# Error: failed to acquire state lock: AccessDeniedException: User arn:aws:iam::123456789012:user/ci-bot is not authorized to perform dynamodb:PutItem on resource my-terraform-lock-table

- **ID:** `policy/terraform-state-lock-dynamodb-permission-denied`
- **Domain:** policy
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 95%

## Root cause

The CI/CD IAM role lacks the dynamodb:PutItem permission on the DynamoDB table that Terraform uses for state locking.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Terraform v1.5.0 | active | — | — |
| AWS Provider v5.0.0 | active | — | — |

## Solutions

1. Add the required IAM policy statement to the CI role, scoped to the lock table only:

   ```json
   {
     "Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table"
   }
   ```

2. Use a less restrictive Terraform backend configuration, for example an S3 backend with DynamoDB locking disabled (not recommended for production).
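The following is an added example, not code from the original entry: a Terraform 1.5 / AWS provider 5 configuration that declares the S3 backend with the `my-terraform-lock-table` lock table from the error message and creates a least-privilege IAM policy containing exactly the three DynamoDB actions listed in solution 1, attached to the `ci-bot` user named in the error. The state bucket name, state key, and policy name are assumed placeholders.

```hcl
# Added example (not from the original page). Backend block goes in the root
# module; the IAM resources would normally live in a separate bootstrap
# configuration, since the backend must exist before this state can be used.

terraform {
  backend "s3" {
    bucket         = "my-terraform-state-bucket"     # assumed placeholder
    key            = "ci/terraform.tfstate"           # assumed placeholder
    region         = "us-east-1"
    dynamodb_table = "my-terraform-lock-table"        # lock table from the error
    encrypt        = true
  }
}

# Least-privilege lock-table statement: only the three actions the lock needs,
# scoped to the single table ARN rather than "*" or dynamodb:*.
data "aws_iam_policy_document" "tf_state_lock" {
  statement {
    sid    = "TerraformStateLock"
    effect = "Allow"
    actions = [
      "dynamodb:PutItem",
      "dynamodb:GetItem",
      "dynamodb:DeleteItem",
    ]
    resources = [
      "arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table",
    ]
  }
}

resource "aws_iam_policy" "tf_state_lock" {
  name   = "terraform-state-lock"   # assumed placeholder
  policy = data.aws_iam_policy_document.tf_state_lock.json
}

# The error names an IAM user (ci-bot). If the pipeline assumes a role
# instead, replace this with aws_iam_role_policy_attachment.
resource "aws_iam_user_policy_attachment" "ci_bot_state_lock" {
  user       = "ci-bot"
  policy_arn = aws_iam_policy.tf_state_lock.arn
}
```

Two practical notes. First, this statement covers only the lock table; the same principal also needs read/write access to the state object in the S3 bucket, which is outside the scope of this entry. Second, before re-running the pipeline you can confirm the grant without touching the table by simulating it: `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/ci-bot --action-names dynamodb:PutItem --resource-arns arn:aws:dynamodb:us-east-1:123456789012:table/my-terraform-lock-table` should report `allowed` for the action once the policy is attached.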

## Ineffective attempts

- Deleting the lock item does not fix the IAM permission; it only removes the symptom. The lock mechanism is disabled, leading to concurrent state writes. (95% failure rate)
- Granting overly broad permissions resolves the immediate error, but it introduces a security risk by allowing the CI user to delete tables or modify data beyond what locking needs. (80% failure rate)
- Fixing the permission manually and out of band means the error recurs when the pipeline runs again; the fix is not automated or scalable. (90% failure rate)
