraform s3 operations in a large subset of aws-cn accounts will always fail.

@yogeek

yogeek commented Nov 13, 2020

Our team currently have to use the code of this PR to deploy production infrastructure in China so we can confirm this code is solving the issue. Thanks again @ebabani 👍

But until this is merged, we have to recompile the provider and override the default one by the patched one... not really ideal for an automated process!
Can someone take a look and merge please? Thank you :-)

@ybulakhau

Hi, guys. We also cannot continue to work in China until these changes are merged. Please merge it.

@dawidmalina

We are also blocked by this issue :(

@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 17, 2020
@bflad bflad added this to the v3.16.0 milestone Nov 17, 2020
@bflad bflad added the partition/aws-cn Pertains to the aws-cn partition. label Nov 17, 2020
@bflad bflad linked an issue Nov 17, 2020 that may be closed by this pull request

@bflad bflad left a comment


Looks good, thank you for this update, @ebabani 🚀

Output from acceptance testing:

--- PASS: TestAccAWSS3Bucket_acceleration (96.61s)
--- PASS: TestAccAWSS3Bucket_AclToGrant (91.15s)
--- PASS: TestAccAWSS3Bucket_basic (58.12s)
--- PASS: TestAccAWSS3Bucket_Bucket_EmptyString (57.42s)
--- PASS: TestAccAWSS3Bucket_Cors_Delete (48.59s)
--- PASS: TestAccAWSS3Bucket_Cors_EmptyOrigin (58.18s)
--- PASS: TestAccAWSS3Bucket_Cors_Update (99.78s)
--- PASS: TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled (97.18s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed (58.48s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical (59.64s)
--- PASS: TestAccAWSS3Bucket_forceDestroy (42.93s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithEmptyPrefixes (40.26s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithObjectLockEnabled (37.51s)
--- PASS: TestAccAWSS3Bucket_generatedName (56.37s)
--- PASS: TestAccAWSS3Bucket_GrantToAcl (96.56s)
--- PASS: TestAccAWSS3Bucket_ignoreTags (92.12s)
--- PASS: TestAccAWSS3Bucket_LifecycleBasic (117.55s)
--- PASS: TestAccAWSS3Bucket_LifecycleExpireMarkerOnly (95.88s)
--- PASS: TestAccAWSS3Bucket_LifecycleRule_AbortIncompleteMultipartUploadDays_NoExpiration (59.40s)
--- PASS: TestAccAWSS3Bucket_LifecycleRule_Expiration_EmptyConfigurationBlock (50.49s)
--- PASS: TestAccAWSS3Bucket_Logging (57.51s)
--- PASS: TestAccAWSS3Bucket_namePrefix (54.99s)
--- PASS: TestAccAWSS3Bucket_objectLock (63.40s)
--- PASS: TestAccAWSS3Bucket_Policy (142.88s)
--- PASS: TestAccAWSS3Bucket_Replication (164.69s)
--- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AccessControlTranslation (117.29s)
--- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AddAccessControlTranslation (110.12s)
--- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (45.30s)
--- PASS: TestAccAWSS3Bucket_ReplicationSchemaV2 (142.38s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutPrefix (72.68s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (79.07s)
--- PASS: TestAccAWSS3Bucket_RequestPayer (96.23s)
--- PASS: TestAccAWSS3Bucket_SameRegionReplicationSchemaV2 (53.21s)
--- PASS: TestAccAWSS3Bucket_shouldFailNotFound (38.56s)
--- PASS: TestAccAWSS3Bucket_tagsWithNoSystemTags (181.24s)
--- PASS: TestAccAWSS3Bucket_tagsWithSystemTags (228.92s)
--- PASS: TestAccAWSS3Bucket_UpdateAcl (100.08s)
--- PASS: TestAccAWSS3Bucket_UpdateGrant (147.12s)
--- PASS: TestAccAWSS3Bucket_Versioning (132.83s)
--- PASS: TestAccAWSS3Bucket_Website_Simple (138.92s)
--- PASS: TestAccAWSS3Bucket_WebsiteRedirect (142.12s)
--- PASS: TestAccAWSS3Bucket_WebsiteRoutingRules (99.74s)
--- PASS: TestAccAWSS3MultiBucket_withTags (58.18s)

--- PASS: TestAccDataSourceS3Bucket_basic (52.91s)
--- PASS: TestAccDataSourceS3Bucket_website (52.97s)

@bflad bflad merged commit 17429ae into hashicorp:master Nov 17, 2020
bflad added a commit that referenced this pull request Nov 17, 2020
@ghost

ghost commented Nov 18, 2020

This has been released in version 3.16.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Dec 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 17, 2020
Labels
bug Addresses a defect in current functionality. partition/aws-cn Pertains to the aws-cn partition. service/s3 Issues and PRs that pertain to the s3 service. size/XS Managed by automation to categorize the size of a PR.
Development

Successfully merging this pull request may close these issues.

Terraform generates AccessDenied events China S3 bucket resource returning 401 for non-ICP accounts
7 participants