terraform-provider-aws
aws elbv2 describe-rules not using explicit aws region in HTTP call resulting in 403
I am running a terraform plan with tf 1.2.6 on a modification on a listener rule on an ELB V2 resource. It seems the AWS region is not used explicitly on the AWS HTTP call, I get 403 (as the profile I use has an IAM policy that denies access to resources in other regions):
│ Error: Error retrieving Rules for listener
"arn:aws:elasticloadbalancing:eu-west-1:****:listener-rule/app/myalb/****/****/****":
AccessDenied: User: arn:aws:iam::****:user/service-account/my_account is not authorized to perform: elasticloadbalancing:DescribeRules with an explicit deny in an identity-based policy
│ status code: 403, request id: ****
When using AWS CLI V2 I observe that if I explicitly use --region, the exact same action works. But if I do not add it in the CLI command, it fails! Seems AWSCLI V2 does not parse AWS_DEFAULT_REGION environment variable for some ELBV2 commands and refuses to use it in this command. Maybe the problem has its roots in AWS SDK / AWS CLI.
As the region is explicitly set in my provider part in terraform, the fix should be to always use this region parameter explicitly when calling AWS API on ELBV2 describe-rules action (as AWS_DEFAULT_REGION environment variable does not work here). I suspect other actions suffer the same problem (describe-listeners for instance, I don't know if other actions on ELBV2 are also in trouble).
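One way to check the region question raised above, as an added example that is not part of the original issue or of the provider's code: it compares the region in the resource ARN with the region in the SigV4 credential scope of the request's Authorization header, as it would appear in debug output. The sample ARN, access key and headers are constructed, and the allow-list models the assumption that the deny policy is evaluated on the region the request is sent to rather than on the ARN.

```python
import re

# Constructed sample data (the ARN in the issue is masked, so these values are made up).
SAMPLE_ARN = ("arn:aws:elasticloadbalancing:eu-west-1:111122223333:"
              "listener-rule/app/myalb/aaaa/bbbb/cccc")
SAMPLE_AUTH_WRONG = ("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20220801/"
                     "us-east-1/elasticloadbalancing/aws4_request, "
                     "SignedHeaders=host;x-amz-date, Signature=constructed")
SAMPLE_AUTH_OK = SAMPLE_AUTH_WRONG.replace("us-east-1", "eu-west-1")

# SigV4 credential scope: <access-key>/<yyyymmdd>/<region>/<service>/aws4_request
SCOPE = re.compile(r"Credential=[^/\s]+/\d{8}/([^/\s]+)/([^/\s]+)/aws4_request")


def arn_region(arn):
    """Return the region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[3]


def signed_region(authorization_header):
    """Return the region the request was signed for, taken from the credential scope."""
    match = SCOPE.search(authorization_header)
    if match is None:
        raise ValueError("no SigV4 credential scope found")
    return match.group(1)


def check_request(arn, authorization_header, allowed_regions):
    """Compare the resource region with the signed region and the allowed regions.

    allowed_regions is a hypothetical stand-in for the regions the deny policy
    does not block.
    """
    resource = arn_region(arn)
    signed = signed_region(authorization_header)
    return {
        "resource_region": resource,
        "signed_region": signed,
        "mismatch": resource != signed,
        "outside_allowed_regions": signed not in allowed_regions,
    }


if __name__ == "__main__":
    print(check_request(SAMPLE_ARN, SAMPLE_AUTH_WRONG, {"eu-west-1"}))
    print(check_request(SAMPLE_ARN, SAMPLE_AUTH_OK, {"eu-west-1"}))
```

A mismatch between the two regions means the call left the client scoped to a region other than the one in the ARN, which is the situation the error in this issue would be consistent with.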
Hey @bhoudu 👋 Thank you for taking the time to raise this! So that we have all of the necessary information in order to look into this, can you update the issue description to include all of the information requested in the bug report template?
Since we haven't heard back, I'm going to close this issue. If you're still having trouble, please feel free to open a new issue, referencing this one for context as needed.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.