Terraform - Resolve "UnauthorizedOperation: You are not authorized to perform this operation"


Let's say the terraform refresh, terraform output, terraform plan, or terraform apply command returns something like this.

Error: reading EC2 VPCs: UnauthorizedOperation: You are not authorized to perform this operation.

In this example, the error occurs when managing Amazon Web Services (AWS) resources with Terraform. Check out my article on Amazon Web Services (AWS) Getting Started with Terraform.

Let's say you have the following files on your Terraform server.

├── locals.tf
├── modules.tf
├── outputs.tf
├── provider.tf
├── terraform.tfstate
├── variables.tf
├── virtual_private_clouds (directory, child module)
│   ├── data.tf
│   ├── outputs.tf
│   ├── resources.tf

And let's say variables.tf in the main root module (main.tf) contains something like this. In this example, the johndoe user's access key and secret key are used to connect and authenticate to Amazon Web Services (AWS).

variable "access_key" {
  description = "johndoe AWS access key"
  type = string 
  sensitive = true
  default = "ABCDEFG123456789"
}
variable "secret_key" {
  description = "johndoe AWS secret key"
  type = string 
  sensitive = true
  default = "ABCDEFG123456789ABCDEFG123456789"
}
variable "region" {
  description = "AWS region"
  type = string
  sensitive = false
  default = "us-east-1"
}

The most likely cause is that the johndoe user does not have permission to perform the operation Terraform is attempting. For example, perhaps john.doe does not have any policies attached yet.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": []
}

One solution is to create a role on Amazon Web Services (my-role in this example).

aws iam create-role --role-name my-role --assume-role-policy-document file://my.json

And then attach a policy to the role.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name my-role

In provider.tf, you could then use assume_role so that Terraform assumes a role that has permission to perform the operation, something like this.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }
}

provider "aws" {
  # johndoe's own credentials are only used to call sts:AssumeRole
  access_key = var.access_key
  secret_key = var.secret_key
  region     = var.region

  # every other API call is made with the permissions attached to my-role
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/my-role"
  }
}
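As an added example (not part of the original article), here is a shell script that ties the steps above together: it renders the trust policy document that the create-role command needs (the my.json file the article passes but does not show), asks the IAM policy simulator whether the user may call ec2:DescribeVpcs (the action behind "reading EC2 VPCs"), creates the role and attaches ReadOnlyAccess, and then confirms the user can actually assume the role before Terraform is run again. The account id 123456789012, the user john.doe and the role my-role are placeholders; the script assumes AWS CLI v2 authenticated with the same credentials Terraform uses, read from the standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables rather than from hard-coded variable defaults.

```shell
#!/bin/sh
# Added example, not from the original article. Diagnose an
# UnauthorizedOperation from Terraform and create a role the user can assume.
# Assumes AWS CLI v2 with the same credentials Terraform uses. The account id,
# user name and role name are placeholders passed on the command line.
set -eu

# Render the trust policy (the my.json file given to create-role). Naming the
# user ARN explicitly as the principal lets that user assume the role within
# the same account even though the user has no identity-based policies yet.
trust_policy() {
  account_id="$1"; user_name="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:user/${user_name}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Ask IAM whether the user may call the action Terraform needs. "reading EC2
# VPCs" maps to ec2:DescribeVpcs. Prints allowed, implicitDeny or explicitDeny
# without making any EC2 call.
simulate() {
  user_arn="$1"; action="$2"
  aws iam simulate-principal-policy \
    --policy-source-arn "$user_arn" \
    --action-names "$action" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# Create the role with the trust policy, attach the read-only managed policy,
# and prove the user can assume it before touching Terraform again.
fix_and_verify() {
  account_id="$1"; user_name="$2"; role_name="$3"
  trust_policy "$account_id" "$user_name" > my.json
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document file://my.json
  aws iam attach-role-policy --role-name "$role_name" \
    --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
  # IAM changes take a few seconds to propagate, so retry the assume-role call.
  for attempt in 1 2 3 4 5; do
    if aws sts assume-role \
         --role-arn "arn:aws:iam::${account_id}:role/${role_name}" \
         --role-session-name terraform-check \
         --query 'Credentials.Expiration' --output text; then
      return 0
    fi
    sleep 3
  done
  echo "user ${user_name} still cannot assume ${role_name}" >&2
  return 1
}

# Only talk to AWS when asked to; rendering the trust policy needs no access.
if [ "${1-}" = "--run" ]; then
  account_id="${2:?account id}"; user_name="${3:?user name}"
  role_name="${4:-my-role}"
  user_arn="arn:aws:iam::${account_id}:user/${user_name}"
  echo "ec2:DescribeVpcs as ${user_name}: $(simulate "$user_arn" ec2:DescribeVpcs)"
  fix_and_verify "$account_id" "$user_name" "$role_name"
fi
```

Run it as `sh fix_role.sh --run 123456789012 john.doe my-role`; without arguments it only defines the functions, so `trust_policy` can be called to inspect the generated my.json offline. If the simulator still reports implicitDeny for the user after the role exists, that is expected: the user is never granted ec2:DescribeVpcs directly, the role is, which is exactly what the assume_role block in provider.tf relies on, and the successful sts assume-role call at the end is the check that matters before re-running terraform plan.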