aws_canonical_user_id data source documentation should indicate ListAllMyBuckets permission is required

[fletchowns]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The documentation for aws_source_canonical_user_id should mention that the s3:ListAllMyBuckets permission is required. Without this permission, you get the following error when running terraform plan with the sample terraform code listed below:

╷
│ Error: AccessDenied: Access Denied
│       status code: 403, request id: NMCES4MSMCCR7MRM, host id: GxTLG0mXGGgnLJBkGTuyH9kDYz1m8UcUnz3UiphNqhIIcqz1GIDhJ1+l21HJw/Qm3wvb+rlln/c=
│ 
│   with data.aws_canonical_user_id.current,
│   on provider.tf line 15, in data "aws_canonical_user_id" "current":
│   15: data "aws_canonical_user_id" "current" {}
│ 
╵

Debug logging reveals the 403 was from a ListBuckets request:

2022-04-03T06:53:24.698Z [DEBUG] provider.terraform-provider-aws_v4.8.0_x5: [aws-sdk-go] DEBUG: Request s3/ListBuckets Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET / HTTP/1.1
Host: s3.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.1.7 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.43.25 (go1.17.6; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=AKIA.../20220403/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=5b58a5...
X-Amz-Content-Sha256: e3b...
X-Amz-Date: 20220403T065324Z
Accept-Encoding: gzip


-----------------------------------------------------: timestamp=2022-04-03T06:53:24.448Z
2022-04-03T06:53:24.757Z [DEBUG] provider.terraform-provider-aws_v4.8.0_x5: [aws-sdk-go] DEBUG: Response s3/ListBuckets Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Sun, 03 Apr 2022 06:53:24 GMT
Server: AmazonS3
X-Amz-Id-2: w1VdSct0AZ...
X-Amz-Request-Id: VV8E7EA4RTD0K077


-----------------------------------------------------: timestamp=2022-04-03T06:53:24.738Z

It was not immediately obvious to me why ListAllMyBuckets permission was required, the terraform documentation page I linked does link to this page though:

• https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

From that page there is a link to Finding the canonical user ID for your AWS account which confirms the requirement:

If you are a federated user or are accessing the information programmatically, such as through the AWS CLI, you must have permission to list and view an Amazon S3 bucket.

It might be useful to add this important tidbit to the terraform documentation. I tried it with just the ListBucket permission, but it seemed to only work if I granted the ListAllMyBuckets permission.

New or Affected Resource(s)

• aws_canonical_user_id

Potential Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_canonical_user_id" "current" {}

References

• Rename inconsistent resource/data source names #19999

[github-actions]

This functionality has been released in v4.10.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.