VPC endpoint policy Deny and read access for terraform

Terraform Providers AWS
1

Hi folks, need your help.

I write a policy for S3 Bucket as example below:

{
    "Version": "2012-10-17",
    "Id": "Access-to-bucket-using-specific-endpoint",
    "Statement": [
      {
        "Sid": "DenyIfNotFromAllowedVPC",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::bucket-name-${name_prefix}",
          "arn:aws:s3:::bucket-name-${name_prefix}/*"
                    ],
        "Condition": {
          "StringNotEquals": {
            "aws:sourceVpce": "${vpce_id}"
          }
        }
      }
    ]
  }

After applying the policy in S3 Bucket terraform lost access to reading bucket and I have error

Error: error reading S3 Bucket (bucket-name-dev): Forbidden: Forbidden

Help find a solution for apply policy and manage s3 Bucket via terraform :grinning:

2

Solution

run command to get UserId

aws sts get-caller-identity

Then add your ID in the code as the example below

{
    "Version": "2012-10-17",
    "Id": "Access-to-bucket-using-specific-endpoint",
    "Statement": [
      {
        "Sid": "DenyIfNotFromAllowedVPCendpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::bucket-name-${name_prefix}",
          "arn:aws:s3:::bucket-name-${name_prefix}/*"
                    ],
        "Condition": {
          "StringNotEquals": {
            "aws:userid" : "AIDFFKDXKYRYIOPRT1C3E",
            "aws:sourceVpce": "${vpc_endpoint}"
          }
        }
      }
    ]
  }