## Introduction

Terraform S3 backend errors block all state operations. The backend cannot read the existing state or write new state, which prevents plan and apply operations.

## Symptoms

- `terraform init` fails: "Failed to get existing workspaces: AccessDenied"
- Error: "NoSuchBucket: The specified bucket does not exist"
- Error: "InvalidClientTokenId: The security token included in the request is invalid"
- Error: "AccessDenied: Access Denied"
- State operations hang (network issue to S3)

## Common Causes

- S3 bucket does not exist
- IAM credentials lack `s3:GetObject`, `s3:PutObject` permissions
- S3 bucket policy denying access
- S3 bucket encryption (SSE) not matching Terraform configuration
- VPC endpoint policy blocking S3 access
- Missing or incorrect DynamoDB table for locking

## Step-by-Step Fix

1. **Verify the S3 bucket exists and is accessible**:

   ```bash
   aws s3 ls s3://my-terraform-state/
   aws s3api head-bucket --bucket my-terraform-state
   ```

2. **Check IAM permissions**:

   ```bash
   aws sts get-caller-identity
   aws iam simulate-principal-policy \
     --policy-source-arn <arn> \
     --action-names s3:GetObject s3:PutObject s3:ListBucket \
     --resource-arns arn:aws:s3:::my-terraform-state arn:aws:s3:::my-terraform-state/*
   ```

3. **Verify bucket encryption matches config**:

   ```bash
   aws s3api get-bucket-encryption --bucket my-terraform-state
   ```

4. **If bucket uses SSE-KMS, add to backend config**:

   ```hcl
   terraform {
     backend "s3" {
       bucket         = "my-terraform-state"
       key            = "prod/terraform.tfstate"
       region         = "us-east-1"
       dynamodb_table = "terraform-lock"
       encrypt        = true
       kms_key_id     = "arn:aws:kms:..."
     }
   }
   ```
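
The IAM permissions check above passes two ARNs (the bucket and its objects) because `s3:ListBucket` is evaluated against the bucket while `s3:GetObject` and `s3:PutObject` are evaluated against object keys. The following is an added example, not part of the original page: a simplified offline evaluator for an identity policy document that shows a policy scoped only to `bucket/*` failing the `s3:ListBucket` check. It ignores `Condition`, `NotAction`, `NotResource`, bucket policies and SCPs; the function names and both sample policies are constructed for illustration.

```python
import fnmatch

# Bucket and key come from the page's backend block; the three actions are
# those its simulate-principal-policy step checks, paired with the ARN type
# S3 evaluates each against (bucket vs. object).
BUCKET = "arn:aws:s3:::my-terraform-state"
STATE_KEY = BUCKET + "/prod/terraform.tfstate"
REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetObject", STATE_KEY),
            ("s3:PutObject", STATE_KEY)]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names are case-insensitive, ARNs are not. fnmatch supplies the
    # "*" and "?" wildcards; Condition/NotAction/NotResource are ignored.
    act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
              for a in _as_list(stmt.get("Action", [])))
    res = any(fnmatch.fnmatchcase(resource, r)
              for r in _as_list(stmt.get("Resource", [])))
    return act and res

def missing_permissions(policy, required=REQUIRED):
    """Return the (action, resource) pairs this policy does not grant."""
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for action, resource in required:
        hits = [s for s in stmts if _matches(s, action, resource)]
        allowed = any(s.get("Effect") == "Allow" for s in hits)
        denied = any(s.get("Effect") == "Deny" for s in hits)
        if denied or not allowed:  # an explicit Deny always wins
            missing.append((action, resource))
    return missing

# Constructed policy: every action is scoped to objects only, so
# s3:ListBucket never matches the bucket ARN itself.
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": BUCKET + "/*",
}]}
# Constructed fix: ListBucket on the bucket, object actions on the keys.
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    print(missing_permissions(OBJECTS_ONLY), missing_permissions(FIXED))
```

To check a real policy, load its JSON document with `json.load` and pass the resulting dict to `missing_permissions`.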