I have a GitHub Action that I’m trying to use to create a terraspace plan and post back to the PR. On the AWS side we have an Org and your access keys are for the mgmt account, then you can assume roles in other accounts as needed. With the provider.tf config in terraspace we’re using the
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = var.iam_roles["<%= Terraspace.env %>"]
  }
}
In the GH Actions I’m using this to auth the runner:
- uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
    aws-region: us-east-1
Then when I run this:
TS_ENV="$env_name" TF_LOG="DEBUG" terraspace plan stackname | tee "${{ github.workspace }}/plan_$env_name.txt"
Terraspace gives me this error:
Building .terraspace-cache/us-east-1/dev/stacks/stackname
Aws::S3::Errors::Forbidden: Aws::S3::Errors::Forbidden
ERROR: Bucket is not available: terraform-state-dev-us-east-1
Bucket might be owned by someone else or is on another one of your AWS accounts.
Exception SystemExit: exit
This makes me think that there’s some issue with Terraspace being able to assume the role in the other account, but I can’t get the logs to prove it either from TF_LOG or setting debug in terraspace config.
The user that GH Actions is using is in the same Admin group in AWS that I am and assuming the same roles. There’s no problem on our workstations, but there is in the action. How can I get more info on the issue here?
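A diagnostic step that can be dropped into the same workflow, added here as an example and not part of the original post: it separates the two things that can fail, the base keys' own access to the state bucket and the assumption of the per-environment role, by exercising each with the AWS CLI before terraspace runs. The role ARN is a placeholder (use the value from var.iam_roles for the environment); the bucket name is the one from the error.

```yaml
# Added diagnostic step (example, not from the original workflow). Assumes the
# aws-actions/configure-aws-credentials step above has already run and that the
# AWS CLI is on the runner (it is on GitHub-hosted ubuntu runners).
- name: Diagnose state bucket access and role assumption
  env:
    # PLACEHOLDER: replace with the role from var.iam_roles["<env>"]
    TARGET_ROLE_ARN: arn:aws:iam::111111111111:role/PLACEHOLDER-terraform-role
    STATE_BUCKET: terraform-state-dev-us-east-1
  run: |
    set -uo pipefail
    echo "== identity behind the base credentials (expected: mgmt account user) =="
    aws sts get-caller-identity

    echo "== base credentials: can they see the state bucket? =="
    # A 403 here mirrors the Aws::S3::Errors::Forbidden that Terraspace reported.
    if aws s3api head-bucket --bucket "$STATE_BUCKET"; then
      echo "head-bucket OK with base credentials"
    else
      echo "head-bucket FAILED with base credentials (rc=$?)"
    fi

    echo "== base credentials: can they assume the target role? =="
    if ! CREDS=$(aws sts assume-role \
          --role-arn "$TARGET_ROLE_ARN" \
          --role-session-name gha-diagnostic \
          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
          --output text); then
      echo "assume-role FAILED: the runner's keys cannot assume $TARGET_ROLE_ARN"
      exit 1
    fi
    # Output is tab-separated; split it into the three temporary credentials.
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$CREDS"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

    echo "== identity after assume-role (expected: the target account role) =="
    aws sts get-caller-identity

    echo "== assumed role: can it see the state bucket? =="
    if aws s3api head-bucket --bucket "$STATE_BUCKET"; then
      echo "head-bucket OK with the assumed role"
    else
      echo "head-bucket FAILED with the assumed role (rc=$?)"
      exit 1
    fi
```

The pair of head-bucket results tells you which credential set the Forbidden comes from, which is the missing piece when TF_LOG alone does not show the SDK call Terraspace makes to check the bucket.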