# Error: Error acquiring the state lock. Lock Info: Lock ID: "abc123", Operation: OperationNotAllowed: The state lock cannot be acquired because the current user does not have the required permission.

- **ID:** `policy/terraform-state-lock-policy-violation`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `OperationNotAllowed`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The IAM policy on the state storage backend (e.g., a GCS bucket or an S3 bucket) does not grant the 'storage.objects.create' permission (for GCS) or 's3:PutObject' (for S3) to the service account or user attempting to acquire the lock. The GCS backend takes the lock by creating a lock object next to the state file and releases it by deleting that object, so the principal needs both create and delete permissions on objects in the bucket; a principal with create-only access can take a lock it is then unable to release.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Terraform 1.5.x | active | — | — |
| Google Cloud Storage (GCS) | active | — | — |
| AWS S3 | active | — | — |

## Workarounds

1. **Grant the 'roles/storage.objectAdmin' role (for GCS) or the 's3:PutObject' and 's3:DeleteObject' permissions (for S3) to the service account on the specific bucket, then wait 2 minutes for the policy to propagate and retry.** (90% success)
   ```
   gsutil iam ch serviceAccount:your-sa@project.iam.gserviceaccount.com:roles/storage.objectAdmin gs://your-terraform-state-bucket
   ```
2. **If using GCS, verify the bucket's IAM policy and ensure the service account has at least 'roles/storage.objectAdmin' or a custom role with the 'storage.objects.create' and 'storage.objects.delete' permissions.** (85% success)
   ```
   gsutil iam get gs://your-terraform-state-bucket
   ```
3. **Switch to a remote backend that supports fine-grained access control (e.g., Terraform Cloud) where lock permissions are managed separately from state storage.** (70% success)
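Workaround 2 leaves the reader to eyeball the `gsutil iam get` output. The following added example (not part of this entry or of Terraform) parses a policy document of that shape and reports which of the two lock permissions a given member still lacks; the role-to-permission map covers only the predefined Cloud Storage roles relevant here and is simplified, the bucket, member names and `custom_roles` parameter are assumptions, and conditional bindings are treated as not granting anything because their effect depends on request context.

```python
"""Check whether a member of a GCS bucket IAM policy (as returned by
`gsutil iam get gs://BUCKET`) holds the permissions the Terraform GCS
backend needs to create and later delete its lock object."""
import json

# Both are needed: create to take the lock, delete to release it.
REQUIRED = {"storage.objects.create", "storage.objects.delete"}

# Simplified subset of the predefined Cloud Storage roles, reduced to the
# object permissions relevant here (assumption: custom roles are supplied
# by the caller with the permissions they actually grant).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectUser": {"storage.objects.create", "storage.objects.delete",
                                 "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list",
                                  "storage.objects.update"},
    "roles/storage.admin": {"storage.objects.create", "storage.objects.delete",
                            "storage.objects.get", "storage.objects.list",
                            "storage.objects.update", "storage.buckets.get"},
}


def missing_lock_permissions(policy: dict, member: str, custom_roles=None) -> set:
    """Return the lock permissions `member` is not unconditionally granted.

    Bindings carrying an IAM condition are skipped: whether they apply
    depends on the request, so they cannot be relied on for locking."""
    granted = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding or member not in binding.get("members", []):
            continue
        role = binding["role"]
        granted |= ROLE_PERMISSIONS.get(role, (custom_roles or {}).get(role, set()))
    return REQUIRED - granted


# Constructed sample policy: the service account only holds objectCreator,
# so it can create the lock object but never delete it (force-unlock fails too).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:tf-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["group:platform-admins@example.com"]}
  ]
}""")

if __name__ == "__main__":
    sa = "serviceAccount:tf-runner@example-project.iam.gserviceaccount.com"
    print(missing_lock_permissions(SAMPLE_POLICY, sa))  # {'storage.objects.delete'}
```

Feed it the real output with `json.load(open("policy.json"))` after `gsutil iam get gs://your-terraform-state-bucket > policy.json`; an empty result means the member can both take and release the lock.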

## Dead Ends

- **Running `terraform force-unlock`** — The force-unlock command also requires the same write permission on the state backend to delete the lock file. If the current user lacks the permission, force-unlock fails with the same error. (80% fail)
- **Retrying immediately after a project-level IAM grant** — IAM policy changes can take up to 2 minutes to propagate. Additionally, the issue may be at the bucket-level policy, not the project-level, so the user may still lack the specific object-level permissions. (50% fail)
- **Disabling locking** — This bypasses the lock and can cause state corruption if multiple users run Terraform concurrently. It is a dangerous workaround, not a fix, and may lead to data loss. (90% fail)
