
Cross aws s3 cannot obtain bucket information normally #3442

Open
colinlabs opened this issue Sep 26, 2024 · 2 comments
Labels
awaiting response Waiting for a response or more data from issue reporter bug Something isn't working

colinlabs commented Sep 26, 2024

Describe the bug

We created an S3 bucket in account A, then tested S3 and granted access to a role in account B. The bucket information could be read correctly in Terraform, but Terragrunt could not obtain the bucket information correctly.

Error:

$ terragrunt plan
ERRO[0001] Error checking if bucket iac-terraform-states is have root access: MethodNotAllowed: The specified method is not allowed against this resource.
        status code: 405, request id: HRC9C67M26ABCANB, host id: JeLyKvfn/qWS67omoYSqtoPp4pmlX66DcJQKLeG8rLv/0bEeyT6tfXKBMfxlWP1pCpNnbKA7QIE= 
ERRO[0001] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 

config:

remote_state {
  backend = "s3"
  config = {
    bucket         = "iac-terraform-states"     # s3 bucket in a different account
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}

s3 policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:role/accountA"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iac-terraform-states/*",
                "arn:aws:s3:::iac-terraform-states"
            ]
        }
    ]
}

Expected behavior

It should behave like Terraform and be able to read bucket information across AWS accounts.

Versions

  • Terragrunt version: 0.56.5
  • OpenTofu/Terraform version: Terraform v1.5.7 on darwin_arm64
  • Environment details (Ubuntu 20.04, Windows 10, etc.): mac
colinlabs added the "bug (Something isn't working)" label on Sep 26, 2024
colinlabs changed the title from "跨 aws s3 无法正常获取存储桶的信息" (Chinese; same meaning as the new title) to "Cross aws s3 cannot obtain bucket information normally" on Sep 26, 2024
colinlabs (Author) commented:

Found a description: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.

yhakbar (Collaborator) commented Oct 15, 2024

Hey @colinlabs ,

Try setting disable_bucket_update = true in your remote_state --> config configurations, and share if you still experience the same error.

By default, Terragrunt will attempt to make sure all relevant backend resources are available for use by checking to see if they're provisioned, etc. It can be confusing, but a lot of users configure certain authentication configurations for OpenTofu/Terraform, thinking the same authentication configurations will be used by Terragrunt, but they aren't.

If disabling bucket updates solves your issue, you can either choose to manage the backend resources manually, or investigate the issue with --terragrunt-log-level debug.

Overall, this issue has more to do with AWS authentication than how Terragrunt functions.
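The workaround suggested above, written out as an added example (not the reporter's original config nor Terragrunt's own docs): the same remote_state block with disable_bucket_update = true in its config map, so Terragrunt stops running its bucket create/update checks against a bucket owned by another account. The failing "root access" check in the report maps to the owner-only GetBucketPolicy call the reporter found, which answers 405 for any caller outside the bucket owner's account regardless of the s3:* grant.

```hcl
remote_state {
  backend = "s3"
  config = {
    bucket         = "iac-terraform-states"   # bucket owned by account A
    key            = "aws/iac/${path_relative_to_include()}/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"

    # Added line: skip Terragrunt's bucket provisioning/verification step.
    # That step calls owner-only S3 APIs (e.g. GetBucketPolicy), which return
    # 405 MethodNotAllowed when the caller is a principal from account B,
    # even though the bucket policy grants that principal s3:*.
    disable_bucket_update = true
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
```

With this set, the hardening Terragrunt would otherwise verify on the bucket (versioning, encryption, public-access block, and the policy itself) is no longer checked from account B, so account A has to manage and audit those settings itself; if the error persists, --terragrunt-log-level debug shows which S3 calls are still being made.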

yhakbar added the "awaiting response (Waiting for a response or more data from issue reporter)" label on Oct 15, 2024