Terraform apply "AccessDenied / UnauthorizedOperation" creating a resource
Apply makes real provider API calls. When the runner credentials lack the IAM action a resource needs, the create/update call is denied and the apply fails partway through.
What this error means
terraform apply errors creating a specific resource with a cloud AccessDenied or EC2 UnauthorizedOperation, naming the API action the role is missing.
Error: creating EC2 Security Group: UnauthorizedOperation: You are not
authorized to perform this operation. User: arn:aws:sts::123:assumed-role/ci
is not authorized to perform: ec2:CreateSecurityGroupCommon causes
IAM policy missing the action
The runner role can create some resources but not this one; the exact action (for example ec2:CreateSecurityGroup) is not granted.
Resource-level or condition restriction
A permission boundary, SCP, or condition key blocks the call even though the base action is allowed.
Wrong account or role assumed
The pipeline assumed a role in the wrong account, so the resource cannot be created where expected.
How to fix it
Identify the exact missing action
The error names the action; add it to the runner policy scoped to the right resources.
aws sts get-caller-identity
# confirm which role/account Terraform is using before editing IAMGrant least-privilege and re-apply
- Add the named action to the CI role policy, scoped by ARN/tag where possible.
- Check for an SCP or permission boundary that denies it at the org level.
- Re-run apply; if the create half-succeeded, Terraform resumes from the failed resource.
How to prevent it
- Derive the CI policy from a plan-time dry run of required actions.
- Keep one role per environment to avoid account confusion.
- Test new resource types in a lower environment first.