{
  "id": "policy/terraform-state-lock-dynamodb-permission-denied",
  "signature": "Error: Error acquiring the state lock: AccessDeniedException: User: arn:aws:iam::123456789012:user/ci-bot is not authorized to perform: dynamodb:PutItem on resource: my-terraform-lock-table",
  "signature_zh": "错误：获取状态锁失败：AccessDeniedException：用户 arn:aws:iam::123456789012:user/ci-bot 无权对资源 my-terraform-lock-table 执行 dynamodb:PutItem 操作",
  "regex": "Error acquiring the state lock: AccessDeniedException: User: .* is not authorized to perform: dynamodb:PutItem on resource: .*",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The CI/CD IAM principal that Terraform runs as (the ci-bot IAM user in the signature; the same applies to an assumed role) lacks the dynamodb:PutItem permission on the DynamoDB table used for Terraform state locking.",
  "root_cause_type": "generic",
  "root_cause_zh": "CI/CD IAM 角色缺少用于 Terraform 状态锁定的 DynamoDB 表的 dynamodb:PutItem 权限。",
  "versions": [
    {
      "version": "Terraform v1.5.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS Provider v5.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Manually delete the lock item from the DynamoDB lock table so the run can proceed",
      "why_fails": "Deleting the lock item does not restore the missing IAM permission; it only removes the symptom. Proceeding without a working lock leaves state writes unserialized, so concurrent runs can write the state at the same time.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Grant the CI user broad DynamoDB permissions instead of the specific actions the lock table needs",
      "why_fails": "While it resolves the immediate error, it violates least privilege: the CI user can then delete tables or modify data far beyond what state locking requires, which widens the blast radius if the pipeline credential is ever compromised.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The error will recur when the pipeline runs again; the fix is not automated or scalable.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Grant the CI principal only the three DynamoDB actions Terraform needs for state locking, scoped to the lock table ARN: {\"Effect\": \"Allow\", \"Action\": [\"dynamodb:PutItem\", \"dynamodb:GetItem\", \"dynamodb:DeleteItem\"], \"Resource\": \"arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table\"}",
      "success_rate": 0.95,
      "how": "Attach an IAM policy statement to the CI user or role that allows exactly dynamodb:PutItem, dynamodb:GetItem and dynamodb:DeleteItem on the lock table ARN (not on all tables), then re-run the pipeline: {\"Effect\": \"Allow\", \"Action\": [\"dynamodb:PutItem\", \"dynamodb:GetItem\", \"dynamodb:DeleteItem\"], \"Resource\": \"arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table\"}",
      "condition": "",
      "sources": []
    },
    {
      "action": "Run without state locking, e.g. an S3 backend configured without a DynamoDB lock table (not recommended for production: concurrent applies can corrupt the state).",
      "success_rate": 0.7,
      "how": "Reconfigure the backend so Terraform does not use the DynamoDB lock table, e.g. an S3 backend with DynamoDB locking disabled. This removes the permission check rather than satisfying it, so it is only acceptable for non-production state where a single writer is guaranteed.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "向 CI 角色添加所需的 IAM 策略：{\"Effect\": \"Allow\", \"Action\": [\"dynamodb:PutItem\", \"dynamodb:GetItem\", \"dynamodb:DeleteItem\"], \"Resource\": \"arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table\"}",
    "使用限制较少的 Terraform 后端配置，例如禁用 DynamoDB 锁定的 S3 后端（不推荐用于生产环境）。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://developer.hashicorp.com/terraform/language/settings/backends/s3#dynamodb-state-locking",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2024-03-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}