Document permissions required to read resource metadata #17433
Labels: documentation, enhancement, service/s3
Description
I'm using an S3 bucket as an example, but I believe this applies to all resources.
My use case: I'm trying to refer to a centralized audit bucket in the delegated administrator account of AWS Config so that I can set up the config recorders in the member accounts to deliver config changes to that bucket.
I'm using the terraform-aws-secure-baseline module to do this (see its organizations example). It uses a data source to get metadata for the bucket. Because the bucket is in the delegated administrator account and by default does not allow other accounts to access it, reading the metadata from the member account fails.
I couldn't find the permissions required to set this up in the documentation. I figured them out by reading the source code for terraform-provider-aws and then referencing the AWS documentation (links below). It's an inconvenient way to work with Terraform when the documentation is normally so good.
I may have missed something, but I believe the API methods called by resourceAwsS3BucketRead are:
Most of the methods use IAM actions with the same name, but there are exceptions:
References
"Teaching Terraform from the ground up..." by Erick Soen is an example of reverse-engineering this info
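The cross-account read described above needs a grant on the bucket side; the following is an added illustration (not code from this issue or from the terraform-aws-secure-baseline module) of a bucket policy in the delegated administrator account that lets principals anywhere in the Organization read bucket-level metadata without being able to read the audit objects themselves. It assumes a bucket resource named `aws_s3_bucket.audit` managed in that account, and the action list is an assumed illustrative set of bucket-level `s3:Get*` actions, not the provider's verified list.

```hcl
# Added example, not part of the original issue or module.
# Assumes aws_s3_bucket.audit is managed in the delegated administrator
# account and these resources are applied with a provider for that account.
data "aws_organizations_organization" "current" {}

data "aws_iam_policy_document" "audit_bucket_metadata_read" {
  statement {
    sid    = "AllowOrgMembersToReadBucketMetadata"
    effect = "Allow"

    # Wildcard principal is scoped below to this Organization only.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Bucket-level metadata actions only (illustrative, assumed set).
    # No s3:GetObject / s3:ListBucket, so audit records stay unreadable
    # from member accounts. Note the naming exceptions the issue mentions:
    # the GetBucketEncryption API call is authorized by
    # s3:GetEncryptionConfiguration, not an action of the same name.
    actions = [
      "s3:GetBucketLocation",
      "s3:GetBucketAcl",
      "s3:GetBucketPolicy",
      "s3:GetBucketVersioning",
      "s3:GetBucketTagging",
      "s3:GetBucketLogging",
      "s3:GetEncryptionConfiguration",
      "s3:GetLifecycleConfiguration",
      "s3:GetBucketPublicAccessBlock",
    ]

    resources = [aws_s3_bucket.audit.arn]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.current.id]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.audit_bucket_metadata_read.json
}
```

Verify the action set against the provider's bucket read function and CloudTrail AccessDenied events for the member account before relying on it, since a missing bucket-level action makes the data source fail in the same way the issue describes.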