I am trying to deploy a frontend to an S3 bucket using Terraform, and I am receiving 403 AccessDenied errors when Terraform attempts to set the S3 bucket ACL and policy. Below are the error messages:
I have already tried the following:
Despite these steps, the error persists. How can I resolve this issue?
Terraform version: v1.5.7
Code:
resource "random_pet" "frontend_name" {}

resource "aws_s3_bucket" "frontend_bucket" {
  bucket        = "frontend-bucket-${random_pet.frontend_name.id}"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "frontend_acl" {
  bucket = aws_s3_bucket.frontend_bucket.id
  acl    = "public-read"
}

resource "aws_s3_bucket_website_configuration" "frontend_website" {
  bucket = aws_s3_bucket.frontend_bucket.id
  index_document {
    suffix = "index.html"
  }
}

resource "aws_s3_bucket_public_access_block" "frontend_public_access_block" {
  bucket                  = aws_s3_bucket.frontend_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_cors_configuration" "frontend_cors" {
  bucket = aws_s3_bucket.frontend_bucket.id
  cors_rule {
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
    allowed_headers = ["*"]
  }
}

resource "null_resource" "s3_sync" {
  # null_resource.build_frontend is defined elsewhere in the module (not shown in the question)
  depends_on = [null_resource.build_frontend]
  provisioner "local-exec" {
    command = <<EOT
AWS_PROFILE=${var.aws_profile} aws s3 sync ../frontend/dist/ s3://${aws_s3_bucket.frontend_bucket.id}/
EOT
  }
}

resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
  bucket = aws_s3_bucket.frontend_bucket.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.frontend_bucket.id}/*"
    }
  ]
}
POLICY
}
Error:
╷
│ Error: creating S3 Bucket (frontend-bucket-giving-unicorn) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 403, RequestID: 8FPDNEDW1WNKTKS2, HostID: V4Bv6r2nOUjVdpK9hbKfo2CLEK9fBVou3Mnw1pp29vM6pabH47V6CSgNiZ2XW5tCLt3o2ljpDtA=, api error AccessDenied: User: arn:aws:iam::<removed>:user/Admin is not authorized to perform: s3:PutBucketAcl on resource: "arn:aws:s3:::frontend-bucket-giving-unicorn" because public access control lists (ACLs) are blocked by the BlockPublicAcls block public access setting.
│
│ with module.frontend.aws_s3_bucket_acl.frontend_acl,
│ on frontend/s3.tf line 8, in resource "aws_s3_bucket_acl" "frontend_acl":
│ 8: resource "aws_s3_bucket_acl" "frontend_acl" {
│
╵
╷
│ Error: putting S3 Bucket (frontend-bucket-giving-unicorn) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 403, RequestID: 8FP73W1TMVZZKQY1, HostID: 7pEKSxxeNBrKX9gif/qnpkl5yWJXmcbureAH5qGIJH6EJNZTaTfBaJNNiUP5non2ens+Z5bsyI8=, api error AccessDenied: User: arn:aws:iam::<removed>:user/Admin is not authorized to perform: s3:PutBucketPolicy on resource: "arn:aws:s3:::frontend-bucket-giving-unicorn" because public policies are blocked by the BlockPublicPolicy block public access setting.
│
│ with module.frontend.aws_s3_bucket_policy.frontend_bucket_policy,
│ on frontend/s3.tf line 50, in resource "aws_s3_bucket_policy" "frontend_bucket_policy":
│ 50: resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
│
╵
IAM User - Admin policies (should be able to do everything):
For the first error, try:
resource "aws_s3_bucket_acl" "frontend_acl" {
  bucket = aws_s3_bucket.frontend_bucket.id
  acl    = "public-read"
  depends_on = [
    aws_s3_bucket_public_access_block.frontend_public_access_block,
  ]
}
For the second one:
resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
  bucket = aws_s3_bucket.frontend_bucket.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.frontend_bucket.id}/*"
    }
  ]
}
POLICY
  depends_on = [
    aws_s3_bucket_public_access_block.frontend_public_access_block,
  ]
}
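The root cause behind both errors is ordering: Terraform creates resources that do not depend on each other in parallel, so `PutBucketAcl` and `PutBucketPolicy` can run before `aws_s3_bucket_public_access_block` has lifted the bucket-level Block Public Access flags, and S3 rejects them with exactly the AccessDenied messages shown. The following is an added example, not code from the question or the answer above, that puts the whole chain in explicit dependency order. It reuses the resource names from the question; the `aws_s3_bucket_ownership_controls` resource is an addition based on the fact that buckets created after April 2023 default to `BucketOwnerEnforced`, which disables ACLs entirely, so a public-read ACL would still fail on a new bucket even once the block is lifted.

```hcl
# Added example: S3 static-site resources in explicit dependency order.
# Names mirror the question; the ownership-controls block is an assumption
# needed for buckets created after April 2023 (ACLs disabled by default).

resource "random_pet" "frontend_name" {}

resource "aws_s3_bucket" "frontend_bucket" {
  bucket        = "frontend-bucket-${random_pet.frontend_name.id}"
  force_destroy = true
}

# 1. Relax bucket-level Block Public Access first. While any of these four
#    flags is true, S3 refuses public ACLs and public policies, which is what
#    both AccessDenied errors in the question report.
resource "aws_s3_bucket_public_access_block" "frontend_public_access_block" {
  bucket                  = aws_s3_bucket.frontend_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

# 2. Re-enable ACLs on the bucket. New buckets default to BucketOwnerEnforced,
#    under which PutBucketAcl fails with AccessControlListNotSupported even
#    after the public access block is lifted.
resource "aws_s3_bucket_ownership_controls" "frontend_ownership" {
  bucket = aws_s3_bucket.frontend_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
  depends_on = [aws_s3_bucket_public_access_block.frontend_public_access_block]
}

# 3. Only now can the public-read ACL be applied.
resource "aws_s3_bucket_acl" "frontend_acl" {
  bucket = aws_s3_bucket.frontend_bucket.id
  acl    = "public-read"
  depends_on = [
    aws_s3_bucket_public_access_block.frontend_public_access_block,
    aws_s3_bucket_ownership_controls.frontend_ownership,
  ]
}

# 4. Build the policy with the data source so malformed JSON is caught at plan
#    time, and grant only s3:GetObject on objects (never on the bucket itself).
data "aws_iam_policy_document" "frontend_public_read" {
  statement {
    sid       = "PublicReadGetObject"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.frontend_bucket.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "frontend_bucket_policy" {
  bucket     = aws_s3_bucket.frontend_bucket.id
  policy     = data.aws_iam_policy_document.frontend_public_read.json
  depends_on = [aws_s3_bucket_public_access_block.frontend_public_access_block]
}
```

Two practical notes. First, the bucket policy alone is sufficient for website hosting: a public `s3:GetObject` policy makes objects readable without any ACL, so steps 2 and 3 can be dropped entirely, which keeps the bucket on `BucketOwnerEnforced` and leaves fewer public-exposure settings to audit. Second, `aws_s3_bucket_public_access_block` only manages the bucket-level setting; if Block Public Access is also enabled at the account level (visible with `aws s3control get-public-access-block --account-id <your-account-id>`), the account setting wins and the same two errors will persist regardless of resource ordering.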