AWS s3_object resource now requires s3:GetObjectTagging permission
#12137
Comments
|
Swallowing the error seems a bit "dangerous" to me - If a |
|
Hi @ljfranklin I would agree that requiring new write or even delete permissions or resource-agnostic permissions in general (not scoped to resources, like S3 bucket name) would be undesirable, but I'm struggling to understand the problem or context here specifically. I agree with @ewbankkit that ignoring 403 error would cause confusions to users that do want to use tags and just might forgot to setup the right policies.
I agree, unfortunately that's all we get from the AWS API, many errors are as brief as this one. That said I opened #12759 - feedback welcomed there. |
radeksimko
added
the
waiting-response
No problem with adding it, the main issue was it took a bit of time to figure out exactly which new permission was required to avoid the error. But your PR seems to have given a much nicer error now, so I think we're good to close this out. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Starting with Terraform version 0.8.7, the
s3_objectresource now requires thes3:GetObjectTaggingpermission even if no tags are specified in your TF configuration files. Probably introduced in this PR. The error message (shown below) is unfortunately not helpful as it doesn't mention what new permission you need.Could the new s3 tagging code be updated to swallow 403 errors when trying to retrieve the tags for an object, or update docs somewhere to list this as a required permission?
Thanks!
Terraform Version
0.8.7
Affected Resource(s)
Error
The text was updated successfully, but these errors were encountered: