The "failed detecting s3 prefix" error occurs when Terraform Enterprise cannot list objects in an S3 bucket during state detection. This typically indicates missing IAM permissions, incorrect credentials, or network connectivity issues with your S3 backend.
This error occurs when Terraform Enterprise tries to detect existing workspaces by listing objects in the configured S3 bucket. The "could not list objects" portion indicates that the S3 ListObjects (or ListObjectsV2) operation has failed. Terraform needs to list bucket contents to discover existing workspace state files. When this operation fails, it prevents Terraform Enterprise from initializing properly. The error can stem from authentication issues, permission problems, network failures, or S3 configuration issues.
Check that Terraform Enterprise has valid AWS credentials. These can be provided via:
1. Instance profile (IAM role attached to the EC2/ECS instance)
2. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
3. ~/.aws/credentials file
To verify instance profile:
# On the TFE instance
curl http://169.254.169.254/latest/meta-data/iam/info
If using environment variables or credentials file:
aws sts get-caller-identity
This should return your AWS account ID and IAM principal.
Terraform Enterprise needs the s3:ListBucket permission on the bucket itself (not just objects).
Required minimal IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::your-state-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-state-bucket/*"
    }
  ]
}
If using a prefix restriction:
{
  "Effect": "Allow",
  "Action": ["s3:ListBucket"],
  "Resource": "arn:aws:s3:::your-state-bucket",
  "Condition": {
    "StringLike": {
      "s3:prefix": ["your-prefix/*"]
    }
  }
}
Confirm the bucket name and region match your Terraform configuration:
# List buckets
aws s3 ls
# Check bucket region
aws s3api get-bucket-location --bucket your-state-bucket
# Verify the bucket is accessible
aws s3 ls s3://your-state-bucket/
The bucket must exist in the region specified in your Terraform backend configuration.
If using a custom S3 endpoint (MinIO, LocalStack, or S3-compatible service):
# Verify endpoint URL is correct and includes protocol
# Example: https://minio.example.com:9000 (not just minio.example.com)
# Test connectivity
curl -v https://your-s3-endpoint/
For Terraform Enterprise Replicated:
# Check the s3_endpoint setting
replicatedctl app-config show s3_endpoint
# Should include protocol: https://...
# If missing protocol, update it
replicatedctl app-config set s3_endpoint --value https://your-endpoint:9000
For custom S3 endpoints, check certificate validity:
# Check certificate expiration
openssl s_client -connect your-s3-endpoint:443 -servername your-s3-endpoint </dev/null 2>/dev/null | openssl x509 -noout -dates
# Verify certificate chain is complete
openssl s_client -connect your-s3-endpoint:443 -showcerts </dev/null 2>/dev/null
If using self-signed certificates, ensure TFE has them in its trusted CA store.
If using IAM assume role:
# Verify the instance profile exists
aws iam get-instance-profile --instance-profile-name tfe-instance-profile
# Verify the role has S3 permissions
aws iam get-role-policy --role-name tfe-role --policy-name s3-policy
# Check if role assumption is working
aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/tfe-role --role-session-name test
For EKS/Kubernetes deployments, verify the ServiceAccount has the correct IAM role annotation (IRSA).
Newer Terraform Enterprise versions (1.6.0+) have different credential handling. If upgrading:
1. For prefix-scoped ListBucket permissions, update the IAM policy to allow ListBucket without prefix conditions
2. Use TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE=true if using instance profiles
3. Verify the upgrade completed successfully and services restarted
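The two IAM points above (s3:ListBucket must target the bucket ARN rather than the object ARN, and an s3:prefix condition limits which list requests are allowed) can be checked offline against a policy document. This Python check is an added example, not code from Terraform Enterprise or AWS; the function names and sample policies are constructed, and it assumes identity policies only (Allow statements, StringLike/StringEquals on s3:prefix), ignoring Deny statements, bucket policies and SCPs.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _prefix_ok(condition, prefix):
    # Handles only StringLike/StringEquals on s3:prefix; anything else fails closed.
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key.lower() != "s3:prefix" or operator not in ("StringLike", "StringEquals"):
                return False
            match = (lambda p: p == prefix) if operator == "StringEquals" \
                else (lambda p: fnmatch.fnmatchcase(prefix, p))
            if not any(match(p) for p in _as_list(patterns)):
                return False
    return True

def check_list_access(policy, bucket, prefix=""):
    """Return (allowed, findings) for a list request on `bucket` with `prefix`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed, findings = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("s3:listbucket", a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(bucket_arn, r) for r in resources):
            if any(r.startswith(bucket_arn + "/") for r in resources):
                findings.append("s3:ListBucket is on object ARNs only; use the bucket ARN")
            continue
        if not _prefix_ok(stmt.get("Condition", {}), prefix):
            findings.append(f"s3:prefix condition does not match prefix {prefix!r}")
            continue
        allowed = True
    if not allowed and not findings:
        findings.append("no Allow statement grants s3:ListBucket on this bucket")
    return allowed, findings

# Constructed sample policies using the page's placeholder bucket name.
BUCKET = "arn:aws:s3:::your-state-bucket"
OBJECT_ONLY = {"Statement": [{"Effect": "Allow", "Resource": BUCKET + "/*",
                              "Action": ["s3:ListBucket", "s3:GetObject"]}]}
PREFIXED = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"],
                           "Resource": BUCKET,
                           "Condition": {"StringLike": {"s3:prefix": ["your-prefix/*"]}}}]}
if __name__ == "__main__":
    for policy in (OBJECT_ONLY, PREFIXED):
        print(check_list_access(policy, "your-state-bucket", ""))
```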
Check your TFE version:
# In Replicated TFE
replicatedctl app-config show release_sequence
Increase logging verbosity:
For Replicated TFE:
# Check application logs
replicatedctl logs app | grep -i "list"
# Or view logs in real-time
tail -f /var/log/replicated/replicated.log | grep -i s3
For FDO (Flexible Deployment Options):
# Check pod logs
kubectl logs -n tfe -l app=tfe --tail=100 | grep -i s3
Look for the specific S3 error (AccessDenied, NoSuchBucket, InvalidRegion, etc.) to pinpoint the issue.
For Terraform Enterprise 202309-1 and later with Consolidated Services enabled, custom S3 endpoints must include the protocol prefix (https://). If upgrading from an older version, update endpoint URLs explicitly.
For EKS deployments (Terraform Enterprise FDO), ensure HttpPutResponseHopLimit is set to 2 in the launch template, especially on EKS 1.30+, to allow proper IMDS credential retrieval.
For on-premises S3-compatible solutions (MinIO, Wasabi), verify TLS certificates are in the system trust store and that the endpoint supports ListObjectsV2 API calls. Some older S3-compatible implementations may only support ListObjects (v1).
In air-gapped or private network deployments, ensure network routes exist to reach the S3 endpoint, and no firewall rules are blocking egress to the S3 service ports.