AccessDenied error during Route53 VPC association

Hi there,

I’m seeing this peculiar issue, which I haven’t faced before. The aws_route53_zone_association resource returns this error:

Error: associating Route53 Hosted Zone (Zxxxxx) to EC2 VPC (vpc-xxxxx): AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/TerraformRunner/aws-go-sdk-16847738xxxxxxxxxxxx is not authorized to perform: route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Zxxxxx because no resource-based policy allows the route53:AssociateVPCWithHostedZone action

which doesn’t make sense to me, as the IAM policy for the TerraformRunner role allows Route53:* in the Action list on Resource: "*".

AFAIK, there is no resource-based policy associated with Route53, and the only resource type that is associated with a VPC is arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}, and I have "*" for that.

Does anyone know what I am missing? Any help will be really appreciated!!

Could anyone give me any hint about what’s going wrong with the above error, please?

The error you’re facing is completely unrelated to Terraform or the AWS provider. You’d get the same exact error were you to perform this operation using the AWS CLI or SDK. Therefore, the amount of help that can be offered in this forum will be quite limited.

For starters, you could check:

Here is an example of how that could be done using Terraform code.

Thanks @macmiranda for taking the time to answer. I’m not saying Terraform; just hoping someone has seen this before. It still doesn’t add up for my case. I’ve been using the Route53 VPC association for years now but have never seen this error.

Maybe I wasn’t clear on a few things in the OP:

  1. It’s not a cross-account association
  2. In the allowed actions, route53:* is allowed
  3. Resource: "*" is also in the Allow statement

I don’t think this has to do with the IAM role/permissions, but I’m unable to see what might be causing the issue. Does anyone know where that aws-go-sdk-16847738..... comes from? I have never seen that part in any role/policy-related error.

Sorry, I’m not very familiar with your use case. I’ve always used Route53 zone association with VPCs in different accounts (which requires an authorization).

According to Associating more VPCs with a private hosted zone - Amazon Route 53, this can be easily achieved through the console. So I’d recommend you try that (or perhaps the AWS CLI) first to see if AWS gives you any more hints, and check your CloudTrail events as well.
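As an added example (not code posted by anyone in this thread), here is an offline first pass that complements the CLI and CloudTrail checks suggested above. It parses an AccessDenied message of the shape quoted in the original post into principal, role, session name, action and resource, and then evaluates the identity-based policy documents you believe are attached to the role using IAM's matching rules: action names match case-insensitively with `*` and `?` globs, ARNs match case-sensitively, an explicit Deny anywhere wins over any Allow, and no matching Allow is an implicit deny. It cannot see SCPs, permissions boundaries, session policies or resource-based policies, so an "allow" verdict here only tells you that the policy you think is attached is not what is blocking the call and that the answer lies elsewhere; `aws iam simulate-principal-policy` and the CloudTrail event for the request remain the authoritative checks. The sample error text is copied from the thread, the `POSTER_POLICY` document is my reconstruction of the route53:* on Resource "*" policy the poster describes, and `HYPOTHETICAL_DENY` is a made-up second document added only to show how an explicit Deny changes the verdict.

```python
"""Offline sanity check for an assumed-role IAM AccessDenied message.

Added example, not code from the thread. Evaluates identity-based policies only;
SCPs, permissions boundaries, session and resource policies are out of scope.
"""
import re
from typing import Dict, List

# "User: <sts arn> is not authorized to perform: <action> on resource: <arn>".
# The last path component of an assumed-role principal ARN is the RoleSessionName
# that the caller passed to sts:AssumeRole.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>[^:]*):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message: str) -> Dict[str, str]:
    """Extract principal, account, role, session, action and resource from the message."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        raise ValueError("message is not an assumed-role AccessDenied error")
    return m.groupdict()


def _as_list(value) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    if "Action" in stmt:
        action_hit = any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
    else:  # NotAction: applies to every action except the listed ones
        action_hit = not any(_glob(a, action, True) for a in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        resource_hit = any(_glob(r, resource, False) for r in _as_list(stmt["Resource"]))
    else:  # NotResource: applies to every resource except the listed ones
        resource_hit = not any(_glob(r, resource, False) for r in _as_list(stmt.get("NotResource")))
    return action_hit and resource_hit


def evaluate(policies: Dict[str, dict], action: str, resource: str) -> dict:
    """Return allow / explicit-deny / implicit-deny across the given policy documents.

    Statements that carry a Condition are listed under 'conditional' instead of being
    decided, because request context keys are not available offline.
    """
    allow_from = None
    conditional = []
    for name, policy in policies.items():
        for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
            if not _statement_matches(stmt, action, resource):
                continue
            where = f"{name}#{idx}"
            if stmt.get("Condition"):
                conditional.append((where, stmt["Effect"]))
                continue
            if stmt["Effect"] == "Deny":
                return {"decision": "explicit-deny", "statement": where, "conditional": conditional}
            allow_from = allow_from or where  # keep scanning: a later Deny still wins
    return {"decision": "allow" if allow_from else "implicit-deny",
            "statement": allow_from, "conditional": conditional}


# Constructed sample input: the error text quoted in the thread, a reconstruction of the
# policy the poster describes, and a hypothetical extra document with an explicit Deny.
SAMPLE_ERROR = (
    "AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/TerraformRunner/"
    "aws-go-sdk-16847738xxxxxxxxxxxx is not authorized to perform: "
    "route53:AssociateVPCWithHostedZone on resource: arn:aws:route53:::hostedzone/Zxxxxx "
    "because no resource-based policy allows the route53:AssociateVPCWithHostedZone action"
)
POSTER_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}
HYPOTHETICAL_DENY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Deny", "Action": "route53:Associate*",
                                    "Resource": "arn:aws:route53:::hostedzone/*"}]}

if __name__ == "__main__":
    parsed = parse_access_denied(SAMPLE_ERROR)
    print(parsed)
    print(evaluate({"TerraformRunner": POSTER_POLICY}, parsed["action"], parsed["resource"]))
    print(evaluate({"TerraformRunner": POSTER_POLICY, "OtherPolicy": HYPOTHETICAL_DENY},
                   parsed["action"], parsed["resource"]))
```

Run it and the first evaluation comes back "allow" for the poster's policy, which is the useful negative result: if the document you hold really is what is attached, the denial is coming from a layer this script does not model, and that is what simulate-principal-policy (which does account for SCPs and boundaries) or the CloudTrail record of the AssociateVPCWithHostedZone call will tell you.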

That’s the RoleSessionName that’s passed in the AssumeRole request to the STS API by the AWS Go SDK.