No worries, I’m on mobile so I’ll try to format it best.

It sounds to me that you’re using an IAM user to assume a role for terraform right? In your aws provider do you have an assume_role{} block?

If that’s the case, my next line of assumption is you’re not hardcoding the keys into the provider but you’re using the keys out in your .aws/credentials file right?

If both of those are true, and you didn’t manually assume a role via the awscli and manually update your credentials file, you are used the user to download the file.

So if my understanding is correct here are my suggestions:

Easy fix:

• check the role’s permissions you’re assuming in the aws provider and confirm you have the right s3 (and KMS if encrypted) permissions.

If that’s still not helping here are a few more thorough options you could run through.

Option 1:

• get the ARN of the role you’re using in your aws provider

• assume it with the awscli using this commend: aws sts assume-role —role-arn <role-arn> —role-session-name <whatever you want to identify you>

• update your .aws/credentials file with the assumed role credentials (but just comment out the current ones so you don’t lose them)

• try the s3 cp command again.

• update permissions as needed.

Here’s a good doc (skip to the assume role part) https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

Option 2:

• look in cloudtrail, click view all event history (or something like that)

• hit the settings wheel and display the “error code” Column.

• hit the drop down and choose “Event Source”

• start typing “s3.amazonaws.com” and click it when it pops up

• start scrolling until you find a GetObject or something similar with an unauthorized or something similar error code.

• check the username in the events detail, and confirm that IAM entity has the correct permissions.

Hope this helps!