
aws IAM role is not authorized to perform: route53:ListHostedZones


When I try to deploy terraform script using gitlab runner I am getting the following error

Error: Error finding Route 53 Hosted Zone: AccessDenied: User: arn:aws:sts::12345678:assumed-role/dev-runner/i-01b2f123f1e1a127c is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action

The IAM role that is attached to the runner has the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:route53:::*",
                "arn:aws:acm:us-east-1:12345678:certificate/*"
            ]
        }
    ]
}

What am I missing here? All the actions are allowed on the arn:aws:route53:::* resource.


Solution

  • Try checking the role with the AWS Policy Simulator.

    Here is the error it raises for your role:

    This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.

    Resource should be "Resource": "*" to be able to run ListHostedZones. However, in this case the permissions will be totally insecure, so I recommend separating the statements:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "route53:ListHostedZones",
                    ... any other specific permissions for R53 ...
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "*",
                "Resource": [
                    "arn:aws:acm:us-east-1:12345678:certificate/*"
                ]
            }
        ]
    }
    

    And just a personal opinion: using wildcard * actions without at least specifying a service (route53:*) does not look like a good idea.
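A small policy lint for the two pitfalls the answer raises, as an added example that is not part of the original post or of any AWS tooling: it assumes a hand-maintained list of actions that do not support resource-level permissions (seeded with the one from the error) and runs over the question's and the answer's policies, constructed inline.

```python
import fnmatch
import json

# Actions AWS documents as not supporting resource-level permissions: an Allow
# for them only takes effect when "Resource" contains "*". Seeded with the action
# from the question; extend it from the Route 53 page of the AWS Service
# Authorization Reference (assumption: this list is yours to maintain).
NO_RESOURCE_LEVEL = {"route53:ListHostedZones"}

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants(stmt, action):
    """IAM action patterns are case-insensitive and may use '*' (e.g. 'route53:*')."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))

def check_policy(policy):
    """Return (subject, message) findings: no-resource-level actions that are
    granted only with scoped resources, and statements using the bare "*" action."""
    findings = []
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    for action in sorted(NO_RESOURCE_LEVEL):
        matching = [s for s in allows if _grants(s, action)]
        if matching and not any("*" in _as_list(s.get("Resource", [])) for s in matching):
            sids = [s.get("Sid", "<no Sid>") for s in matching]
            findings.append((action, f'only granted with scoped Resource in {sids}; needs "*"'))
    for s in allows:
        if "*" in _as_list(s.get("Action", [])):
            findings.append((s.get("Sid", "<no Sid>"),
                             'Action "*" spans every service; narrow to e.g. "route53:*"'))
    return findings

# The policy from the question, with its trailing comma removed so it parses.
QUESTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "*",
   "Resource": ["arn:aws:route53:::*", "arn:aws:acm:us-east-1:12345678:certificate/*"]}]}""")

# The split policy from the answer, with the "..." placeholder left out.
FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": "*"},
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "*",
   "Resource": ["arn:aws:acm:us-east-1:12345678:certificate/*"]}]}""")

if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer", FIXED_POLICY)):
        print(name, check_policy(pol))
```

On the question's policy it reports both the ListHostedZones grant that never takes effect and the bare "*" action; on the answer's split policy only the remaining "*" action in VisualEditor1 is flagged.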