Comments (14)
For anyone else who stumbles upon this issue, make sure you are adding the required IAM permissions mentioned in the CreateBackupVault row to the role creating the Vault. I was missing the required kms and backup-storage permissions and got the same 403 error.
from terraform-aws-backup.
@lgallard The IAM permissions need to be added to the Role running the terraform. In @thiagolsfortunato's case, his "pipeline user" (i.e., not the IAM role used by AWS Backup that your module creates).
I think just adding this to the README (e.g., Troubleshooting: error creating Backup Vault () ...) would be helpful as the error message from AWS is not useful. This is mentioned in the AWS docs as a requirement so I'll leave that up to you. As a disclaimer, I'm not using this module but I stumbled upon this issue (google search) due to the same error from the aws_backup_vault resource 😄
@carflo thanks for the clarification. Comment added in README!!
Hi @GuilhermeRizzottoLis, the module uses the service role as defined here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L12 and adds policies in iam.tf, in particular here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L24.
Those roles/policies should be enough to create a new vault. I checked the simple_plan_using_list example last week and it created the vault named "vault-1" as in the example.
Did you check if the service role was created?
Yeah, it was created; maybe it's some configuration in AWS, but I have Full Access permission.
@GuilhermeRizzottoLis did you check this issue reported here?
It seems an async problem (maybe due to networking issues or token expiration) as expressed in this comment.
I just started encountering this same exact issue. I'm able to create vaults via the AWS console and AWS CLI directly no problem, but when I attempt to do so using the same exact IAM role via Terraform, I get this cryptic 403 error. Looking through Terraform's debug log reveals nothing useful.
Terraform v0.14.9, AWS provider v3.35.0
@faucherb94 can you share your Terraform definition?
I am suffering the same issue. Terraform v0.14.10, AWS provider 3.36.0.
This is what the plan outputs:
# aws_backup_vault.ps-backup-vault will be created
+ resource "aws_backup_vault" "ps-backup-vault" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_arn = (known after apply)
+ name = "prod-backup-vault"
+ recovery_points = (known after apply)
}
@jralonso I just applied the complete example in my account using Terraform v0.14.10, AWS provider 3.36.0.
Are you using the complete example or any other example?
Did you check you have enough permission privileges to create AWS Backup resources (vaults, plans, rules, etc.)?
@jralonso I checked the simple_plan example with the latest version of the module (0.11.2) and it's working with Terraform v0.14.10, AWS provider 3.36.0 as well.
I have the same error when running with my Pipeline User. This user has backup:* permission attached to its policy.
When I perform terraform apply it returns AccessDeniedException: status code: 403
I have Full Administrator Access and can create an AWS Backup Vault with my credentials. Which permissions does my pipeline user need?
@thiagolsfortunato the module creates a service role, meaning your pipeline must be able to create roles in IAM.
@carflo maybe we can add those permissions in the IAM policy here https://github.com/lgallard/terraform-aws-backup/blob/master/iam.tf#L40
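Two comments in this thread describe the same gotcha: the first one (add the kms and backup-storage permissions listed in the CreateBackupVault row to the role creating the vault) and @thiagolsfortunato's (a pipeline user with backup:* still gets a 403). backup:* covers only the backup service prefix; it says nothing about backup-storage:* or kms:*, and the AccessDeniedException does not name the missing action. The following Python is an added example, not code from this thread or from the terraform-aws-backup module. It parses an IAM policy document and reports which of the required actions no Allow statement covers, applying IAM's action wildcard rules. The required-action list is my transcription of the AWS Backup access-control table for CreateBackupVault and should be checked against the current docs; both policies and the KMS key ARN are constructed for the example.

```python
"""Pre-flight check: does a pipeline principal's IAM policy cover the actions
AWS Backup needs for CreateBackupVault?

Added example, not part of the terraform-aws-backup module. It only inspects
the Action lists of Allow statements; explicit Deny, NotAction, Resource
scoping, Condition keys, SCPs and permission boundaries are NOT evaluated,
so a clean result here is necessary, not sufficient."""
import json
import re

# Assumption: transcribed from the AWS Backup access-control table for the
# CreateBackupVault API; verify against the current documentation.
CREATE_BACKUP_VAULT_ACTIONS = (
    "backup:CreateBackupVault",
    "backup-storage:MountCapsule",
    "kms:CreateGrant",
    "kms:GenerateDataKey",
    "kms:Decrypt",
    "kms:RetireGrant",
    "kms:DescribeKey",
)


def _as_list(value):
    """IAM accepts a single string or a list wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' matches any run of
    characters (including none), '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement in the document."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def missing_actions(policy, required=CREATE_BACKUP_VAULT_ACTIONS):
    """Return the required actions that no Allow pattern in the policy matches,
    in the order of the required list."""
    patterns = allowed_action_patterns(policy)
    return [a for a in required if not any(action_matches(p, a) for p in patterns)]


# Constructed: the shape of the "pipeline user" policy from the thread.
# backup:* looks generous, but backup-storage is a different service prefix
# and the statement grants nothing on kms.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "backup:*", "Resource": "*"}
  ]
}""")

# Constructed: the same policy with the two missing groups added. The KMS
# actions are scoped to the key the vault will be encrypted with (hypothetical
# key ARN) instead of "*", so the pipeline cannot use other keys in the account.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "backup:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "backup-storage:MountCapsule", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["kms:CreateGrant", "kms:GenerateDataKey", "kms:Decrypt",
                "kms:RetireGrant", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        gaps = missing_actions(policy)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

To run it against a real principal, fetch the attached policy document with `aws iam get-policy-version --policy-arn <arn> --version-id <id> --output json`, pass the `Document` object to `missing_actions`, and repeat for every attached and inline policy. A resource- or condition-scoped statement still counts as a match here even when its Resource or Condition would not apply to the vault's key, which is the reason the check is a quick triage step and not an authorization simulation; when it reports nothing missing and the 403 persists, look at the denied event in CloudTrail rather than at the Terraform debug log, which, as noted above, shows nothing useful.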