
Recently I tried to deploy an "aws_s3_bucket_acl" resource using Terraform, and received the error:

 Error: error creating S3 bucket ACL for bucket-name: AccessControlListNotSupported: The bucket does not allow ACLs │ status code: 400

I didn’t see why this wouldn’t create. However, I checked the AWS docs and it looks like they recently had an update, as of April 2023, that disabled ACLs by default:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

Posting this here in case anyone else gets stuck on this issue and can’t make sense of why older solutions are not working. 🙂


Answers


  1. Thanks for sharing the info!

    We bypassed this by adding an s3_bucket_ownership_controls resource, ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls

    Further, if you happen to use the terraform-aws-modules/s3-bucket/aws module, simply use:

    # S3 Bucket Ownership Controls
    # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls
    control_object_ownership = true
    object_ownership         = "BucketOwnerPreferred"
    

    should work too.

  2. Sorry for the bad English.

    For people who face the same problem, here is one workaround.

    The Problem: In the link you pasted, AWS changed some things in ACLs (S3 buckets). It says the default value is "ObjectWriter", and to use ACLs you have to set ownership to "ObjectWriter" or "BucketOwnerPreferred" (enabled mode); if you use "BucketOwnerEnforced" (disabled), Terraform (the ACL resource) will break.
    Well, if the default is "ObjectWriter", this should work to implement the ACL resource, but with Terraform the default value is "BucketOwnerEnforced" (the only one that doesn’t work for ACLs).

    The Solution: If you look at your terraform apply, it sets "aws_s3_bucket_acl" before "aws_s3_bucket_ownership_controls" almost every time you apply. So, to avoid the error, you change the order in which they are created: set ownership to be created first and put depends_on in the ACL resource. It will force the ownership to a value that lets the ACL resource be created.
    It will make the ownership be set to the one you want before the ACL is implemented.

    Example

    resource "aws_s3_bucket_acl" "s3_bucket_acl" {
      bucket = aws_s3_bucket.bucket-one-two.id
      acl    = "private"
      depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
    }
    
    # Resource to avoid error "AccessControlListNotSupported: The bucket does not allow ACLs"
    resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
      bucket = aws_s3_bucket.bucket-one-two.id
      rule {
        object_ownership = "ObjectWriter"
      }
    }
    
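Putting both answers together, here is a complete Terraform configuration as an added example (it is not code from the question or from either answer). It assumes the hashicorp/aws provider 4.x or later; the region, bucket name and resource labels are placeholders. It applies the ownership control from answer 1 and the creation ordering from answer 2, and notes the alternative of not using an ACL at all.

```hcl
# Added example, not from the original thread. Region and bucket name are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # aws_s3_bucket_acl is a separate resource from provider 4.0 on
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

resource "aws_s3_bucket" "example" {
  bucket = "example-acl-demo-bucket-placeholder" # placeholder; must be globally unique
}

# Keep the bucket closed to anonymous access whichever ownership setting is chosen.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Step 1 (answer 1): opt the bucket back into ACLs. New buckets default to
# "BucketOwnerEnforced", which rejects every ACL call with
# "AccessControlListNotSupported". "BucketOwnerPreferred" keeps the bucket
# owner as owner of uploaded objects while still allowing ACLs; "ObjectWriter"
# (used in answer 2) also works.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Step 2 (answer 2): the ACL, created only after the ownership control exists.
# Without depends_on Terraform may create this resource first and fail with the 400.
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"

  depends_on = [aws_s3_bucket_ownership_controls.example]
}

# Alternative: keep the AWS default of "BucketOwnerEnforced" and delete the
# aws_s3_bucket_acl resource entirely. The "private" canned ACL grants only the
# bucket owner, which is exactly what BucketOwnerEnforced gives with no ACL, so
# nothing is lost and access is managed by bucket policy and IAM only.
```

Run `terraform plan` and confirm that `aws_s3_bucket_ownership_controls.example` is listed before `aws_s3_bucket_acl.example` in the planned creation order; if the ACL is anything other than "private", also check that the public access block does not reject it, since `block_public_acls = true` refuses ACLs that grant public access.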