terraform-provider-scaleway: Can't create `scaleway_object_bucket_policy`

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.5.3
on linux_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v4.10.0
+ provider registry.terraform.io/hashicorp/aws v5.8.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/integrations/github v5.30.1
+ provider registry.terraform.io/mongodb/mongodbatlas v1.10.0
+ provider registry.terraform.io/scaleway/scaleway v2.24.0
+ provider registry.terraform.io/umisora/stripe v1.3.6
+ provider registry.terraform.io/vercel/vercel v0.14.0

Affected Resource(s)

scaleway_object_bucket_policy

Terraform Configuration Files

resource "scaleway_object_bucket_policy" "read_all" {
  bucket = scaleway_object_bucket.images.id
  policy = jsonencode({
    Version = "2023-04-17",
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
        ]
        Principal = { SCW = "application_id:xxx" }
        Resource = [
          scaleway_object_bucket.images.name,
          "${scaleway_object_bucket.images.name}/*",
        ]
      },
    ]
  })
}

Panic Output

Error: error putting SCW bucket policy: MalformedPolicy: Action does not apply to any resource(s) in statement status code: 400, request id: tx29df4b60fb3a4e9b87a1e-0064b9537a, host id: tx29df4b60fb3a4e9b87a1e-0064b9537a
with module.production.scaleway_object_bucket_policy.read_all
on modules/environment/s3.tf line 52, in resource "scaleway_object_bucket_policy" "read_all":
resource "scaleway_object_bucket_policy" "read_all" {

Expected Behavior

The resource (policy) to be created for the given bucket name.

Important Factoids

I don’t want to set a principal, but struggle to find a correct setting for that. AWS suggests setting

Principal = {
  type = "*"
  identifiers = ["*"]
}

which doesn’t seem to be valid in the eyes of the SCW API validation.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

Oh geez, I hit the same issue. I tried to create a new project, two buckets and an application per bucket. For some reason Principal doesn’t work and I lost access to the bucket from the UI as well. It seems like for buckets my user doesn’t inherit organisation/group/project permissions (WTF) and I needed to set an additional rule, e.g.

# Extra statement: grant the operating user full access so the policy does not lock the owner out
{
  Effect = "Allow"
  Action = [
    "s3:*"
  ]
  Principal = {
    SCW = "user_id:<uuid>"
  }
  Resource = [
    scaleway_object_bucket.homelab_backups[each.key].name,
    "${scaleway_object_bucket.homelab_backups[each.key].name}/*"
  ]
},

This IAM implementation sucks (WTF Scaleway, you had one job, copy AWS’ IAM 1:1), coming back to Wasabi. I wasted a few hours here.
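Added example, not code from terraform-provider-scaleway, from Scaleway, or from anyone in this thread: a pre-apply linter in Python for the policy shape used in the issue body above (Version "2023-04-17", bare bucket names as Resource, {"SCW": "application_id:..."} / {"SCW": "user_id:..."} principals). It reproduces the condition behind the "Action does not apply to any resource(s) in statement" error (an action whose resource kind, bucket vs. key, has no matching Resource entry), rejects Principal shapes such as the {type, identifiers} form the reporter tried, and flags the lock-out the commenter above ran into by requiring an explicit Allow of s3:* for the operating user. Assumptions: the bucket-level/object-level split of actions follows AWS S3, a bare "*" principal means everyone, and the bucket names and ids in the sample are made up.

```python
"""Pre-apply linter for a Scaleway-style bucket policy (added example).

Not code from terraform-provider-scaleway or Scaleway. Assumes the shape
used in this issue: bare bucket names as Resource ("images", "images/*")
and {"SCW": "user_id:..."} / {"SCW": "application_id:..."} principals.
"""
from __future__ import annotations

import json

KNOWN_VERSIONS = {"2012-10-17", "2023-04-17"}

# Assumption: same bucket-level / object-level split as AWS S3.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy",
                  "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectAcl", "s3:PutObjectAcl"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_targets(action: str) -> set[str]:
    """Resource kinds ('bucket', 'object') an action can apply to; handles s3:* and s3:Get*."""
    if action == "s3:*":
        return {"bucket", "object"}
    prefix = action[:-1] if action.endswith("*") else None

    def matches(name):
        return name == action or (prefix is not None and name.startswith(prefix))

    targets = set()
    if any(matches(n) for n in BUCKET_ACTIONS):
        targets.add("bucket")
    if any(matches(n) for n in OBJECT_ACTIONS):
        targets.add("object")
    return targets


def resource_kind(resource: str, bucket: str) -> str | None:
    """'bucket' for the bucket itself, 'object' for a key pattern under it, else None."""
    if resource == bucket:
        return "bucket"
    if resource.startswith(bucket + "/"):
        return "object"
    return None


def principal_ids(principal) -> set[str] | None:
    """SCW ids named by a Principal ('*' = everyone, an assumption here);
    None for shapes the API rejects, e.g. {"type": "*", "identifiers": ["*"]}."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict) and set(principal) == {"SCW"}:
        ids = set(_as_list(principal["SCW"]))
        if all(p == "*" or p.startswith(("user_id:", "application_id:")) for p in ids):
            return ids
    return None


def lint_policy(policy: dict, bucket: str, operator: str) -> list[str]:
    """Findings for `policy` on `bucket`; `operator` is the SCW id that must keep access."""
    findings = []
    if policy.get("Version") not in KNOWN_VERSIONS:
        findings.append(f"unknown Version {policy.get('Version')!r}")
    operator_keeps_access = False
    for i, st in enumerate(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        kinds = {resource_kind(r, bucket) for r in resources}
        for r in resources:
            if resource_kind(r, bucket) is None:
                findings.append(f"statement {i}: resource {r!r} is not {bucket!r} or a key under it")
        for a in actions:
            if not action_targets(a) & kinds:   # the condition behind the MalformedPolicy error
                findings.append(f"statement {i}: action {a!r} does not apply to any resource(s) in statement")
        ids = principal_ids(st.get("Principal"))
        if ids is None:
            findings.append(f'statement {i}: Principal must be "*" or {{"SCW": "user_id:..." | "application_id:..."}}')
            continue
        if (st.get("Effect") == "Allow" and ids & {operator, "*"}
                and "s3:*" in actions and kinds >= {"bucket", "object"}):
            operator_keeps_access = True
    if not operator_keeps_access:   # the lock-out the commenter describes
        findings.append(f"lock-out risk: no Allow statement grants {operator!r} s3:* on {bucket!r} and {bucket!r}/*")
    return findings


def reporter_policy(bucket: str, app_id: str) -> dict:
    """The read_all policy from this issue as JSON (constructed sample ids)."""
    return {"Version": "2023-04-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Principal": {"SCW": f"application_id:{app_id}"},
        "Resource": [bucket, f"{bucket}/*"]}]}


def with_owner_statement(policy: dict, bucket: str, user_id: str) -> dict:
    """Append the self-grant the commenter added after locking himself out."""
    owner = {"Effect": "Allow", "Action": ["s3:*"],
             "Principal": {"SCW": f"user_id:{user_id}"},
             "Resource": [bucket, f"{bucket}/*"]}
    return {**policy, "Statement": [*policy["Statement"], owner]}


if __name__ == "__main__":
    me = "user_id:00000000-0000-0000-0000-000000000001"   # made-up ids
    pol = reporter_policy("images", "00000000-0000-0000-0000-000000000002")
    for name, p in [("as posted", pol),
                    ("with owner grant", with_owner_statement(pol, "images", me[8:]))]:
        print(name, json.dumps(lint_policy(p, "images", me), indent=2))
```

Run it before `terraform apply`, or call lint_policy on the output of jsonencode from a local-exec check: the posted read_all policy passes the action/resource check but is reported as a lock-out risk, and adding the commenter's owner statement clears all findings.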