Terraform "Failed to load state: AccessDenied" in CI
Before planning, Terraform downloads the current state from the backend. When the runner cannot read that object - IAM, KMS, or credential problem - there is no state to plan against.
What this error means
terraform plan/apply fails loading state, wrapping an S3 GetObject AccessDenied or a KMS decrypt denial for the state object.
terraform
Error: Failed to load state: operation error S3: GetObject, https response
error StatusCode: 403, AccessDenied: Access Denied
Failed to open state file at s3://tf-state-prod/prod/terraform.tfstateCommon causes
No s3:GetObject on the state key
The runner role can list but not read the specific state object.
KMS decrypt denied
The state is encrypted with a CMK the runner role cannot use, so the read fails on decrypt.
Wrong credentials or account
Expired keys or the wrong assumed role denies the read entirely.
How to fix it
Grant read and KMS decrypt
- Add
s3:GetObjecton the state object ARN to the runner policy. - If the bucket uses a CMK, grant
kms:Decrypton that key. - Confirm the right role is assumed with
aws sts get-caller-identity.
Terminal
aws s3 cp s3://tf-state-prod/prod/terraform.tfstate - >/dev/nullHow to prevent it
- Scope the CI role to read+write the state object and use its KMS key.
- Prefer OIDC role assumption over static keys.
- Keep KMS key policies in sync with the CI role.
Related guides
Terraform "Failed to get existing workspaces" - S3 backend in CIFix Terraform init "Failed to get existing workspaces" with an S3 backend in CI - the runner cannot list the…
Terraform "Error acquiring the state lock" - lock already held in CIFix Terraform "Error acquiring the state lock" when the lock is already held in CI - a parallel run or a cras…
Terraform apply "AccessDenied / UnauthorizedOperation" creating a resourceFix Terraform apply failures where creating a cloud resource is denied in CI - the runner identity lacks the…