Assume_role + S3 backend issue


The S3 bucket was created already, with only the role having access to it. My AWS user that I use for Terraform doesn’t have permission to S3 at all.

Now, is this a chicken-and-egg problem, where I get a “permission denied” error when initialising Terraform because the “assume_role” part comes after that?
The mentioned key there was not created yet, if that matters.

terraform {
  backend "s3" {
    bucket  = "bucketname"
    acl     = "private"
    key     = "main/tfkey"
    region  = "eu-north-1"
    encrypt = true
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  assume_role {
    role_arn    = "arn:aws:iam::XXXXXXXXXX:role/tfrole"
    external_id = "terraform"
  }
}
The error I get is this

Initializing the backend...
Error refreshing state: AccessDenied: Access Denied
	status code: 403, request id: ***, host id: ***


It may seem odd from a user perspective, but Terraform itself (which talks to S3 to store state) and terraform-provider-aws (which manages your infrastructure) are completely separate programs with their own pieces of configuration.

You have configured one of them to assume a role but not the other.

Confusingly, they don’t even agree on the shape of the configuration to use! Look at Backend Type: s3 | Terraform | HashiCorp Developer and add the additional configuration inside the backend block.
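
As an added example (not part of this thread, and not the poster's own configuration), here are the two separate pieces of configuration side by side, using the bucket name, key, region, role ARN and external ID from the question as placeholders. The `session_name` values and the `required_version` pin are assumptions added here. The nested `assume_role` block inside `backend "s3"` is the shape Terraform 1.6 and later accept; older releases take `role_arn` and `external_id` as top-level backend arguments instead.

```hcl
terraform {
  required_version = ">= 1.6.0" # nested assume_role in the s3 backend needs 1.6+

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Backend configuration: read by Terraform core itself, which is what
  # reads and writes the state object. It is NOT shared with the provider,
  # and this block cannot reference variables or data sources.
  backend "s3" {
    bucket  = "bucketname"
    key     = "main/tfkey"
    region  = "eu-north-1"
    encrypt = true

    # Role that Terraform core assumes before it lists the bucket and
    # gets/puts the state object. The role needs s3:ListBucket on the bucket
    # and s3:GetObject/s3:PutObject on the key; the calling user only needs
    # sts:AssumeRole on the role.
    assume_role {
      role_arn     = "arn:aws:iam::XXXXXXXXXX:role/tfrole"
      external_id  = "terraform"
      session_name = "terraform-state" # assumed name; visible in CloudTrail
    }
  }
}

# Provider configuration: read by terraform-provider-aws, which manages the
# resources. It does not inherit the backend's role, so the assume_role
# block has to be repeated here even though it points at the same role.
provider "aws" {
  region = "eu-north-1"

  assume_role {
    role_arn     = "arn:aws:iam::XXXXXXXXXX:role/tfrole"
    external_id  = "terraform"
    session_name = "terraform-apply" # assumed name; visible in CloudTrail
  }
}
```

Two checks worth doing before `terraform init`: the role's trust policy must allow `sts:AssumeRole` for the user's principal and carry an `sts:ExternalId` condition matching the `external_id` above, and the user running Terraform needs no S3 permissions of its own, only `sts:AssumeRole` on the role. If you work with named profiles rather than the default credential chain, both blocks also accept a `profile` argument, and the backend and provider should be pointed at the same one. Terraform does not prompt for an MFA token, so if the trust policy or profile requires MFA, obtain session credentials first (for example with `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>`) and export them as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` before running `terraform init`.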

Thanks @maxb

If I understand correctly, I need to configure “assume_role” for the bucket as well?
With this, I get another error (I tried that yesterday already) saying
“Error: error configuring S3 Backend: IAM Role (arn:aws:iam::XXXXXXXXXX:role/tfrole) cannot be assumed.”

EDIT: I am using different profiles, if that matters, and I read somewhere that, without using “default” credentials, we might end up with this issue here.

Well, it seems that’s to do with the IAM User having MFA setup. I guess I have to look at that first.