
When I try to deploy terraform script using gitlab runner I am getting the following error

Error: Error finding Route 53 Hosted Zone: AccessDenied: User: arn:aws:sts::12345678:assumed-role/dev-runner/i-01b2f123f1e1a127c is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action

The IAM role that is attached to the runner has the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:route53:::*",
                "arn:aws:acm:us-east-1:12345678:certificate/*"
            ]
        }
    ]
}

What am I missing here? All the actions are allowed on the arn:aws:route53:::* resource.

LP13

1 Answer


Try checking the role with the AWS Policy Simulator.

Here is the error that is raised for your role:

This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

The resource should be `"Resource": "*"` to be able to run ListHostedZones. However, in this case the permissions will be totally insecure, so I recommend separating the statements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                ... any other specific permissions for R53 ...
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:acm:us-east-1:12345678:certificate/*"
            ]
        }
    ]
}

And just a personal opinion: using the wildcard `*` for actions without at least specifying the service (`route53:*`) does not look like a good idea.

rzlvmp
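A small offline check for the two problems discussed above (an action that only works with `Resource "*"`, and blanket `Action "*"` grants), added here as an example and not code from the question or the answer. The list of non-resource-level actions is an assumption limited to `route53:ListHostedZones`; the sample policies are constructed from the ones on this page.

```python
import fnmatch

# Actions with no resource-level permission support, so they only work with
# Resource "*". Assumption: only the action from this question is listed; the
# authoritative list is the IAM service authorization reference.
NON_RESOURCE_ACTIONS = {"route53:listhostedzones"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_policy(policy, required_actions):
    """Map each required action to findings; an empty list means it is granted.
    Assumption: only Allow statements are evaluated (no Deny, Condition, NotAction,
    and no matching of resource ARNs beyond the "*" requirement)."""
    report = {}
    for action in required_actions:
        findings, granted = [], False
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") != "Allow" or not any(
                    _matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue  # statement does not name this action at all
            if action.lower() in NON_RESOURCE_ACTIONS and "*" not in _as_list(stmt.get("Resource", [])):
                findings.append(f'{stmt.get("Sid", "?")}: {action} ignores resource ARNs; '
                                'Resource must be "*"')
                continue
            granted = True
        report[action] = [] if granted else (findings or [f"no Allow statement covers {action}"])
    return report

def wildcard_action_sids(policy):
    """Sids of Allow statements with Action "*", the blanket grant the answer warns against."""
    return [s.get("Sid", "?") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))]

# Constructed samples: the policy from the question and the split one from the answer
# (the account id is the page's own placeholder).
RUNNER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": "*",
    "Resource": ["arn:aws:route53:::*", "arn:aws:acm:us-east-1:12345678:certificate/*"]}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "*",
     "Resource": ["arn:aws:acm:us-east-1:12345678:certificate/*"]}]}
```

Running `check_policy(RUNNER_POLICY, ["route53:ListHostedZones"])` reproduces the question's denial as a finding, while the answer's split policy passes; `wildcard_action_sids` still flags the remaining `Action "*"` statement in it.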