Skip to content
Latchkey

Terraform apply "AccessDenied / UnauthorizedOperation" creating a resource

Apply makes real provider API calls. When the runner credentials lack the IAM action a resource needs, the create/update call is denied and the apply fails partway through.

What this error means

terraform apply errors creating a specific resource with a cloud AccessDenied or EC2 UnauthorizedOperation, naming the API action the role is missing.

terraform
Error: creating EC2 Security Group: UnauthorizedOperation: You are not
authorized to perform this operation. User: arn:aws:sts::123:assumed-role/ci
is not authorized to perform: ec2:CreateSecurityGroup

Common causes

IAM policy missing the action

The runner role can create some resources but not this one; the exact action (for example ec2:CreateSecurityGroup) is not granted.

Resource-level or condition restriction

A permission boundary, SCP, or condition key blocks the call even though the base action is allowed.

Wrong account or role assumed

The pipeline assumed a role in the wrong account, so the resource cannot be created where expected.

How to fix it

Identify the exact missing action

The error names the action; add it to the runner policy scoped to the right resources.

Terminal
aws sts get-caller-identity
# confirm which role/account Terraform is using before editing IAM

Grant least-privilege and re-apply

  1. Add the named action to the CI role policy, scoped by ARN/tag where possible.
  2. Check for an SCP or permission boundary that denies it at the org level.
  3. Re-run apply; if the create half-succeeded, Terraform resumes from the failed resource.

How to prevent it

  • Derive the CI policy from a plan-time dry run of required actions.
  • Keep one role per environment to avoid account confusion.
  • Test new resource types in a lower environment first.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →