# Error: Error acquiring the state lock: AccessDeniedException: User: arn:aws:iam::123456789012:user/ci-bot is not authorized to perform: dynamodb:PutItem on resource: my-terraform-lock-table

- **ID:** `policy/terraform-state-lock-dynamodb-permission-denied`
- **Domain:** policy
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The IAM principal the pipeline runs as (here the IAM user `ci-bot`; an assumed role fails the same way) has no policy statement granting `dynamodb:PutItem` on the DynamoDB table the S3 backend uses for state locking. Terraform writes a lock item to that table before it reads or writes state, so the `PutItem` call is the first thing to fail and the run stops before touching the state file.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Terraform v1.5.0 | active | — | — |
| AWS Provider v5.0.0 | active | — | — |

## Workarounds

1. **Attach a least-privilege policy statement for the lock table to the CI principal** (95% success)
   ```
   {
     "Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table"
   }
   ```
   Keep `Resource` scoped to the lock table's ARN rather than `*`, and grant only these item-level actions. The Terraform S3 backend documentation additionally lists `dynamodb:DescribeTable` for the lock table; add it to the same statement if the backend reports a describe error after this change.
2. **Fall back to the S3 backend with DynamoDB locking disabled (not recommended for production)** (70% success)
   Removing `dynamodb_table` from the `backend "s3"` block makes the error disappear because Terraform no longer touches the table, but it also removes the only guard against two pipeline runs writing the same state at once. Treat this as a temporary measure while the IAM change in option 1 is approved, and restore locking afterwards.
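The following is an added example and not code from the original page: an offline check, in Python, of whether a CI principal's identity policy grants exactly the DynamoDB actions Terraform's lock table needs (workaround 1) without also granting the over-broad table-level access called out under Dead Ends. The policy documents, the table ARN and the helper names (`evaluate_lock_policy`, `is_allowed`) are constructed for illustration; the evaluator is a simplified IAM model that handles `Effect`, `Action` and `Resource` with wildcards but ignores `Condition`, `NotAction` and `NotResource`.

```python
"""Offline check of a CI principal's IAM policy against the DynamoDB actions
Terraform's S3 backend needs on the state-lock table.

Added example; policies, ARN and helper names are constructed, not from the
original page. Simplified IAM evaluation: explicit Deny wins, then any Allow,
otherwise implicit deny. Condition/NotAction/NotResource are not modelled.
"""

import fnmatch
import json

# Actions the S3 backend issues against the lock table: the three the page
# lists plus DescribeTable, which the backend documentation also requires.
REQUIRED_LOCK_ACTIONS = (
    "dynamodb:DescribeTable",
    "dynamodb:GetItem",
    "dynamodb:PutItem",
    "dynamodb:DeleteItem",
)

# Table-scoped actions locking never needs; a CI principal holding these is
# the over-broad grant described under Dead Ends.
DANGEROUS_TABLE_ACTIONS = (
    "dynamodb:DeleteTable",
    "dynamodb:UpdateTable",
    "dynamodb:Scan",
    "dynamodb:BatchWriteItem",
)

# Constructed ARN matching the error message in the page title.
LOCK_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table"

# Constructed policy 1: state bucket access only, no lock-table statement.
CI_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-state-bucket/*"},
]}

# Constructed policy 2: the fix from workaround 1 plus DescribeTable.
CI_POLICY_FIX = {"Version": "2012-10-17", "Statement": [
    CI_POLICY_BEFORE["Statement"][0],
    {"Effect": "Allow",
     "Action": ["dynamodb:DescribeTable", "dynamodb:PutItem",
                "dynamodb:GetItem", "dynamodb:DeleteItem"],
     "Resource": LOCK_TABLE_ARN},
]}

# Constructed policy 3: the over-broad grant from the Dead Ends list.
CI_POLICY_TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively, with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action, resource_arn):
    """Return True if the policy permits `action` on `resource_arn`."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, p)
                           for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny overrides any allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def evaluate_lock_policy(policy, table_arn):
    """Report required lock actions the policy lacks and dangerous ones it grants."""
    missing = [a for a in REQUIRED_LOCK_ACTIONS if not is_allowed(policy, a, table_arn)]
    over_broad = [a for a in DANGEROUS_TABLE_ACTIONS if is_allowed(policy, a, table_arn)]
    return {"missing": missing, "over_broad": over_broad}


if __name__ == "__main__":
    for name, policy in (("before", CI_POLICY_BEFORE), ("fix", CI_POLICY_FIX),
                         ("too_broad", CI_POLICY_TOO_BROAD)):
        print(name, json.dumps(evaluate_lock_policy(policy, LOCK_TABLE_ARN)))
```

Run against the real policy by exporting it with `aws iam get-user-policy` or `aws iam get-role-policy` and loading the JSON in place of the constructed documents; the `before` case reproduces the page's error (all four actions missing), the `fix` case reports nothing missing and nothing over-broad, and the `too_broad` case shows why `dynamodb:*` on `*` is a dead end even though it makes the error go away.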

## Dead Ends

- **Deleting the lock item from the table by hand** — This does not fix the IAM permission; it only removes the symptom. The next run still fails on `dynamodb:PutItem`, and if the item belonged to a run that was still in progress, that run now proceeds without a lock and concurrent state writes become possible. (95% fail)
- **Granting broad DynamoDB access (for example `dynamodb:*`) to the CI principal** — While it resolves the immediate error, it allows the CI principal to delete tables or modify data well beyond what locking needs. (80% fail)
- **Re-running the failed step by hand with more privileged credentials** — The error recurs the next time the pipeline runs; the fix is neither automated nor scalable. (90% fail)
