Terraform AWS provider "AccessDenied: User is not authorized to perform" in CI
A non-EC2 service (IAM, S3, Lambda, and others) returned AccessDenied naming the exact action and resource ARN the CI principal may not perform. The message tells you precisely what to add.
What this error means
terraform apply fails with "AccessDenied: User: arn:aws:sts::...:assumed-role/... is not authorized to perform: <service:Action> on resource: <arn>". The action and ARN are spelled out in the error.
Error: creating IAM Role (deploy): operation error IAM: CreateRole,
https response error StatusCode: 403, api error AccessDenied: User:
arn:aws:sts::111122223333:assumed-role/ci-deploy/GitHubActions is not
authorized to perform: iam:CreateRole on resource: arn:aws:iam::111122223333:role/deployCommon causes
The role policy is missing the named action
The exact service:Action in the message is not allowed for the CI principal, so the API call is denied.
The resource ARN is outside the policy scope
The action is allowed but only for other ARNs; the specific resource in the message is not covered by any allow statement.
How to fix it
Add the named action for the named ARN
- Copy the
service:ActionandresourceARN directly from the error. - Add an allow statement for that action covering that ARN to the CI role.
- Re-run apply; the message changes if a second action is also missing.
{
"Effect": "Allow",
"Action": "iam:CreateRole",
"Resource": "arn:aws:iam::111122223333:role/deploy"
}Verify the principal, not just the policy
Confirm CI assumed the role whose policy you are editing; a stale OIDC mapping can point at a different role.
aws sts get-caller-identity --query Arn --output textHow to prevent it
- Build the CI policy from the actual actions your resources need.
- Use the ARN in the error to scope resources precisely.
- Add actions one failure at a time rather than granting broad wildcards.