From 7fffddfaf0c47c9e2281e66ef02c8b7b447d394b Mon Sep 17 00:00:00 2001
From: Ergin Babani
Date: Thu, 1 Oct 2020 13:17:36 -0400
Subject: [PATCH] Use the current credentials when trying to get the bucket region

This fixes https://github.com/terraform-providers/terraform-provider-aws/issues/15420 where in aws-cn using anonymous credentials will cause the Head request to return Unauthorized. That error in turn fill cause terraform bucket operations to fail.
---
 aws/data_source_aws_s3_bucket.go | 6 ++++++
 aws/resource_aws_s3_bucket.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/aws/data_source_aws_s3_bucket.go b/aws/data_source_aws_s3_bucket.go
index 83358f75ee5..d9f8e88bafd 100644
--- a/aws/data_source_aws_s3_bucket.go
+++ b/aws/data_source_aws_s3_bucket.go
@@ -100,6 +100,12 @@ func bucketLocation(client *AWSClient, d *schema.ResourceData, bucket string) er
 // the provider s3_force_path_style configuration, which defaults to
 // false, but allows override.
 r.Config.S3ForcePathStyle = client.s3conn.Config.S3ForcePathStyle
+
+ // By default, GetBucketRegion uses anonymous credentials when doing
+ // a HEAD request to get the bucket region. This breaks in aws-cn regions
+ // when the account doesn't have an ICP license to host public content.
+ // Use the current credentials when getting the bucket region.
+ r.Config.Credentials = client.s3conn.Config.Credentials
 })
 if err != nil {
 return err
diff --git a/aws/resource_aws_s3_bucket.go b/aws/resource_aws_s3_bucket.go
index f1f54217e62..63c6bb17655 100644
--- a/aws/resource_aws_s3_bucket.go
+++ b/aws/resource_aws_s3_bucket.go
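Review bot: The credentials override added to `bucketLocation` (aws/data_source_aws_s3_bucket.go) is unconditional, so the region-lookup HEAD request is now signed with the provider's credentials in every partition, not only in aws-cn where the anonymous request is rejected. If this data source can be given a bucket name from another account, as its signature suggests, a signed request can identify the caller to that bucket's owner (for example in its server access logs), which the anonymous request did not. If that trade-off is intended, the new comment should say so, e.g. `// Applies in all partitions: the HEAD request is signed, so the caller's identity is visible to the bucket owner.`; the identical block in `resourceAwsS3BucketRead` (second hunk) carries the same caveat. The callback and the enclosing function both start and end outside this hunk.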
@@ -1281,6 +1281,12 @@ func resourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
 // the provider s3_force_path_style configuration, which defaults to
 // false, but allows override.
 r.Config.S3ForcePathStyle = s3conn.Config.S3ForcePathStyle
+
+ // By default, GetBucketRegion uses anonymous credentials when doing
+ // a HEAD request to get the bucket region. This breaks in aws-cn regions
+ // when the account doesn't have an ICP license to host public content.
+ // Use the current credentials when getting the bucket region.
+ r.Config.Credentials = s3conn.Config.Credentials
 })
 })
 if err != nil {
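Review bot: The path-style and credentials overrides are now duplicated: the block in `resourceAwsS3BucketRead` is a copy of the one in `bucketLocation` in aws/data_source_aws_s3_bucket.go, differing only in how the S3 client is reached. Because this block decides which credentials sign the request, a single helper passed at both call sites would keep the two from drifting apart if the policy is later changed or scoped to one partition. The sketch below uses a suggested helper name and assumes `s3conn` is the provider's `*s3.S3` client, which the hunk does not show. The enclosing function starts and ends outside the hunk.

```go
// bucketRegionRequestOption makes the region-lookup request follow the
// provider's S3 client: same path-style setting, same credentials.
func bucketRegionRequestOption(conn *s3.S3) request.Option {
	return func(r *request.Request) {
		r.Config.S3ForcePathStyle = conn.Config.S3ForcePathStyle
		r.Config.Credentials = conn.Config.Credentials
	}
}
```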