<!-- Hi there, Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html. If your issue relates to a specific Terraform provider, please open it in the provider's own repository. The index of providers is at https://github.com/terraform-providers . --> ### Terraform Version <!--- Run `terraform -v` to show the version, and paste the result between the ``` marks below. If you are not running the latest version of Terraform, please try upgrading because your issue may have already been fixed. --> ``` Terraform v0.12.6 + provider.archive v1.2.2 + provider.aws v2.14.0 ``` ### Terraform Configuration Files <!-- Paste the relevant parts of your Terraform configuration between the ``` marks below. For large Terraform configs, please use a service like Dropbox and share a link to the ZIP file. For security, you can also encrypt the files using our GPG public key. --> ```hcl terraform { required_version = ">= 0.12" backend "s3" { region = "eu-west-1" encrypt = true dynamodb_table = "{redacted}" bucket = "{redacted}" key = "{redacted}" } } ``` ### Debug Output <!-- Full debug output can be obtained by running Terraform with the environment variable `TF_LOG=trace`. Please create a GitHub Gist containing the debug output. Please do _not_ paste the debug output in the issue, since debug output is long. Debug output may contain sensitive information. Please review it before posting publicly, and if you are concerned feel free to encrypt the files using the HashiCorp security public key. --> ``` 2019/08/16 17:31:43 [INFO] Terraform version: 0.12.6 2019/08/16 17:31:43 [INFO] Go runtime version: go1.12.4 2019/08/16 17:31:43 [INFO] CLI args: []string{"{redacted}/terraform", "apply"} 2019/08/16 17:31:43 [DEBUG] Attempting to open CLI config file: {redacted}/.terraformrc 2019/08/16 17:31:43 [DEBUG] File doesn't exist, but doesn't need to. Ignoring. 2019/08/16 17:31:43 [INFO] CLI command args: []string{"apply"} 2019/08/16 17:31:43 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 1579759270 2019/08/16 17:31:43 [TRACE] Preserving existing state lineage "{redacted}" 2019/08/16 17:31:43 [TRACE] Preserving existing state lineage "{redacted}" 2019/08/16 17:31:43 [TRACE] Meta.Backend: working directory was previously initialized for "s3" backend 2019/08/16 17:31:43 [TRACE] Meta.Backend: using already-initialized, unchanged "s3" backend configuration 2019/08/16 17:31:43 [INFO] Setting AWS metadata API timeout to 100ms 2019/08/16 17:31:44 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id 2019/08/16 17:31:44 [INFO] AWS Auth provider used: "EnvProvider" 2019/08/16 17:31:44 [DEBUG] Trying to get account information via sts:GetCallerIdentity 2019/08/16 17:31:44 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details: ---[ REQUEST POST-SIGN ]----------------------------- POST / HTTP/1.1 Host: sts.amazonaws.com User-Agent: aws-sdk-go/1.21.7 (go1.12.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.6 Content-Length: 43 Authorization: {redacted} Content-Type: application/x-www-form-urlencoded; charset=utf-8 X-Amz-Date: 20190816T163144Z Accept-Encoding: gzip Action=GetCallerIdentity&Version=2011-06-15 ----------------------------------------------------- 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details: ---[ RESPONSE ]-------------------------------------- HTTP/1.1 200 OK Connection: close Content-Length: 426 Content-Type: text/xml Date: Fri, 16 Aug 2019 16:31:44 GMT X-Amzn-Requestid: {redacted} ----------------------------------------------------- 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] {redacted} {redacted} {redacted} {redacted} 2019/08/16 17:31:45 [TRACE] Meta.Backend: instantiated backend of type *s3.Backend 2019/08/16 17:31:45 [DEBUG] checking for provider in "." 2019/08/16 17:31:45 [DEBUG] checking for provider in "{redacted}" 2019/08/16 17:31:45 [DEBUG] checking for provider in ".terraform/plugins/linux_amd64" 2019/08/16 17:31:45 [DEBUG] found provider "terraform-provider-archive_v1.2.2_x4" 2019/08/16 17:31:45 [DEBUG] found provider "terraform-provider-aws_v2.14.0_x4" 2019/08/16 17:31:45 [DEBUG] found valid plugin: "aws", "2.14.0", "{redacted}/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.14.0_x4" 2019/08/16 17:31:45 [DEBUG] found valid plugin: "archive", "1.2.2", "{redacted}/.terraform/plugins/linux_amd64/terraform-provider-archive_v1.2.2_x4" 2019/08/16 17:31:45 [DEBUG] checking for provisioner in "." 2019/08/16 17:31:45 [DEBUG] checking for provisioner in "{redacted}" 2019/08/16 17:31:45 [DEBUG] checking for provisioner in ".terraform/plugins/linux_amd64" 2019/08/16 17:31:45 [TRACE] Meta.Backend: backend *s3.Backend does not support operations, so wrapping it in a local backend 2019/08/16 17:31:45 [INFO] backend/local: starting Apply operation 2019/08/16 17:31:45 [TRACE] backend/local: requesting state manager for workspace "default" 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] DEBUG: Request s3/ListObjects Details: ---[ REQUEST POST-SIGN ]----------------------------- GET /?prefix=env%3A%2F HTTP/1.1 Host: {redacted}.s3.eu-west-1.amazonaws.com User-Agent: aws-sdk-go/1.21.7 (go1.12.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.6 Authorization: {redacted} X-Amz-Content-Sha256: {redacted} X-Amz-Date: 20190816T163145Z Accept-Encoding: gzip ----------------------------------------------------- 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] DEBUG: Response s3/ListObjects Details: ---[ RESPONSE ]-------------------------------------- HTTP/1.1 403 Forbidden Connection: close Transfer-Encoding: chunked Content-Type: application/xml Date: Fri, 16 Aug 2019 16:31:44 GMT Server: AmazonS3 X-Amz-Bucket-Region: eu-west-1 X-Amz-Id-2: {redacted} X-Amz-Request-Id: {redacted} ----------------------------------------------------- 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] AccessDeniedAccess Denied{redacted}{redacted} 2019/08/16 17:31:45 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/ListObjects failed, attempt 0/5, error AccessDenied: Access Denied status code: 403, request id: {redacted}, host id: {redacted} Error: Error loading state: AccessDenied: Access Denied status code: 403, request id: {redacted}, host id: {redacted} ``` ### Crash Output <!-- If the console output indicates that Terraform crashed, please share a link to a GitHub Gist containing the output of the `crash.log` file. --> ### Expected Behavior <!-- What should have happened? --> No attempt to access env:/ key ### Actual Behavior <!-- What actually happened? --> Attempted to access env:/ key: ``` GET /?prefix=env%3A%2F HTTP/1.1 ``` ### Steps to Reproduce <!-- Please list the full steps required to reproduce the issue, for example: 1. `terraform init` 2. `terraform apply` --> 1. `terraform init` 2. `terraform apply` ### Additional Context <!-- Are there anything atypical about your situation that we should know? For example: is Terraform running in a wrapper script or in a CI system? Are you passing any unusual command line options or environment variables to opt-in to non-default behavior? --> ### References <!-- Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example: - #6017 --> - #15358