错误:获取状态锁时出错。锁信息:锁 ID:“abc123”,操作:OperationNotAllowed:无法获取状态锁,因为当前用户没有所需的权限。
Error: Error acquiring the state lock. Lock Info: Lock ID: "abc123", Operation: OperationNotAllowed: The state lock cannot be acquired because the current user does not have the required permission.
ID: policy/terraform-state-lock-policy-violation
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Terraform 1.5.x | active | — | — | — |
| Google Cloud Storage (GCS) | active | — | — | — |
| AWS S3 | active | — | — | — |
根因分析
状态存储后端(例如 GCS 存储桶或 S3 存储桶)上的 IAM 策略未向尝试获取锁的服务帐户或用户授予 'storage.objects.create' 权限(对于 GCS)或 's3:PutObject'(对于 S3)。
English
The IAM policy on the state storage backend (e.g., GCS bucket or S3 bucket) does not grant the 'storage.objects.create' permission (for GCS) or 's3:PutObject' (for S3) to the service account or user attempting to acquire the lock.
官方文档
https://developer.hashicorp.com/terraform/language/state/locking解决方案
-
向服务帐户授予特定存储桶上的 'roles/storage.objectAdmin' 角色(对于 GCS)或 's3:PutObject' 和 's3:DeleteObject' 权限(对于 S3)。对于 GCS:`gsutil iam ch serviceAccount:[email protected]:roles/storage.objectAdmin gs://your-terraform-state-bucket`。然后等待 2 分钟并重试。
-
如果使用 GCS,请使用 `gsutil iam get gs://your-terraform-state-bucket` 验证存储桶的 IAM 策略,并确保服务帐户至少具有 'roles/storage.objectAdmin' 或具有 'storage.objects.create' 和 'storage.objects.delete' 权限的自定义角色。
-
切换到支持细粒度访问控制的远程后端(例如 Terraform Cloud),其中锁权限与状态存储分开管理。
无效尝试
常见但无效的做法:
-
80% 失败
The force-unlock command also requires the same write permission on the state backend to delete the lock file. If the current user lacks the permission, force-unlock will fail with the same error.
-
50% 失败
IAM policy changes can take up to 2 minutes to propagate. Additionally, the issue may be at the bucket-level policy, not the project-level. The user may still lack the specific object-level permissions.
-
90% 失败
This bypasses the lock and can cause state corruption if multiple users run Terraform concurrently. It is a dangerous workaround, not a fix, and may lead to data loss.