Skip to content
Latchkey

Terraform "Failed to load state: AccessDenied" in CI

Before planning, Terraform downloads the current state from the backend. When the runner cannot read that object - IAM, KMS, or credential problem - there is no state to plan against.

What this error means

terraform plan/apply fails loading state, wrapping an S3 GetObject AccessDenied or a KMS decrypt denial for the state object.

terraform
Error: Failed to load state: operation error S3: GetObject, https response
error StatusCode: 403, AccessDenied: Access Denied

Failed to open state file at s3://tf-state-prod/prod/terraform.tfstate

Common causes

No s3:GetObject on the state key

The runner role can list but not read the specific state object.

KMS decrypt denied

The state is encrypted with a CMK the runner role cannot use, so the read fails on decrypt.

Wrong credentials or account

Expired keys or the wrong assumed role denies the read entirely.

How to fix it

Grant read and KMS decrypt

  1. Add s3:GetObject on the state object ARN to the runner policy.
  2. If the bucket uses a CMK, grant kms:Decrypt on that key.
  3. Confirm the right role is assumed with aws sts get-caller-identity.
Terminal
aws s3 cp s3://tf-state-prod/prod/terraform.tfstate - >/dev/null

How to prevent it

  • Scope the CI role to read+write the state object and use its KMS key.
  • Prefer OIDC role assumption over static keys.
  • Keep KMS key policies in sync with the CI role.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →