Using mfa_delete on an S3 bucket #12973

Closed
Techbrunch opened this issue Mar 22, 2017 · 3 comments

Techbrunch commented Mar 22, 2017

How to enable mfa_delete on an S3 bucket?

Terraform Version

Terraform v0.9.1

Affected Resource(s)

  • aws_s3_bucket

Terraform Configuration Files

resource "aws_s3_bucket" "test-terraform-mfa-delete" {
  bucket = "test-terraform-mfa-delete"
  versioning {
    mfa_delete = true
  }
}

Debug Output

provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value:

aws_s3_bucket.test-terraform-mfa-delete: Creating...
  acceleration_status:     "" => "<computed>"
  acl:                     "" => "private"
  arn:                     "" => "<computed>"
  bucket:                  "" => "test-terraform-mfa-delete"
  bucket_domain_name:      "" => "<computed>"
  force_destroy:           "" => "false"
  hosted_zone_id:          "" => "<computed>"
  region:                  "" => "<computed>"
  request_payer:           "" => "<computed>"
  versioning.#:            "" => "1"
  versioning.0.enabled:    "" => "false"
  versioning.0.mfa_delete: "" => "true"
  website_domain:          "" => "<computed>"
  website_endpoint:        "" => "<computed>"
Error applying plan:

1 error(s) occurred:

* aws_s3_bucket.test-terraform-mfa-delete: 1 error(s) occurred:

* aws_s3_bucket.test-terraform-mfa-delete: Error putting S3 versioning: AccessDenied: Mfa Authentication must be used for this request
	status code: 403, request id: 768ACF725BBD91DD

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
@aiwilliams

I am having trouble getting the aws provider to add mfa_delete to an S3 bucket. I have successfully obtained credentials from STS using the aws cli with --token-code, and I have set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables with the results. The API is returning a 403 saying that "Mfa Authentication must be used for this request".

I was able to use the aws cli to enable mfa delete:

aws --profile my-credentials-profile s3api put-bucket-versioning --bucket my-bucket --versioning-configuration 'MFADelete=Enabled,Status=Enabled' --mfa 'arn:aws:iam::<account-id>:mfa/root-account-mfa-device <mfacode>'

terraform plan now shows that there is no change to make.

austinbyers commented May 31, 2017

I too have this problem, where enabling mfa_delete via Terraform never seems to work.

aws sts get-session-token --serial-number arn:aws:iam::<account-id>:mfa/<user> --token-code=<mfacode>

returns successfully, and I pass the access key, key ID, and session token to the aws provider, but terraform returns the same error as above.

However, in my case, trying the CLI command suggested by aiwilliams gives me this error:
An error occurred (AccessDenied) when calling the PutBucketVersioning operation: This operation may only be performed by the bucket owner

So perhaps Terraform is masking multiple errors with the same error message.
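
The check and the request discussed in the comments above, as an added example that is not code from the thread or from Terraform: it classifies GetBucketVersioning responses to find buckets without MFA delete, and builds the arguments for boto3's `put_bucket_versioning`. The sample responses, bucket names and helper function names are constructed for illustration.

```python
import re

# Constructed sample data, shaped like boto3 s3.get_bucket_versioning() responses.
# "Status" and "MFADelete" are both absent when versioning was never configured.
SAMPLE_RESPONSES = {
    "never-versioned": {},
    "versioned-only": {"Status": "Enabled"},
    "mfa-protected": {"Status": "Enabled", "MFADelete": "Enabled"},
    "suspended": {"Status": "Suspended", "MFADelete": "Disabled"},
}


def versioning_state(resp):
    """Return (versioning status, mfa_delete_enabled) for one response."""
    status = resp.get("Status", "Unversioned")
    return status, resp.get("MFADelete") == "Enabled"


def unprotected_buckets(responses):
    """Names of buckets that lack versioning with MFA delete, sorted."""
    flagged = []
    for name, resp in responses.items():
        status, mfa = versioning_state(resp)
        if status != "Enabled" or not mfa:
            flagged.append(name)
    return sorted(flagged)


def enable_mfa_delete_kwargs(bucket, mfa_serial, mfa_code):
    """Build keyword arguments for boto3 s3.put_bucket_versioning().

    The MFA value is sent with this request itself, like the --mfa
    argument of the CLI command in the thread: device serial, a space, code.
    """
    if not re.fullmatch(r"\d{6}", mfa_code):
        raise ValueError("MFA code must be six digits")
    if not mfa_serial or " " in mfa_serial:
        raise ValueError("MFA serial must be a non-empty value without spaces")
    return {
        "Bucket": bucket,
        "MFA": f"{mfa_serial} {mfa_code}",
        "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
    }


if __name__ == "__main__":
    for name in unprotected_buckets(SAMPLE_RESPONSES):
        print(name, versioning_state(SAMPLE_RESPONSES[name]))
```

With live credentials the dictionary would be passed as `s3.put_bucket_versioning(**kwargs)`, and the responses would come from `s3.get_bucket_versioning(Bucket=name)` for each bucket.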

ghost commented Apr 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 9, 2020