---
title: "TF State Bucket Accessor"
type: entity
entity_type: product
tags:
  - Terraform
  - IAM
  - S3
  - State-Management
  - AWS
sources:
  - ctp-topic-16-cross-account-terraform-modules.md
last_updated: 2026-05-15
---

## Overview

TF State Bucket Accessor 是部署在目标 AWS 账号中的一种专门 IAM 角色，仅允许部署工具（ECS Deploy Runner）访问存储在该账号 S3 桶中的 Terraform 状态文件。

## Purpose

Terraform 通过状态文件（state file）追踪基础设施的实际部署状态。在跨账号场景中：

- **状态文件位置**：存储在目标 Workload 账号的 S3 桶中
- **访问控制问题**：Shared Account 的 ECS Deploy Runner 需要读取这些状态文件，但直接赋予 S3 访问权限存在安全风险
- **解决方案**：创建专门的 IAM 角色，仅允许特定的部署执行器 Assume 该角色

## IAM Policy Design

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SharedAccount>:role/ecs-deploy-runner-execution-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<target-account>-terraform-state/*"
    }
  ]
}
```

## Relationships

- [[ECS-Deploy-Runner]] ← reads_state ← [[TF-State-Bucket-Accessor]]
- [[Cross-account-ECS-Deploy-Runner-Role]] ← sibling_role ← [[TF-State-Bucket-Accessor]]
- [[TerraformState]] ← protected_by ← [[TF-State-Bucket-Accessor]]

## Related Concepts

- [[TerraformState]]：状态文件管理是 IaC 的核心问题
- [[Assume-Role]]：EDR 通过 Assume Role 获取该角色的临时凭证
- [[Blast-Radius]]：专门角色限制了凭证泄露时的爆炸半径