For anyone else who stumbles upon this issue, make sure you are adding the required IAM permissions mentioned in the CreateBackupVault row to the role creating the Vault. I was misssing the required kms and backup-storage permissions and got the same 403 error.

from terraform-aws-backup.

@lgallard The IAM permissions need to be added to the Role running the terraform. In @thiagolsfortunato's case, his "pipeline user" (i.e., not the IAM role used by AWS Backup that your module creates).

I think just adding this to the README (e.g., Troubleshooting: error creating Backup Vault () ...) would be helpful as the error message from AWS is not useful. This is mentioned in the AWS docs as a requirement so I'll leave that up to you. As a disclaimer, I'm not using this module but I stumbled upon this issue (google search) due to the same error from the aws_backup_vault resource 😄

from terraform-aws-backup.

@carflo thanks for the clarification. Comment added in README!!

from terraform-aws-backup.

Hi @GuilhermeRizzottoLis, the module uses the service role as defined here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L12 and add a policies in the iam.tf, in particular here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L24.

With those roles/policies should be enough to create the a new vault. I checked the simple_plan_using_list example last week and it created the vault named "vault-1" as in the example.

Did you check if the service role were created?

from terraform-aws-backup.

Yeah, it was created, maybe its some configuration in AWS, but i have Full Access permition.

from terraform-aws-backup.

@GuilhermeRizzottoLis did you check this issue reported here ?

It seems a async problem (maybe due to networking issues or token expiration) as expressed in this comment

from terraform-aws-backup.

I just started encountering this same exact issue. I'm able to create vaults via the aws console and aws cli directly no problem, but when I attempt to do so using the same exact IAM role via Terraform, I get this cryptic 403 error. Looking through Terrform's debug log reveals nothing useful.

Terraform v0.14.9, AWS provider v3.35.0

from terraform-aws-backup.

@faucherb94 can you share your Terraform definition?

from terraform-aws-backup.

I am suffering the same issue. Terraform v0.14.10, AWS provider 3.36.0.
This is what the plan outputs:

# aws_backup_vault.ps-backup-vault will be created
+ resource "aws_backup_vault" "ps-backup-vault" {
    + arn             = (known after apply)
    + id              = (known after apply)
    + kms_key_arn     = (known after apply)
    + name            = "prod-backup-vault"
    + recovery_points = (known after apply)
 }

from terraform-aws-backup.

@jralonso i just applied the complete example in my account using Terraform v0.14.10, AWS provider 3.36.0.

Are you using the complete example or any other example?

Did you check you have enough permission privileges to create AWS Backup resources (vaults, plans, rules, etc) ?

from terraform-aws-backup.

@jralonso I checked the simple_plan example with the latest version of the module (0.11.2) and it's working with Terraform v0.14.10, AWS provider 3.36.0 as well.

from terraform-aws-backup.

I have the same error when run with my Pipeline User. This User has backup:* permission attached to your policy.

When I perform terraform apply returns AccessDeniedException: status code: 403

I have Full Administrator Access and can create AWS Backup Vault with my credentials. Which permissions my pipeline user needs?

from terraform-aws-backup.

@thiagolsfortunato the module creates a service role, meaning your pipeline must be able to create roles in IAM.

from terraform-aws-backup.

@carflo maybe we can add those permissions in the IAM policy here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L40

from terraform-aws-backup.