
Document permissions required to read resource metadata #17433

Closed
iainelder opened this issue Feb 3, 2021 · 3 comments
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/s3 Issues and PRs that pertain to the s3 service.

Comments

@iainelder

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm using an S3 bucket as an example, but I believe this applies to all resources.

My use case: I'm trying to refer to a centralized audit bucket in the delegated administrator account of AWS Config so that I can set up the config recorders in the member accounts to deliver config changes to that bucket.

I'm using the terraform-aws-secure-baseline module to do this (see its organizations example). It uses a data source to get metadata for the bucket. Because the bucket is in the delegated administrator account and by default does not allow other accounts to access it, reading the metadata from the member account fails.

Error: Failed getting S3 bucket: Forbidden: Forbidden
	status code: 403, request id: 96120BB4E7D053AB, host id: wUZJa464AcyhMENVFS8bV5Z5oAhKxXlU4j5Uug+yj0QqAFKoJHQVpj+Psq+NZMRjXMKBAPGx65g= Bucket: "example-bucket-abc"

I couldn't find the permissions required to set this up in the documentation. I figured them out by reading the source code for terraform-provider-aws and then referencing the AWS documentation (links below). It's an inconvenient way to work with Terraform when the documentation is normally so good.

I may have missed something, but I believe the API methods called by resourceAwsS3BucketRead are:

  • HeadBucket (also via GetBucketRegionWithClient)
  • GetBucketPolicy
  • GetBucketAcl
  • GetBucketCors
  • GetBucketWebsite
  • GetBucketVersioning
  • GetBucketLifecycleConfiguration
  • GetBucketReplication
  • GetObjectLockConfiguration (via readS3ObjectLockConfiguration)
  • GetBucketTagging (via S3BucketListTags)

Most of the methods use IAM actions with the same name, but there are exceptions:

  • HeadBucket: s3:ListBucket
  • GetBucketLifecycleConfiguration: s3:GetLifecycleConfiguration
  • GetBucketReplication: s3:GetReplicationConfiguration
  • GetBucketCors: s3:GetBucketCORS (spelling differs only in case, and IAM is insensitive)
  • GetObjectLockConfiguration: s3:GetBucketObjectLockConfiguration

After

New or Affected Resource(s)

  • aws_s3_bucket
  • all others?

Potential Terraform Configuration

data "aws_s3_bucket" "external" {
  bucket = "bucket-in-another-account"
}
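The following is an added example, not code from the issue or from the terraform-aws-secure-baseline module: a bucket policy in the delegated administrator account that grants a member-account role exactly the IAM actions listed above for the bucket ARN (not its objects). The bucket name and role ARN are placeholders.

```hcl
# Added example (not from the issue or the terraform-aws-secure-baseline module).
# Assumptions: the audit bucket lives in the delegated administrator account,
# and the member account runs Terraform as the IAM role named below.
# Both the role ARN and the bucket name are placeholders.

locals {
  audit_bucket_name = "example-bucket-abc"                              # placeholder
  member_reader_arn = "arn:aws:iam::111111111111:role/TerraformConfig"  # placeholder

  # IAM actions behind resourceAwsS3BucketRead, per the list in the issue.
  # Comments mark the API methods whose IAM action name differs.
  bucket_metadata_read_actions = [
    "s3:ListBucket",                       # HeadBucket / GetBucketRegion
    "s3:GetBucketPolicy",
    "s3:GetBucketAcl",
    "s3:GetBucketCORS",                    # GetBucketCors
    "s3:GetBucketWebsite",
    "s3:GetBucketVersioning",
    "s3:GetLifecycleConfiguration",        # GetBucketLifecycleConfiguration
    "s3:GetReplicationConfiguration",      # GetBucketReplication
    "s3:GetBucketObjectLockConfiguration", # GetObjectLockConfiguration
    "s3:GetBucketTagging",
  ]
}

# Bucket policy in the delegated administrator account. The resource is the
# bucket ARN only (no "/*"), so object reads (s3:GetObject) stay denied.
# Caveat: s3:ListBucket is the smallest action that satisfies HeadBucket, but
# it also lets the principal list object keys in the bucket.
data "aws_iam_policy_document" "metadata_read" {
  statement {
    sid       = "AllowMemberAccountBucketMetadataRead"
    effect    = "Allow"
    actions   = local.bucket_metadata_read_actions
    resources = ["arn:aws:s3:::${local.audit_bucket_name}"]

    principals {
      type        = "AWS"
      identifiers = [local.member_reader_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = local.audit_bucket_name
  policy = data.aws_iam_policy_document.metadata_read.json
}
```

Because the principal is in another account, the member-account role also needs an identity policy allowing the same actions on the same bucket ARN; cross-account S3 access requires both sides to allow it.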

References

@iainelder iainelder added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 3, 2021
@ghost ghost added the service/s3 Issues and PRs that pertain to the s3 service. label Feb 3, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 3, 2021
@ewbankkit ewbankkit added documentation Introduces or discusses updates to documentation. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 3, 2021
@ewbankkit
Contributor

@iainelder Thanks for raising this issue.
There is Roadmap item (#9154) that you may want to check out that is gathering requirements and feedback on such a feature.

@iainelder
Author

Perfect. Fine to close this as a duplicate :-)

@ghost

ghost commented Mar 6, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 6, 2021