I’m seeing this peculiar issue, which I haven’t faced before. The aws_route53_zone_association resource returns this error:
Error: associating Route53 Hosted Zone (Zxxxxx) to EC2 VPC (vpc-xxxxx): AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/TerraformRunner/aws-go-sdk-16847738xxxxxxxxxxxx is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Zxxxxx because no resource-based policy allows the route53:AssociateVPCWithHostedZone action
which doesn’t make sense to me, as the IAM policy for the TerraformRunner role allows Route53:* in the Action list on Resource: "*".
AFAIK, there is no resource-based policy associated with Route53, and the only resource type associated with a VPC is arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}, and I have "*" for that.
Does anyone know what I am missing? Any help will be really appreciated!!
The error you’re facing is completely unrelated to Terraform or the AWS provider. You’d get the same exact error were you to perform this operation using the AWS CLI or SDK. Therefore, the amount of help that can be offered in this forum will be quite limited.
AWS CLI Command Reference: associate-vpc-with-hosted-zone, which mentions the need for a CreateVPCAssociationAuthorization request, which you either omitted or are missing in your code.
Here is an example of how that could be done using Terraform code.
Thanks @macmiranda for taking the time to answer. I’m not saying it’s Terraform; just hoping someone has seen this before. It still doesn’t add up for my case. I’ve been using the Route53 VPC association for years now but have never seen this error.
Maybe I wasn’t clear on a few things in the OP:
It’s not cross account association
In the allow actions, route53:* is allowed
Resource: "*" is also in the Allow statement
I don’t think this has to do with the IAM role/permission, but I am unable to see what might be causing the issue. Does anyone know where that aws-go-sdk-16847738..... comes from? I have never seen that part in any role/policy related error.
Sorry, I’m not very familiar with your use case. I’ve always used Route53 zone association with VPCs in different accounts (which requires an authorization).
According to Associating more VPCs with a private hosted zone - Amazon Route 53, this can be easily achieved through the console. So I’d recommend you try that (or perhaps the AWS CLI) first to see if AWS gives you any more hints, and check your CloudTrail events as well.
That’s RoleSessionName that’s passed in the AssumeRole request to the STS API by the AWS Go SDK.
I’ll subscribe there also, as I’m getting that as well.
And with the same role, the CLI works.
OK, in my case it was that I mistakenly did the association wrong. It should be done from the account where the zone is created. But I did it from the account where I requested it.
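The two-step flow that macmiranda’s reply points to (CreateVPCAssociationAuthorization, then AssociateVPCWithHostedZone) and the account split that the last reply tripped over, written out as an added Terraform example. This is not code from the thread or from the Terraform AWS provider’s documentation. The account ids, role ARNs, zone name, VPC ids and region are constructed placeholders; the assumption is that one account owns the private hosted zone and a different account owns the VPC, each reached through its own provider alias.

```hcl
# Added example (not from the thread or the provider docs): associate a VPC in
# one account with a private hosted zone owned by another account.
# All ids, ARNs, names and the region below are placeholders.

# Credentials for the account that owns the private hosted zone.
# session_name replaces the SDK-generated "aws-go-sdk-<timestamp>" RoleSessionName
# seen in the error message, which makes the caller easy to find in CloudTrail.
provider "aws" {
  alias  = "zone_owner"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TerraformRunner" # placeholder
    session_name = "terraform-zone-owner"
  }
}

# Credentials for the account that owns the VPC being associated.
provider "aws" {
  alias  = "vpc_owner"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TerraformRunner" # placeholder
    session_name = "terraform-vpc-owner"
  }
}

# Placeholder VPC ids; in practice these would be resource references or data sources.
variable "zone_owner_vpc_id" { type = string } # VPC in account 111111111111
variable "remote_vpc_id"     { type = string } # VPC in account 222222222222

# A private hosted zone must be created with at least one VPC. Extra VPCs are
# attached through aws_route53_zone_association, so the inline vpc block is
# excluded from drift detection to stop Terraform from trying to remove them.
resource "aws_route53_zone" "private" {
  provider = aws.zone_owner
  name     = "internal.example.com" # placeholder

  vpc {
    vpc_id = var.zone_owner_vpc_id
  }

  lifecycle {
    ignore_changes = [vpc]
  }
}

# Step 1, issued by the ZONE owner: CreateVPCAssociationAuthorization for the
# remote VPC. Without this, the association in step 2 is denied even though the
# caller's own IAM policy allows route53:*, which is the symptom in the thread.
resource "aws_route53_vpc_association_authorization" "remote" {
  provider   = aws.zone_owner
  zone_id    = aws_route53_zone.private.id
  vpc_id     = var.remote_vpc_id
  vpc_region = "eu-west-1"
}

# Step 2, issued by the VPC owner: AssociateVPCWithHostedZone. Referencing the
# authorization's attributes makes Terraform order this after step 1.
resource "aws_route53_zone_association" "remote" {
  provider   = aws.vpc_owner
  zone_id    = aws_route53_vpc_association_authorization.remote.zone_id
  vpc_id     = aws_route53_vpc_association_authorization.remote.vpc_id
  vpc_region = "eu-west-1"
}
```

The IAM side is split the same way: the role in the zone-owner account needs route53:CreateVPCAssociationAuthorization, and the role in the VPC-owner account needs route53:AssociateVPCWithHostedZone together with ec2:DescribeVpcs on the VPC. The thread’s route53:* on Resource "*" covers the Route 53 half of that, which is why a correct policy alone did not fix the error; the authorization record on the hosted zone is the missing piece when the calls come from different accounts. When both the zone and the VPC live in the same account, no authorization is needed and the aws_route53_zone_association resource alone suffices.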