Tags: policy, auth_error; ai_generated: true

Error: Error acquiring the state lock: AccessDeniedException: User: arn:aws:iam::123456789012:user/ci-bot is not authorized to perform: dynamodb:PutItem on resource: my-terraform-lock-table

ID: policy/terraform-state-lock-dynamodb-permission-denied

Fix rate: 95%
Confidence: 85%
Evidence: 1
First seen: 2024-03-15

Version Compatibility

Version              Status   Introduced   Deprecated   Notes
Terraform v1.5.0     active   -            -            -
AWS Provider v5.0.0  active   -            -            -

Root Cause

The CI/CD IAM role lacks the dynamodb:PutItem permission on the DynamoDB table used for Terraform state locking.


Official Documentation

https://developer.hashicorp.com/terraform/language/settings/backends/s3#dynamodb-state-locking

Workarounds

  1. 95% success: Add the required IAM policy statement to the CI role:
     {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table"}
  2. 70% success: Use a Terraform backend configuration with a less restrictive lock mechanism, such as an S3 backend with DynamoDB locking disabled (not recommended for production).


Dead Ends

Common approaches that don't work:

  1. 95% fail: Deleting the lock item. This does not fix the IAM permission; it only removes the symptom. With the lock mechanism disabled, concurrent state writes can occur.
  2. 80% fail: Granting the CI user broad DynamoDB permissions. While this resolves the immediate error, it introduces a security risk by allowing the CI user to delete tables or modify data beyond what locking needs.
  3. 90% fail: The error recurs when the pipeline runs again because the fix is not automated or scalable.
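As an added example (not part of this entry, and not Terraform or AWS tooling), the following Python script ties workaround 1 and dead end 2 together: it parses the AccessDeniedException shown at the top of the entry, derives the least-privilege policy document scoped to the single lock table, and audits a candidate statement for the over-broad grants that dead end 2 warns about. The regular expression, the helper names (parse_lock_access_denied, lock_table_policy, audit_lock_statement) and the sample error and policy values are constructed assumptions. The error message does not carry the table's region, so the region must be supplied separately (us-east-1, as in the entry's policy).

```python
"""Derive a least-privilege DynamoDB lock-table policy from a Terraform
AccessDeniedException and audit an existing statement for over-broad grants.

Added example; helper names and sample values are constructed, not AWS or
Terraform APIs.
"""
import json
import re

# The three DynamoDB actions the entry's workaround grants for state locking.
LOCK_ACTIONS = ("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem")

# Matches the shape of the AccessDeniedException Terraform surfaces when the
# S3 backend cannot write the lock item (assumed pattern, built from the entry).
_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::(?P<account>\d{12}):\S+) is not authorized "
    r"to perform: (?P<action>dynamodb:\w+) on resource: (?P<table>\S+)"
)

# Constructed sample, mirroring the error at the top of the entry.
SAMPLE_ERROR = (
    "Error: Error acquiring the state lock: AccessDeniedException: User: "
    "arn:aws:iam::123456789012:user/ci-bot is not authorized to perform: "
    "dynamodb:PutItem on resource: my-terraform-lock-table"
)


def parse_lock_access_denied(message):
    """Return principal, account, denied action and table name, or None."""
    match = _DENIED_RE.search(message)
    return match.groupdict() if match else None


def lock_table_policy(account_id, table_name, region):
    """Build an IAM policy document scoped to exactly one lock table."""
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TerraformStateLock",
                "Effect": "Allow",
                "Action": list(LOCK_ACTIONS),
                "Resource": table_arn,
            }
        ],
    }


def audit_lock_statement(statement):
    """List findings for an Allow statement that exceeds locking needs.

    Flags wildcard actions or resources and any action outside LOCK_ACTIONS,
    which is the over-broad grant described in dead end 2.
    """
    findings = []
    actions = statement.get("Action", [])
    resources = statement.get("Resource", [])
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    for action in actions:
        if "*" in action:
            findings.append(f"wildcard action {action!r}")
        elif action not in LOCK_ACTIONS:
            findings.append(f"action {action!r} is not needed for state locking")
    for resource in resources:
        if "*" in resource:
            findings.append(f"wildcard resource {resource!r}")
    return findings


if __name__ == "__main__":
    info = parse_lock_access_denied(SAMPLE_ERROR)
    # Region is an assumption: it is not present in the error message.
    policy = lock_table_policy(info["account"], info["table"], "us-east-1")
    print(json.dumps(policy, indent=2))
    print("audit of derived statement:", audit_lock_statement(policy["Statement"][0]))
    # Constructed over-broad statement of the kind dead end 2 warns against.
    broad = {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
    print("audit of broad statement:", audit_lock_statement(broad))
```

Running the script prints the scoped policy document and an empty finding list for it, then two findings for the wildcard statement. The entry's workaround lists three actions; the HashiCorp backend documentation linked above also lists dynamodb:DescribeTable for the lock table, so compare the action list against the documentation for the Terraform version in use before attaching the policy.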