Non-descript error message when IAM permissions are too restrictive. #2875
Comments
I had this problem today when Terraform was creating a subnet. The error was related to the
@radeksimko The important piece of missing information is which API call failed. All I could tell was that it had something to do with creating a subnet. But since the account had CreateSubnet privileges, I was left scratching my head. I eventually dove into the Terraform source to figure it out.
Maybe this could be improved by having a wrapping error type in the AWS provider, that can be used to easily return a consistent error message:

```go
package main

import "fmt"

// ActionError wraps an error returned from an AWS API call to add context about
// which IAM action is relevant to the given API call, to help the user diagnose
// access-related errors.
type ActionError struct {
	// The action name as it would be expressed in an IAM policy
	// e.g. s3:GetBucketLocation, iam:ChangePassword
	ActionName string
	// The error that occurred
	Err error
}

func (err *ActionError) Error() string {
	return fmt.Sprintf("%s: %s", err.ActionName, err.Err)
}
```

@kingpong in your If the former, then we could improve the error handling of that call like this:

```go
if err != nil {
	return &ActionError{"ec2:ModifySubnetAttribute", err}
} else {
	d.SetPartial("map_public_ip_on_launch")
}
```

This would then result in the following output:
According to the EC2 permissions docs, this particular action can't actually be granted directly in an IAM policy and must instead be granted via the Of course the above setup would annotate non-access-related errors too, where arguably the IAM action name is less relevant, but the action names are usually reasonably human-readable and are likely to still provide some useful context to the user even if some other sort of error is returned.

@apparentlymart: sorry, I'm not sure. I tried adding

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
When running a Terraform plan or apply using AWS keys that do not have sufficient permission, an error message occurs. The error message is sometimes descriptive enough to instruct the user of the permission that is needed, but in some cases it isn't.
When managing S3 buckets, if the IAM user does not have `s3:GetBucket*` permissions, a Terraform execution will result in a generic Access Denied message. Terraform should provide context of the provider API call when the API call fails so that the user knows which operation failed and can troubleshoot it, e.g. `Error while calling [S3 GetBucketLocation] - 403 Access Denied`.

Terraform Output
Terraform Configuration
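The wrapping approach proposed in apparentlymart's comment above, combined with the `Error while calling [...]` message format this issue asks for, as an added example that is neither code from the issue nor from the Terraform AWS provider. `wrapAction`, `isAccessDenied`, `diagnose` and the `awsAPIError` stand-in for the SDK's coded error type are assumed names, and the sample error values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ActionError carries the IAM action relevant to a failed AWS call (hypothetical, per the comment above).
type ActionError struct {
	ActionName string
	Err        error
}

func (e *ActionError) Error() string { return fmt.Sprintf("%s: %v", e.ActionName, e.Err) }
func (e *ActionError) Unwrap() error { return e.Err } // lets errors.As reach the SDK error

// wrapAction annotates err with the IAM action; nil stays nil so call sites
// can wrap unconditionally instead of branching on err.
func wrapAction(action string, err error) error {
	if err == nil {
		return nil
	}
	return &ActionError{ActionName: action, Err: err}
}

// awsAPIError is a constructed stand-in for the AWS SDK's coded error type.
type awsAPIError struct{ Code, Message string }

func (e *awsAPIError) Error() string { return e.Code + ": " + e.Message }

// isAccessDenied reports whether the root cause is an authorization failure (S3: AccessDenied, EC2: UnauthorizedOperation).
func isAccessDenied(err error) bool {
	var ae *awsAPIError
	return errors.As(err, &ae) && (ae.Code == "AccessDenied" || ae.Code == "UnauthorizedOperation")
}

// diagnose renders the user-facing message: on an access failure it names the exact IAM action to grant, otherwise the wrapped error text.
func diagnose(err error) string {
	var act *ActionError
	if errors.As(err, &act) && isAccessDenied(err) {
		return fmt.Sprintf("Error while calling [%s] - access denied; grant %s in the caller's IAM policy",
			act.ActionName, act.ActionName)
	}
	return err.Error()
}

func main() {
	// Constructed sample: the generic S3 failure the issue describes.
	err := wrapAction("s3:GetBucketLocation", &awsAPIError{Code: "AccessDenied", Message: "Access Denied"})
	fmt.Println(diagnose(err))
}
```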