Error: Error acquiring the state lock. Lock Info: Lock ID: "abc123", Operation: OperationNotAllowed: The state lock cannot be acquired because the current user does not have the required permission.
ID: policy/terraform-state-lock-policy-violation
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Terraform 1.5.x | active | — | — | — |
| Google Cloud Storage (GCS) | active | — | — | — |
| AWS S3 | active | — | — | — |
Root Cause
The IAM policy on the state storage backend does not grant the principal running Terraform the permission needed to create the lock record. For the GCS backend the lock is a `.tflock` object written next to the state in the bucket, so `storage.objects.create` is required to take the lock and `storage.objects.delete` to release it; `storage.objects.get` and `storage.objects.list` are needed to read the state at all. For the S3 backend in Terraform 1.5.x the lock is not an S3 object: it is an item in the DynamoDB table named by `dynamodb_table`, so the permissions that matter for locking are `dynamodb:DescribeTable`, `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem` on that table, while `s3:PutObject` is what writes the state object itself. Native S3 lock files (`use_lockfile`) were introduced in Terraform 1.10 and do not apply to the versions listed above.
Official Documentation
https://developer.hashicorp.com/terraform/language/state/locking
Workarounds
-
90% success
Grant the principal write access to where the lock lives. For GCS, bind a role on the state bucket that carries `storage.objects.create` and `storage.objects.delete`. `roles/storage.objectAdmin` works; `roles/storage.objectUser`, or a custom role with only `storage.objects.get`, `storage.objects.list`, `storage.objects.create` and `storage.objects.delete`, is the tighter choice because objectAdmin also lets the principal change object IAM policies (ACLs). For example: `gsutil iam ch serviceAccount:SERVICE_ACCOUNT_EMAIL:roles/storage.objectAdmin gs://your-terraform-state-bucket` (replace SERVICE_ACCOUNT_EMAIL with the service account's email). For the S3 backend in Terraform 1.5.x, grant `s3:GetObject` and `s3:PutObject` on the state key and `s3:ListBucket` on the bucket, plus `dynamodb:DescribeTable`, `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem` on the lock table; `s3:DeleteObject` plays no part in locking for this version. Then wait about 2 minutes for the policy change to propagate and retry.
-
85% success
If using GCS, inspect the bucket's IAM policy with `gsutil iam get gs://your-terraform-state-bucket` and confirm the service account appears in a binding for `roles/storage.objectAdmin`, `roles/storage.objectUser`, or a custom role that includes `storage.objects.create` and `storage.objects.delete`. A binding that carries a `condition` only helps when the condition holds for the Terraform run, and roles inherited from the project level are not listed in the bucket's own policy, so check both levels before concluding the grant is in place.
-
70% success
Switch to a remote backend that manages locking separately from state storage, such as Terraform Cloud, where lock permissions are controlled by the backend rather than by object-storage IAM.
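The two checks above, carried out offline against policy documents, as an added example that is not part of this entry or of Terraform's, Google's or AWS's tooling. It takes the JSON you would pull with `gsutil iam get gs://BUCKET` (GCS) or `aws iam get-policy-version` (AWS) and reports which lock-related permissions a principal is missing for the Terraform 1.5.x backends. The role-to-permission map, the sample policies and the principal names are constructed for the example; the AWS evaluator deliberately ignores `Resource` and `Condition`, as noted in its docstring.

```python
"""Offline check of which lock-related permissions a principal is missing.

Added example, not Terraform's, Google's or AWS's code. Feed it the policy
documents from `gsutil iam get gs://BUCKET` or `aws iam get-policy-version`.
The role map, sample policies and principal names are constructed.
"""
import fnmatch
import json

# GCS backend: get/list read the state, create writes state and the .tflock
# object, delete releases the lock (and is what force-unlock needs).
GCS_REQUIRED = {
    "storage.objects.get", "storage.objects.list",
    "storage.objects.create", "storage.objects.delete",
}

# Abbreviated map of predefined Cloud Storage roles to the four permissions
# tracked here (assumption: other permissions in these roles are ignored).
GCS_ROLE_PERMS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectUser": set(GCS_REQUIRED),
    "roles/storage.objectAdmin": set(GCS_REQUIRED),
    "roles/storage.admin": set(GCS_REQUIRED),
}

# S3 backend in 1.5.x: the state object lives in S3, the lock item in the
# DynamoDB table named by `dynamodb_table`, so both services matter.
AWS_REQUIRED = {
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "dynamodb:DescribeTable", "dynamodb:GetItem",
    "dynamodb:PutItem", "dynamodb:DeleteItem",
}


def gcs_missing_permissions(policy: dict, member: str) -> set:
    """Return the GCS permissions `member` lacks under a bucket IAM policy.

    Bindings with a `condition` are not counted: whether they apply to a
    given Terraform run depends on the condition. Roles outside
    GCS_ROLE_PERMS (custom roles) are skipped; inspect those by hand. Roles
    inherited from the project are not in the bucket policy at all.
    """
    granted = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []) and not binding.get("condition"):
            granted |= GCS_ROLE_PERMS.get(binding.get("role"), set())
    return GCS_REQUIRED - granted


def aws_missing_actions(policy: dict) -> set:
    """Return required actions an IAM identity policy does not allow.

    Simplification (assumption): Resource and Condition are ignored, so this
    answers "is the action allowed at all", not "on the right bucket and
    table". Actions match case-insensitively with IAM wildcards, and an
    explicit Deny removes an action even if another statement allows it.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pat in patterns:
            target |= {a for a in AWS_REQUIRED
                       if fnmatch.fnmatchcase(a.lower(), pat.lower())}
    return AWS_REQUIRED - (allowed - denied)


# Constructed sample: the CI service account can read state, and its only
# objectAdmin grant is conditional, so acquiring the lock fails for it.
CI_SA = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
SAMPLE_GCS_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["%s"]},
    {"role": "roles/storage.objectAdmin", "members": ["%s"],
     "condition": {"title": "office-hours",
                   "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/storage.objectAdmin", "members": ["group:platform@example.com"]}
  ]
}""" % (CI_SA, CI_SA))

# Constructed sample: broad S3 access, but the lock table is only partly
# covered and DeleteItem is denied, so a lock could be taken but not released.
SAMPLE_AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:*", "dynamodb:GetItem",
     "dynamodb:PutItem", "dynamodb:DescribeTable"]},
    {"Effect": "Deny", "Resource": "*", "Action": "dynamodb:Delete*"}
  ]
}""")

if __name__ == "__main__":
    print(sorted(gcs_missing_permissions(SAMPLE_GCS_POLICY, CI_SA)))
    print(sorted(aws_missing_actions(SAMPLE_AWS_POLICY)))
```

Run against the constructed samples, the CI account comes back missing `storage.objects.create` and `storage.objects.delete` (its objectAdmin binding is conditional and does not count), and the AWS policy comes back missing only `dynamodb:DeleteItem`, which is exactly the shape that lets a run acquire the lock and then fail to release it.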
Dead Ends
Common approaches that don't work:
-
80% fail
Running `terraform force-unlock LOCK_ID`. force-unlock has to delete the lock record (the `.tflock` object in GCS, the DynamoDB item for the S3 backend), so it needs the same delete permission that releasing the lock needs. A principal that cannot acquire the lock usually cannot remove it either, and the command fails with the same permission error.
-
50% fail
Retrying right after the grant, or assuming the grant is effective because it exists somewhere. IAM policy changes can take up to 2 minutes to propagate. The binding may also sit at the wrong level for what you inspected: the bucket's own policy does not show roles inherited from the project, and a project-level check does not show a bucket-level binding, so the principal may still lack the object-level permissions where Terraform actually needs them.
-
90% fail
Running Terraform with `-lock=false`. This bypasses the lock and can corrupt state if more than one run touches it concurrently. It is a dangerous workaround, not a fix, and can lead to data loss.